What are they? Who are they intended for? How are they enforced? What makes them special?
By: John Solon | Senior Project Manager, Burger Consulting Group
Burger Consulting Group (BCG) has recently had numerous client inquiries about cybersecurity. That is not surprising given the influx of cybersecurity events in the U.S. over the last 18 months. Attackers want to learn about the work you do for the government (and in which areas) in order to gain intelligence about U.S. government activity and military plans. For a company, few things are worse than being publicly called out for a breach and fined. And what company wants to be responsible for a breach in the Department of Defense’s supply chain?
Because of these events, the Federal Government is more focused on cybersecurity than ever before and wants to make launching cyber-attacks more difficult. Many of the inquiries made to Burger Consulting Group concern NIST 800-53, NIST 800-171, CMMC, and FedRAMP. So, we are taking the opportunity to provide some information on the “what, who, how, and why” of these standards and programs:
NIST SP 800-53
What is it?
NIST SP 800-53 provides a catalog of controls that support the development of secure and resilient federal information systems. These controls are the operational, technical, and management safeguards that information systems use to maintain the integrity, confidentiality, and security of federal information systems.
Who is it intended for?
- Vendors – Defense Department contractors
- FedRAMP CSPs (Cloud Service Providers), which are required to provide a NIST 800-53 compliant service (plus cloud-specific overlay controls) to federal agencies
How is it enforced?
FISMA (the Federal Information Security Management Act of 2002) is the legislation that relies on NIST special publications to enforce its mandate.
Why is it special?
It is the most technical and prescriptive RMF (Risk Management Framework). It is broken up into 18 control families that dictate everything from the way your systems must be configured to the processes and procedures that make up your organization’s risk management program.
CMMC
What is it?
The CMMC program (Cybersecurity Maturity Model Certification) evolved as a more robust response to the ineffective cybersecurity measures set out in the Defense Federal Acquisition Regulation Supplement (DFARS). CMMC requires that government contractors protect their Controlled Unclassified Information (CUI) by implementing the NIST 800-171 controls and having them verified by a CMMC Third Party Assessment Organization (C3PAO).
Who is it intended for?
CMMC applies to anyone in the defense contract supply chain. These include contractors who engage directly with the Department of Defense and subcontractors contracting with primes to fulfill and/or execute those contracts.
How is it enforced?
The Department of Defense, in coordination with the CMMC Accreditation Body (CMMC-AB), develops the procedures used to certify independent third-party assessment organizations (C3PAOs) and assessors.
Why is it special?
CMMC requires third-party assessments and includes three new domains: Asset Management, Recovery, and Situational Awareness. CMMC also has five different levels of maturity.
NIST 800-171
What is it?
NIST 800-171 is another SP (Special Publication) developed by NIST. It standardizes how federal agencies define Controlled Unclassified Information (CUI) and sets the IT security standards for those who have access to it.
Who is it intended for?
CMMC requires government contractors, their third-party vendors, and service providers that store and share classified and unclassified Federal Government data to comply with NIST 800-171 guidance.
How is it enforced?
The Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 now requires that defense contractors show proof of compliance with NIST 800-171.
Why is it special?
NIST 800-171 is higher-level and less prescriptive. Therefore, the organization has more latitude in how it designs and defends its control environment.
FedRAMP
What is it?
The Federal Risk and Authorization Management Program (FedRAMP) was established in 2011 to provide a cost-effective, risk-based approach for the adoption and use of cloud services by the Federal Government. FedRAMP empowers agencies to use modern cloud technologies, with an emphasis on security and protection of federal information.
Who is it intended for?
- Vendors – Any Cloud Service Provider (CSP) who sells SaaS, PaaS, or IaaS products to the United States Federal Government
- Purchasers – United States Federal Government
How is it enforced?
The JAB (Joint Authorization Board) is the primary governance and decision-making body for FedRAMP. The JAB consists of the Chief Information Officers from the Department of Defense, the Department of Homeland Security, and the General Services Administration.
Why is it special?
FedRAMP provides a standardized baseline for evaluating the security of cloud services. For any cloud service they wish to use, agencies work with the Cloud Service Provider to review its security posture and authorize the Cloud Service Offering (CSO). Once a CSO is designated as “Authorized” within the FedRAMP Marketplace, other agencies can review and reuse its security package and issue their own authorization to use the product: “do once, use many”.
Obviously, this is general information, and navigating the assessment and certification process can be challenging. Burger Consulting Group can provide the support and direction needed when working towards your certifications. For more information, please contact us.