Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

With any security framework, be it ISO 27001, FedRAMP, or CMMC, the goal is not to secure “your business.” It’s to secure sensitive and controlled information that your business handles. This is a fundamentally important way of looking at your security. Why does this matter? It’s all about borders. Where do you draw the line between what you keep secure and what you don’t care about?

When a cloud services provider wants to work with the federal government, they have to pass a rigorous audit to make sure they’re capable of properly securing the controlled information they would handle in the process. Achieving that Authority to Operate is done through the Federal Risk and Authorization Management Program and is the biggest barrier to federal contracts, and the bar is high. As many as 60% of CSPs attempting to pass their ATO audit will fail.

When you think about an IRS publication, you’re probably thinking about the complex forms you need to fill out, usually relating to taxes. That’s not all the IRS publishes, though, and one of the more important documents they maintain is called Publication 1075. When it comes to sensitive information for everyday Americans and private sector businesses, there’s very little more important and more sensitive than tax information.

Information security frameworks like CMMC are not just about enforcing security. They’re about enforcing accountability. That’s why a whole section of controls and rules that make up CMMC centers around incident response and reporting. You can’t just have security in place, but throw your hands up and do nothing if there’s an incident or breach. Nor can you sweep it under the rug and hope no one notices.

Across the ecosystem of federal contractors, a majority of deployments tend to be relatively standard. 80% of them will be FedRAMP impact level Moderate, for example, and most will have a standard set of considerations and concerns, such that a lot of security controls can be automated. It’s those outliers that make FedRAMP challenging.