
CMMC Compliance: Customer and Shared Responsibility Matrix

CMMC is a familiar framework to any contractor working as part of the defense industrial base and handling any form of controlled unclassified information. Whether it’s compliance in general, a specific clause relating to DFARS 252.204-7012 in your contract, or impetus from another source, you’re going to need to implement security standards from NIST SP 800-171 and adhere to the rules laid out in the Cybersecurity Maturity Model Certification framework.

FAQ: How Are STIGs, SRGs, SCAP, and CCIs Related?

In the world of government-adjacent security and compliance, there are many different terms and acronyms you’ll encounter for the processes you have to perform. Often, these terms are interrelated in a single process, so you tend to learn them in clusters. One such cluster includes STIGs, SRGs, SCAP, and CCIs. What are these, what do they mean, and what do you need to do to utilize them properly? Let’s answer the most commonly asked questions.

Can US Organizations Share or Release CUI to Foreign Entities?

Working as a contractor for the federal government means complying with a wide range of rules. Some of these are large, obvious, and well-enforced, like the security frameworks we so often discuss here on the Ignyte blog. Others are small rules, scattered throughout disparate memos and resources, and it can sometimes be easy to forget them – or not even know them at all. And, of course, it doesn’t help matters that these rules can change from time to time.

SBOM Attestation by 3PAOs: Everything You Need to Know

In the past, we’ve written a lot about FedRAMP certification and the way the Ignyte platform can help you with record-keeping and the overall process. We’ve largely glossed over the role that the third-party assessment organization plays, hand-waving it as a relationship you build between your chosen 3PAO and your own organization. As a certified 3PAO, however, we do have a unique insight into this process.

What Are the Benefits of FedRAMP Certification in 2024?

FedRAMP, the federal risk and authorization management program, is a comprehensive and structured way to develop a security – mostly cybersecurity – position when working with the federal government. It’s a framework meant for contractors and third-party businesses that handle information for the government and who need to keep it secure. The question is, if you’re a cloud service provider, what are the benefits of implementing FedRAMP?

FedRAMP vs. ISO 27001: How They Compare and Which Do You Need?

In the world of security, there are many different frameworks that may be relevant or important to your plans. We’ve talked a lot about FedRAMP, the federal government’s security framework, but it’s only one of many options. Others, from HIPAA to FISMA to SOC2, can all have their role. One of the biggest and most direct equivalents to FedRAMP is ISO 27001. What is it, how does it compare to FedRAMP, and which one should you use? Let’s talk about it.

StateRAMP vs FedRAMP: What's The Difference Between Them?

Here at Ignyte, we’ve talked a lot about FedRAMP, the Federal Risk and Authorization Management Program. As you likely well know, FedRAMP is the federal government’s unified security standard, derived from NIST standardization documents and transformed into a framework to provide a cohesive idea of security across disparate government organizations and contractors. You might wonder, how does this work with state-level agencies and departments?

The Ultimate Guide to FedRAMP Marketplace Designations

Whenever a government agency, contractor, or subcontractor wants to work with a cloud service provider, they have to find one that upholds the level of cybersecurity, physical security, and authentication that the government sets as standard. Usually, agencies have two options to do this. They can work with a cloud service provider that is FedRAMP authorized, or they can work with one that is FedRAMP Equivalent.

Guide: What is FedRAMP Tailored and What is The Difference?

In the past, we’ve talked a lot about the various FedRAMP guidelines required to reach either a single Authority to Operate or a generalized Provisional Authority to Operate. One thing that can be said to be common to all of these is that, in general, you’re talking about FedRAMP Moderate Impact Levels when you discuss these kinds of standards and certification processes. This is because around 80% of cloud service providers and offerings are classified as Moderate impact.