Insight by stackArmor

How contractors can more easily meet, sustain federal cyber requirements

Martin Rieger, the chief solutions officer and chief information security officer a stackArmor, said the caring, feeding, maintenance and continuous development...

CMMC. FedRAMP. SP-800-171. FISMA. These are some of the most important alphabet and numerical soup federal contractors must be intimately knowledgeable about to successfully navigate the market.

The focus by agencies over the last five or so years on compliance isn’t a matter of creating more hoops for companies to jump through. It’s a matter of trusting, but also verifying to protect against cybersecurity vulnerabilities.

And with the latest revision to National Institute of Standards and Technology Special Publication 800-53, Revision 5, new updates to the Federal Risk Authorization and Management Program (FedRAMP) and the Federal Information Security Management Act (FISMA) become even more necessary to grasp.

Martin Rieger, the Chief Solutions Officer at stackArmor, said FedRAMP, FISMA and many other policy and regulatory compliance requirements are more than just documentation or technology architecture. He said the caring, feeding, maintenance and continuous monitoring of these activities are what will make companies successful.

While FedRAMP requirements have been around for more than a decade, Rieger said many times contractors struggle to meet the government’s mandates.

“They tend to budget improperly because they don’t know what they don’t know. There is more than just the documentation. There is the design and implementation of security controls that need to meet the complex architecture requirements,” Rieger said on the discussion, Simplifying Federal Regulatory Security and Compliance Requirements. “One of the biggest mistakes that companies make is to think that it’s all about the product or the solution. It is as much about the organization going through the process, as it is about delivering a cloud solution or cloud service offering to the government.”

Addition of supply chain risk management

The latest revision of NIST 800-53 is a good example of how it’s an organizational change and focus that need to occur.

The FedRAMP cloud security program office released the new security baselines with the integration NIST 800-53 Revision 5 into the requirements.

Rieger said this means going forward with new FedRAMP authorizations or when companies come up for re-authorization, they will have to demonstrate expanded Supply Chain Risk Management (SCRM) efforts. He said SCRM didn’t appear in Revision 4.

“Going forward, companies will need to have a policy around SCRM. They’ve got to have procedures to support it, plus a plan that didn’t exist before,” he said. “It is the training of the personnel, the hiring, firing, transferring of background checks, and then the entire process of developing the product, including development and testing. That’s the difficult work, but the preparation that goes into developing policies for 17 different NIST families, now 18 with supply chain risk management can be a bit of a culture shock for organizations.”

The same is true for another emerging requirement from FedRAMP, continuous monitoring.

Rieger said this too is more than just a paperwork exercise as it requires daily, weekly, monthly, quarterly, and annual obligations of scanning, reporting and the deployments of new services and capabilities.

“The budgeting for this is something that must be carefully planned for and thought out. It needs to be prepared in a way that organizations have a three-to-five-year budget aligned with the requirements of their system, including things like licensing, hosting costs, as well as the initial assessment and the annual assessments which are all a part of continuous monitoring,” he said. “The personnel expertise and knowledge required for this from engineers and architects as well as security analysts, security managers and officers are typically roles that most companies don’t have in place. Sponsorship is another critical piece of this. Agencies are the ones who accept the risk, and regardless of what path a company goes through to achieve FedRAMP, it’s the agencies that are authorizing and accepting risk at the end of the day.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories

    Election 2024 Foreign Influence

    Microsoft’s anticompetitive behavior weakens its customers’ cybersecurity

    Read more
    Getty Images/iStockphoto/maxkabakov

    CISA’s SILENTSHIELD assessment requires urgent measures

    Read more