
Guide: What is KMI (Key Management Infrastructure)?

One of the most critical elements of modern information security is encryption. Encryption is a complex field based solely on the arms race between people seeking secure ways to encode and encrypt data at rest and in transit and those seeking to break that encryption. Encryption is extremely commonplace. Most websites you visit use SSL, the Secure Sockets Layer, which uses encryption to secure data traveling between your device and the servers hosting the website.

What is COMSEC? Training, Updates, Audits & More

Here at Ignyte, we talk a lot about various overarching information security frameworks, like FedRAMP, CMMC, and ISO 27001. Within these overall frameworks exist a range of smaller and narrower standards, including COMSEC. If you’ve seen COMSEC as a term, you may be passingly familiar with what it is, but if you need to know the details, they’re surprisingly hard to pin down with any specificity. So, we decided to talk about it.

How to Vet SaaS Apps Using FedRAMP Equivalency

As much as some people dislike it, the world is interconnected, and to operate a business successfully, you will have to use the products or services produced by other businesses. Under normal circumstances, this is fine. However, when you’re a contractor looking to work with a department of the federal government, you have to adhere to higher standards.

CMMC Level 2 Documentation: What Auditors Want to See

If you’re part of the defense industrial base and you’re seeking CMMC certification, there’s a very good chance you’re aiming for Level 2. Level 1 is mostly meant for businesses with a focus on federal contract information but not CUI, while Level 3 is meant for businesses handling the most sensitive kinds of CUI; since most businesses fall somewhere in the middle, Level 2 is the most common.

Guide to POA&M Management for DoD Contractors in 2025

As of the end of last year, DoD contractors have to start paying attention to CMMC, as the Final Rule for CMMC 2.0 is now in force. While the timelines for full CMMC 2.0 compliance have just started, the full compliance process will inevitably take time. There will be mistakes, gaps, and missed items along the way. The accepted way to handle these gaps is through the use of POA&Ms. What are POA&Ms, how do you use them, and what do you need to know for 2025 and beyond?

StateRAMP Fast Track: How to Speed Up Authorization

Governmental cybersecurity is largely focused on federal government agencies. When we talk about FedRAMP, CMMC, DFARS, and other security standards, it’s almost always with an eye toward the governmental agencies and departments that comprise the federal government and the contractors and suppliers that work with them. For private businesses and non-governmental partners, ISO 27001 provides a great security framework. What about the middle ground, though?

NIST SP 800-171 Rev 2 vs Rev 3: What's The Difference?

Government cybersecurity and information security frameworks are a constant work in progress. Many different frameworks draw their requirements from the National Institute of Standards and Technology, and one of the most important documents for cybersecurity is NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Guide: What is the CMMC-AB (Accreditation Body)?

Every year that goes by shows an improvement in technology, often by leaps and bounds over previous technology. What used to be the realm of far-off science fiction so unbelievably exotic that it defined genres is now a commonplace reality. With new technology come new threats. We’ve seen a dramatic increase in digital threats, from the SolarWinds supply chain attack, to the compromised Outlook services, to the ongoing Salt Typhoon attack on telecom companies.

CMMC vs FedRAMP: Do They Share Reciprocity?

Throughout this blog, we often write about both FedRAMP and CMMC as cybersecurity frameworks applied to the federal government and its contractors. These frameworks share a lot of the same DNA stemming from the same resources, and they share the same goal of making the federal government more secure. One significant question you may have, though, is one of practicality. Do CMMC and FedRAMP have reciprocity?

How Recent Executive Orders Are Reshaping Cybersecurity

To say that the actions of the Trump administration are having an impact on cybersecurity is an understatement. Executive orders are an important and useful tool that has been used by many presidents for the good of the country – and sometimes for other ends – and some recent executive orders have been aimed at establishing and improving the cybersecurity of the country. Meanwhile, others have, to put it lightly, the opposite impact.