Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

When you think about an IRS publication, you’re probably thinking about the complex forms you need to fill out, usually relating to taxes. That’s not all the IRS publishes, though, and one of the more important documents they maintain is called Publication 1075. When it comes to sensitive information for everyday Americans and private sector businesses, there’s very little more important and more sensitive than tax information.

Information security frameworks like CMMC are not just about enforcing security. They’re about enforcing accountability. That’s why a whole section of controls and rules that make up CMMC centers around incident response and reporting. You can’t just have security in place, but throw your hands up and do nothing if there’s an incident or breach. Nor can you sweep it under the rug and hope no one notices.

Across the ecosystem of federal contractors, a majority of deployments tend to be relatively standard. 80% of them will be FedRAMP impact level Moderate, for example, and most will have a standard set of considerations and concerns, such that a lot of security controls can be automated. It’s those outliers that make FedRAMP challenging.

We’ve talked a lot about the process a business goes through to achieve FedRAMP authorization and the ability to work with a government department or agency. What about the other side of the coin? What happens if you lose that authorization? Depending on how and why, the consequences can range from minimal to dire, so it’s important to know and be prepared.

Every cloud service provider that seeks an authorization to operate with the federal government using the FedRAMP framework has to undergo and pass an audit. Beyond passing the audit, the CSP needs to keep and maintain proof of not just their external audit, but also internal audits, continuous monitoring results, and more.

One thing is certain: every year, the cybersecurity threat environment will evolve. AI tools, advances in computing, the growth of high-powered data centers that can be weaponized, compromised IoT networks, and all of the traditional vectors grow and change. As such, the tools and frameworks we use to resist these attacks will also need to change. While in some years, the evolution of protection is slow and steady, some promise larger shakeups.

Part of the process of achieving ISO 27001 certification is creating the fundamental documents necessary to outline and prove your security. One of those fundamental documents is the SoA, or Statement of Applicability. The statement of applicability is a rundown of all of the ISO 27001 security controls, and a discussion of whether or not that control applies to your business.

If you’ve browsed the FedRAMP marketplace in the interest of using a government-certified service, either as part of your own services or on behalf of an agency, you’ve likely seen the various -aaS designations. The “aaS” stands for “as a Service”, and it’s part of how modern internet services function. What are the different kinds of services, and how do they engage with FedRAMP? The differences can be important.

ISO 27001 is a very useful certification for just about any company operating abroad. Comparable in many ways to NIST-based frameworks like CMMC in the United States, ISO 27001 is an international standard built to help organizations of all sizes, in all industries, across all regions of the world, to obtain a high level of standardized information security.

FedRAMP is a government-wide program meant to ensure a standardized baseline for information security throughout the cloud service providers working with the federal government. It’s a tall order. Setting forth standards that are robust enough to cover all the bases, while being open and flexible enough to cover every CSP, is not easy.