Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Here at Ignyte, we talk a lot about the major governmental cybersecurity frameworks like FedRAMP and CMMC or the international framework ISO 27001. What we don’t talk about as much – but which is no less important – are smaller-scale or more limited frameworks. SOC is one such framework, and it’s extremely important for those who need it. There’s also a lot of confusion surrounding it, both in business and as a layperson. What is SOC for?

While we talk a lot on this site about the US Government’s various cybersecurity frameworks, like FedRAMP and CMMC, there’s one significant framework that deserves just as much attention: ISO 27001. ISO 27001, being an ISO standard, is an international framework for cybersecurity divorced from any one country’s government.

Seeking a FedRAMP authority to operate is a critical part of any cloud service looking to work with the government in an official capacity. It’s required if you are going to handle controlled unclassified information on behalf of the government or its contractors, and since the requirements trickle down, you don’t even necessarily have to be part of the government’s prime contractors to need your ATO.

The Department of Defense DFARS Cybersecurity Clause, more commonly known as the DoD Cyber Clause (or just DFARS 7012), is the long-standing set of rules the DoD has put in place for all members of the DoD supply chain and defense industrial base. It has also spread beyond those boundaries through the use of DFARS 7012 clauses in contracts for other parts of the federal government.

FedRAMP is the Federal Risk and Authorization Management Program, and it’s one of the most widely used governmental cybersecurity frameworks across the United States. It’s meant to serve as the gatekeeper for any contractor looking to work with the federal government to ensure that everyone across the board has a minimum level of cybersecurity in place to protect themselves, the government, and each other from risks and threats. FedRAMP is not alone.

The overall defense industrial base is growing increasingly aware of the needs of modern information and cyber security. From recent major supply chain attacks to the constant threat of nation-state actors trying to compromise systems, it’s important to be committed to the best security you can implement, no matter where you are in the supply chain. One of the tools provided to you, and required by the Defense Federal Acquisition Regulation Supplement, is the SPRS.

The world of cybersecurity is always changing, with rapid evolution in both threat and response creating a continual churn in knowledge, technology, and standards. Frameworks meant to help protect systems and businesses, especially the government, tend to be comparatively slow. It takes a lot of momentum and effort to get a new framework iteration through the various committees, analysis groups, and other roadblocks necessary to get it approved.

CMMC mandates that companies working as part of the government supply line need to comply with a level of security determined by their handling of controlled information. Identifying the level of compliance necessary for your business is the first step in achieving that compliance. The second step is scoping.

One of the most critical elements of modern information security is encryption. Encryption is a complex field based solely on the arms race between people seeking secure ways to encode and encrypt data at rest and in transit and those seeking to break that encryption. Encryption is extremely commonplace. Most websites you visit use SSL, the Secure Socket Layer, which uses encryption to secure data traveling between your device and the servers hosting the website.

Here at Ignyte, we talk a lot about various overarching information security frameworks, like FedRAMP, CMMC, and ISO 27001. Within these overall frameworks exist a range of smaller and narrower standards, including COMSEC. If you’ve seen COMSEC as a term, you may be passingly familiar with what it is, but if you need to know the details, it’s surprisingly muddy to identify with specificity. So, we decided to talk about it.