Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

As much as some people dislike it, the world is interconnected, and to operate a business successfully, you will have to use the products or services produced by other businesses. Under normal circumstances, this is fine. However, when you’re a contractor looking to work with a department of the federal government, you have to adhere to higher standards.

If you’re part of the defense industrial base and you’re seeking CMMC certification, there’s a very good chance you’re aiming for Level 2. Level 1 is mostly meant for businesses with a focus on federal contract information but not CUI, while Level 3 is meant for businesses handling the most sensitive kinds of CUI; since most businesses fall somewhere in the middle, Level 2 is the most common.

As of the end of last year, DoD contractors have to start paying attention to CMMC, as the Final Rule for CMMC 2.0 is now in force. While the timelines for full CMMC 2.0 compliance have just started, the full compliance process will inevitably take time. There will be mistakes, gaps, and missed items along the way. The accepted way to handle these gaps is through the use of POA&Ms. What are POA&Ms, how do you use them, and what do you need to know for 2025 and beyond?

Governmental cybersecurity is largely focused on federal government agencies. When we talk about FedRAMP, CMMC, DFARS, and other security standards, it’s almost always with an eye toward the governmental agencies and departments that comprise the federal government and the contractors and suppliers that work with them. For private businesses and non-governmental partners, ISO 27001 provides a great security framework. What about the middle ground, though?

Government cybersecurity and information security frameworks are a constant work in progress. Many different frameworks draw their requirements from the National Institute of Standards and Technology, and one of the most important documents for cybersecurity is NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.

Every year that goes by shows an improvement in technology, often by leaps and bounds over previous technology. What used to be the realm of far-off science fiction so unbelievably exotic that it defined genres is now a commonplace reality. With new technology comes new threats. We’ve seen a dramatic increase in digital threats, from the SolarWinds supply line attack, to the compromised Outlook services, to the currently-ongoing Salt Typhoon attack on telecom companies.

Throughout this blog, we often write about both FedRAMP and CMMC as cybersecurity frameworks applied to the federal government and its contractors. These frameworks share a lot of the same DNA stemming from the same resources, and they share the same goal of making the federal government more secure. One significant question you may have, though, is one of practicality. Do CMMC and FedRAMP have reciprocity?

To say that the actions of the Trump administration are having an impact on cybersecurity is an understatement. Executive orders are an important and useful tool that have been used by many presidents for the good of the country – and sometimes for other ends – and some recent executive orders have been aimed at establishing and improving the cybersecurity of the country. Meanwhile, others have, to put it lightly, the opposite impact.

When it comes to overall productivity platforms, collaboration tools, and office suites, the two biggest options dominating the market are the Google G Suite and Microsoft’s Office ecosystem. Whether it’s word processing, team collaboration, IT frameworks, device management, or the entire infrastructure of a business, there’s a pretty good chance one of these two options is going to power the way you operate.

A lot goes into protecting the information security of the nation. The National Institute of Standards and Technology, NIST, maintains a list of security controls under the banner of NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations. Meanwhile, the Federal Risk and Authorization Management Program, or FedRAMP, sets up a framework that makes those security controls apply to governmental agencies and the third-party cloud service providers that work with them.