In recent months, there have been a number of articles and announcements on cybersecurity developments regarding FedRAMP, FISMA, NIST SP 800-53 Rev 5 and NIST CSF 2.0, CMMC, and the SEC. That’s a lot of acronyms to keep track of and keep straight, even if you deal with this alphabet soup of government-related cybersecurity information on a regular basis. For the layperson, it’s a foreign language.
Since October has been Cybersecurity Awareness Month, it was suggested that a quick primer (admittedly drawn from various government and other sources) on what these acronyms are — and aren’t — and where they currently stand might be helpful. And beware…there are even more acronyms that are used below to explain them.
- FedRAMP
What it is: The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide compliance program to help protect unclassified government data and operations in the cloud. It provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP derives its security baselines from two other members of our alphabet soup, FISMA (the Federal Information Security Modernization Act) and NIST (National Institute of Standards and Technology) SP 800-53 (both described below). FedRAMP has also been described as FISMA for the cloud.
Background: FedRAMP was initially created in 2011, not by a law passed by Congress but by executive action (a memo from OMB — the White House’s Office of Management and Budget). Recognizing that this meant it could be significantly modified or even eliminated at the whim of the Executive Branch, Congress finally passed legislation last year to codify the program into law and to make certain reforms in the program (including giving Congress clear statutory oversight authority over it).
How it works: There have been two ways for cloud service providers (CSPs) to receive a FedRAMP Authorization to Operate (ATO) to serve federal agencies: an individual federal agency ATO, or a Provisional Authorization to Operate (P-ATO) from the Joint Authorization Board (JAB). The JAB is the decision-making body for FedRAMP and consists of the chief information officers (CIOs) of the General Services Administration (GSA), Department of Defense (DoD) and Department of Homeland Security (DHS). In either case the CSP is assessed against the NIST SP 800-53 baseline for its impact level (Low, Moderate or High) by an accredited Third Party Assessment Organization (3PAO), and the authorization then depends on continuous monitoring (for example, monthly vulnerability scan results) rather than a one-time review.
Latest developments: On October 27, OMB issued a draft memo updating its guidance to federal agencies that will help them implement the changes required by the new law passed by Congress last year, and which it says is “responsive to developments in Federal cybersecurity and substantial changes to the commercial cloud marketplace that have occurred since the program was established.”
- FISMA
What it is: The Federal Information Security Modernization Act of 2014 (FISMA) is a law that establishes roles and responsibilities for federal agency information technology security. It applies to the cybersecurity of federal civilian agencies (“.gov” entities), and it assigns responsibilities to OMB, DHS, and NIST, and to each civilian agency and its inspector general. It requires that each agency authorize the information systems that it uses. (As noted above, this is similar to FedRAMP’s requirements, only those are for cloud products and services.)
Background: FISMA was first enacted by Congress in 2002 as the Federal Information Security Management Act. It was last updated in 2014 (when Congress also changed “Management” to “Modernization” in the title; at least they avoided having to change the acronym).
How it works: In a nutshell, to promote civilian agency IT cybersecurity, under FISMA the OMB provides agencies strategic support, DHS (through CISA) provides operational support, and each agency executes its own tactical-level cybersecurity actions. FISMA does not require agencies to implement specific cybersecurity strategies or use particular tools; however, it requires civilian agencies to follow any cybersecurity guidance issued by OMB and any NIST cybersecurity standards (such as SP 800-53, explained in the next item).
Latest developments: Congress has been attempting to update the 2014 law for several years and may finally do so this year (or, at the pace Congress moves, probably next year), as there seems to be a fair degree of bi-partisan consensus on the components of draft legislation being bounced around by the key players in the House and Senate. But stay tuned — Congress is more unpredictable than ever this year and has often been easily distracted, and the actual bill language still has to be agreed to, even if there is consensus on the components.
- NIST SP 800-53 Rev. 5
What it is: The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 — Security and Privacy Controls for Information Systems and Organizations provides federal civilian agencies with a catalog of security and privacy requirements which agencies must implement for their IT systems. While it does not directly apply to government information systems related to national security, a companion document (the Committee on National Security Systems [CNSS] Instruction No. 1253, Security Categorization and Control Selection for National Security Systems) is largely based on NIST SP 800-53 and does apply to such national security systems.
Background: NIST is a non-regulatory agency housed within the U.S. Commerce Department. While it doesn’t issue regulations, it does issue standards, publications (such as 800-53) and other guidance which, with respect to cybersecurity, help agencies with meeting FISMA and other federal cybersecurity requirements. NIST SP 800-53 was originally released in 2005 and has since been updated a number of times – the final version of the most recent updated Revision (“Rev. 5”) was issued in 2020 and extended the guidance’s coverage to non-federal organizations.
How it works: As noted above, it provides federal agencies with a catalog of security and privacy controls that agencies must implement for their IT systems, and current law (FISMA) requires agencies to use the latest 800-53 standards (currently Rev. 5). Agencies do not apply every control: a system is first categorized (Low, Moderate or High) and then assigned the corresponding baseline from the companion document SP 800-53B, which the agency tailors to its own risks.
Latest Developments: After Rev. 5 was issued in 2020, NIST released the matching assessment procedures (SP 800-53A Rev. 5) in January 2022. More recently, on October 17, 2023, NIST issued one new proposed control and two control enhancements with corresponding assessment procedures for SP 800-53, with an expedited two-week public comment period. NIST will also issue a patch release, SP 800-53 Release 5.1.1, in early November 2023.
- NIST CSF 2.0
What it is: The NIST Cybersecurity Framework (CSF) is a set of guidelines and best practices to help organizations understand, reduce and communicate about cybersecurity risks. It is among the most widely adopted cybersecurity frameworks in the world.
Background: In 2013, an executive order issued by President Obama directed NIST to lead a public/private sector effort to develop a cybersecurity framework of standards and best practices for protecting critical infrastructure (CI). NIST subsequently developed and issued version 1.0 of the CSF in 2014, which was focused on helping CI owners and operators mitigate cybersecurity risks. A modification was released in 2018 as version 1.1.
How it works: The CSF is flexible guidance organized around five core functions: identify, protect, detect, respond and recover. More specifically, according to NIST, it was developed “based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk…It was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.” While the CSF “provides a series of outcomes to address cybersecurity risks, it does not specify the actions to take to meet the outcomes.” Indeed, NIST advises, “Because standards, technologies, risks, and business requirements vary by organization, the Framework should be customized by different sectors and individual organizations to best suit their risks, situations, and needs.” In practice, the CSF is not a substitute for a control catalog such as SP 800-53: each CSF outcome maps to controls in other standards, and organizations use it to describe a current and target profile rather than to pass an assessment. Of note, while the CSF remains voluntary for private sector CI organizations, a 2017 Executive Order issued by President Trump mandated its use by federal agencies, and subsequent OMB guidance has provided direction to help agencies implement the CSF in a way that is tailored to their respective individual needs.
Latest developments: On August 8, 2023, NIST released for public comment a draft of its Cybersecurity Framework version 2.0, the first major overhaul of the CSF since its 2014 release. The new draft CSF 2.0 reflects the large changes in the cybersecurity landscape since 2014. Like the previous version, it provides guidance to industry, government agencies, and other organizations to reduce cybersecurity risks. NIST says that it offers a “taxonomy of high-level cybersecurity outcomes that can be used by any organization – regardless of its size, sector, or maturity – to better understand, assess, prioritize, and communicate its cybersecurity efforts.” To do this, CSF 2.0 expands the scope of the guidance, which previously applied to CI organizations (and subsequently, per OMB, to federal agencies), to encompass all organizations, regardless of their type or size. Finally, CSF 2.0 adds a sixth core function, govern, to the guidance, covering the organizational context, risk management strategy, roles and policies that the other five functions depend on.
After its review of public comments, which are due November 4, NIST is expected to announce at some point its next steps on the draft CSF 2.0.
- CMMC
What it is: The Cybersecurity Maturity Model Certification (CMMC) program is a Department of Defense initiative under which DoD contractors will be required to implement and verify specified cybersecurity controls for the protection of unclassified DoD data (Federal Contract Information and Controlled Unclassified Information). The security rigor of these controls is commensurate with the sensitivity of the data. Under CMMC 2.0 there are three levels, with Level 3 providing the most robust security. The prescribed levels not only identify the minimum requirements for protecting DoD unclassified data, but they also drive the verification activities. Organizations that have Level 1 contracts and some Level 2 contracts will be permitted to self-assess their implementation of the CMMC security controls. The majority of Level 2 contracts require an assessment by a CMMC Third-Party Assessment Organization (C3PAO) to confirm that the contractor complies with the cybersecurity requirements, and Level 3 assessments are led by the government (DoD’s Defense Industrial Base Cybersecurity Assessment Center, DIBCAC) on top of a C3PAO Level 2 assessment. (Star Wars fans obviously love the program’s use of the C3PAO acronym.)
Background: DoD began work in early 2019 to develop the CMMC framework. DoD originally anticipated fully implementing the CMMC framework over a five-year period, and thus fully applying it to DoD-covered contracts, perhaps starting in Fiscal Year 2024. However, progress on the framework has been somewhat erratic. Responding to a variety of concerns raised about the initial draft CMMC framework, in November 2021, the Pentagon announced a number of changes and retitled the revised effort CMMC 2.0.
How it works: The CMMC framework would establish a “verification mechanism” for all prime contractors and subcontractors seeking to do business with DoD. Depending on the level specified in the contract, a contractor must self-assess, obtain certification from an accredited C3PAO, or undergo a government-led assessment confirming that its in-house cybersecurity practices and processes meet the required standard; at Level 2 that standard is the 110 security requirements of NIST SP 800-171, so a contractor’s existing SP 800-171 implementation and System Security Plan are the starting point for any CMMC assessment.
Latest Developments: In July 2023, the Pentagon forwarded the proposed CMMC 2.0 rule to OMB for final review. OMB was reportedly expected to release the proposed rule in September (which obviously slipped). But whenever it is released, the rule may not become fully effective for another year.
- The SEC’s New Cyber Requirements
What it is: The Securities and Exchange Commission (SEC) is an independent agency that regulates publicly traded companies. (NOTE: This SEC is NOT the conference of universities in the southeastern U.S. that has dominated college football for years.) The agency’s stated mission is to protect investors, promote fairness in the securities markets, and share information about companies and investment professionals to help investors make informed decisions and invest with confidence.
As part of this mission, the SEC worked over the past year and a half on new regulatory requirements for publicly traded companies, specifically to require them to disclose within specified timeframes information regarding “material” cyber incidents, as well as their cyber risk and governance efforts.
Background: In March 2022, the SEC first proposed these new cybersecurity risk management and disclosure rules for publicly traded companies. On July 26 of this year, after making some changes, the SEC approved/adopted the final rules for disclosing “material” cybersecurity incidents and required reporting on risk management and governance.
How it works: Companies that are registered with the SEC must 1) disclose “material” cybersecurity incidents on Form 8-K (new Item 1.05) within four business days of determining that an incident is material; the four-day clock runs from the materiality determination, not from discovery, but the rule requires that determination to be made “without unreasonable delay” after discovery; 2) provide updated disclosures (by amending the Form 8-K) when required information was not determined or was unavailable at the time of the initial filing; 3) make the above disclosures regardless of sector or other legal reporting requirements (such as those found in the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA); and 4) make “periodic disclosures” in their annual reports (Form 10-K, under new Regulation S-K Item 106) about their cybersecurity defense posture, including details of their internal processes for cyber threat mitigation, their board of directors’ oversight of cyber risks, and management’s role and expertise in assessing and managing material risks from cybersecurity threats. The rule does not define “material” anew; it relies on the existing, broad (i.e., subject to interpretation) securities-law standard under which information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important.” The only delay the rule permits is when the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. For incident responders, the practical consequence is that a playbook now needs a documented, time-stamped materiality determination step involving legal and the disclosure committee, since that timestamp starts the regulatory clock.
Latest developments: With the above-mentioned final approval by the SEC on July 26, 2023, the rule became effective on September 5, 2023. Companies must comply with the new rule’s incident-reporting (Form 8-K Item 1.05) provisions beginning December 18, 2023 (smaller reporting companies have until June 15, 2024), and all registered companies must comply with the rule’s annual disclosure requirements for annual reports for fiscal years ending on or after December 15, 2023. Companies are now taking the steps needed to comply with these requirements in advance of these deadlines.
In conclusion, the above is only the tip of the iceberg when it comes to cybersecurity’s alphabet soup of acronyms. But it can, at least, serve as an introduction and help the average layperson who sees them in the news better understand these terms.