NIST Seeks Input on Standards for Protecting Sensitive Government Information
The National Institute of Standards and Technology is updating the security standards that govern the protection of sensitive government information. NIST recently released an initial public draft for comment. The document will be the third version of its existing standard (NIST SP 800-171), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The comment period closes July 14, 2023.
Government Privacy
Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Five – Further Adoption of FedRAMP & StateRAMP
To conclude our series of cybersecurity areas to focus on in 2023 for those who do business with the Federal government, we look at the FedRAMP and StateRAMP developments from 2022. For the rest of this series, see our prior articles (Part One, Part Two, Part Three, and Part Four).
Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Four – Cybersecurity Federal Acquisition Regulation (FAR) Updates
The federal government has continued its efforts to fulfill the requirements set forth in Executive Order 14028, Improving the Nation’s Cybersecurity. For companies that do business with the Federal government, beyond looking at the other issues raised in this series of posts (see here, here and here), these efforts will be important to keep in mind in 2023. There are three efforts underway by the FAR Council to amend the Federal Acquisition Regulations (FAR) related to the Executive Order (in addition to the Secure Software efforts discussed in Part Three).
Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Three – Secure Software Development Attestation Requirements
Today we continue our series (see here and here) with the Office of Management and Budget’s September 2022 memorandum requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by NIST. The new requirements will apply to any third-party software that is used on government information systems or that otherwise “affects” government information. You can read our article about the guidance here.
Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part Two – NIST SP 800-171, Revision 3
In this second part of our series, we look at the long-awaited update to NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which is expected to be released in late spring 2023. NIST SP 800-171 forms the backbone for contractor security requirements in Department of Defense regulations and the CMMC program. It remains unclear if this update will impact the rollout of the CMMC program.
Do Business With the Federal Government? Here’s a 2022 Cybersecurity Recap: Part One – CMMC Developments
As we get settled into the New Year, it is a good time to reflect on your company’s current data security and plans for 2023. In this five-part series, we reflect on the most important cybersecurity developments for companies that do business with the federal government (whether directly or as a supplier or reseller) and what we anticipate in the new year.
NIST Seeks Comments on Cybersecurity Framework Refresh
The National Institute of Standards and Technology (NIST) is seeking comments to improve its Cybersecurity Framework, “Framework for Improving Critical Infrastructure Cybersecurity” (Request for Information available here). The Cybersecurity Framework is a key document providing organizations with standards, guidelines, and best practices to manage cybersecurity risk. With many changes to the cybersecurity landscape since the last update to the Cyber Framework in 2018, NIST hopes to address new threats, capabilities, technologies, and resources. Comments are due by April 25, 2022.
White House Focuses on Improving the Cybersecurity of National Security Systems
President Biden recently signed a National Security Memorandum on cybersecurity. This memorandum was required by an earlier executive order, which we previously have discussed here. The new memorandum (NSM) requires certain network cybersecurity measures for any government information system that is used for highly sensitive national security purposes. The requirements go into effect on a rolling basis over the next 6 months.
NIST Issues Long-Awaited Final Guidance on Security and Privacy Controls – SP 800-53
After many years of being in draft form, NIST recently released its final version of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and protect individuals’ privacy. NIST intends this update to be usable by a more diverse set of consumer groups than previous iterations of the document permitted.
NIST Issues Draft Guidance on Security and Privacy Control Baselines – SP 800-53B
NIST’s new draft guidance, Special Publication 800-53B, Control Baselines for Information Systems and Organizations, provides important information on selecting both security and privacy control baselines for the Federal Government. These control baselines are from NIST Special Publication 800-53 and have been moved to this separate publication “so the SP 800-53 [can] serve as a consolidated catalog of security and privacy controls regardless of how those controls [are] used by different communities of interest.” The new guidance addresses federal information systems and is applicable to information systems used or operated by an agency, a contractor on behalf of an agency, or another organization on behalf of an agency.
NIST Proposes Draft Enhanced Security Requirements for Protecting CUI
NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.