The Schellman Blog

On October 27, 2023, the Office of Management and Budget (OMB) released a draft memorandum titled Modernizing the Federal Risk Authorization Management Program (FedRAMP). Savvy readers may have noticed the parallelism of the 2011 and 2023 FedRAMP memorandums to those for FISMA in 2002 and FISMA 2014—for FISMA, the latter memo focused on "Modernization" in comparison with the former one regarding "Management."

Back in August 2022—while rulemaking for the Cybersecurity Maturity Model Certification (CMMC) was ongoing (as it still is)—the Joint Surveillance Program (JSP) was sanctioned by the DoD and CyberAB as an interim step in the CMMC program that allowed organizations to pursue a formal DIBCAC High (NIST 800-171) assessment.

The Cybersecurity Maturity Model Certification (CMMC) is a framework that aims to better secure federal contract information (FCI) and controlled unclassified information (CUI) that is stored, processed, or transmitted by defense contractors and the entire defense industrial base (DIB). American defense data is incredibly valuable, and that includes highly sensitive personnel records and technical data. As such, the DIB continues to be a prime target for exploitation, and because a leak of such information could endanger the lives of government personnel and service members—not to mention the risk of billions of financial losses. Now, with the enactment of 32 CFR and 48 CFR, the Department of War (DoW) has established the legal basis of CMMC. As a premier CMMC third-party assessor organization (C3PAO) among the first authorized, we’re going to provide a complete introductory overview of this newer certification, including insight into what it constitutes, who will need CMMC, the requirements, and how to get certified so that as we approach the phased enforcement dates, you’ll be able to proceed with confidence.

To become FedRAMP authorized, you must pass the initial, rigorous FedRAMP assessment. But in the following years, you’ll also need to complete Annual Assessments performed by a third-party assessment organization (3PAO) if you’re interested in maintaining that compliance.

With the new SEC Cybersecurity Disclosure Rule requiring both the reporting of material cybersecurity events and the disclosure of cybersecurity programs for public companies, those affected are taking a closer look at cybersecurity frameworks that—while previously considered optional or “nice to have”—could help their organization meet the new regulatory requirements.

The National Institute of Standards and Technology (NIST) has made a significant move in introducing its groundbreaking AI Risk Management Framework (AI RMF). Designed to empower organizations and individuals with comprehensive risk management guidance, the AI RMF aims to create a world where AI can thrive responsibly.

In May of 2021, President Biden issued his Executive Order on Improving the Nation’s Cybersecurity (E0 14028), an EO that took specific and significant aim at federal IT systems as well as the private sector technology and software providers that support it.

Anyone who has ever chosen a workout program likely started with the same goal—to improve their physical health or strength. But in exercise, different people will choose to address different things—some may opt for a comprehensive workout like CrossFit, some may choose martial arts, and others may choose Olympic weightlifting. No matter what approach you choose, you’ll improve your well-being.