Services
Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
Industry Solutions
Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
About Us
About Us
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
 

Introduction to Different Federal Services

Federal Assessments

So you're here because you need a federal assessment or you want to pursue a federal assessment and you're not sure where to start. There are a myriad of options. So today we're going to discuss what those options are to hopefully better define your roadmap and determine what makes sense for you and your organization.

Hi, I'm Marci Womack. I'm a federal services practice leader here at Schellman. We've been doing federal assessments, going on 10 years and do hundreds of these annually. We often talk to organizations who are either in the federal space or want to pursue opportunities in the federal space. And there are many assessment and compliance opportunities that they don't know which one makes sense for their organization.

Our goal today is to outline what some of those frameworks are and what the options you have depending on the services that you provide to your customers or the types of data that you're handling on behalf of your customers.

So the few different options of federal services or federal assessments that are available to you, one of the hot topics is:

These are generally for cloud service providers that are providing services to federal or state and local governments. And traditionally, they are SaaS/PaaS/IaaS providers that are handling data on behalf of their customers. And what these programs are designed to do is to provide a foundational baseline statement of "here is our security and compliance posture relative to the frameworks and the standards defined therein".

You may also be handling CUI or performing in the DoD space as a parts manufacturer or any type of service provider in the DoD space. And you may be handling CUI (controlled and classified information). At that point, you start getting into:

  • NIST 800-171 space (CMMC is the big term and big framework right now)
  • DFARS 7012 in those types of areas

So these really matter if you're handling that controlled and classified information can control defense information control, technical information and that type of thing.

And then lastly, we have a few kind of federal adjacent frameworks like CJIS and MARS-E. So CJIS is the criminal justice information security policy and this is if you're handling criminal justice information and MARS-E is for organizations that are providing services related to health care exchanges. So MARS-E may come into play relative on a state basis or on a national basis, depending on your customer base. And these are federally adjacent. They align with NIST 800-53, which is kind of the foundational framework that's the baseline for many of the other areas that we've discussed today.

These are just some of the assessment frameworks that Schellman can help you with. We can perform gap assessments, compliance assessments. Many of them have their own built in assessment framework like FedRAMP or StateRAMP, for example, CMMC as well. But depending on what your needs are, we can help you understand what your customer is really asking you for and which framework makes sense for you to pursue in terms of assessment.

So I know I just threw out a lot of information, terms, acronyms. It is government, so that's what you get. But we're happy to talk with you. So reach out to us, fill out the contact form on our website and a member of our federal team will get back to you. 

About Marci Womack

Marci Womack is a Managing Director in Schellman’s Federal Practice overseeing both the emerging CMMC assessment program and the established FedRAMP assessment program. Marci also serves as the 3PAO (third party assessment organization) representative on the Federal Secure Cloud Advisory Committee (FSCAC). Prior to joining Schellman in 2016 as a senior associate, Marci worked as a federal contractor implementing and assessing federal cybersecurity programs, as well as an FFIEC/GLBA security controls assessor and consultant. Marci has over 10 years of information security experience across various industries and holds many key certifications, including CISSP, CISA, and CEH. Marci is also experienced in other frameworks, including StateRAMP, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).