Introduction to Different Federal Services
So you're here because you need a federal assessment or you want to pursue a federal assessment and you're not sure where to start. There are a myriad of options. So today we're going to discuss what those options are to hopefully better define your roadmap and determine what makes sense for you and your organization.
Hi, I'm Marci Womack. I'm a federal services practice leader here at Schellman. We've been doing federal assessments, going on 10 years and do hundreds of these annually. We often talk to organizations who are either in the federal space or want to pursue opportunities in the federal space. And there are many assessment and compliance opportunities that they don't know which one makes sense for their organization.
Our goal today is to outline what some of those frameworks are and what the options you have depending on the services that you provide to your customers or the types of data that you're handling on behalf of your customers.
So, of the few different options of federal services or federal assessments that are available to you, one of the hot topics is:
These are generally for cloud service providers that are providing services to federal or state and local governments. And traditionally, they are SaaS/PaaS/IaaS providers that are handling data on behalf of their customers. And what these programs are designed to do is to provide a foundational baseline statement of "here is our security and compliance posture relative to the frameworks and the standards defined therein".
You may also be handling CUI or performing in the DoD space as a parts manufacturer or any type of service provider in the DoD space. And you may be handling CUI (controlled and classified information). At that point, you start getting into:
- NIST 800-171 space (CMMC is the big term and big framework right now)
- DFARS 7012 in those types of areas
So these really matter if you're handling that controlled and classified information, covered defense information, controlled technical information, and that type of thing.
And then lastly, we have a few kind of federal adjacent frameworks like CJIS and MARS-E. So CJIS is the criminal justice information security policy, and this is if you're handling criminal justice information, and MARS-E is for organizations that are providing services related to health care exchanges. So MARS-E may come into play on a state basis or on a national basis, depending on your customer base. And these are federally adjacent. They align with NIST 800-53, which is kind of the foundational framework that's the baseline for many of the other areas that we've discussed today.
These are just some of the assessment frameworks that Schellman can help you with. We can perform gap assessments and compliance assessments. Many of them have their own built-in assessment framework, like FedRAMP or StateRAMP, for example, and CMMC as well. But depending on what your needs are, we can help you understand what your customer is really asking you for and which framework makes sense for you to pursue in terms of assessment.
So I know I just threw out a lot of information, terms, acronyms. It is government, so that's what you get. But we're happy to talk with you. So reach out to us, fill out the contact form on our website and a member of our federal team will get back to you.
About Marci Womack
Marci Womack is a Director in Schellman’s FedRAMP practice and CMMC technical lead, and is based in Denver, CO. Marci has nine years of information security experience across various industries – cloud services, government, and financial services. In addition to performing numerous FedRAMP assessments, Marci has experience assessing organizations for compliance with other federal frameworks, including NIST SP 800-53, DoD CC SRG, NIST SP 800-171, CJIS, MARS-E, IRS 1075, and GLBA (FFIEC).