Mapping Graphic Information

Fips 140: The FIPS 140 series of certifications maintain standards for cryptographic modules used by the government. NIST and associated labs review source code and any subsequent changes before validating a product, the certification of which lasts for about five years or until a vulnerability is discovered. FIPS 140-2 is being phased out for FIPS 140-3 over a few years, updating to a more diversified hardware, software, firmware, and hybrid modeling framework. Many products have FIPS-inside modes, meaning they use or can be configured to use FIPS-validated modules.

Common Criteria: An international standard for mapping a product to evaluation criteria that coordinates between user specification and vendor implementation, with vendors able to bound the scope of analysis for a product, effectively giving buyer and producer a common language to specify requirements. It maps around sixty requirements over several evaluation levels and is widely used in industry and required in federal agencies, with compliance assessed by NIST-approved labs, though the timeline for assessment can take years.

SOC 2: SOC 2 reports detail compliance with American Institute of Certified Public Accountants (AICPA) requirements over a predetermined timeframe in accordance with CPA or other accountant-entity audits. It assesses the security of an entity’s data management practices and infrastructure and is generally accredited to vendor-tied data centers by geography.

ISO 27001: A widely used international standard providing benchmark requirements for information security management systems. It benefits from NIST overlay integration and is audited by accredited third parties.

NDAA '21 835: A new provision to the NDAA that outlines new requirements and responsibilities for DoD’s acquisitions processed, specifically in software security requirements for bid solicitation, the development of standardized code review practices, and integration with extant directives to achieve coordinated cybersecurity requirements for acquisitions policies.

EO 13873: Executive order tasking DHS Secretary with annual assessments of ICT supply chain entities that threaten national security. Responsibility was delegated down to CISA/NRMC and resulted in the development of an ICT framework and criticality assessment, as well as pending work on additional sector analysis, specific product and version analysis, entity analysis, and critical user identification. It also grants Secretary of Commerce ability to prohibit acquisition or transfer at discretion.

FedRAMP: A GSA program that implements a “do once use many” structure for the provision of cloud services to federal agencies. Vendors and their products are vetted by certified third party auditing organizations for use by any federal civilian agency against a range of impact severity levels, and held to several NIST standards, including guidance on continuous monitoring. Its controls overlap with and add on to FISMA compliance requirements.

DoD CMMC: The DoD’s new CMMC program tiers and assesses vendor cybersecurity practices on a five-level range. It is incorporated into contracts and designed to operate with other existing standards, such as DFARS requirements and FedRAMP (both of which are aligning with CMMC level 3). It builds a C3PAO audit onto the existing DFARS requirements and is expected to provide a useful resource across the federal government.

SBOM: NTIA’s proposed and piloted ingredients list for software, the program would held vendors and customers alike track the granular dependencies embedded in their programs and provide a concrete deliverable compatible with acquisition contracts.

FISMA: Originating in 2002 with an overhaul in 2014, the Act enforces the security of federal agency information systems and non-government organizations dealing in governmental CUI (Controlled Unclassified Information). It assigns responsibility to individual agencies for compliance with implementing risk-based security controls for their information systems, sourced from NIST 800-53, and the same for non-governmental organizations dealing with federal information, sourced from NIST 800-171. It requires yearly reports to Congress by agencies and incorporates several other standards and frameworks and is overseen by the OMB.

CFIUS: A Department of Treasury Committee, augmented by FIRRMA 2018, to review and action on national security concerns derived from foreign investments and transactions. Companies involved in foreign acquisition or transaction are reviewed by CFIUS on a transaction basis. CFIUS can authorize or investigate, with the authority to order divestment and mitigation plans.

GSA VRAP: A nascent program included in GSA’s Polaris draft request for proposals that would aggregate classified and unclassified information on vendor supply chain risk for parties to federal contracts.

DFARS: DFARS is DoD’s supplement to the Federal Acquisition Regulation (FAR). It contains specific cybersecurity provisions requiring vendor compliance with security controls sourced from NIST 800-171. Compliance can be determined by federal assessment, third-party audit, or self-assessment, with each method providing different degrees of accreditation. The requirements map to ISO 27001 as well, and defense contracts can be revoked without compliance.

NDAA '19 889: As part of the NDAA FY 2019 enforced by an interim rule issued by DoD, GSA, and NASA, the provision prohibits any executive agency from contracting with entities using equipment, systems, or services sourced from covered companies, including Huawei Company, ZTE Corporation, and more specific cases of several other Chinese affiliated entities.

NIST IR 8286: A broader set of cybersecurity and enterprise risk management improvements guideline, underlining target data collection, analyses, information consolidation, and risk consideration and registers. It also coordinates an overlay between ISO 31000, OMB A-123, SP 800-30, 800-37, and 800-39 and provides a useful gap analysis of the following systemic ICT SCRM issues: lack of standardized risk measures, lack of formal analysis procedures, failure to deal with escalating complexity, system interdependency oversight, and CSRM-ERM miscues.

NDAA '21 836: Requires the development and integration of data management and analytics practices to be available to all DoD in order to inform the ongoing use of acquired digital systems. It effectively requires the DoD to develop, test, demonstrate, and produce policy around the use of a data tracking system for its digital assets and acquisitions to inform acquisition program risk, efficiency, and updates.

NIST IR 8276: A key C SCRM practices overlay drawn from industry lessons and study, summarized as: cross-organizational C SCRM integration, formal program establishment, critical supplier identification and management, supply chain comprehension, supplier collaboration, integration with resilience and improvement activities, full lifecycle planning, and holistic and comprehensive relationship assessment and monitoring.

DoDIN APL: DoDIN’s APL serves as a centralized list for DoD acquired products that have achieved interoperability and cybersecurity authorization against a variety of standards and defense requirements. Fulfilling a combination of lab testing, self-assessment, government certification, and FIPS 140-2 compliance, items can be pulled from the list, and reviews can occur after patches, though may not need to take place based on the scope of product alteration. Full review is required after three years, with the exception of provision of a three-year extension approval. DoD entities must purchase from items on the list where possible.

ICD 731: An intelligence community directive laying out the IC policy for protecting the supply chain throughout the lifecycle of mission critical services and products, delegating roles within the IC and establishing processes for risk assessments, information sharing, best practices, and acquisition methods.

DoDI 5000’s/AAF: The DoD’s Adaptive Acquisition Framework lays out six pathways for vendors to sell products to the Department, sorted by the type of capability being addressed and all under a blanket requirement of cybersecurity. The specific software pathway focuses on more agile requirement development and iteration processes within a more comprehensive lifecycle planning, incorporating other industry best practices such as DevSecOps. The acquisition overhaul is still in its early days but aims to produce more rapid capability development for the DoD.

FISMA: Originating in 2002 with an overhaul in 2014, the Act enforces the security of federal agency information systems and non-government organizations dealing in governmental CUI (Controlled Unclassified Information). It assigns responsibility to individual agencies for compliance with implementing risk-based security controls for their information systems, sourced from NIST 800-53, and the same for non-governmental organizations dealing with federal information, sourced from NIST 800-171. It requires yearly reports to Congress by agencies and incorporates several other standards and frameworks and is overseen by the OMB.

NIST SP 800-161: The NIST special publication providing ICT supply chain risk management guidance specifics to federal agencies and offering risk-management integration practices. The GSA Polaris Draft RFP refers to it for use as a template

DoD JCIDS: The DoD’s Joint Capabilities Integration and Development System (JCIDS) governs the capabilities-development portion of its acquisition process, enabling iteration of desired product capabilities from design to deployment, moving the process toward a more agile disposition, and incorporating a maturation and risk-reduction phase.

NIST SP 800-171: The NIST special publication aggregating controls required for non-federal systems dealing with Controlled Unclassified Information or providing protections for those systems. It sources many of its controls from NIST SP 800-53 and feeds into FISMA, DFARS, and DoD’s CMMC, often supplemented with additional requirements at Department and program discretion.

FedRAMP: A GSA program that implements a “do once use many” structure for the provision of cloud services to federal agencies. Vendors and their products are vetted by certified third party auditing organizations for use by any federal civilian agency against a range of impact severity levels, and held to several NIST standards, including guidance on continuous monitoring. Its controls overlap with and add on to FISMA compliance requirements.