In previous years, your customers and the level of assurance they needed to transact with your organization served as the primary driver of your compliance roadmap.
But things have gotten more complicated today. It isn’t just direct customers who can drive your compliance roadmap. Your customer’s customers will also start to dictate the compliance obligations you have to meet. In 2022, additional compliance requirements may be coming your way. And you may also need to do more work to prove that you’re actually complying with existing requirements.
Who’s driving these compliance requirements? One major player is the U.S. government, one of the largest purchasers of goods and services in the country.
The federal government is in the middle of a massive overhaul of its cybersecurity practices. The Biden Administration issued an Executive Order in 2021 mandating that federal agencies meet numerous new security requirements (e.g., use zero trust architecture and MFA) within the next 3 years. The Biden Executive Order also pushes agencies to scrutinize their supply chain. Software providers that want to serve the federal government will need to attest to the integrity of their products and ensure they have controls to govern their own software development processes. But the chain of responsibility doesn’t stop there: these software providers will also push security and compliance requirements down to their suppliers.
Since the federal government spends over $90 billion a year on information technology, the new cybersecurity requirements have a far-reaching impact on private-sector organizations.
Bottom line: Even if you don’t directly contract with the federal government and don’t have plans to do so anytime soon, it’s still quite likely that you’ll need to implement more stringent security policies and controls in your own organization and improve your oversight over suppliers and vendors. You will be on the hook for these compliance obligations because your customers are on the hook to fulfill certain requirements within their contracts with the federal government.
Let’s take a look at two common compliance standards government contractors have to follow and how those requirements will impact you as a company that provides software or processes data for a government contractor.
NIST SP 800-53 Rev. 5
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a mandatory standard for federal information systems, organizations, and agencies. Any large private-sector organization that works with the federal government is likely to align its compliance program to NIST SP 800-53 to maintain the relationship.
NIST SP 800-53 Rev. 5, the latest version, has a new control family on Supply Chain Risk Management. The language in this section is clear and unambiguous: NIST wants organizations to put risk at the heart of supply chain management. This control family emphasizes several key points:
- Organizations are required to have formal risk policies and procedures to identify and manage supply chain risk.
- Organizations need to be aware of the origins and components of the systems they use, so that changes upstream are assessed and documented.
- Organizations must assess suppliers based on identified risks and agreed contractual terms and conditions.
- Organizations must identify key supply chain information related to sensitive operations and systems, and identify security controls to counter the third-party risks associated with those operations and systems.
- Third-party agreements or contracts should clearly spell out any privacy-related controls that third parties must adhere to as part of the development or supply of systems and services.
- Notification agreements must be established so that third parties know when and how to alert the organization in the event of a security incident.
As a vendor that provides a product or service to a private company that contracts with the federal government, you will need to have the security controls your customer expects you to have and attest that you’re meeting the requirements in the contract you maintain with that customer. If you are using a third-party component in your own application, you will also want to know the risks you’re exposed to by using that component. You’ll want to check that the component’s provider has adequate safeguards in place to counter the security risks you’ve identified, and that those controls are spelled out in your contract with that provider.
FedRAMP
The U.S. federal government is one of the largest buyers of cloud technology. In order to protect data stored in the cloud, the General Services Administration (GSA) created the Federal Risk and Authorization Management Program (FedRAMP) to provide a standardized security framework for all cloud products and services that is recognized by all executive agencies. All cloud service providers that want to sell to the federal government must obtain a FedRAMP Authority to Operate (ATO) status either through a federal agency or through the Joint Authorization Board (JAB). FedRAMP also affects the companies that provide software to those cloud service providers (more on this below).
Getting through the FedRAMP process to achieve an Authority to Operate (ATO) from an agency is onerous and can take an organization one to two years. The amount of time and effort needed to get authorization for your cloud service depends on which level of FedRAMP you need to comply with and the maturity of your security program. There are four levels:
- FedRAMP Tailored Low Impact SaaS (LI-SaaS): This is a more streamlined path for cloud providers that don’t store any PII (except to provide login capability), are considered “low-security-impact” as defined by FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems, and host their service within a FedRAMP-authorized platform. To get FedRAMP LI-SaaS, your organization needs a minimum of 37 controls documented and assessed. The remaining controls are either conditional on the situation or may be covered by an attestation.
- Low: For organizations considered low-security-impact, as defined by FIPS Publication 199. There are 125 controls that need to be documented and assessed for this level.
- Moderate: For organizations considered moderate-security-impact, as defined by FIPS Publication 199. There are 325 controls that need to be documented and assessed for this level.
- High-Impact: For organizations considered high-security-impact, as defined by FIPS Publication 199. There are 421 controls that need to be documented and assessed for this level.
It’s important to know that FedRAMP can affect your organization even if you don’t have plans to sell a cloud service to any federal agencies. If you provide a cloud service that gives you access to sensitive customer data and you have customers that need to be FedRAMP authorized, those customers will expect you to come alongside them on the journey. If you do not achieve the proper level of FedRAMP authorization by the time your customer achieves theirs, your customers will no longer be able to use your service at that time.
Adapting to This New Reality: What to Focus on Now
It should be clear by now that the costs of non-compliance are higher than ever before. If you don’t meet the compliance standards, certifications, and/or guidelines your customers expect you to, you may lose existing customers and lose opportunities to win new customers.
Additionally, it’s more important than ever to be truthful when responding to security questionnaires from your customers.
Company leaders must know the ins and outs of their security program before they include the attestation in their agreements between their company and a given customer.
If you have government agencies as customers and your organization does not have sufficient capabilities to safeguard federal information, or if you misrepresent your cybersecurity practices (even by accident), the federal government can take legal action against your organization and key leaders within your company. In fact, the Department of Justice (DOJ) recently launched a new Civil Cyber-Fraud Initiative, which will use the False Claims Act (FCA) to investigate entities and individuals who knowingly submitted false claims to the government.
In addition to allowing the United States to pursue perpetrators of fraud on its own, the FCA allows individuals to file suits on behalf of the government (called “qui tam” suits) against those who have defrauded the government. Private citizens (e.g., employees in an organization) who successfully bring qui tam actions may receive a portion of the government’s recovery. Many Fraud Section investigations and lawsuits arise from such qui tam actions.
Thus, if your leadership asserts that your organization has specific security controls in place when those controls are in fact not present, it is seen as defrauding the federal government. Under the FCA, any person found to have submitted false claims to the government is liable for treble damages plus a per-claim penalty that is adjusted for inflation.
How do you best protect your organization? There are two important steps to take. One, make sure your organization is truly doing enough to effectively protect valuable data and to adhere to the regulatory and customer requirements you’re subject to. This starts with knowing what you have. Company leaders and their compliance team should know how things work: their key systems and processes, what data they’re collecting and processing, and what controls are already in place to help them meet data security and privacy objectives.
Two, stand up an internal process to test, review and validate controls’ effectiveness before your leaders sign off on contracts, security addendums and other agreements with customer organizations. At this time, it’s important to review your controls critically to see if there are gaps given your risks, regulatory requirements, existing processes, and controls. You might review standardized security and privacy controls/guidelines from organizations such as NIST to see if you want to introduce new controls into your organization.
Upon careful review, it’s not unusual for an organization to find that it has controls that are out of date or haven’t been tested in a long time. If a control isn’t functioning as expected, it needs to be retired and replaced with something more effective.
Once you have identified the key gaps and put a remediation plan in place to address your gaps, it’s important to make sure operators of your key systems know the importance of the remediation measures and complete their tasks. Once remediations are completed, controls should be tested again – and evidence on their effectiveness should be collected and retained.
How Hyperproof Can Help
Keeping track of all security controls (including how they work, who’s responsible for them, and how to test them) and collecting evidence of controls’ operating effectiveness can be incredibly tedious when you use homegrown systems and makeshift tools (e.g., Excel spreadsheets, ticketing systems, etc.). When controls aren’t well documented, the risk of not identifying control deficiencies is quite high, and so is the risk of falling out of compliance with your contractual obligations with customers.
You can prevent control failures and maintain compliance much more efficiently by using a compliance software platform such as Hyperproof to centrally manage all controls and orchestrate all of your compliance work.
Hyperproof comes with out-of-the-box templates for numerous security/compliance frameworks, including NIST SP 800-53, the NIST Cybersecurity Framework, the NIST Privacy Framework, FedRAMP (all impact levels), and more. The templates make it easier for an organization to conduct a gap analysis and determine which new controls it would like to implement.
Hyperproof also comes with functionality that allows you to automate the collection of evidence. Leaders can log into Hyperproof, see their organization’s compliance posture in real time, understand the health status of controls, and determine what work’s been done and what work still needs to happen. This gives leaders the assurance they need in order to sign contracts and security agreements with confidence.
Last but not least, Hyperproof offers vendor risk management software that allows you to more easily assess vendor risk and coordinate vendor risk remediation activities.
To learn more about Hyperproof, sign up for a personalized demo.