Goodbye RMF, Hello CSRMC

The Risk Management Framework (RMF) was introduced in 2022 to create a standardized way to measure and manage cybersecurity risk in the federal government. Modeled on standards including the Federal Information Security Modernization Act and NIST Special Publication 800-53, the RMF was a repeatable, structured method for managing cybersecurity risk and ensuring compliance with federal standards. The RMF allowed agencies to identify, understand, prioritize, and reduce risks to their information systems and missions. It informed leaders of security risks, allowing them to make educated decisions about trade-offs between security and mission needs.

While it was designed to be more than a checklist, in practice the RMF had become just that. Rather than engaging with it dynamically, agencies employed highly manual processes that slowed the adoption of much-needed solutions. The process could not keep up with the quickly evolving threat landscape.

FedRAMP 20x Keeps Government Cloud Use Moving

Earlier this year, the General Services Administration (GSA) announced a significant update to the Federal Risk and Authorization Management Program (FedRAMP). Named FedRAMP 20x, the focus of this initiative is on introducing automation to increase the pace of authorizations.

The Phase One pilot of this effort trialed a new approach to FedRAMP Low authorization. This automated process focused on Key Security Indicators (KSIs) rather than the traditional NIST SP 800-53 narrative control set. Vendors meeting the KSIs were granted a 12-month FedRAMP Low authorization. Using this process, the first FedRAMP authorizations were issued in just four months.

The GSA is now kicking off Phase Two, which will look at granting FedRAMP Moderate authorizations. Participation in this pilot is by invitation only, in order to ensure the small FedRAMP staff concentrates its efforts on participants that are well-positioned to achieve Moderate authorization. The focus of this phase, "quality, not quantity," is on fine-tuning automated processes, with a target of 10 approved solutions.

Making Sure Data Centers are Good Neighbors

Artificial intelligence (AI) is having a huge impact on how states and cities deliver services and manage communities. The computing power needed to support this technology requires the construction and management of a multitude of new data centers. This infrastructure has proven to be both a blessing and a curse for localities.

Data centers can transform the economics of a region, bringing a host of benefits to communities, including job creation, tax revenue, and infrastructure upgrades such as investments in clean energy. Additionally, areas with data centers tend to attract companies building technology hubs that provide additional highly paid and highly skilled jobs.

Ready or Not, CMMC is Here

Cybersecurity Maturity Model Certification (CMMC) sets security standards for contractors working with the Department of Defense (DoD) to ensure the data they interact with is protected. The standards have been in place since the introduction of the Defense Federal Acquisition Regulation (DFARS) in 2015, and now, 10 years later, a more formalized compliance process is being implemented.

Starting October 1, 2025, the CMMC clause will start to be used in DoD contracts. This clause requires contractors to align their security practices with the CMMC level required by the contract. While contractors have been required to meet rigorous security standards for some time, whether they did so was determined primarily through self-attestation. This roll-out introduces the need for third-party validation of compliance claims, ensuring the security of the defense supply chain.

Streamlining Government with a Back-to-Basics Approach

Building efficiencies into government requires more than adopting new technologies that automate processes. It also involves updating how the government procures those technologies, as well as other goods and services. Several Executive Orders (EOs) have addressed improving the procurement process across government. In response, some recent updates and guidance show progress is being made in revisiting the requirements companies must meet to sell to the government.

OneGov

The General Services Administration (GSA) was created as a centralized function for the administration of government. This included managing procurement, office space, supplies, and records. Over time, these functions have migrated back into individual agencies for a variety of reasons, a key one being (ironically enough) efficiency. Many agencies started their own contracting vehicles and took on more procurement activity because they felt they could better serve the needs of their workforce and missions themselves. In some cases this was true, but the spread of responsibility led to great duplication of effort and weakened the government's buying power.