Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

As of now, the final rule for the Cybersecurity Maturity Model Certification has been published. The clock is ticking for organizations to make the changes they need to make, adhere to the multi-phase schedule required to achieve certification, and continue their work with the federal government across the board. As organizations, both large and small, start to dig into this work, it becomes increasingly clear that certain individuals and roles are critical to have on hand.

The Cybersecurity Maturity Model Certification, or CMMC, has been a long time coming. It was first developed in 2019, primarily as a way for defense contractors for the Department of Defense to switch from self-attestation to a validated certification. CMMC 1.0 has been in effect since 2020, but there has been a lot of feedback regarding the complexity and clarity of the system, leading to the development of CMMC 2.0.

If you’re a firm that works with foreign governments, in addition to certifications like ISO 27001 that you will generally need to achieve, you will also have to have processes in place for handling foreign government information or FGI. It’s not enough that your internal network is classified and access controlled; you need specific handling processes and procedures for managing FGI separately from other confidential or classified data you may have.

Information and digital security frameworks like FedRAMP, CMMC, and ISO 27001 are not static documents. They provide a static framework for your business to comply with and achieve, but that framework is only valid for so long. Several different forces are in play to ensure that the stipulations and security measures outlined in these frameworks remain valid over time.

In the wide world of information security, there are many different frameworks, standards, and systems in use to help assume a secure stance against threats. Two commonly seen frameworks are SOC 2 and ISO 27001. How do these two stand in comparison to each other, and which one do you need for your business? Let’s discuss.

ISO 27001 is the international standard for information security and protection. It’s roughly equivalent to similar infosec frameworks in the United States, like FedRAMP and CMMC, but the international development, maintenance, and scope of the ISO framework makes it much more commonly seen outside of US Government contracting. In the US, it’s clear that a security framework mandated by the government is required when working as a contractor for the government. What about ISO 27001?

If you’ve spent any length of time reading about the internationally accepted security framework laid out in ISO 27001, you’ve likely come across the term ISMS or Information Security Management System. You may wonder, though; what is the ISMS specifically, how do you set one up, and what does it do for your business? Let’s talk about it.

One of the biggest burdens on any government agency or contractor is dealing with controlled unclassified information, or CUI. This information requires oversight, security, access control, and record-keeping – all part of the general “control” of that information – and keeping track of it all can be a huge task. One way in which this task is made easier is through the process of decontrol.

We’ve talked a lot on this blog about protecting controlled unclassified information, and we’ve mentioned in places some other kinds of information, like classified and secret information, covered defense information, and other protected information. There’s one thing all of this information has in common: it’s generated by the United States government.

We’ve written a lot about various security frameworks, from CMMC to ISO 27001, and throughout all of them, one of the core elements is the need to protect CUI. Information that is controlled at a very high – SECRET, Classified, or other – level is tightly bound by specific rules and can only be handled by select individuals. Completely base, public information is freely available and completely uncontrolled. But there’s a lot of information somewhere in the middle.