Doing Business With the U.S. Federal Government? Compliance Is Heating Up Again

2022 has lived up to the saying “nothing is constant but change”.  We’ve encountered big shifts in federal laws, threats of cyberwar, the rapid growth of federal supply chain risk management, and more.  All this activity continues to drive change into the already complex regulatory compliance environment. Governments and governing bodies have been working hard throughout 2022 to get ahead of new cyber threats by announcing a variety of updates to government-related compliance standards. As a result of President Biden’s Executive Order, the Cybersecurity and Infrastructure Security Agency (CISA) has been working to remove barriers to threat information sharing between the private sector and the government. As a result of this effort, we will see stronger cybersecurity standards across the Federal government, improved software supply chain security and the establishment of a cyber safety review board.  Let’s take a look at some of the changes coming down the pipeline. 

Government compliance changes to expect in the next six months 

The uptick in supply chain attacks is driving an emphasis on zero trust as well as updates to the FedRAMP and CMMC frameworks. Federal Supply Chain Risk Management is vital to U.S. security because our nation’s adversaries have become extremely sophisticated in their ability to exploit supply chain vulnerabilities to infiltrate systems, steal intellectual property and much more. To lessen the threat surface, zero trust has become a hot topic and will continue to pick up steam due to the Federal Government recognizing the importance of limiting access to data.  The NIST and FedRAMP frameworks will be implementing zero trust into their controls and if organizations do not follow suit, they will not be doing business with the government in the future.   

Since CMMC 2.0 (Cybersecurity Maturity Model Certification) was released at the end of 2021, there have been many updates. The current plan is for the DFARS Interim Final Rule update to be released in March 2023 and go into effect after a 60-day comment period. To help increase proactive preparation for the framework, a voluntary interim program in which contractors can earn a certification that will be honored when CMMC rulemaking goes into effect, will be released.  

In an effort to enable a more efficient security authorization process for all parties involved, FedRAMP will release FedRAMP Revision 5, based on NIST 800-53 Rev 5. Any CSP doing business with the government will need to spend time within the next six months reviewing the updated controls and guidance to begin addressing any gaps identified. 

NIST is in the process of updating their Framework for Improving Critical Infrastructure Cybersecurity (CSF) and we will most likely see the results roll out in the remainder of 2022. Seeking input from the public (closed in April 2022), NIST’s goal is to make the CSF a more valuable tool, with an added emphasis on privacy risk management to expand its supply chain cybersecurity efforts. 

Using technology to streamline compliance  

Doing business with the government equates to numerous compliance certifications, continuous monitoring and solid policies and procedures.  What if there was a more efficient way to conduct multiple audits and have a positive impact on revenue?  A-SCEND, A-LIGNs compliance management and audit automation software, reduces the time spent preparing for various audits and assessment, deduplicates efforts and improves efficiency.  This SaaS platform allows users to upload evidence and reuse across multiple efforts, transforming the audit process into a well-planned initiative. 

For more information on how A-LIGN can help your organization achieve compliance, contact us today.