Federal Compliance Definitions: A Glossary of Terms
The world of compliance is filled with acronyms and abbreviations for some of its more complicated regulation systems and organizations. There is perhaps no better example than the long list of acronyms associated with federal compliance laws. Ensure you and your organization are up to speed on this important terminology by reviewing this list.
Federal Compliance Terms, A-Z
3PAO – Third-Party Assessment Organization
A Third-Party Assessment Organization (3PAO) is an organization that has been certified to help cloud service providers and government agencies meet FedRAMP compliance regulations. By utilizing FedRAMP approved templates, these organizations evaluate cloud-based providers’ systems to ensure transparency and consistency in data security strategies. Per the U.S. General Services Administration’s (GSA), a 3PAO must meet the following requirements:
- Independence and quality management in accordance with International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 17020: 1998 standards.
- Information assurance competence that includes experience with the Federal Information Security Management Act of 2002 (FISMA) and testing security controls.
- Competence in the security assessment of cloud-based information systems.
ATO – Authority to Operate
As part of the Agency authorization process, a Cloud Service Provider (CSP) works directly with the Agency sponsor to review the cloud service’s security package. After the security assessment is completed, the head of the Agency—or their authorized designee—can grant an ATO. This process generally has four phases:
- Partnership Establishment
- Full Security Assessment
- Authorization Process (during which the ATO status is approved)
- Continuous Monitoring
CDI – Covered Defense Information
Covered Defense Information (CDI) is an umbrella term used to describe information that requires protection under DFARS Clause 252.204-7012. It is defined as unclassified Controlled Technical Information (CTI) or other information as described in the Controlled Unclassified Information (CUI) registry that requires safeguarding or dissemination controls. CDI will either be marked or otherwise identified in the contract and provided by DoD in support of the performance of the contract. Additionally, CDI may also be collected, developed, received, transmitted, used or stored by the contractor in the performance of the contract.
CSF – Cybersecurity Framework
A Cybersecurity Framework (CSF) is defined as “voluntary guidance, based on existing guidelines, and practices for organizations to better manage and reduce cybersecurity risk.” It should be organized, adaptable, repeatable and effective, to best ensure marginal risks to valuable company data and information. There are four common kinds of CSFs:
- Payment Card Industry Data Security Standard (PCI DSS)
- International Organization for Standardization (ISO 27001/27002)
- CIS Critical Security Controls
- NIST Framework
CSP – Cloud Service Provider
A Cloud Service Provider (CSP) is a company that offers some component of cloud computing to other businesses or individuals. CSPs make their offerings available as an on-demand, self-provisioning purchase or on a subscription basis. There are three types of CSPs:
- Infrastructure as a Service (IaaS): In this model, the CSP delivers infrastructure components to an organization that would otherwise exist in an in-house data center. Examples include servers, storage and networking as well as the virtualization level, which the IaaS provider hosts in its own data center.
- Software as a Service (SaaS): SaaS vendors offer an assortment of business technologies, including productivity suites, customer relationship management software, healthcare IT software and more.
- Platform as a Service (PaaS): A PaaS service provider offers cloud infrastructure and services that users can access to perform various functions—this type of CSP is most commonly used in software development.
CUI – Controlled Unclassified Information
Controlled Unclassified Information (CUI) is defined as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies—but is not classified under Executive Order 13526 or the Atomic Energy Act.”
FedRAMP – Federal Risk and Authorization Management Program
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization and continuous monitoring for cloud products and services.
FISMA – Federal Information Security Modernization Act of 2014
The Federal Information Security Modernization Act of 2014 (FISMA 2014) is legislation that directs federal government agencies to implement a cybersecurity program that includes independent assessments as well as NIST SP 800-37, Revision 2. FISMA assigns responsibilities to a variety of agencies to ensure the security of data in the federal government. The National Institute of Standards and Technology (NIST) outlines the nine steps towards compliance under FISMA:
- Categorize the information to be protected.
- Select minimum baseline controls.
- Refine controls using a risk assessment procedure.
- Document the controls in the system security plan.
- Implement security controls in appropriate information systems.
- Assess the effectiveness of the security controls once they’ve been implemented.
- Determine agency-level risk to the mission or business case.
- Authorize the information system for processing.
- Monitor the security controls on a continuous basis.
JAB – Joint Authorization Board
The Joint Authorization Board (JAB) is the primary governance and decision-making body for the FedRAMP program. The JAB reviews and provides joint provisional security authorizations on cloud solutions using a standardized baseline approach. Its members include Chief Information Officers from the Department of Defense, the Department of Homeland Security and the General Services Administration. The defined duties for the JAB include:
- Define FedRAMP security and authorization requirements.
- Approve accreditation criteria for third-party assessment organizations (3PAO).
- Establish a priority queue for authorization package reviews.
- Review FedRAMP authorization packages.
- Grant joint provisional authorizations.
- Ensure that provisional authorizations are reviewed and updated regularly.
NIST 800-171 – National Institute of Standards and Technology
The National Institute of Standards in Technology is a physical science laboratory and a non-regulatory agency of the Department of Commerce. Founded in 1901, the agency was established to remove a second-rate measurement infrastructure that was causing the country to lag behind the industrial competitiveness of the UK, Germany and other economic rivals. Today, NIST measurements support the most innovative technology being developed ranging from microscopic medical monitoring devices to communication systems that span the globe.
One such measurement is the National Institute of Standards and Technology Special Publication 800-171, which governs Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. Essentially, this standard defines how to safeguard and distribute material deemed sensitive, though not classified. Developed in a response to the passage of FISMA in 2003, NIST 800-171’s intent was to improve cybersecurity as the industry and the risks surrounding it continued to evolve.
P-ATO – Provisional Authorization to Operate
According to the FedRAMP website, a Provisional Authority to Operate (P-ATO) is permission given to an organization to operate at the Moderate impact level by the FedRAMP Joint Authorization Board (JAB). Essentially, a P-ATO is a preauthorization for an organization that then allows in-house monitoring and implementation of a cybersecurity system.
PMO – Program Management Office
A Program Management Office (PMO) is a group—either internal or external—that sets, maintains and ensures standards for project management across an organization. Their other responsibilities include ensuring that company procedures, practices and operations run smoothly—on time, on budget and all in the same way.
RMF – Risk Management Framework
Developed by NIST, a Risk Management Framework (RMF) is a set of information security policies and standards for organizations. A well-structured RMF provides an effective framework to facilitate decision-making to select appropriate security controls. There are seven recommended steps for implementing an RMF:
- Prepare: The organization must examine its current security measures and identify areas of potential risk or weakness.
- Categorize: Classify and label the information processed, stored and shared, as well as all of the systems the organization relies on.
- Select: Review the categorization and select baseline security controls. Revise and add to the security control baseline as necessary, based on organization assessment of risk and local conditions.
- Implement: Instill the security controls and integrate with legacy systems. Document how the controls are arranged within the system and their effects on the overall environment.
- Assess: Evaluate the security controls to determine their quality and effectiveness.
- Authorize: Top management tests and approves the secured system passed on the accepted risk appetite to operations and assets. Management should also consider the system’s overall impact on individuals and other organizations. Once the level of remaining risk has been identified, the framework can either be authorized or subjected to additional revisions.
- Monitor: An organization should develop an ongoing monitoring and assessment schedule for the security controls. A thorough documentation of results is a must-have.
SSP – System Security Plan
A System Security Plan (SSP) documents the controls that have been selected to moderate the risk of a system. These controls are determined by the Risk Analysis and the FIPS 199. Federal systems—defined as any systems that are funded by federal money—fall into either a Low, Moderate or High category, per NIST’s guidelines. An SSP provides information regarding the system owner, name of the system and lists the security controls selected for the system. Each control listing includes a detailed description that allows the system owner or auditor to confirm the effectiveness of that control.
How A-LIGN Can Help
As a full-service security, compliance and privacy firm, A-LIGN provides organizations a variety of federal assessment services. Our team of assessors have experience in CMMC, FISMA, FedRAMP and NIST 800-171 assessments, and can help you determine which is vital for your organization. Together, we can determine the security requirements your organization needs for an ATO, as well as develop a holistic plan of action to protect your CDI and CUI.