Next-Gen Protection: Exploring the Latest Cybersecurity Framework Updates

The global cybersecurity compliance landscape is constantly evolving, a trend driven by increasingly sophisticated cyber-attacks targeting both government and commercial supply chains.

Hackers have proven just how menacing they can get if allowed to breach unprotected systems. To fend off unprecedented cyber-attacks, organizations must comply with the latest cybersecurity protocols based on the types of sensitive information they handle.  

We’ve prepared a guide to the most recent updates to the major cybersecurity frameworks to help you stay on top of your compliance obligations.


NIST CSF 

The NIST Cybersecurity Framework (CSF) is a comprehensive set of guidelines developed by the National Institute of Standards and Technology (NIST), a United States agency, to encourage compliance with certain government regulations.

Although NIST protocols are primarily targeted at US federal agencies, nongovernmental institutions can equally implement these controls to bolster their cybersecurity hygiene.  

The final draft of NIST’s latest version, NIST CSF 2.0, was unveiled in February 2024 and introduced a new core function known as “Govern.”

True to its name, the Govern function emphasizes the role of governance in managing cybersecurity risk. Organizations must establish the governance structures needed to manage cyber risks while keeping them aligned with their overarching business objectives.

The recently introduced Govern function comes with six categories, namely:

  • Organizational Context (GV.OC)
  • Risk Management Strategy (GV.RM)
  • Cybersecurity Supply Chain Risk Management (GV.SC)
  • Policy (GV.PO)
  • Oversight (GV.OV)
  • Roles, Responsibilities, and Authorities (GV.RR)


CMMC CSF 

The Cybersecurity Maturity Model Certification (CMMC) framework is a cybersecurity assessment program developed by the US Department of Defense (DoD) that makes compliance mandatory for all Defense Industrial Base (DIB) entities. It specifically spells out the procedures for handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

The current CMMC iteration, known as CMMC 2.0, came into effect on December 16, 2024. It’s a simplified form of its previous version, reducing maturity levels from five to three.  

CMMC Level 1 is the foundational level, targeting the protection of FCI. It requires defense contractors to self-assess and report their cybersecurity compliance status annually. Organizations must satisfy 17 controls that align with NIST SP 800-171 and FAR 52.204-21(b)(1).

Level 2 is the expert level and seeks to protect both FCI and CUI. DoD vendors seeking CMMC Level 2 certification must adhere to all 110 security controls in NIST SP 800-171, and audits must be conducted triennially by accredited CMMC third-party assessor organizations (C3PAOs).

Level 3 is CMMC’s most advanced maturity level. It requires organizations to satisfy all Level 2 requirements plus additional controls from NIST SP 800-172 (currently under development). Audits must be conducted triennially by assessors appointed directly by the government.

Other noteworthy changes in CMMC 2.0 include the introduction of Plan of Action and Milestones (POA&Ms), an emphasis on small defense vendors, and phased implementation. 

FAR CSF 

On January 3, 2025, a proposed rule was published under the Federal Acquisition Regulation (FAR) that would standardize workforce requirements for providers of cybersecurity and information technology (IT) support services.

Titled “Strengthening America’s Cybersecurity Workforce (the Proposed Rule),” the FAR proposal seeks to implement a 2019 executive order, ‘America’s Cybersecurity Workforce,’ which was issued to underscore the importance of a strong cybersecurity workforce.

Here are some of the expected changes:

  • Incorporating the National Initiative for Cybersecurity Education Workforce Framework for Cybersecurity (NICE Framework) into the FAR
  • Amending FAR 2.101 to provide distinct definitions for ‘Cybersecurity’ and the ‘NICE Framework’
  • Amending FAR 7.105 to spell out how agencies should define the requisite knowledge, skills, and job descriptions when engaging cybersecurity and IT support services
  • Amending FAR 11.002 to require that existing cybersecurity roles and contractor engagements be aligned with the NICE Framework
  • Amending FAR 12.202 to require that procurement documents for commercial products and services be aligned with the NICE Framework
  • Amending FAR 39.104 to require that procurement documents for cybersecurity and IT support services be aligned with the NICE Framework


FedRAMP CSF 

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide cybersecurity framework that provides a standardized approach to adopting secure cloud solutions. FedRAMP requirements apply to both cloud-based products and services and are designed specifically to protect federal agencies that engage third-party cloud service providers (CSPs).

Given emerging threats to the CSP landscape, the General Services Administration (GSA) – FedRAMP’s oversight body – has proposed and implemented several updates to revamp the framework. One such change is the introduction of a single path to an Authority to Operate (ATO).

An ATO is an official approval that authorizes a cloud service provider to offer its services within the government’s environment. CSPs holding this authorization are deemed to have undergone rigorous security assessments and are certified as meeting the relevant compliance requirements.

FedRAMP’s earlier framework had two distinct paths to an ATO – the JAB (Joint Authorization Board) route and agency authorization. However, the JAB has since been replaced by a seven-member board of technology experts appointed by the Office of Management and Budget (OMB).

Other noteworthy changes include the introduction of the new FedRAMP Board, a Technical Advisory Group, and the Agile Delivery Pilot.


Final Thoughts 

Adhering to these cybersecurity frameworks can bolster your cyber hygiene and protect your supply chain from unforeseen breaches. Where compliance is mandatory, implementing the required controls is critical to avoiding noncompliance penalties.

Remember that all these cybersecurity frameworks are constantly evolving. As such, keeping abreast of new developments is the surest way to stay ahead of compliance requirements.