COMPLIANCE

We bring unparalleled compliance expertise to our clients. CastleLock compliance services are designed to help you meet your compliance requirements and safeguard your sensitive information. With CastleLock there are no more compliance surprises.

The Defense Federal Acquisition Regulation Supplement (DFARS), is a supplement the Federal Acquisition Regulation (FAR) the Department of Defense uses to provide guidelines for procurement of everything the Department of Defense needs to operate. The DFARS is a list of regulations and clauses with requirements to manage the DoD supply chain. DFARS 252.204-7012 is often called out in reference to being DFARS compliant, but while there is no DFARS compliance certification, there are contractual obligations for organizations accepting this clause in their contract. DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, outlines core requirements for organizations collecting, developing, receiving, transmitting, using, or storing Covered Defense Information (CDI) in service of a contract.

The Cybersecurity Maturity Model Certification (CMMC) was first released on January 31, 2020 and is expected to be fully implemented by 2025. Updated in November 2021, the CMMC is the new approach the Department of Defense is using to manage cyber risk in the DoD supply chain. A three-level cumulative maturity framework, all DoD Supply Chain members will be required to meet CMMC level 1 at a minimum and CMMC level 2 if they are collecting, developing, receiving, transmitting, using, or storing Covered Unclassified Information (CUI) in service of a contract. Incorporating controls from NIST 800-171, FAR 52, NIST 800-171B, and others.

A derivative of NIST SP 800-53, the first release of NIST SP 800-171 was published in December of 2016 to address the minimum requirements for protecting Controlled Unclassified Information in nonfederal systems. 110 controls across 14 control families, this control framework is the core requirement, but not the only requirement, for Safeguarding Covered Defense Information in DFARS clause 252.204-7012. If an organization plans to do business with the Department of Defense and that opportunity contains covered defense information, it is important to understand this control framework. CastleLock consultants have been helping organizations understand and achieve full implementation of all 110 controls since the NIST 800-171 draft publication in 2015.

The Federal Information Security Act (FISMA) passed in 2002, forced federal agencies to develop, document and implement an information security program. Using NIST SP 800-53, organizations must document their assessed risk (Low, Moderate, High,) their information system and their remediation plans. Engage CastleLock to provide a FISMA Compliant Security Assessment Plan, System Security Plan with a Plan of Action and Milestones.

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.This standard approach uses NIST SP 800-53 as the core control framework, and grants authorizations to cloud service providers operating at impact level moderate and high. CastleLock provides FedRAMP readiness assessment consultations and authorization package preparation services.

Originally published in 2005, the NIST SP 800-53 publication is nearing its fifth revision. This control framework provides recommended control sets for three different impact levels, low, moderate and high across eighteen different control families and 965 controls. These are the core requirements for Federal Information Security Management Act (FISMA) which are directly applicable to federal organizations. NIST 800-53 is a foundation for other programs such as cloud service providers under a FedRAMP program.