Cybersecurity assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA), passed in 2002. The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize the cybersecurity posture of US government agencies.
You have heard it enough to make you aim a fire extinguisher at your firewall: “compliance does not mean security”. Compliance work can consume up to 70% of security budgets in Federal government agencies, and it is common to spend more money identifying, documenting, and gaining approval for a remediation than the remediation itself costs.
When it comes to controlling logins and privileges on Unix/Linux servers, Centrify’s philosophy is aligned with modern NIST recommendations, as opposed to traditional vendors whose solutions are centered around a Password Vault. Centrify believes users should login directly as themselves and elevate privileges granularly as needed and authorized.
When it comes to enhancing their cybersecurity postures, federal agencies have to wade through an entire alphabet soup of regulatory compliance guidelines. From the RMF (Risk Management Framework) to FISMA (Federal Information Security Management Act) and DISA STIGs (Defense Information Systems Agency Security Technical Implantation Guides), there are a number of requirements that agencies must implement to satisfy the government’s definition of a secure environment.
Time is running out for federal contractors to comply with the Federal Controlled Unclassified Information (CUI) Program.
What does the CUI Program mean to contractors?
As of December 31, 2017, all federal contracts will require that businesses contracting with the federal government must comply with the Federal CUI rule (32 CFR Part 2002) which strives to eliminate ad-hoc policies and markings that agencies and departments apply to unclassified information that requires safeguarding or dissemination controls.