Compliance Requirements in the Federal Sector: Ignore Them at Your Peril.
Doing business with the federal, state, and local governments differs considerably from the regulatory environment of the commercial sector. Government contractors and other third-party vendors need to understand these differences and the compliance requirements that apply to them. Failing to do so can have severe consequences for their organizations. Incredibly, some organizations blissfully continue doing business without strict compliance in hopes that the rules will be relaxed for them. Unfortunately, this is not the case.
There are several compliance requirements that organizations need to be aware of when doing business with the government. The most notable ones are the Federal Acquisition Regulation (FAR), the Defense Federal Acquisition Regulation Supplement (DFARS), and the Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (Uniform Guidance). Each of these regulatory frameworks has its specific requirements that organizations need to adhere to.
Federal agencies and companies doing business with government entities have become more dependent on computerized information systems to carry out their operations as technology has progressed. Regulations have evolved to help ensure the proper operation of these systems and the protection of the data they contain. The Federal Information Security Management Act (FISMA) and the National Institute of Standards and Technology (NIST) 800-53 security control framework are two examples of such regulations. The Federal Risk and Authorization Management Program (FedRAMP) and the Cybersecurity Maturity Model Certification (CMMC) program are two newer initiatives that are also aimed at improving the security of government information systems.
Federal agencies are not the only organizations that must comply with FISMA and NIST 800-53. Any organization that stores, processes, or transmits sensitive government information is subject to the requirements of these regulations. This includes contractors, grantees, and other third-party vendors that do business with the government. Organizations that do not comply with these governance and risk management regulations put themselves at risk in several ways. Failing to comply can result in significant consequences, including loss of data, system outages, and reputational damage. In some cases, it can also lead to civil and criminal penalties, including fines, imprisonment, and debarment from doing business with the government.
These regulations are not arbitrary nice-to-haves; they exist to ensure the safety and security of the country and its citizens. Non-compliance reflects a failure to understand the importance of staying aligned with the federal standards and regulations set forth for public safety and protection. Compliance is not a choice if you want to do business with the government. Organizations that ignore compliance requirements do so at their peril.
Given the recent rise in cybercrimes and intrusions, as well as their continued occurrence, government contractors, providers, and suppliers should take steps now to ensure that their organization is FISMA and NIST 800-53 compliant. Cybersecurity should be given the highest priority, as should ensuring compliance with all applicable regulations. Under the Civil Cyber-Fraud Initiative, the DOJ is expected to bring additional False Claims Act (FCA) claims against government contractors that it believes have failed to meet their cybersecurity obligations. In addition, the initiative is likely to encourage whistleblowers to be more proactive in bringing FCA qui tam suits when they believe their employers are not fulfilling their contractual cybersecurity obligations to the government.
So What is an Organization to Do to Get Out of Peril?
There are several steps that organizations need to take to comply with FedRAMP. The first step is to become a FedRAMP-authorized cloud service provider (CSP). This can be done by submitting an application to the FedRAMP Program Management Office (PMO) and meeting all of the requirements outlined in the application process. Once an organization is approved as a CSP, it will need to develop and implement a security control framework that meets the requirements of FedRAMP. The most common security control framework used for this purpose is NIST 800-53. Organizations will also need to obtain a third-party assessment of their security controls and have their system go through the FedRAMP authorization process. Once an organization has completed all of the steps required to become a FedRAMP-authorized CSP, it will need to maintain its compliance with the program’s requirements on an ongoing basis. This includes periodically assessing its security controls and submitting reports to the FedRAMP PMO. The steps for complying with CMMC are similar to the steps for complying with FedRAMP, and likewise include periodically assessing security controls and submitting reports to the CMMC Accreditation Body.
For more information on FedRAMP, please visit: https://www.fedramp.gov/
For more information on CMMC, please visit: https://www.acq.osd.mil/cmmc/
Strategic Growth & Government Affairs Executive. National Security Veteran. Board Director. Trustee. Investor. "Top 100 Aerospace and Aviation Professionals on LinkedIn" Founding Member Chief DC.
2 years: An absolute “must.” Many new tech companies want to land big govt contracts but don’t invest in the compliance and knowledgeable people to make it happen. Then throw export controls, mandatory training and other forms of government compliance on top of the IT requirements. I advise VC and PE backed companies of the huge risks of avoiding compliance and link them with resources. Many don’t want to hear it or pay for it. As you say, it’s at their peril. Those are the “table stakes” for doing business with the government.
Director, North America Public Sector, Solution Consulting
2 years: Nice! Compliance IS table stakes.
Thanks for posting
Federal Sales Guide/Senior Executive who Builds Industry Intel & Customized Winning Federal Sales Action Plans for Contractors through her ‘Three-Step Program.’ Over 10,000 people and 350 companies trained since 2002.
2 years: Great article, Clara Conti!
Clara, great piece; clear, informative and to-the-point!