Reckless Compliance

Public Sector Compliance Terminology 101


Welcome to this episode of the Emerging Cyber Risk podcast, brought to you by Ignyte. In this episode, Max gives a high-level overview of the key compliance terminology that will be discussed on the podcast. He provides context, definitions, and use cases.

Topics we discuss:

  • Private Sector Defense Industrial Base (Lockheed Martin to small manufacturer)
    • Cloud Service Providers
    • Public Sector Divisions of software companies
  • Federal Agencies (CISA, CMS, etc.)
  • DoD/Armed Services (Army, Air Force, Navy)
  • Intelligence Agencies (CIA, Special Programs, etc.)

Max Aulakh Bio:

Max is the CEO of Ignyte Assurance Platform and a Data Security and Compliance leader delivering DoD-tested security strategies and compliance that safeguard mission-critical IT operations. He has trained and excelled while working for the United States Air Force. He maintained and tested the InfoSec and ComSec functions of network hardware, software, and IT infrastructure for global unclassified and classified networks.

Max Aulakh on LinkedIn

Ignyte Assurance Platform Website

Welcome to Reckless Compliance Podcast, where we learn about unintended consequences of federal compliance, brought to you by ignyteplatform.com. If you’re looking to learn about cyber risk management and get your product into the federal market, this podcast is for you. Or if you’re a security professional within the federal space looking for a community, join us.

We’ll break down tools, tips, and techniques to help you get better and faster to get through the laborious federal accreditation processes. It doesn’t matter what type of system or federal agencies you’re dealing with. If you’ve heard of confusing terms like ATOs, FedRAMP, RMF, DISA STIGs, SAP & SARS, or newer terms like CATO, Big Bang, OSCAL, and SBOMs, we’ll break it down, all one by one. And now, here’s the show. 

Hello everyone, this is Max Aulakh here, host. This is our very first episode, episode 101. In episode 101, I really wanted to focus on terminology. As we go through public sector compliance for this podcast, Reckless Compliance, one thing you’ll notice is that there is so much terminology that gets thrown around, a lot of buzzwords, acronyms, and it’s really just part of the military culture.

We’ve always had a hundred different acronyms, and there’s a lot of reasons for that. Language efficiency, some things are just new technology, new regulations. Basically, you can’t avoid them. And the goal of this podcast episode is to reduce confusion or explain them in simpler terms, so when you’re coming across these terms, you know what they mean and the intent behind them. And one of the things I learned from a friend of mine, his name’s Eric. He’s a counsel attorney, cyber command. He calls this the term of art. Essentially, what that means is these are words that we use that have precise meaning or specialized meaning within a particular field. And within public sector, within cyber compliance and information security, there’s a lot of terms of art. There’s a lot of things that we use, and we tend to use them specifically to mean something very specific or broadly. And sometimes that’s very interchangeable and that can actually hurt us quite a bit in terms of making progress when it comes to compliance initiatives or just getting compliance out of the way to make progress. So we’re going to cover four different areas.

What this means is that depending on where you work within the public sector, and we’ll cover different areas, but depending on where you work, you’re gonna hear different terminology. There’s overlapping terminology that means the same thing, and sometimes that means entirely different. So here are kind of the four areas that are very common in public sector. You have the private sector, we also call that the Defense Industrial Base, or DIB. These are organizations like Lockheed Martin, to small manufacturing shops here in the Midwest. That’s all part of the DIB, the Defense Industrial Base. Underneath that, there’s also CSPs, or Cloud Service Providers. These are organizations like Amazon, or infrastructure software platform companies. There’s a lot of new software companies and platform companies that are also part of the Defense Industrial Base. And then, of course, you have the traditional contractors, recruitment firms, all kinds of firms that provide manpower and resources to the government.

And we consider that the Defense Industrial Base. The Defense Industrial Base has its own set of acronyms that are different from the next area, which is the federal agencies themselves. So the federal agencies are CMS, Center for Medicaid, CISA, DHS, ATF. These are all federal agencies.

And then you have the actual armed services. So the federal agencies like DHS, FBI, and so on, they have, of course, different mission, different terminology on how you do accreditation work, how you do compliance work. Then the DoD themselves. The DoD, you have things like Air Force, Navy, Army, so on and so forth.

And then the last area is any kind of intelligence agencies, CIA, special programs, just anybody that’s working within that particular area, you’re going to hear a different set of acronyms, all with the same intent of enabling security or doing security the right way. But it’s really important to understand these four areas, and this is what dictates what kind of terminology you might hear.

So the other thing we want to talk about is we want to bring these acronyms, all of this terminology, in context of what you might end up working with. So you’ll have different laws that are drivers, like you’ll hear FISMA quite a bit, Federal Information Systems Management Act. You’ll have the data itself, like CUI, Controlled Unclassified Information. You’ll have standards and documents, things like NIST 853, that’s an example of a standard out there, and organizations and stakeholders, like NIST themselves or GSA, Government Services Administration, and of course you have programs, like the FedRAMP program or the program office. So all of these different acronyms, there’s context to them. It’s really important to understand the context so you can work within that right area with the right kind of stakeholders.

So let’s talk about the commercial defense industrial base. What are some of the things that are big right now? And what are those terms? So, CMMC stands for Cybersecurity Maturity Model. It’s fairly new compared to other things out there. It’s been out there for a couple of years, but it’s in early stages of development and it still has to mature. And, you know, November 2023, and some of the data, so that’s the program itself, the Cybersecurity Maturity Model. It’s a certification scheme that they’re still working out. And the professionals that work within this particular area primarily deal with two types of information, CUI and FCI. CUI stands for Controlled Unclassified Information. FCI stands for Federal Contract Information. And there are sub-information types out there, CTI, CDI, controlled technical information, defense information, ITAR, which is international trade, arms regulated data. And then if you’re really old school like me, you’ll see stuff like STINFO, which is scientific and technical information. So that’s kind of the data that we’re trying to secure in the Defense Industrial Base. The primary organization that you’ll get used to is called the AB, stands for the Accreditation Body. It’s a non-profit that is in charge of all of CMMC. And of course, the government agency behind that is called the Defense Contracting Management Agency, or DCMA. DCMA, another acronym for an agency. Now, DCMA has a program office, and that program office is called the DIBCAC, Defense Industrial Base, forgot what CAC stands for, but essentially you can look them up. That program office sits within the DCMA, and DCMA conducts external audits, helps the AB in terms of coordinating with auditors. And that’s a big deal right now for the defense industrial base. And the standards and the laws that they’re using right now, one is called DFARS, Defense Federal Acquisition Regulation 252.204.

And of course, I’ll have all of this available to you, as well as the standard they’re using is something called NIST 800-171. The latest one is revision three, and it’s going through its revision. The other key part of the defense industrial base that you are going to be seeing more and more, it’s called FedRAMP, Federal Risk Authorization Process. It’s for the cloud service provider. So if you’re not a manufacturer, but you’re like an Amazon or any kind of cloud software, cloud native company, one of the things that you have to get through is FedRAMP, which is a different standard. So, it’s a little bit older than CMMC. I think FedRAMP is about a decade old, where CMMC might be only two to three years old. But we want to give this topic a special attention, because a lot of headache goes into trying to comply with the FedRAMP program, and we’ll give that kind of its own section. So, just kind of the recap of the Defense Industrial Base. For the Defense Industrial Base, you’re going to hear acronyms CMMC, CUI, FCI, and STINFO and accreditation boundary, the authorization body, which is in charge of the CMMC standard, and then the Defense Contract Management Agency, DCMA. And then, of course, you’ll hear about the standard, which is NIST 800-171, with the regulation, the law that sits on top of it, as we call it, the DFARS, so the Defense Federal Acquisition Regulations. So that is the commercial defense industrial base set of acronyms.

The next area is the federal agency. So let’s say if you are working with a federal agency, DHS, what are some of the things you’re going to hear there when it comes to public sector compliance? Department of Commerce, Department of Energy, Human Health Services, IRS, a lot of these agencies, they all have to operate the same way. So, the big assurance task, or independent verification and validation, they call it the A&A process, the Authorization and Attestation. Sometimes we use the A&A process interchangeably with RMF or risk management framework. Here, the context is that they’re strictly following 853. So where CMMC uses 171, this uses 853. There’s an older name for this. They call it C&A, or Certification and Accreditation. You may hear this as well. This is what I call a legacy term, and we’ll cover that a little bit later. But as the world goes on, you’re not going to hear about that as much. You’ll hear quite a bit about RMF and the data, right? So just like CMMC, there’s the aspect of, well, what is it that we’re securing? What kind of data? And the way it works for RMF and the authorization, they actually get their data and the security level of their data from another standard called NIST 800-160 Volume 2. It has all the data types like budgeting data, intelligence data. It’s a catalog of different data types, so if you’re a data classification kind of company or an individual, this defines all the data types at a very broad level, right? The government is always talking in a very broad way, so you have to map whatever you’re working with within your agency to those data types. And that data type gets tied into your confidentiality, integrity, availability, in terms of how important is that data. Now, the authority. Why would the agencies have to do this? One of the laws that it falls under, you’ll hear this a lot, FISMA, very old legislation.
I personally believe that it needs to be reformed entirely, but that is exactly what gives the authority to do this. So FISMA stands for Federal Information Systems Management Act. And some professionals might call it Modernization Act, essentially it is to modernize different systems and whatnot. So that’s a law, right? FISMA is a law. And underneath FISMA, each and every agency has to do this accreditation process or the A&A process. And FedRAMP is essentially the single standard, which stands for Federal Risk Assessment Management Program. There’s an office that essentially manages the entire program, and they have their own set of vocabularies and things like that. So some of those are this, right? What kind of things you might hear.

So if you’re an accreditation professional, you’ve already seen these, but if you work in the defense industrial base, now you’re crossing over to the agencies, you’re going to start to see things like PATO, provisional authority to operate, or an agency authority to operate, the JAB ATO, Joint Authority, or Joint Accreditation Board agency to operate. And one of the newer terms is what they’re calling continuous ATO. It’s actually coming, the term is coming out of defense, but the thought process is that whenever we talk about a continuous ATO or cATO, that terminology is trickling down to the federal agencies, which is very good. We’ll cover this term quite a bit, but it’s making its waves right now within the defense or the DoD, which is the next section we’ll talk about. And here are some of the documentation. These are FedRAMP-specific terms. These are very important. You’ll hear these quite a bit, and we’ll define them within our show notes. So, you’ll hear things like SSP, System Security Plan, a SAR, Security Assessment Report, a Security Assessment Plan, SAP, which is a dually used acronym for the intelligence side, where it stands for Special Access Program. But here, in FedRAMP context, it’s System Assessment Plan or Security Assessment Plan, and then the RAR, which is the Readiness Assessment Report. So there’s a lot of other terminology, inheritance, and then of course there’s ConMon, Continuous Monitoring. So if you’re a professional that is getting ready for the public sector to work within the agency side, it’s really important to get to know these acronyms compared to the CMMC side. You’ll also have different roles. So some of the key people that are part of all of this are things like cyber risk assessors, or CRAs. That’s a new term. It’s instead of a SCA, security controls assessor, which is what we do as assessors.
Sometimes we’re just looking at the controls, but really the thought process here is that we shouldn’t really look at the controls, we should look at the risk. How do we assess cyber risk? So, CRAs is a new term that is being used within agencies, and I think it’s good because it’s changing the narrative from just looking at the requirement and the control and focusing on the risk to the actual mission or the agency.

Other acronyms, these are positions and people. A lot of professionals I work with have these titles. I used to have this. So, ISSM, Information System Security Manager, Information System Security Engineer, and an officer. So those are kind of the key team members that are usually doing public sector compliance. And then, of course, you have folks that are validating all of that work. The assessors, the SCA, and then, of course, the AOs, which stands for Authorization Official, and then the Delegated Authorization Representative, and that stands for AODR. So these are the key people. So if you’re within the federal agency side, right, and those are organizations like Department of Commerce, Energy, Human Health Services, IRS, you’re going to hear a lot about FISMA. You’re going to hear a lot about ATOs, Authority to Operate. You’re going to hear a lot about these documents that are built by the federal PMO within, you know, a templated format.

You’re going to hear newer terms like OSCAL, which we’ll get to a little bit later, but it’s really important to have context of what these documents state, what’s the purpose of them, and are they even necessary, because sometimes some of these things are not necessary, and other times they are necessary, depending on the initiative you’re working on. So that’s kind of the context for the federal agencies. Now, let’s say you are going to be working within the Department of Defense itself, the Air Force, the Army, Navy, plain vanilla kind of environment, not anything classified or anything like that. You can separate all of these Department of Defense areas into two big giant categories, classified or unclassified. So we’re going to kind of just cover the unclassified side. There is a separate unclassified and intelligence side of the house, but the good news is this. Once you learn how to work on the unclassified side, there’s a heavy overlap with the classified side of the house. Those will be covered under maybe a separate session, and I’ve got a lot of friends that I’ll probably bring on, and they’re actually a lot better than me on some of these items because they’ve worked on different programs.

So, if you’re working for the DoD, you’re going to hear about some basic tools. You will live and die by something called eMASS. Everybody hates it, but it is what it is. It’s essentially a controls management suite, the government’s version of a governance risk and compliance software, written over a decade ago, outdated at all times, but you’re going to need to know how to work eMASS inside and out. Of course, there is the vulnerability scanner. They call it ACAS. It’s a government version of, I think, Tenable. But that’s essentially their global vulnerability management system that you will learn how to use. And then you will also learn about something called a SCAP scanner. That essentially is to check the actual configurations. We call those STIGs, Security Technical Implementation. So that’s the core of the tooling that you’ll use for traditional on-prem packages. Most of the government is still on-prem. We’re trying to go over to the cloud with a lot of struggles and that’ll introduce a whole new set of technology and stack which we’ll cover in another area. The whole shift into the software factories and things like that.

Now, organizations. You’ll come across a lot of different organizations if you’re working within the DoD. It doesn’t matter if you’re part of the Air Force, Army. One organization that you’ll be centrally tied to is DISA, Defense Information Systems Agency, and DISA writes a lot of standards. They write a lot of different standards that impact our work. One of those standards is what they call the impact levels. This is different than the FedRAMP level, right? The FedRAMP will have high, medium, and low, and DISA will have level 2, 4, 6, right? And I’ll share more about that. But the key here is it’s really, if you’re working within that sector, it’s really important to learn the standards that apply to you. There’s also cloud standards that apply to you. If you’re working within the military and all of a sudden you have to shift your on-prem applications into AWS, Azure, and now Google, you’re going to have to apply a lot of cloud security readiness guides and things like that. The other thing you will hear a lot about in the DoD is cyber inspections. They call those cyber readiness inspections, or CCRIs. That’s really important, and the good news is that this area has the same type of documents as your FedRAMP, so you’re going to hear about SSPs, the POA&Ms, the plan of action and milestones, and so on and so forth. The only caveat here is that instead of these organizations using the plain vanilla NIST risk management framework off of Rev 5, they are using something called CNSSI 1253. It’s another standard for national security systems that’s based off of 853, but they call it CNSSI 1253, and that’s for national security systems. And the other terms, the professionals you’re going to be working with here, the same professionals as I mentioned earlier, the agencies and the DoD, they’re very similar except for the DoD has a lot more rigor or a lot more work, you could say.
But you’re going to have information systems security managers, and so on and so forth, but you’ll still have identified roles as the AO, the authorization official, the designated representative, AODR, the SCAs, security controls assessors, and so on, right? The entire validation team. It doesn’t matter if you have a traditional IT system or you’ve got a cloud system. Somebody within the government has the title of ISSM and AO, and those are the primary people that we work with when it comes to public sector compliance.

So, just to recap, when it comes to DoD, you’re going to have to learn eMASS. Live and die by it. Most people hate it. I’ve never met anybody that’s like, I’m excited to go work with eMASS. You’re going to have to learn ACAS as the vulnerability scanner, and then SCAP scanner as your base toolset. All the DISA standards apply as well, and you’re working with the same set of professionals. So, there are newer terms that are being introduced within the DoD. There’s a concentrated effort in the industry to redefine this process into something better. We still have a lot to learn, so I encourage you to check out things like Big Bang, Party Bus, because there’s a lot of new ways, there’s a lot of innovative ways to do accreditation work. We just haven’t caught up to it. The government hasn’t caught up to it. And also, I would say, I would argue that most software engineers are not necessarily excited about doing accreditation work, right? So it’s on us.

As compliance professionals, accreditation professionals, whatever, security professional, whatever label we want to put on ourselves, it’s up to us to figure out how to modernize the entire process. So you’ll hear things like continuous ATO, real-time, always updated. That’s kind of the pie in the sky. There’s other buzzwords around it. Fast ATO, ATO in a day. Is it possible? Yes. Does it happen a lot? I haven’t seen it happen every day, right? Or a lot. But it is happening. And then, of course, there’s the new legislation around software bill of materials. You’ll hear SBOMs quite a bit, and you’ll hear everything as a platform. There’s a lot of software factories and platformization going on with containers and moving around different workloads. These are all newer efforts, and I think they’re good for our country. But also, the accreditation process is going to radically shift. It’s going to go from being kind of a one-time check to a continuous focus on the process itself. And with this new shift, you’re going to have new types of skills. You’re going to have new types of team members. Instead of just regular IT departments, you’re now working with platform engineers who are familiar with Kubernetes, Docker, Terraform, and essentially all of the different thousands of services, microservices that are available from AWS, and somehow the compliance and the accreditation professionals have to fit within that new paradigm. So I think it’s a very exciting opportunity for us.

The last area I want to cover is this: within the DoD and within the classified side, there is the intelligence community. So the intelligence community has the same kind of obligations, but a lot stricter, obviously, for obvious reasons. But within the intelligence community, you’ll start to hear acronyms like ICD, which stands for Intelligence Community Directive. So instead of going through FISMA and looking at NIST 800-171, there’s an entire new set of acronyms that are available to you, a new set of guidances. So here, you’ll also get involved with the industrial security professionals, which take care of things like background checks, facilities, clearances, the entire program security. There’s guidance out there called the NISPOM. I encourage you to look that up and what that entails. I’ve never been an industrial security professional myself, but you cannot work in that environment without having some of those things taken care of. And here you’ll start to hear words like special access, or PIT, platform IT, MUSAs, which are the multi-user, single-user LANs, those kinds of things, KG-175, TACLANEs, which are essentially high assurance routers. In any kind of, you know, those kinds of environments, the inspection of the system settings is highly critical. You’re going to notice a shift from instead of just focusing on the controls, you’re going to dive deep into the system settings to essentially hunt for internal threats and, of course, external threats. This area is the most risk-averse area within the entire public sector for different reasons, right? And it’s very institutionalized, and the way they work and how they work is very ingrained, so modernizing this particular area for, you know, how do we do regulated delivery of new software, new code into this area is quite challenging, right? So it’s on us as compliance professionals on how do we enable that. Good news is, same set of documents, SSP, POA&Ms, COOPs, standard operating procedures.
You’re gonna have to write all of this stuff, but it’s in different formats, different templates. Sometimes you can use a system like eMASS, sometimes you can’t. Same set of acronyms when it comes to working professionals. AOs as authorization officials, AODRs for designated representatives, and so on and so forth. So within this space, very tight community. I don’t think there’s that many that are doing this level of work. We’ll certainly bring people on this podcast that have worked within this particular environment type, but it is the most risk-averse environment, institutionalized, and somehow we need to figure out how to modernize this particular environment. So just kind of, you know, legacy terms that you might come across. These are very old. You still might see them out there. I don’t have an extensive list, but things like DITSCAP, which is super old. It was the older, two to three decades ago, on how to do security within the government. The DIACAP process, which is about one decade ago, and then C&A, Certification and Accreditation, and the DAA, Designated Authorizing Official. And so these are legacy terms. You still might see those out there depending on the environment. So just to kind of recap, our first episode, I wanted to quickly record this. The intent of this is to just state that depending on the area we’re talking about, whether it’s commercial, defense industrial base, federal agencies, DoD, intelligence, you’re going to have different kinds of acronyms, different terms. And as accreditation professionals, you have to understand the context and where you’re working at, because the same term might mean something entirely different, right? So always be learning.

So just to kind of summarize, recap, we’ve got four distinct areas. Commercial defense industrial base, federal agencies, DoD agencies, and intelligence agencies. I am sure there’s probably 10 to 20 other ways to segment this, and also thousands of other acronyms. But in context of this podcast and this environment that we’re in, these are the most common things that you’ll hear of. So until next time, let me know if there are other terms, other things that you commonly come across. Thank you guys for listening and I will talk to you guys next time.

Thank you for tuning in. If you enjoyed the podcast, head over to ignyteplatform.com slash reckless. You’ll find notes, links, and additional content. Head over to iTunes to subscribe, rate, and leave a review.