Cutting Through the Federal Compliance Confusion
Federal agencies and systems integrators are under immense pressure to comply with a host of various laws, policies and standards. Those regulations shift and evolve to accommodate the emergence of new security threats and technologies, such as cloud and mobility.
Compliance regulations take two key forms: there are regulations agencies must ensure their vendors and solutions adhere to, and regulations they themselves must comply with.
It is often so confusing that agencies use specialized consultants to determine whether a desired IT initiative will result in compliance issues. The Government Accountability Office (GAO) is specifically tasked with regularly auditing public sector organizations for compliance.
Simply put: it’s challenging to navigate – all the letters and numbers create a sort of alphabet soup. Here, we’ll help you cut through the confusion and outline some of the key compliance regulations federal agencies must follow.
The Federal Risk and Authorization Management Program (FedRAMP) is a government standard that applies to cloud and SaaS IT solutions, like Duo, which must be FedRAMP Authorized to be used by federal agencies. FedRAMP is important as it mitigates risk associated with cloud-based solutions.
NIST 800-63-3 is billed as a set of Digital Identity Guidelines authored by the National Institute of Standards and Technology, which is part of the U.S. Department of Commerce. The guidelines provide technical requirements for federal agencies implementing digital identity services and cover identity proofing and authentication of users, including employees, contractors and private individuals. They define the technical requirements of identity proofing, registration, authenticators, management processes, authentication protocols, federation and related assertions. NIST 800-63-3 allows for commercial, off-the-shelf (COTS) IT solutions to stand in place of personal identity verification (PIV) cards and common access cards (CAC) for logical authentication.
Federal Information Processing Standards (FIPS) are a set of standards developed by the federal government for use in computer systems by non-military government agencies and by government contractors and vendors who work with the agencies. FIPS standards describe document processing, encryption algorithms, cryptography and other IT standards.
FARS-CUI, DFARS-CUI and NIST SP 800-171
The [Defense] Federal Acquisition Regulation Supplement (FARS/DFARS) - Controlled Unclassified Information (CUI) regulation and NIST SP 800-171 apply to all non-government organizations (such as federal contractors) that process, store or transmit controlled unclassified information. It mandates “multi-factor authentication for local and network access to privileged accounts.”
The Criminal Justice Information Services (CJIS) Security Policy was designed to provide controls to protect the full lifecycle of criminal justice information in transit and at rest. It covers the hardware, software and infrastructure used by the criminal justice community and provides guidance for the creation, viewing, modification, transmission, dissemination, storage and destruction of criminal justice information. Duo helps with CJIS by protecting data at rest and in motion, providing strong two-factor authentication and through integrations with partners such as NetMotion, which helps protect data.
Homeland Security Presidential Directive 12 (HSPD-12) requires a common identification standard for all federal employees (and most contractors), to be used for physical and logical access to federal facilities and resources.This requirement has primarily been met via PIV/CAC cards.
How Duo Helps
That’s just a small sampling of the myriad compliance regulations federal agencies and systems integrators must consider. It’s a lot for a small team, or an individual, to contend with, but all are necessary protections to ensure data privacy and security.
Duo can help you overcome the compliance confusion by providing a strong authentication solution and the ability to set access policies to ensure compliance is maintained.
For example, Duo offers FedRAMP Authorized authentication solutions, offline MFA functionality to help comply with DFARS-CUI and two-factor authentication to comply with NIST guidelines.
Duo’s trusted access solution is wired for zero-trust security. We work with a broad ecosystem of partners, such as Yubico and its YubiKey hardware for strong two-factor authentication (2FA), and integrate with applications and systems to help agencies along their zero-trust journeys.
With Duo, you get a trusted advisor to ensure your security infrastructure is up to snuff to achieve regulatory compliance and stay that way. We can be your guide through the compliance confusion.