Cybersecurity Basics
In the past, federal laws and regulations rarely mentioned "cybersecurity." Instead, they referred to information security, systems security, operations security, data protection, privacy, or something else.
The Department of Defense recently recognized cybersecurity as the foundation supporting the three pillars of the acquisition process: cost, schedule, and performance. With today's focus on securing the digital world, the public and private sectors have begun to standardize a technology-neutral methodology for implementing and assessing an organization's cybersecurity posture.
Cybersecurity refers to the physical and digital controls that protect technological systems, processes, and devices from harm. Historically, these controls centered around securing information systems, or, more recently, information and communications technology (ICT). Information systems and ICT both refer to all of the resources necessary to use, process, store, or transmit information.
Security controls, according to the National Institute of Standards and Technology (NIST), are the measures for safeguarding against and reducing cybersecurity risks. NIST's Risk Management Framework (RMF) operates by assessing an information system for cyber risks and selecting the control measures best suited to mitigate those risks. Controls may be physical, technical, or procedural.
Federal cybersecurity laws and guidance identify each cybersecurity risk by its impact on one of the following five cybersecurity pillars. After the impact is assessed, the risk is assigned an impact level of low, medium, or high. Some risk models focus only on the first three pillars, which make up the CIA Triad. Using the risk assessment processes in the NIST Cybersecurity Framework (CSF) and the RMF, organizations adopt security controls to protect each pillar from cyber threats.
- Confidentiality: An assurance that data has not been made available or disclosed to unauthorized persons or processes.
- Integrity: An assurance that data has not been altered, modified, or deleted without authorization.
- Availability: An assurance of timely and reliable access to data.
- Non-Repudiation: An assurance of the identities of the individuals, accounts, devices, or systems sending and receiving data, so that neither party can later deny participating in the communication.
- Authentication: An assurance of the source and integrity of data, or of the identity of an entity using, storing, or transmitting data.
Information Security
Protections for covered data in use, in transit, and at rest from unauthorized access, use, disclosure, disruption, modification, or destruction. Information security is also called information assurance, data protection, or data privacy.
Network Security
Protections for an organization's ICT infrastructure and traffic from internal and external cybersecurity threats designed to disrupt, degrade, destroy, or deny access to ICT resources.
Application Security
A process in software engineering and application management to protect application software from vulnerabilities through user authentication, authorization management, encryption, logging, and testing.
Operational Security
The analytical process of assessing potential cyber threats and applying countermeasures to those threats to protect ICT functions and access.
Cloud Security
Procedural and technological security measures to protect cloud-based data, processes, and infrastructure. The cloud customer and the cloud service provider (CSP) share responsibility for securing cloud-based services.
Identity & Access Management
Physical and logical controls for managing access to ICT resources. This includes policies and processes for administering network users, assigning individuals' access rights, and enforcing access controls.
Resilience
A business's ability to continue operations during and following a cyber incident. Resilience includes the organization's ability to regain full access to, and function of, its ICT infrastructure.
Historically, the government has allowed the private sector to develop its own standards and practices for protecting cyberspace. While this approach allowed for rapid technological advances and innovation, it also left the government trying to catch up with the private sector. The result has been the federal government's slow development of cybersecurity law through statutes, executive orders, agency policies and regulations, and other publications since the 1970s.
The government has made clear that it cannot mandate minimum cybersecurity standards for the general public. Instead, the government protects cyber operations through contract requirements and clauses, industry-specific regulations, and criminal statutes. For example, most Americans know by now that the Health Insurance Portability & Accountability Act's (HIPAA) Privacy Rule establishes minimum information security standards to secure private health information, or that federal law prohibits the use of certain Chinese telecommunications companies' products in public telecommunications infrastructure.
The Federal Acquisition Regulation (FAR) contains three standard contract clauses that establish minimum cybersecurity requirements for government contractors.
- FAR Clause 52.204-21 lists several cybersecurity controls that contractors must implement to protect federal contract information (FCI).
- FAR Clause 52.224-3 requires contractors with access to information covered by the Privacy Act of 1974 to protect covered information in accordance with the Privacy Act and to undergo annual Privacy Act requirements training.
- FAR Clause 52.239-1 prohibits contractors from publicly disclosing any security controls or practices that they implement to protect covered information and information systems.
Federal agencies supply additional cybersecurity-related contract provisions that require contractors to implement further minimum controls or standards. See the list of agency-specific cybersecurity requirements. In addition to, or instead of, standard contract clauses, agencies may require a contractor to implement certain cybersecurity controls as part of a contract's performance requirements.
Because of the complexity of the federal cybersecurity framework, contractors may be subject to other cybersecurity requirements not expressly stated in statute, regulation, or contracts. View our pages discussing cybersecurity compliance programs and cybersecurity enforcement actions for additional information.
The National Institute of Standards and Technology (NIST) partners with experts across the federal government and the private sector to publish industry standards and best practices for cybersecurity. NIST's Risk Management Framework (RMF) is a technology-neutral process for selecting, implementing, and assessing an organization's cybersecurity controls. Federal agencies must implement NIST's cybersecurity standards, as must some government contractors handling covered information or operating covered information systems. State and local governments may also require implementation of NIST cybersecurity requirements.
Organizations may find it helpful to apply the RMF methodology when implementing NIST's Cybersecurity Framework (CSF) or other NIST publications. GovConCyber's compliance program guidance follows the RMF, CSF, and corporate compliance best practices to help organizations create their own risk management and compliance processes.