Author: Jake Nix, vCISO, JAMIS
At JAMIS Software, we understand the unique requirements of tracking and managing government contracts. Our expertise extends beyond delivering our world class solution and includes understanding and helping our customers, and end-users navigate the complex government contracting and compliance environment.
The government compliance space can be confusing and challenging to navigate, because the requirements that apply to you depend on several factors, including:
- Your organization's relationship with the United States Government:
  - Are you a prime or a sub-contractor?
  - Are you providing a service or a product?
- Whether you maintain (store, process, or transmit) covered data within your own systems, or within third-party systems you use (such as JAMIS Prime). Types of covered data include:
  - Federal Contract Information (FCI);
  - Controlled Unclassified Information (CUI);
  - Covered Defense Information (CDI);
  - Other, more sensitive types, including classified information.
While there are additional considerations that we can help you think through, most government prime and sub-contractors hold either FCI or CUI. Assuming the contractor is providing a service to the government (either directly or on behalf of a prime), this requires compliance with specific cybersecurity frameworks or standards, such as NIST SP 800-171, NIST SP 800-53 (FISMA), and FedRAMP; as the phased rollout continues, some DoD contracts will also require CMMC compliance.
Many solutions on the market advertise that they run on a FedRAMP Authorized Cloud Service Provider, such as Amazon Web Services (AWS), and present this as meeting FedRAMP requirements. This practice creates confusion in two ways. The first and most important point is that hosting your product or service with a FedRAMP authorized provider does not, by itself, make your solution FedRAMP compliant: inheriting controls from the provider can make the authorization process easier, but it does not provide authorization. Be sure to check the FedRAMP Marketplace to verify which offerings are in fact FedRAMP authorized.
Second, and of similar importance, compliance with a standard like FedRAMP can reduce the flexibility of a solution and increase its cost. While cybersecurity hygiene is critical, there must be a balance between risk and cost, and that is why the government space has different regulations and standards, each commensurate with the risk associated with the data being processed, stored, or transmitted.
At JAMIS, we understand our role in this complex environment and the importance of communicating government requirements clearly and transparently. JAMIS has demonstrated its commitment to security and compliance through independent annual external audits against NIST SP 800-171, performed by a FedRAMP Accredited 3PAO (Third-Party Assessment Organization). We have also undergone a CMMC readiness assessment to ensure we have the tools and plans necessary to support clients as this new requirement is formally rolled out.
JAMIS also gives our customers the flexibility to have their instance of JAMIS Prime and their data hosted either in the FedRAMP Authorized AWS Cloud or in a leading-practice, SOC 2 assessed data center operated by Zayo. Regardless of the data center used, JAMIS applies its Vulnerability and Threat Management Standard, as described in our previous post.
We hope this blog has provided you with concise and transparent information about the government contracting and compliance environment, the requirements you may face, and how we can help you meet them. At JAMIS, we believe in being your trusted partner in the government contracting world, not only by providing a best-in-class solution, but also by being an open and educational partner across all aspects of the contracting process.