Resource Library

The Department of Energy’s Office of Inspector General conducted an audit to determine whether an unidentified DOE site effectively manages its cybersecurity program. OIG identified “several areas of immediate concern related to vulnerability management and the authorization of information system operations,” and alerted site management to them. The site is not identified due to the […]

GAO reported in June 2020 that, of the 15 major Department of Defense IT programs selected for review, 11 had decreased their December 2019 cost estimates by 0.03–33.8 percent. In contrast, the remaining four programs experienced increases in their cost estimates, two of them by more than 20 percent. Ten of the 15 programs had […]

In a new report, the Congressional Research Service examines the Department of Defense’s Cybersecurity Maturity Model Certification framework, offering an overview and analysis of issues for Congress associated with the CMMC framework, and discussing congressional considerations related to DoD’s efforts to mitigate cybersecurity risks and vulnerabilities within the defense industrial base in the performance of its […]

In response to a request from Congress for a review of federal agencies’ information and communications technology (ICT) supply chain risk management (SCRM) practices, the Government Accountability Office found that no federal agency had fully implemented the approach. GAO found that few of the 23 civilian Chief Financial Officers Act agencies had implemented seven selected foundational […]

Four new publications from the National Institute of Standards and Technology offer recommendations to federal agencies and manufacturers concerning effective cybersecurity for Internet-of-Things devices. These publications help address challenges raised in the recently signed IoT Cybersecurity Improvement Act of 2020, and begin to provide the guidance it mandates. Together, the four documents — NIST Special […]

In a recent memo on FY2021 requirements under the Federal Information Security Management Act, Office of Management and Budget director Russ Vought established new agency deadlines for implementation of continuous diagnostic and mitigation programs. By the end of FY2021, agencies must certify that they have implemented the CDM Program Data Quality Management Plan and are […]

The Department of Homeland Security Office of Inspector General reviewed the department’s information security program for compliance with Federal Information Security Modernization Act requirements, to determine whether its program and practices adequately and effectively protected data and information systems supporting DHS’ operations and assets for FY 2019. In a report partially redacted for the public, […]

DHS has improved its efforts to secure the nation’s voting systems, but should take additional steps to protect the broader election infrastructure, which includes polling and voting locations and related storage facilities, according to a new report from the DHS Office of Inspector General. The Cybersecurity and Infrastructure Security Agency (CISA) has developed a set […]

The Department of Defense (DoD) has released its eagerly anticipated Interim Rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement two major initiatives: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC). The Interim Rule introduces the related clauses DFARS 252.204-7019, Notice of […]

The Department of Defense has issued an interim rule amending the DFARS to implement a DoD Assessment Methodology and the Cybersecurity Maturity Model Certification framework. DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at 252.204–7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including […]