Deloitte’s NIST capabilities
Helping you to adopt NIST frameworks
As technologies advance and cyber threats continue to grow in number and complexity, many organizations are turning to outside assistance to strengthen the safeguards around their sensitive data. Deloitte’s National Institute of Standards and Technology (NIST) capabilities serve commercial entities that require, or choose, compliance or alignment with NIST-related standards. Our goal is to deliver a consistent level of quality across every NIST engagement. Our team of well-equipped professionals understands the commonalities among the various standards that build on NIST guidance.
Adoption of NIST frameworks and complying with related cybersecurity standards
Deloitte applies its experience and leading practices to assist organizations with NIST adoption and compliance with other cybersecurity frameworks.
The NIST Cybersecurity Framework Core is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors.1 The NIST Cybersecurity Framework comprises five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover. Considered together, these functions provide a high-level, strategic view of the life cycle of an organization's management of cybersecurity risk. The Framework does not define controls of its own; each of its subcategories carries informative references that map the outcome to specific controls in other security frameworks, including ISO/IEC 27001, COBIT 5, CIS CSC, and NIST SP 800-53.
NIST SP 800-53 is a broad catalog of safeguarding measures for many types of computing platforms, including general-purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial and process control systems, and Internet of Things (IoT) devices.2 These safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The measures are designed to:
- Make the information systems we depend on more resistant to attacks
- Limit the damage from attacks when they occur
- Make the systems resilient and able to survive
Largely based on NIST 800-171 r1, the CMMC model was published in January 2020 and was designed with a focus on protecting federal contract information (FCI) and controlled unclassified information (CUI).
It encompasses 17 cybersecurity domains, ranging from access control to situational awareness. These domains consist of 43 capabilities that are supported by 171 practices derived from various cybersecurity frameworks and leading practices.
The CMMC model defines five levels of maturity, each requiring a progressively larger set of practices (for example, level 1 requires only 17 practices, while level 5 requires all 171 practices).
The level of maturity required for DoD contractors will depend on the sensitivity of the DoD information that they are handling; for example, companies that handle highly sensitive information will be required to have a level 5 certification, while the least sensitive will only be required to have a level 1 certification.3
Federal Risk and Authorization Management Program (FedRAMP) provides a cost-effective, risk-based approach for the adoption and use of cloud services.4 Established in December 2011, FedRAMP is the first government-wide security authorization program for the Federal Information Security Management Act (FISMA), which requires each federal agency to develop, document, and implement programmatic information security for systems that support the operations and assets of the agency.5 This also includes systems and services provided or managed by another agency, contractor, or other sources.
FedRAMP processes are designed to assist agencies in meeting FISMA requirements for cloud systems and to address the complexities of cloud systems that create unique challenges for complying with FISMA.
Enhanced Service Organization Control (SOC) 2 reports, also called SOC 2+ reports, are in particular demand today. These reports are used to demonstrate assurance in areas that go beyond the Trust Services Criteria (TSC), including compliance with a wide range of regulatory and industry frameworks, such as those sponsored by NIST and the International Organization for Standardization (ISO), among others. Learn more about Deloitte’s third-party reporting proficiency with SOC 2+.
The bottom line…
Various standards have been developed based on the NIST frameworks, and there are clear commonalities—instances where control and security requirements overlap from standard to standard.
Our skilled professionals can help your organization navigate these complex frameworks by providing the following:
- Consultation on which standards are applicable to your organization
- Gap analyses to identify enhancement areas within your information security architecture, as well as your operational environment
- Readiness and assessment services for the different standards (Deloitte is an authorized FedRAMP Third-Party Assessment Organization)
- Compliance roadmaps for the standard(s) applicable to your organization

Endnotes
1 National Institute of Standards and Technology (NIST), "Cybersecurity Framework," https://www.nist.gov/cyberframework.
2 NIST Computer Security Resource Center, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013, https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final.
3 US Department of Defense, Office of the Under Secretary of Defense for Acquisition & Sustainment, "Cybersecurity Maturity Model Certification," https://www.acq.osd.mil/cmmc.
4 Federal Risk and Authorization Management Program, "Documents," https://www.fedramp.gov/documents.
5 NIST Computer Security Resource Center, "FISMA Background," November 30, 2016, https://csrc.nist.gov/projects/risk-management/detailed-overview.

Let's talk
Akshay Dhawan
Keith Thompson
Louverture C. Jones
Curtis Stewart
