
A Beginner’s Guide to Today’s Top Federal Agency Frameworks

We put together a beginner’s guide to today’s top federal agency frameworks to help you avoid information overload via web search. That’s a genuine possibility with the excess of acronyms and an abundance of data out there. Having everything in one place to support you on your compliance journey just makes sense. Frameworks can be a real brain buster and eat up a lot of your time. Hopefully, this guide simplifies things a little and buys you some more time.


What Are Federal Agency Frameworks? 

Infosec frameworks are a series of documented processes that define policies and procedures around implementing and managing information security controls. That is a long-winded and technical way to explain that they’re a blueprint for managing cybersecurity risk and reducing vulnerabilities. While some frameworks are legally required to conduct business, like GDPR and CCPA, because they apply to specific jurisdictions, others are optional, like SOC 2. Nevertheless, some companies may insist you be SOC 2 compliant to conduct business with their organization. But, you can learn more about those sorts of best practices in A Beginner’s Guide to Today’s Top Security Frameworks.

Federal agency frameworks are similar in the way they’re designed. However, they extend to third parties and vendors working on behalf of federal agencies and are required for businesses.  The frameworks listed below protect federal government information and systems against cyber threats. 


CJIS: Criminal Justice Information Services Security Policy

What Is It?

The CJIS security policy blends presidential and FBI directives, federal laws and the criminal justice community’s Advisory Policy Board decisions. 

How It Works

The CJIS Security Policy establishes minimum security requirements and controls to safeguard criminal justice information (CJI). The CJIS standards include data encryption, wireless networking, remote access, multi-factor authentication and physical security.

There are 13 policy areas which organizations must be acquainted with to satisfy the compliance requirements, which include: 

  • Information Exchange Agreements
  • Security Awareness Training
  • Incident Response
  • Auditing and Accountability
  • Access Control
  • Identification and Authentication
  • Configuration Management
  • Media & Physical Protection
  • Systems and Communications Protection and Information Integrity
  • Formal Audits
  • Personnel Security
  • Mobile Devices

Who It Applies To

All entities, whether law enforcement or a non-criminal justice agency, that access any FBI CJI data must adhere to the security standard.

The CJIS Security Policy applies to any organization accessing, transmitting, storing or creating CJI. That covers fingerprints, identity history, case details, incident records, etc. It doesn’t matter if you’re law enforcement or a non-criminal justice agency: if you need the FBI CJI data, you’re required to be CJIS compliant.

And as more and more law enforcement agencies utilize third-party and cloud-based software, the need to become CJIS compliant extends to many other industries. 

Fun Fact: Because CJIS security requirements are so rigorous, they’re considered a gold standard. So, many other companies outside of law enforcement choose to implement the FBI’s standards to protect their digital properties. They’re similar to NIST but much more robust.


COPPA: Children’s Online Privacy Protection Act  

What Is It?

The Children’s Online Privacy Protection Act (COPPA) is a U.S. federal law designed to, as stated, protect children. It restricts the collection of personal information about juveniles and limits how that information is used, by the operators of internet services and websites. The U.S. Congress passed it in 1998 and the law took effect in April 2000.

How It Works

The Federal Trade Commission enforces the COPPA Rules, which lay out what operators of websites and online services must do to protect children’s privacy and safety online. For example, if COPPA applies to your company, you need to have certain information in your privacy policy and get parental consent before collecting some types of information from kids under 13. Basically, COPPA puts parents in control.

Who It Applies To

TLDR: COPPA applies to operators of websites and online services that collect personal information from kids under 13.

In more detail, you must comply with COPPA if:

  • Your website or online service is directed to children under 13 and you collect personal information from them.
  • Your website or online service is directed to children under 13 and you let others collect personal information from them.
  • Your website or online service is directed to a general audience, but you have actual knowledge that you collect personal information from children under 13.
  • Your company runs an ad network or plug-in, for example, and you have actual knowledge that you collect personal information from users of a website or service directed to children under 13.


FCRA: Fair Credit Reporting Act 

What Is It?

The Fair Credit Reporting Act (FCRA) is U.S. federal legislation passed to promote the accuracy, fairness and privacy of consumer information contained in the files of consumer reporting agencies. That’s a fancy way to say it protects consumers from the willful and/or negligent inclusion of inaccurate information in their credit reports.

How It Works

The FCRA regulates collecting, disseminating, and using consumer information, including consumer credit information. When you stop to think about it, consumer reports are a big deal that impacts every person. Lenders, employers, landlords, and utilities can request them, and those files tip the scale for or against you every time they’re viewed. So the FCRA makes sure there’s a notification in place when there’s an order for your file and that there’s a robust investigation process for flagged information.

Who It Applies To

It applies to: 

  • Consumer Reporting Agencies
  • Credit Card companies
  • Auto Finance companies
  • Mortgage Banking institutions
  • Employers
  • Much more


FedRAMP: The Federal Risk and Authorization Management Program

What Is It?

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is a multi-faceted review process that looks at all aspects of a cloud service provider so that it can fully assess federal agencies’ interactions to ensure security compliance. And it’s probably the most well-known framework on this list of federal agency frameworks.

How It Works

FedRAMP prescribes the security requirements and processes that cloud service providers must follow for the government to use their service. Essentially it allows the federal government to accelerate the adoption of cloud computing. 

The FedRAMP process is straightforward. 

  • First, your organization goes through a readiness assessment. 
  • Next, there is a pre-authorization. 
  • Following that, there is a complete security assessment. 
  • After successfully clearing the full security assessment, the agency authorization process occurs. 
  • Lastly, after everything is deemed compliant, the final step is continuous monitoring that ensures future compliance.

Who It Applies To

Any cloud services that hold federal data must be FedRAMP Authorized. As a U.S. Government-wide program, it applies to all federal agencies. 


FISMA: The Federal Information Security Management Act

What Is It?

The Federal Information Security Management Act (FISMA) is United States legislation that defines a framework of guidelines and security standards to protect government information and operations.

How It Works

Under FISMA, the federal agency that uses a cloud service provider assumes the risk of outsourcing information system management. So FISMA requires agency program officials, chief information officers and inspectors general to implement information security policies and controls to reduce risk to an acceptable level.

FISMA requirements include:

  • Information System Catalog: Every agency requires an inventory of information systems that are operated by or under the control of the agency. The catalog must include an identification of the interfaces between each system and all other systems or networks, including those not operated by or under the control of the agency.

  • Risk Assessments and Management: Each agency should conduct risk assessments to validate its security controls and to determine if any additional controls are needed to protect agency operations (including mission, functions, image, or reputation), agency assets, individuals, other organizations, or the United States.

  • Checks and Balances: All accredited systems are required to monitor a selected set of security controls and the system documentation should be updated to reflect changes and modifications to the system. Continuous monitoring activities include configuration management and control of information system components, security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting.

Who It Applies To

This federal agency framework applies to state agencies that administer federal programs or private businesses and service providers who contract with the U.S. government. 


Pulling it All Together

A Beginner’s Guide to Today’s Top Federal Agency Frameworks covers just a fraction of the numerous complex laws and regulations applicable to organizations in North America. While your InfoSec program should constantly evolve, you don’t want to bite off more than you can chew.

Not sure where to start? We can help. With over 100 years of combined experience working in security, our team of ex-auditors and security veterans know the ins and outs of compliance. We’re happy to help point you in the right direction. After all, safer data benefits everyone. 

Are you interested in turning your security and compliance program into a business advantage? Get a free trial or contact one of our representatives at today.