Today, the federal government relies on many external service providers to help execute varying federal missions and business functions using state-of-the-practice information systems. Many federal contractors routinely process, store, and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies. Additionally, federal information is frequently provided to or shared with entities such as State and local governments, colleges and universities, and independent research organizations.
As a contractor or subcontractor to government agencies and organizations, you must provide evidence of protecting Controlled Unclassified Information (CUI) to show FAR/DFARS compliance. This requirement stems from Executive Order 13556, Controlled Unclassified Information, and the Code of Federal Regulations (CFR) 52.204-21, which sets out the 15 “basic” security controls.
If you have received a Corrective Action Report (CAR) from a government agency or prime contractor, you will be required to provide a Plan of Action and Milestones (POA&M) stating the actions you will take to become compliant.