In the seminal holiday film A Christmas Story, nine-year-old Ralphie Parker uses his diligently earned Little Orphan Annie Secret Society decoder pin to decrypt the secret message from Annie to her fans, only to express disappointment and confusion when he realizes the “secret code” he decrypted is nothing more than a marketing ploy to sell more Ovaltine. Although neither drinking copious amounts of Ovaltine nor possessing a Little Orphan Annie decoder pin are requirements of a federal contractor’s cybersecurity program, the use of encryption—like that employed by Ovaltine and its plucky propagandist—cannot be avoided. The challenge, of course, is approaching encryption in a manner that avoids the same irritating bewilderment experienced by Ralphie Parker. Modern encryption, while inherently and necessarily enigmatic, need not be overcomplicated, and that’s a good thing, because federal contractors, namely Department of Defense contractors, now face specific standards of encryption necessary to meet and maintain certain federal cybersecurity standards or bear the significant risk commensurate with noncompliance. Whether a contractor falls under the auspices of Federal Acquisition Regulation 52.204-21, Defense FAR Supplement 252.204-7012, or the newly unveiled Cybersecurity Maturity Model Certification (CMMC), contractor use of encryption is poised to be a critical element of compliance for the Federal Government over the next decade. This means that contractors must have a working knowledge of federal encryption standards to understand not only how such standards apply to the storage and handling of data but also whether the contractor can truly comply with those standards or have the wherewithal to understand the type of information technology products they are permitted to provide the Government.

Click to read full article.