
Federal

By Admin

November 13, 2025


U.S. FEDERAL GOVERNMENT
├── Executive Branch
│   ├── Office of Management and Budget (OMB)
│   │   ├── Issues government-wide cybersecurity policies (Circular A-130)
│   │   └── Oversees FISMA reporting
│   ├── Department of Homeland Security (DHS)
│   │   ├── Cybersecurity & Infrastructure Security Agency (CISA)
│   │   │   ├── Oversees Federal civilian cybersecurity under FISMA
│   │   │   ├── Manages CISA KEV Catalog
│   │   │   ├── Issues Binding Operational Directives (BOD)
│   │   │   └── Operates vulnerability/threat portals (CVE, KEV, etc.)
│   │   └── US-CERT (sub-unit of CISA)
│   │       ├── Incident response
│   │       ├── Alerts & advisories
│   │       └── Threat intelligence
│   ├── Department of Commerce
│   │   └── National Institute of Standards and Technology (NIST)
│   │       ├── NIST Risk Mgmt Framework (RMF)
│   │       ├── NIST Cybersecurity Framework (CSF)
│   │       ├── NIST SP 800-53 Security Controls
│   │       ├── NIST SP 800-37 (RMF Process)
│   │       ├── NIST SP 800-171 (CUI Protection)
│   │       ├── NIST SP 800-63 (Digital Identity)
│   │       └── National Vulnerability Database (NVD)
│   │           ├── Hosts CVE scoring (CVSS)
│   │           └── Maps weaknesses to CPE/CWE
│   ├── General Services Administration (GSA)
│   │   └── FedRAMP Program Management Office (PMO)
│   │       ├── Cloud authorization program
│   │       ├── Uses NIST 800-53 controls baseline
│   │       ├── Issues FedRAMP Moderate/High/LI-SaaS baselines
│   │       └── Works with 3PAOs for cloud assessments
│   ├── Department of Defense (DoD)
│   │   ├── DISA (Defense Information Systems Agency)
│   │   │   ├── STIGs (Security Technical Implementation Guides)
│   │   │   └── DoD Cloud SRG
│   │   ├── DoD CIO
│   │   └── DoD RMF (based on NIST RMF + DoD-specific overlays)
│   └── Intelligence Community (ODNI)
│       └── IC Standards (ICD 503)
└── Independent / Federally Supported Organizations
    ├── MITRE Corporation
    │   ├── Maintains CVE Program (with DHS/CISA)
    │   ├── MITRE ATT&CK Framework
    │   ├── MITRE D3FEND
    │   └── MITRE ATLAS (AI threat modeling)
    └── FIRST.org (not federal but works with them)
        └── Maintains CVSS Standard (used by NVD)