There is no one-size-fits-all blueprint for how to achieve Cybersecurity Maturity Model Certification (CMMC) compliance. The Department of Defense (DoD) can’t mandate a direction for contractors to take, so there are options when it comes to the tools that get you there.
Microsoft has a collection of resources that can help contractors in the Defense Industrial Base (DIB) achieve compliance. Maryam Rahmani, Global Black Belt for the Microsoft 365 Government Cloud and CMMC at Microsoft, will explain Microsoft’s portfolio and how it can be implemented to registered attendees.
Included in the presentation will be Microsoft’s technical reference guide for CMMC 2.0, an overview of the Microsoft compliance ecosystem, and a product placemat for CMMC 2.0.
Rahmani is committed to empowering customers who leverage both Microsoft’s cloud services and Microsoft’s partners’ expertise. As a consultant in cyber risk, she has helped organizations mitigate cyber-related risks by adhering to regulations and standards.
Register for CMMC CON 2022 to gain an understanding of the technology offered by Microsoft that can help you achieve compliance when CMMC 2.0 becomes law.
Who’s Been Playing Solitaire on the Domain Controller?
It’s a classic scene. You’re sorting through the attic and you end up browsing through old memories: photos from a forgotten road trip, souvenirs, and trinkets from your world travels, old board games you bought in a flash of excitement and only played once. Things you once loved, but that now sit unused, gathering dust and taking up space.
In the workplace, computer systems often end up cluttered in the same way. We end up with stacks of unnecessary software sitting around in files and folders where we’ve long stopped looking. But unlike the charming, nostalgic relics lying around the attic, that unused software sitting on your computer might be leaving you open to danger in the form of vicious cyberattacks.
Cybercriminals are constantly looking for ways into your system. Software like browsers (Firefox, Chrome, Edge), plug-ins (Java, Adobe Flash, Silverlight) and random applications (games, messaging apps, etc.) are well-known targets for malware and other forms of attack, particularly if they’re out of date.
This raises the question: how many useless apps are lying around on your system right now, putting your business at unnecessary risk? Here’s how to find out, and what to do about it…
Inventory Your Software Assets
The first step is to dig through your systems and figure out what’s absolutely necessary — and what’s not. If you have a contract that requires compliance with DFARS 252.204-7012, a software inventory is required, but further, it’s just common sense: You have to know what you have before you can protect it.
Nowadays, there’s an app for everything. Chances are that you and your employees have loaded up on them in an attempt to find more efficient ways to manage time, stay connected, or even have more fun at work.
That schedule management software you downloaded may have seemed useful at the time, but if it’s no longer in use then it’s time to send it to the trash.
Any piece of software not essential to your business should be considered potentially harmful and promptly cleared from your system. Delete software installers, remove unnecessary browser add-ons and extensions, and of course, make sure to update any apps that will be sticking around.
Eliminate Redundant Apps
There are so many solutions available for every problem that you’ll often discover you have several applications doing the same job. Figuring out what pieces of software are currently being used to solve the same problem can help you see where you need to cut the fat.
Do you need three browsers, or would one be sufficient? If you’re using Google Hangouts for video conferencing, do you need to have Skype on your system as well?
It’s also a good idea to take a look at the software that was already installed on your device when you took it out of the box. Many new computers, tablets, and mobile devices come pre-packaged with lots of this third-party software, known as bloatware, to increase revenue for the vendor.
If you have bloatware on your systems, you might find that many of these extra apps have sat unused since day one. And some bloatware behaves like spyware, sending information about you and your system to outside agents without your knowledge. If they’re not currently in use, or they’re performing simple functions you can do through more essential applications, consider getting them off of your systems ASAP.
Sometimes system clutter grows out of control simply because we’ve given too many people the green light to do whatever they please. For this reason, it’s probably best to adopt a tougher approach to access privileges.
Keeping your systems clean and organized is undoubtedly easier if you allow fewer people to access and install software. Consider using special permissions to allow only top-level decision-makers to install new software. Carefully monitor who is adding new applications and require that they justify why these programs are needed. And finally, terminate dormant accounts so that hackers can’t use them to infiltrate your system and install malware.
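The cleanup steps above (inventory what is installed, flag the plug-in categories the post names as frequent targets, and find dormant accounts) as an added PowerShell example; this is not CyberSheath’s code, and it assumes an elevated session on a domain-joined Windows host with the RSAT ActiveDirectory module, with the risky-name patterns and the 90-day inactivity window as assumed thresholds.

```powershell
# Added example, not CyberSheath's code: build the software inventory the post calls for,
# flag the categories it names as frequent targets (Java, Flash, Silverlight), and list the
# dormant Active Directory accounts it says to terminate.
# Assumptions: run elevated on a domain-joined Windows host with the RSAT ActiveDirectory
# module; the risky-name patterns and the 90-day inactivity window are assumed thresholds.

$RiskyPatterns = 'Java', 'Flash', 'Silverlight'
$InactiveDays  = 90

# Installed products are recorded under these Uninstall keys (64-bit, 32-bit, per-user).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Inventory = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $name = $_.DisplayName
        # InstallDate, when present, is a yyyyMMdd string; parse it so the list can be aged.
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        [pscustomobject]@{
            Name      = $name
            Version   = $_.DisplayVersion
            Publisher = $_.Publisher
            Installed = $installed
            Risky     = [bool]($RiskyPatterns | Where-Object { $name -like "*$_*" })
        }
    } | Sort-Object Name -Unique

# Keep the full list as evidence for the DFARS 252.204-7012 inventory requirement.
$Inventory | Export-Csv -Path "$env:COMPUTERNAME-software-inventory.csv" -NoTypeInformation

"== Installed software in the high-risk categories (review for removal or update) =="
$Inventory | Where-Object Risky | Format-Table Name, Version, Publisher, Installed -AutoSize

# Dormant accounts: enabled users with no logon inside the window.
Import-Module ActiveDirectory
"== Enabled user accounts with no logon in the last $InactiveDays days =="
Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Sort-Object LastLogonDate |
    Format-Table SamAccountName, LastLogonDate -AutoSize
```

Run it per host (or through your endpoint management tool) and keep the CSV with each run’s date; the dormant-account list is the review queue, not an automatic disable action.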
Get Superior Protection Today
If cleaning house feels like a major job, it’s time to call in reinforcements! CyberSheath’s comprehensive managed cybersecurity services can help you to conduct a professional software risk assessment, simplify your systems, and save you from putting your business at unnecessary risk. Contact Us now to find out how.
Companies are becoming increasingly enamored with the advantages offered by cloud computing. However, many mistakenly assume that once you upload your data, it’s up to the cloud service provider (CSP) to keep it all safe and sound. In reality, most CSPs use what’s known as a shared responsibility model for security, meaning that only certain aspects of your cybersecurity plan are their responsibility. Ultimately, YOU are responsible for the security of YOUR data.
With cybercriminals attacking from every direction, it’s your responsibility to prevent misunderstandings that might lead to damaging data breaches. For this reason, having a full picture of the risks associated with your chosen CSP, along with a clear agreement on roles and responsibilities, is paramount if you hope to keep your sensitive data protected.
Review Your Security Documentation
In the excitement of exploring the capabilities of the cloud, it’s easy to be less than thorough in your assessment of your CSP’s security practices.
However, you need to be sure that your CSP is employing industry-leading incident response tools, consistently auditing its security systems, rigorously testing for weaknesses, and protecting against emerging threats. You can do this by taking a look at your provider’s System Security Plan (SSP).
Reviewing an SSP is the most accurate way to assess the security controls your CSP is implementing. As the main document in a security package, an SSP gives you a detailed report on security protocols and highlights any gaps that may need to be addressed.
If you have a contract that requires compliance with DFARS 252.204-7012, then your CSP must meet the standards set by the FedRAMP moderate level of protection, and support government incident response efforts.
Doing your due diligence and insisting on rigorous compliance certifications, such as SOC 2 Type II or PCI DSS, will give you peace of mind that your CSP is following the latest regulatory measures and maintaining the highest levels of data security.
Treat the Cloud like It’s Your Home
Some businesses are under the illusion that, since the cloud is not an on-site system, it doesn’t need to be treated in the same way they’d treat their personal systems. If you’ve made that mistake, then it’s imperative that you start viewing the cloud like the extension of your business it truly is.
It’s critical to be proactive in this regard, as opposed to waiting for a problem to occur and then addressing your security gaps. In the same way that you don’t allow every employee unrestricted access to your in-house systems, it’s essential to manage and control access to the cloud within your company.
Create written guidelines that specify who can use which cloud services, what data can be stored there, and for which purposes the cloud is to be used. Train your staff on the risks of cloud use and make sure they are aware of the latest trends in cybercrime that affect cloud users.
Encrypting the data you move to and from the cloud is also an absolute must. You want to take particular care to ensure that data is encrypted during transit when it is most open to attacks. Also, verify that your CSP encrypts your data at rest and on backup media to prevent data leaks.
In short, make sure you’re treating the cloud like you would your own home. Lock the doors, turn on the alarms, and train yourself on how to respond to emergencies, so you can sleep easy knowing you’re adequately protected.
Stay Alert About Your Cloud Vendor
The world of cybersecurity moves quickly and, in the event that there’s a breach or a threat concerning your specific vendor, it’s best that you know as soon as possible. If your cloud provider offers security alerts, make sure you have notifications enabled, and check resources such as US-CERT for announcements about threats that have been reported.
Looking for Secure Cloud Solutions?
If you want to stay ahead of developing cyber threats and you’re wondering how to implement strong security measures for your cloud services, let the cloud experts help you. CyberSheath’s cloud solutions are second to none, so contact us now and let us give you a helping hand to keep your business secure.