As cyberattacks become ever more prevalent and sophisticated, it’s important to remind your employees to practice good cyber hygiene to help protect your company and your intellectual property. One of the ways that bad actors infiltrate organizations is through a form of social engineering called phishing.

Phishing is a cybercrime in which a target or targets are contacted by email, telephone, or text message. The senders of these messages pose as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.


Phishing avoidance tips: Don’t take the bait

  1. Always be suspicious of any message that requests you to click a link or open an attachment.
  2. Be cautious of any message communicating a sense of urgency or dire consequences should you fail to take immediate action.
  3. Watch for a misspelled or incorrect company name.
  4. Be on alert for emails with generic greetings such as ma’am, sir, or customer.
  5. Contact the person or organization using a different, validated method if you are concerned about a message. This could be dialing a phone number you already have or checking the organization’s contact information on their website. Never use the links or contact information in the message that is raising red flags for you.
  6. Note if the email is oddly structured or formatted.
  7. Be careful not to provide personal or sensitive information in response to a message.


Always report phishing

Be sure employees know how to act if they receive a phishing message. If you are using Microsoft Outlook as your email client, here are the steps to take.

  • Select the suspicious message.
  • Choose ‘Report message’ from the ribbon (if the button is missing, your Microsoft 365 administrator needs to enable the Report Message add-in).
  • Select ‘phishing’.

This is the fastest way to report a phishing attempt, and it also removes the message from the inbox.


What to do if you or an employee has been phished

If you or a team member suspects that a phishing attempt has been inadvertently successful, there are things you can do to mitigate the damage.

  • If you are already a CyberSheath client, contact us immediately and report it.
  • While it’s fresh in your mind, write down as many details of the attack as you can recall. Note any information such as usernames, account numbers, or passwords you may have shared.
  • Immediately change the passwords on the affected accounts, and anywhere else that might use the same password. While changing passwords, take care to create a unique password for each account.
  • Confirm that you have multi-factor authentication, also known as two-step verification, turned on for every account possible.
  • If the attack affects your work or school accounts, notify the IT support teams at those organizations of the possible compromise. If you shared information about your credit cards or bank accounts, contact those companies to alert them to possible fraud.


Get in touch with the experts at CyberSheath to see how we can work with you to guard against phishing and other methods employed by cybercriminals. We are here to help your company implement cybersecurity controls that protect your data and your organization.


As a contractor in the defense industrial base, your company needs to be ready to demonstrate compliance with CMMC. You should have the resources and ability to take action if you want to stay eligible for federal contracts.

CMMC timeline: Today, not tomorrow

During our CMMC CON last year, we had the chance to talk with Jeff Dalton, the newly appointed chairman of the CMMC Accreditation Body, about all things CMMC, including the urgency for acceptance of the new mandate. “We are out of time to protect our data and our networks,” he says. “We’re being infiltrated and attacked as we speak, probably far more than the average person realizes. Companies should be adopting some standard now—today. CMMC/NIST 800-171 provides evolutionary paths to maturity, which are critically important as you can’t just say, ‘We’re cyber secure today’ and think your organization is all set in perpetuity.”

As you work to wrangle your cybersecurity initiatives, apply similar rigor, methodology, and project management that you would utilize if you were building something for your customer. Treat CMMC and cybersecurity the same way: create a project, craft and resource a plan, and measure your progress.

One standard, one model to move the country forward

Being closely tied to CMMC, Jeff of course believes in the strength of the standard, but he says it doesn’t matter to him which framework or model companies choose, as long as they apply some rubric to advance their security posture. “CMMC is a baseline,” he states. “I would be ecstatic if the various agencies, corporations, including the Fortune 100, and all their suppliers, would use it as their baseline to measure themselves against.”

Committing to adherence to a baseline provides the expectation that your organization is going to meet certain requirements and then work to further improve your processes. “That’s why I like CMMC because it’s having various levels,” Jeff continues. “You complete one level, and then there’s another level to reach for.”

Another reason for standardizing on CMMC is that it already has an ecosystem, which other models don’t possess. “We are in a situation now in our country where they have to adopt something, get started, and then be able to measure performance.”

There’s no turning back

If you examine any kind of serious aerospace, space travel, or automotive company, or any entity making millions of high-cost products, they all have processes, standards, and policies that they follow. With software, cyber and IT services, and most technology engineering disciplines, there is resistance to standardizing process and policies. That needs to change.

CMMC is here and it’s real. The training has started. “We have thousands of people in the ecosystem now. Many people have been through the training and program, and certified assessor training is about to start,” Jeff shares. “The AB is also offering new executive training, which is aimed at the executives and purchasing agents of organizations seeking certification.”

“CMMC has caused cybersecurity to become dinner table conversation and that’s a really positive thing because we’re never going to change until we all start thinking about it and doing something about it,” he concludes.

When your company is ready to take the next step on your path to more robust cybersecurity, contact the experts at CyberSheath. We’re here to help you meet your compliance and cybersecurity goals.

Independent analyst firms have weighed in with commentary on nearly every discipline of information technology. Security has garnered a large portion of that IT discussion, yet until recently, Cybersecurity Maturity Model Certification (CMMC) compliance has been left out.


Frost & Sullivan changed that by selecting CyberSheath as its preferred managed service provider for CMMC compliance, highlighting the importance of security in the Defense Industrial Base (DIB) amid growing global threats.


The recommendation comes as the Department of Defense (DoD) prepares to codify CMMC 2.0 in Spring 2023 and contractors in the DIB will soon need to achieve compliance. New research shows that the DIB isn’t even close.


A Supplier Performance Risk System (SPRS) score of 110 — the metric that shows how well a contractor has implemented the 110 NIST SP 800-171 requirements mandated under the Defense Federal Acquisition Regulation Supplement (DFARS) — is what full compliance requires. Critics of the system have anecdotally deemed 70 to be “good enough,” but data from Merrill Research shows that a shocking 87% of contractors can’t even meet that bar.


Given the tight timelines, the incredible expense of achieving compliance internally, and the constantly evolving and increasing security requirements, Frost & Sullivan have concluded that organizations in the DIB shouldn’t go it alone.


“This recognition is validation of our approach to CMMC compliance,” said Eric Noonan, Co-Founder and CEO at CyberSheath. “We have prided ourselves on helping organizations reduce their risk and better protect our national security secrets. Many of these contractors haven’t had to consider cybersecurity before, and we walk them through the compliance process rather than offering them some technical tool they don’t know how to use.”


Read Frost & Sullivan’s complete whitepaper, Securing the Defense Industrial Base in the Cyber Domain. Learn more about actionable steps you can take to be ready for CMMC 2.0 by registering for CyberSheath’s webinar on Jan. 25 at noon EST.

This year marked a deluge of messaging about the Cybersecurity Maturity Model Certification (CMMC) and federal contractors were rightfully confused. With our keystone event, CMMC CON, we aimed to set the record straight and offer the best guidance for those in the Defense Industrial Base (DIB).


CMMC CON 2022 brought in 1,000+ registered attendees and offered insight from industry leaders like investigative journalist Brian Krebs, Frost & Sullivan’s Robert Beuerlein, and Cyber AB chairman Jeff Dalton. It was our biggest CMMC CON to date, and that only scratched the surface of the impact we had in 2022.


Here’s a look at some media outlets that looked to CyberSheath to offer perspective on the evolving threat landscape and what can be done to improve cybersecurity posture ahead of CMMC 2.0.


  • Fortune: The Twitter whistleblower story dominated the media cycle. CyberSheath CEO explained how the same scenario unfolds in the DIB and why all business owners should pay attention.
  • The Hill: Our CyberSheath CEO contributed to this piece that laid out how legislators can best prevent catastrophic cyberattacks on American soil.
  • CSO: Are CISOs always put in the best position? No, and we explain what they need to succeed.
  • EE Times: When President Biden urgently called for improved critical infrastructure security, we highlighted the importance of public-private partnerships to create solutions.
  • TechNewsWorld: When the FBI, CISA, and NSA issued an alert about Russian threat actors, we spoke up about the struggles federal contractors have securing data.


Then there was the world of TV…


Both regional and national media were interested to hear from CyberSheath this year. CyberSheath’s CEO was a hit with news networks, so much so that he was asked back for return appearances.


  • NBC News: CyberSheath CEO joined NBC’s Joshua Johnson for a discussion about the mobile app that the Chinese government required all Winter Olympics participants to download.
  • FOX News: Three days after Russia attacked Ukraine, the story extended to our borders when the threat of Russian cyberattacks cast doubt on the cybersecurity capabilities here in the United States. FOX had CyberSheath CEO back seven more times over the next 30 days!
  • CNN: Cyberattacks continued to be a story in Russia’s war and CyberSheath CEO was the go-to expert to explain what a cyber escalation might look like.
  • KABC: When the Los Angeles School District was hit with a ransomware attack, the ABC affiliate in LA wanted to hear from CyberSheath CEO about what victims should expect and do as a result.


In early December, we released the first ever comprehensive, independent study of the DIB’s cybersecurity maturity, which we commissioned Merrill Research to perform. While the results are alarming, it shows us a clear roadmap for what needs to be achieved in 2023 and beyond to better secure our nation’s secrets.


And as we head into 2023, join us on our upcoming webinar to learn how to prepare for the DFARS changes predicted for the coming year. No matter where you are in your compliance journey, there are actionable steps you can take to be ready for potential regulation changes.

RESTON, Va. — Nov. 30, 2022 — Defense contractors hold information that’s vital to national security and will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance to keep those secrets safe. Nation-state hackers are actively and specifically targeting these contractors with sophisticated cyberattack campaigns.


A shocking 87% of contractors have a sub-70 Supplier Performance Risk System (SPRS) score, the metric that shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.


DFARS, which has been law since 2017, requires a score of 110 for full compliance. Critics of the system have anecdotally deemed 70 to be “good enough,” but the overwhelming majority of contractors still come up short.
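To make the 110 and 70 figures above concrete, here is how the score behind an SPRS entry is computed under the NIST SP 800-171 DoD Assessment Methodology: start at 110 and subtract the weight (1, 3 or 5 points) of every requirement that is not implemented, with partial credit for exactly two requirements (3.5.3, multi-factor authentication, and 3.13.11, FIPS-validated cryptography). This is an added example written for this page, not CyberSheath's tooling or the study's method; the handful of weights in WEIGHTS, the status vocabulary, and the sample assessment are assumptions constructed for illustration, and the official methodology's table must be used for a real assessment.

```python
"""Score a NIST SP 800-171 self-assessment the way the DoD Assessment
Methodology (the basis of an SPRS score) does: start at 110 and subtract
the weight of each requirement that is not implemented."""

PERFECT_SCORE = 110  # every one of the 110 requirements implemented

# Illustrative weights (an assumption for this example; the authoritative
# 1/3/5-point table is in the DoD Assessment Methodology). Any requirement
# not listed here is treated as a 1-point requirement.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.5.3": 5,    # multi-factor authentication
    "3.11.2": 5,   # vulnerability scanning
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # flaw remediation (patching)
    "3.14.2": 5,   # malicious code protection
}

# The methodology allows partial credit for exactly two requirements.
PARTIAL_CREDIT = {
    "3.5.3": 3,    # MFA for remote and privileged users only, not general users
    "3.13.11": 3,  # encryption in use but not FIPS-validated
}

# Status vocabulary is an assumption for this example.
VALID_STATUSES = {"implemented", "not_implemented", "partial", "not_applicable"}


def weight(req_id):
    return WEIGHTS.get(req_id, 1)


def deduction(req_id, status):
    """Points lost for one requirement in the given status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req_id}: unknown status {status!r}")
    if status in ("implemented", "not_applicable"):
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            raise ValueError(f"{req_id}: partial credit exists only for {sorted(PARTIAL_CREDIT)}")
        return PARTIAL_CREDIT[req_id]
    return weight(req_id)


def sprs_score(assessment):
    """assessment: {requirement id: status}. Returns (score, [(id, points lost), ...])."""
    losses = [(r, deduction(r, s)) for r, s in sorted(assessment.items())]
    losses = [(r, p) for r, p in losses if p]
    return PERFECT_SCORE - sum(p for _, p in losses), losses


# Constructed sample assessment: a small contractor with MFA only on VPN and
# admin accounts, non-FIPS encryption, no patch process, and two minor gaps.
SAMPLE_ASSESSMENT = {
    "3.1.1": "implemented",
    "3.1.5": "not_implemented",
    "3.5.3": "partial",
    "3.13.11": "partial",
    "3.14.1": "not_implemented",
    "3.3.4": "not_implemented",  # alert on audit logging failure (1 point here)
    "3.8.5": "not_implemented",  # control media during transport (1 point here)
}

if __name__ == "__main__":
    score, losses = sprs_score(SAMPLE_ASSESSMENT)
    for req, pts in losses:
        print(f"  -{pts}  {req}")
    print(f"score: {score} / {PERFECT_SCORE}")
```

With the sample assessment the function returns 94: above the anecdotal “good enough” 70, but short of the 110 that full implementation requires. Note that partial MFA costs 3 points rather than 5 only because that specific requirement has a partial-credit rule; no other requirement gets partial credit, so a half-finished control scores the same as a missing one.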


The first ever comprehensive, independent study of the DIB’s cybersecurity maturity was conducted by Merrill Research and commissioned by CyberSheath, the largest CMMC managed service vendor. The survey of 300 U.S.-based Department of Defense (DoD) contractors was tested at the 95% confidence level, meaning that differences reported as statistically significant would arise from sampling error alone less than 5% of the time. The study was completed in July and August 2022, with CMMC 2.0 on the horizon.


“The report’s findings show a clear and present danger to our national security,” said Eric Noonan, CEO of CyberSheath. “We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs. Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.”


Roughly 80% of the DIB doesn’t monitor its systems 24/7/365 and doesn’t use U.S.-based security monitoring services. Other deficiencies were evident in the following categories that are currently required by law and will be required in the future to achieve CMMC compliance:


  • 80% lack a vulnerability management solution
  • 79% lack a comprehensive multi-factor authentication (MFA) system
  • 73% lack an endpoint detection and response (EDR) solution
  • 70% have not deployed security information and event management (SIEM)


These security controls are legally required of the DIB, and since they are not being met, the DoD and its mission face significant risk. In addition to being largely non-compliant, an astounding 82% of contractors find it “moderately to extremely difficult to understand the governmental regulations on cybersecurity.”


About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at

While it might not be the most interesting aspect in your cybersecurity planning, it is critically important to make sure your systems are up to date with the latest patches from all of your technology solution providers. This seemingly simple task can quickly become complex when you consider all the various systems that need to be updated–but ensuring your infrastructure is current helps stop security breaches from happening.


There’s an old saying that a stitch in time saves nine. The message delivered in this adage is applicable to patch management, where the time and resources you spend maintaining your systems will save aggravation and much worse down the road if you continue to operate with outdated systems.


Why you need patch management services

A patch is a fix shipped by the vendor. Security patches close a known vulnerability; other updates add features or fix functional defects that are not security-related. Either way, installing a patch fixes a known bug, and a known, unpatched bug is exactly what attackers go looking for.


Not proactively managing patches is the number one issue we see across our client base. Companies often struggle to patch their systems in a timely manner, much as individuals do. (If your Google Chrome is up to date right now, congratulations. Something as simple as not wanting to reboot and lose project time keeps people from updating their systems.)


Enterprises especially struggle with third-party patching, which leaves critical vulnerabilities open. IT teams are busy with other projects, and consequently keeping up with patches for products from vendors such as Adobe and Oracle, which are not delivered through the operating system's update channel, can be a huge challenge.


How CyberSheath can help

To illustrate the importance of keeping your systems up to date, think for a moment about your house. You might be investing in new windows and better siding, but if you leave the crack in your back sliding door, you are potentially exposing your home to the elements. It’s easy to see that protecting your home–and your computer–means having a holistic plan for managing updates and minimizing vulnerabilities.


Our patch management service is an extension of our vulnerability management service, and is built around helping companies be able to patch their systems before they are exploited by bad actors.


At the outset of an engagement, we perform vulnerability scanning using Tenable.io and share the resulting reports with the IT resources responsible for remediation. Using ConnectWise on the client’s endpoints, we automate deployment of the packages that close those vulnerabilities. On a monthly cadence, desktops and servers are rescanned, the fixes validated, and any new findings remediated.
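The scan-then-patch cycle described above is straightforward to turn into a repeatable work list. The following is an added example, not CyberSheath's tooling and not Tenable's or ConnectWise's export format: it parses a constructed CSV export whose column names are an assumption loosely modelled on a scanner report, groups findings per host, orders them by severity and age, flags third-party (non-Microsoft) products that the operating-system update channel will not fix, and marks anything that has survived longer than one scan cycle as overdue.

```python
"""Turn a vulnerability-scan export into a prioritised patch work list."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export for this example. Column names are an assumption,
# not a real scanner schema; hosts, plugin IDs and findings are fictitious.
SAMPLE_EXPORT = """\
Host,Plugin ID,Risk,Name,Solution,First Seen
ws-014,1,Critical,Google Chrome Outdated Version,Upgrade Google Chrome.,2022-10-02
ws-014,2,High,Adobe Acrobat Reader Outdated Version,Upgrade Adobe Acrobat Reader.,2022-11-20
ws-014,3,Medium,Microsoft Windows Missing Cumulative Update,Apply the current cumulative update.,2022-12-01
srv-db1,4,Critical,Oracle Java SE Outdated Version,Upgrade Oracle Java SE.,2022-09-15
srv-db1,3,Medium,Microsoft Windows Missing Cumulative Update,Apply the current cumulative update.,2022-12-01
srv-web2,5,Low,Self-Signed TLS Certificate,Replace with a CA-issued certificate.,2022-12-03
srv-web2,6,Info,Operating System Fingerprint,n/a,2022-12-03
"""

AS_OF = date(2022, 12, 10)  # fixed "today" so the sample output is reproducible
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
SCAN_CYCLE_DAYS = 30  # assumption: a finding older than one monthly cycle is overdue
# Vendors whose products Windows Update will not patch (assumed list for the example).
THIRD_PARTY_VENDORS = ("Adobe", "Oracle", "Google", "Mozilla", "VMware", "Zoom")


def classify_vendor(name):
    """Microsoft findings come via the OS update channel; third-party ones need their own packages."""
    if name.startswith("Microsoft"):
        return "microsoft"
    if any(v in name for v in THIRD_PARTY_VENDORS):
        return "third-party"
    return "other"


def parse_export(text):
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Risk"] not in SEVERITY_RANK:
            continue  # informational plugins are not patch work
        findings.append({
            "host": row["Host"],
            "plugin_id": int(row["Plugin ID"]),
            "risk": row["Risk"],
            "name": row["Name"],
            "solution": row["Solution"],
            "first_seen": date.fromisoformat(row["First Seen"]),
            "vendor": classify_vendor(row["Name"]),
        })
    return findings


def build_patch_plan(findings, as_of):
    """Group findings per host, most severe and longest-lived first."""
    plan = defaultdict(list)
    for f in findings:
        age = (as_of - f["first_seen"]).days
        plan[f["host"]].append(dict(f, age_days=age, overdue=age > SCAN_CYCLE_DAYS))
    for items in plan.values():
        items.sort(key=lambda i: (SEVERITY_RANK[i["risk"]], -i["age_days"]))
    return dict(plan)


def summarize(plan):
    summary = {"hosts": len(plan), "findings": 0, "overdue": 0, "third_party": 0}
    for items in plan.values():
        for i in items:
            summary["findings"] += 1
            summary["overdue"] += i["overdue"]
            summary["third_party"] += i["vendor"] == "third-party"
    return summary


def render(plan):
    lines = []
    for host, items in sorted(plan.items()):
        lines.append(f"{host}:")
        for i in items:
            flag = " OVERDUE" if i["overdue"] else ""
            lines.append(f"  [{i['risk']:8}] {i['name']} ({i['vendor']}, {i['age_days']}d){flag} -> {i['solution']}")
    return "\n".join(lines)


if __name__ == "__main__":
    plan = build_patch_plan(parse_export(SAMPLE_EXPORT), AS_OF)
    print(render(plan))
    print(summarize(plan))
```

Run as-is, the sample yields six actionable findings on three hosts, two of them overdue, and three of them third-party products: exactly the Adobe, Oracle and Google packages the text singles out as the ones IT teams fall behind on. The overdue flag, not the severity, is usually the more useful metric to report monthly, because it shows where the process itself is failing.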


Protect your company, partners, and customers

In the defense industrial base, when you leave vulnerabilities open, you are exposing your organization–and those you serve–to risk. Hackers target smaller companies that often do not have the bandwidth to actively manage their patches. These bad actors then wait, work their way up the food chain, and get into bigger organizations.


At CyberSheath, we’re a one-stop shop, meet-you-where-you-are company with skilled security and IT teams that can help. Contact us to learn more about how we can help you with your patch management needs.


Microsoft offers a variety of clouds meeting the various needs of different organizations. These mission-critical clouds are also a good fit for the defense industrial base (DIB). How do you know which Microsoft cloud offering is right for your company? Let’s review.


Microsoft 365 Commercial versus Microsoft 365 Government

Microsoft 365 Enterprise: This version of Microsoft 365 is specifically for commercial organizations. For these entities, Microsoft offers Office 365, as well as Azure Commercial for enterprise mobility and security. The suite is rounded out with Dynamics 365.

Microsoft 365 Government: There are various Microsoft offerings suited to the needs of a variety of organizations doing business with the federal government. Let’s start with those companies with the least rigorous cybersecurity requirements.

  • Companies requiring DISA SRG Impact Level 2 (equivalent): Entities in this category can use Office 365 GCC and Dynamics 365 Government, both running on the Government Community Cloud (GCC). GCC is an enclave built for government customers to meet some of their compliance obligations. This tier still relies on Azure Commercial: all authentication and authorization is handled by Azure Active Directory hosted in Azure Commercial's worldwide data centers.
  • Companies requiring DISA SRG Impact Level 4 (equivalent): Organizations at this level can use Office 365 GCC High and Dynamics 365 GCC High, which are both hosted in the Azure Government cloud and built for the requirements of the defense industrial base. Azure Government has logically and physically separate data centers from the commercial offering, and it is a special cloud offering that requires eligibility validation before procurement. At IL4 it meets many of the cybersecurity regulations, especially those relevant to CMMC, and provides the highest level of resiliency and reliability.
  • DoD entities requiring DISA SRG Impact Level 5: This is the highest level Microsoft provides coverage for in this family of offerings. All components run on the government cloud, and enterprise mobility and security also run in the separate Azure Government environment.


More on Azure US Government Clouds

Azure Government is a physically separated instance from Azure Commercial. It is the only hyper-scale cloud built specifically for the US government. Not only that, but it also meets the most complex compliance standards and supports the broadest selection of services, tools, and languages. Here’s how it stacks up compared to the commercial version in terms of authorization.


                    Azure Commercial            Azure Government
Authorization       FedRAMP High                FedRAMP High
Contract clause     DFARS 252.204-7012          DFARS 252.204-7012
Data supported      FCI & CUI Basic (PII)       FCI & CUI Specified (ITAR)
CMMC 2.0            Level 1                     Levels 1-3


If you are looking to ensure compliance to work with the DoD, consider Microsoft 365 Government GCC High. It can help you strengthen your security posture to better protect DoD data against sophisticated cyberattacks, reduce administration and spend on on-premises data centers and maintenance of old legacy systems, and shift much of the burden to the cloud for meeting compliance obligations and monitoring the changing landscape of US regulations and standards.


If you have any questions about how to get started with leveraging these Microsoft solutions, contact us.

Consider your company and what it does from a different perspective. Look at the value of your product or service in relation to the data that you are holding, processing, using, and generating as you and your team perform your duties and obligations. Robert Beuerlein, Principal Consultant of Aerospace & Defense at Frost & Sullivan, put it this way at CMMC CON 2022 when talking about CEOs in the DIB: “(I want them to) take a look at the value they place on their product in relation to the data that they are holding and processing and using and generating in the performance of their duties and obligations. I would argue that that data is more valuable, potentially, than the product that they’re providing.” That’s where the importance of protecting the controlled unclassified information (CUI) of the defense industrial base (DIB) from cyberattacks comes in.


The complexity and vulnerability of the DIB

When examining the growth challenges of this sector, three particular issues are front of mind.

  • Disruptive technologies – Everybody is connected to everyone else and everything—and that entanglement is increasing in intensity. That natural evolution of modern information technology combined with the low barrier to entry for malign actors to get started, means that companies like yours are constantly under threat.
  • Geo-political chaos – There is much unrest in the world and malign actors can take advantage of that chaos to gain footholds. Non-state actors and criminal syndicates can exploit gaps and lock up your data and put ransomware on your systems. Keep in mind that revisionist states are not bound by what we consider to be normal rules of engagement.
  • Competitive intensity – The cyber domain touches all aspects of the defense industrial base, from logistics and munitions to data processing and professional services. With five prime contractors and over 200,000 companies around the world part of the DIB, it’s more important than ever to distinguish your company in a positive way.


Impact of the CMMC framework

The Department of Defense (DoD) is keen to tap into the innovation, and as small businesses file 16 and a half times more patents than large corporations, it’s clear where that innovation resides. It’s important that the Cybersecurity Maturity Model Certification (CMMC) not become a stumbling block to these up-and-coming businesses engaging with the DoD.

The requirements of CMMC seek to secure CUI, and the rules that govern these definitions are complex—therefore knowing how to apply them to your business is critical. Also, be mindful that cyber policy changes quickly, and the data and information policy associated with that also evolves fast.


How a managed service provider can help

If all of this is sounding a bit overwhelming, you are not alone. It might make sense for you to partner with a managed service provider (MSP) to help you navigate your CMMC requirements. Here are some of the reasons that working with an MSP might make sense for your organization.

  • Firm fixed pricing – An MSP typically examines your CMMC requirements and assesses your organization, activities, and structures to determine the cost of the engagement. Knowing the cost of aligning with CMMC up front is extremely useful to a business.
  • Rapidly scalable – Knowing you can rely on an outside resource to quickly scale your cybersecurity response to what is happening in your business keeps you covered and secure.
  • Access to knowledgeable cybersecurity policy resources – While you are focusing on the business end of your work and the product or service that you’re providing, the MSP is staying abreast of the policy.
  • Halo effect on other areas – Maintaining compliance means keeping up training, managing your data, running your scans, and operating the rest of your cybersecurity program. That work spills over into the rest of your organization, making everything run more smoothly and more effectively.


As part of the DIB, it’s important to realize that the data and information generated by your work and your processes is incredibly valuable—and needs to be secured. Meeting and maintaining the requirements of CMMC is an important part of that effort.

If you are looking for an experienced MSP to help you navigate the cybersecurity mandate, contact the experts at CyberSheath.


Our businesses and our information are not as safe as we think. On their own, things will not improve, especially as cybersecurity threats continue to multiply and evolve. Supply chain attacks have far-reaching consequences, and DoD contractors are being targeted, making cybersecurity even more critical for the defense industrial base (DIB).

Each company is realizing that at some point it is part of another entity’s supply chain. Individuals, companies, and governments now understand that a failure to protect and maintain these systems is going to have serious short-term, long-term, and strategic consequences for the country.

These conditions put the federal government in a unique position to help drive change by virtue of what it requires from its vendors. With a Cybersecurity Maturity Model Certification (CMMC) mandate, the federal government is promoting meaningful and potentially impactful regulation to drive private sector investment in cybersecurity across these supply chains.


Enforcement of mandatory cybersecurity minimums

Security is only as strong as its weakest link. And indeed, there have been many serious breaches of federal government systems and federal government data that started with incidents at contractors. It was recently reported that, from 2021 through the beginning of this year, multiple advanced persistent threat groups maintained access to a DIB sector organization’s enterprise network. This long-term access allowed the threat actors to steal sensitive data.

It’s clear that organizations need to be on guard and measure their cybersecurity posture. A CMMC mandate would drive home the point that the government wants to work with companies who can demonstrate that they have progressed beyond the average in their security maturity development. A framework matters because it provides for measurable and demonstrable progress from one level of security maturity to the next.


A mandate drives forced curiosity

“Security maturity models are useful in that they’re fairly flexible in some regards, and they force organizations to start measuring how they’re doing on cybersecurity,” says investigative journalist Brian Krebs at CMMC CON 2022. “That forced curiosity alone is enough to move things to the next level of security maturity for these organizations.”

The government has an important role in this regard—and they should be setting the standard. A lot of good can come out of that forced curiosity as companies potentially mature beyond the heroics of an overworked staff, or other issues pertaining to lack of resources or skill.

Start taking the steps to mitigate the dangers. In an environment of forced curiosity and mandatory security minimums, there is a temptation to paint a picture in which small businesses can easily take action at no cost. While there are many useful free government resources, they typically require a dedicated full-time professional to figure out how to leverage them effectively; that person needs a support network, and all of that requires funding.


If you are looking for a path forward as your company works to meet the requirements of the CMMC, CyberSheath can help. Our skilled team partners with you to help you achieve your cybersecurity goals—allowing you to stay focused on your business. Contact us to get started.


As soon as May 2023, federal contractors in the Defense Industrial Base (DIB) will face compliance requirements with a new version of the Cybersecurity Maturity Model Certification (CMMC) program. Many contractors don’t have the budget or expertise to achieve compliance in-house and need a partner.


Some organizations may seek a managed service provider (MSP) to help navigate the framework of CMMC 2.0. Robert Beuerlein, Principal Consultant of Aerospace & Defense at Frost & Sullivan, will present a whitepaper at CMMC CON 2022 to give an overview of the MSP landscape and offer contractors some qualities to identify in potential MSPs.


Beuerlein has 22 years of management experience in cyber operations and information warfare.  He is a retired senior commissioned officer with global experience in training and development systems, information technology, and defense contracting. His significant expertise in Department of Defense (DoD) planning and budgeting processes makes him an authority that contractors can glean a new perspective from.


Register for CMMC CON 2022 to join the conversation with Beuerlein about CMMC 2.0 compliance and how MSPs can help the DIB navigate a complex landscape.

Cybersecurity has grown increasingly urgent for organizations within the Defense Industrial Base (DIB). According to a new report from the Government Accountability Office, U.S. critical infrastructure has become more vulnerable and the report recommends Treasury and Homeland Security jointly assess if a federal insurance response is warranted.


Contractors in the DIB are already trying to navigate a federal requirement to comply with the Cybersecurity Maturity Model Certification (CMMC) program, and understand where their vulnerabilities might be with sensitive data on the line.


As the cybersecurity landscape grows more complex for contractors, journalist Brian Krebs will lend his insight with his keynote Q&A address at CyberSheath’s CMMC CON 2022.


Krebs, author of the New York Times bestselling book “Spam Nation” and an independent investigative reporter, has covered cybersecurity for more than 20 years. He covers cybercrime at the award-winning KrebsOnSecurity, was a reporter with the Washington Post from 1995 to 2009, and is best known for breaking stories on high-profile data breaches, including those that hit Target, Home Depot, Michaels, and Ashley Madison. Krebs will speak with CyberSheath CEO Eric Noonan about his view of the cybersecurity landscape, how threat actors strike, and what contractors can do to prevent attacks.


Register for CMMC CON 2022 now to see Krebs’ keynote Q&A and gain actionable insights through a series of sessions, trivia, and complimentary copy of CyberSheath’s upcoming report on the state of the DIB.

Running your business and focusing on your core competency as you work hard to service your clients can take all of your time. How do you make sure that you are protecting your company from cyber threats? If you have internal IT resources, do they have the expertise and bandwidth to monitor your systems all day, every day?


That’s where our Security Operations Center or SOC can help. We partner with you to provide your business with the ability to see what’s going on in order to respond accordingly. Our team is constantly growing their skillset to combat ever-evolving, persistent cyber threats. We:

  • Understand the larger cybersecurity picture
  • Translate security into the language of your business
  • Hold deep technical knowledge matured over long cybersecurity careers
  • Possess a track record of success


How our SOC helps you

We take the inherent challenge associated with safeguarding the physical and logical business assets off your plate with our DFARS-compliant security management platform that provides a unified approach to threat detection and compliance management.


The SOC managed services provided by CyberSheath include:

  • Security Information and Event Management (SIEM): Working together we onboard your devices into the CyberSheath SIEM platform. This solution gathers and analyzes logs and event data from disparate security controls and devices across the network, and then correlates them to identify related security events.
  • Asset Discovery and Vulnerability Assessment: Our technical experts also deploy a vulnerability assessment platform that allows for the identification of vulnerabilities across your environment.
  • Intrusion Detection and Behavioral Monitoring: We deploy sensors to network locations to monitor traffic and establish a benchmark for normal behavior. In addition to network-based monitoring, our team deploys host-based monitoring agents to your infrastructure.
  • Threat Intelligence: We update correlation rules, IDS signatures, vulnerability detection rules, and IP reputation updates to ensure the security management platform is appropriately maintained and detecting current threats within your environment.


If you would like to learn more about how CyberSheath can help you gain peace of mind knowing that your systems are always monitored, contact us to learn more.

Running a business is fraught with challenges–including delivering value to your customers, evolving with market demands, and staying up to date on compliance requirements. Allow your focus to remain on your customers and your core competency by offloading the cybersecurity issues to a proven partner.


CyberSheath just launched a new service that provides all federal contractors with a cost-effective, scalable solution to meet cybersecurity requirements across security, IT, and compliance. Our expert advice, honed delivery methods, and centralized support deliver quick return on investment.


Expand your market reach

To achieve rapid results and persistent compliance value, companies can rely on CyberSheath to speed their customers’ journey to DFARS cybersecurity compliance. As a participant in the new CyberSheath Partner Program, companies will be able to more easily identify and collaborate with the right partner to fill compliance gaps across a range of technology and industry solutions, such as managed CMMC governance, security solutions, and IT services.


Partners will also be able to take advantage of new centralized resources, including a recently developed partner portal and an enhanced CyberSheath website to support collaboration as we work to quickly and efficiently deliver solutions that drive impactful client outcomes.


Why you can trust CyberSheath

Our company is a pioneer and industry leader in the managed security service provider (MSSP) space. We are skilled experts who were involved in the first DoD cybersecurity initiative in 2008–and in every iteration since then. On average, clients realize an over 50% compliance improvement within 6 months of engaging with us. Here’s a snapshot of our credentials.


  • Hundreds of U.S. defense industrial base customers across manufacturing, engineering, and R&D environments
  • 6+ successful DoD audits of our services
  • 600+ NIST 800-171 assessments and implementations
  • 9+ years of NIST 800-171/DFARS/CMMC cybersecurity solutions
  • Trusted Gold Microsoft partner
  • Registered Provider Organization with the CMMC Accreditation Board


As your organization looks to identify, onboard, and collaborate with an experienced partner to speed the journey to DFARS cybersecurity compliance for both your company and your clients, consider CyberSheath. Learn more about the program or contact us to get started.


In this day and age, it is not uncommon for a story of a cyberattack to be front-page news. What is unsettling, however, is that the prevalence of these breaches is far more numerous than reported. And what is at stake is more than compromised consumer credit reports–national security hangs in the balance when the breached target is a member of the defense industrial base (DIB).


How can this threat be neutralized–and what is being done to protect vital intelligence from falling into the wrong hands? Mandated cybersecurity minimums for companies looking to do business with the DoD and its affiliates would go a long way in limiting these events.


Current state of cyber-compliance

The government created a scoring scale for cybersecurity controls, which covers a range of -203 (doing nothing) to +110 (fully compliant). Our experience over the last decade has revealed an average score of -125, with the lowest score we have ever seen being -175. Why is that?


The crux of the problem is that while these controls have been mandated in contract law for defense contractors since at least 2015 and subject to both contract law and False Claims Act penalties, they have been unaudited and largely ignored. There has been no enforcement of these mandatory cybersecurity minimums.


Cybersecurity for the DoD is a modern-day policy of “Don’t Ask. Don’t Tell.”, with many organizations not taking appropriate cybersecurity measures, and then not reporting non-compliance. One notable development that could change all of this is the current administration’s leveraging of the False Claims Act to crack down on non-compliant defense contractors.


How the False Claims Act impacts cybersecurity compliance

A former Aerojet Rocketdyne employee claims the company entered into contracts with NASA and the DoD despite knowing it was not in full compliance with the contracts’ cybersecurity requirements. The judge refused to dismiss the case and they are headed to jury trial.


CyberSheath was not surprised at this development. In fact, we saw this coming, knowing that the government would be cracking down on defense contractors.


The Problem of Non-Compliance

All of this non-compliance of very basic cybersecurity controls is the cause and the effect behind SolarWinds, Office of Personnel Management (OPM), and likely many other data breaches. Tying non-compliance to an actual cyber-attack is hard if not impossible but it doesn’t take too much of a leap of faith to make the connection when you see the scale of sensitive information being stolen.


In parallel to the non-stop barrage of attacks on the defense industrial supply chain, many successful organizations like National Defense Industrial Association (NDIA) and their 70,000 members push back against mandatory cybersecurity minimums and the kinds of controls that would slow–if not stop–some of these attacks altogether. Here is what has transpired.

  • The organization penned a letter in June 2021 citing the cost of cybersecurity controls, despite the fact that the law mandating almost 85% of the cybersecurity requirements was close to six years old at the time and already mandated but ignored by much of the DIB.
  • By September 2021, NDIA had joined forces with two other large industry associations, Information Technology Industry Council (ITI) and the Professional Services Council (PSC), to collectively express concern on behalf of their members, again despite the fact that approximately 85% of the required controls had been mandatory for six years.
  • Meanwhile, the estimated number of defense contractors required to report cybersecurity incidents within 72 hours to the DoD Cyber Crime Center (DC3) is often shared by the DoD as numbering from 200K to 350K. Likely no one knows the real number as DC3 only speaks to a relationship with 885 of the several hundred thousand with sensitive information.


Despite the regulations, the government knows via its own audits that contractors are ignoring the requirements. A recent audit of seven separate defense contractors found deficiencies including:

  • Multi-factor authentication was not consistently used
  • Network vulnerabilities were not consistently mitigated
  • Server racks were not consistently secured
  • Data on removable media was not consistently protected and monitored
  • Intrusion detection was not implemented
  • Administrators did not require or maintain justification for access
  • Physical security controls were not implemented


It’s clear that something needs to be done to help secure information and other intelligence that is vital to the safety of our country. Implementing a mandate requiring minimal but impactful cybersecurity measures makes sense–for the sake of the company doing business with the DoD, either directly or as subcontractor, and for the security of our nation.


Are you a defense contractor not compliant with CMMC?

Don’t miss your chance to REGISTER NOW to accelerate your compliance journey by understanding what to do, how to do it, and by when.


Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.


What is DNS filtering and why do you need it?

Domain Name System (DNS) filtering is a tool that identifies malware and harmful content and then restricts access to the websites serving that potentially dangerous content. Issues could arise when users are accessing a new website and are mistakenly redirected to a different site, or when ad servers on a frequently visited site are compromised.


Cisco Umbrella can help

Cisco Umbrella provides DNS filtering to protect against these issues. This solution keeps a record of all the websites that are known to be malicious and prevents employees from accessing those sites. Default DNS services do not possess this capability. With many team members working from home these days without the protection of a traditional firewall, DNS filtering is particularly important. If Cisco Umbrella is installed on an endpoint, whether a laptop or other workstation, any attempt by that user to access something potentially harmful gets blocked.


If a phishing email is delivered with dangerous links, Cisco Umbrella can prevent people from accessing a site that has been redirected or that is going to try to deliver a malicious payload. These threat actors also rely on something called ‘command and control’. If a team member downloads something to their computer that seems innocuous, the program will then reach out to the threat actor’s command and control server. Stopping those communications is another way that Cisco Umbrella can protect your endpoints, as it detects these queries in real time.
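The DNS-layer blocking described above, walked through in code as an added example; this is not Cisco Umbrella’s implementation. A resolver-side policy checks each queried name against a categorised blocklist, walking up the parent domains so that a block on one domain also covers its subdomains, returns a sinkhole answer for matches, and turns matches in a query log into SOC alerts. The blocklist entries, the log format and the log lines are constructed samples.

```python
"""Resolver-side DNS filtering: blocklist match, sinkhole answer, SOC triage."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

SINKHOLE_ADDRESS = "0.0.0.0"   # answer returned instead of the real record


@dataclass(frozen=True)
class Decision:
    qname: str
    action: str             # "allow" or "block"
    category: str | None    # "malware", "phishing", "c2", ... when blocked
    matched: str | None     # blocklist entry that produced the block


def normalise(name: str) -> str:
    """DNS names are case-insensitive; strip the root dot so 'Bad.Example.' == 'bad.example'."""
    return name.strip().rstrip(".").lower()


class DnsFilter:
    def __init__(self) -> None:
        self._blocked: dict[str, str] = {}

    def block(self, domain: str, category: str) -> None:
        self._blocked[normalise(domain)] = category

    def check(self, qname: str) -> Decision:
        name = normalise(qname)
        labels = name.split(".")
        # Test the full name first, then each parent down to the registrable
        # domain (never the bare TLD), so subdomains of a listed domain match.
        for i in range(max(len(labels) - 1, 1)):
            candidate = ".".join(labels[i:])
            category = self._blocked.get(candidate)
            if category is not None:
                return Decision(name, "block", category, candidate)
        return Decision(name, "allow", None, None)

    def answer(self, qname: str) -> str | None:
        """Sinkhole address for blocked names; None means resolve normally."""
        return SINKHOLE_ADDRESS if self.check(qname).action == "block" else None


def parse_query_log(line: str) -> tuple[str, str, str] | None:
    """Constructed log format: '<timestamp> <client-ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, _qtype = parts
    return ts, client, qname


def triage(filt: DnsFilter, lines: list[str]) -> tuple[list[dict], Counter]:
    """Return (alerts for blocked queries, count of blocked queries per client)."""
    alerts: list[dict] = []
    per_client: Counter = Counter()
    for line in lines:
        parsed = parse_query_log(line)
        if parsed is None:          # skip malformed lines rather than crash the feed
            continue
        ts, client, qname = parsed
        d = filt.check(qname)
        if d.action == "block":
            alerts.append({"ts": ts, "client": client, "qname": d.qname,
                           "category": d.category, "matched": d.matched})
            per_client[client] += 1
    return alerts, per_client


def build_sample_filter() -> DnsFilter:
    """Constructed blocklist standing in for a vendor threat feed."""
    f = DnsFilter()
    f.block("phish-login.example", "phishing")   # lookalike credential page
    f.block("beacon.example", "c2")              # command-and-control rendezvous
    f.block("drop.example", "malware")           # payload hosting
    return f


SAMPLE_LOG = [  # constructed query log
    "2024-03-04T10:15:22Z 10.0.0.12 www.contoso.example A",
    "2024-03-04T10:15:40Z 10.0.0.12 Phish-Login.Example. A",
    "2024-03-04T10:16:01Z 10.0.0.31 cdn.drop.example A",
    "2024-03-04T10:16:05Z 10.0.0.31 a1.beacon.example A",
    "2024-03-04T10:16:35Z 10.0.0.31 a2.beacon.example A",
    "malformed line",
]

if __name__ == "__main__":
    filt = build_sample_filter()
    found, counts = triage(filt, SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(dict(counts))
```

The client at 10.0.0.31 resolving two different subdomains of the same C2 domain half a minute apart is the pattern a SOC would escalate, which is why the triage output is keyed per client rather than per query.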


When these outside agents reach out to compromise your IT systems, be prepared. Partner with CyberSheath and enlist the assistance of our 24/7/365 security operations center, where we monitor this traffic and flag any suspicious activity. Our skilled team can also set up and configure Cisco Umbrella. Contact us today to get started.


An important step to protecting your network is securing all your endpoints, including servers, individual workstations, and remote laptops. There are many ways these nodes can be inadvertently compromised, such as receiving malware delivered via email, plugging in a USB drive containing suspect files, or mistakenly downloading a malicious program from the internet.


When any of these things happen, a threat actor can install ransomware on one of your endpoints, lock it up, and encrypt critical files. This entity could potentially then contact you and request financial remuneration, perhaps in Bitcoin, in exchange for decrypting the information.


Factoring in the reality that nation state threat actors have ample reason to compromise the defense industrial base, safeguarding against this nefarious information gathering becomes even more important.


What endpoint detection and response is and how it helps

Endpoint detection and response (EDR) includes traditional signature-based antivirus protection, where the tool identifies a bad program based on certain characteristics and then neutralizes that program before it causes harm.


Notably, this solution also guards against polymorphic threats that rapidly change in an effort to evade signature-based detection. These are caught heuristically: based on the behavior these programs exhibit, a robust EDR solution can discover the changes and block the malware before it becomes a threat.
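The signature-versus-behavior distinction above, shown in code as an added example; this is not Microsoft Defender for Endpoint’s logic. Constructed telemetry contains a known ransomware build, a polymorphic rebuild of the same code with a fresh hash, and a benign backup tool: the hash check catches only the first, the behavior rule (many files renamed to an unusual extension within a short window) catches both, and the benign process is left alone. The hashes, extensions, thresholds and events are all constructed.

```python
"""Signature-based versus behaviour-based detection over constructed file telemetry."""
from __future__ import annotations

import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float          # seconds since boot (constructed)
    pid: int
    image_sha256: str  # hash of the process executable
    op: str            # "rename" or "write"
    path: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature store: the only sample the vendor has seen before (constructed).
KNOWN_BAD_HASHES = {sha256_hex(b"constructed-ransomware-build-1")}


def signature_verdict(image_sha256: str) -> bool:
    """Traditional AV check: does the executable match a known-bad hash?"""
    return image_sha256 in KNOWN_BAD_HASHES


# Behaviour rule: one process renaming many distinct files to an unusual
# extension within a short window is the footprint of bulk encryption.
RENAME_THRESHOLD = 5
WINDOW_SECONDS = 10.0
SUSPECT_EXTENSIONS = (".locked", ".enc", ".crypt")  # constructed list


def behaviour_verdict(events: list[FileEvent]) -> dict[int, bool]:
    """Return {pid: flagged}, sliding a time window over each process's renames."""
    renames: dict[int, list[float]] = defaultdict(list)
    seen: dict[int, set[str]] = defaultdict(set)
    for e in events:
        if e.op == "rename" and e.path.endswith(SUSPECT_EXTENSIONS):
            if e.path not in seen[e.pid]:       # count distinct files only
                seen[e.pid].add(e.path)
                renames[e.pid].append(e.ts)
    flagged: dict[int, bool] = {}
    for pid, times in renames.items():
        times.sort()
        start, hit = 0, False
        for end, t in enumerate(times):
            while t - times[start] > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                hit = True
                break
        flagged[pid] = hit
    return flagged


def edr_verdict(events: list[FileEvent]) -> dict[int, set[str]]:
    """Per process, the set of detectors that fired ("signature", "behaviour")."""
    image_of = {e.pid: e.image_sha256 for e in events}
    behaviour = behaviour_verdict(events)
    verdict: dict[int, set[str]] = {}
    for pid, image in image_of.items():
        reasons = set()
        if signature_verdict(image):
            reasons.add("signature")
        if behaviour.get(pid, False):
            reasons.add("behaviour")
        verdict[pid] = reasons
    return verdict


def processes_to_isolate(verdict: dict[int, set[str]]) -> list[int]:
    """Anything either detector fired on gets contained before it spreads."""
    return sorted(pid for pid, reasons in verdict.items() if reasons)


def sample_events() -> list[FileEvent]:
    """Constructed telemetry: a known build, a polymorphic rebuild, and a benign tool."""
    known = sha256_hex(b"constructed-ransomware-build-1")
    variant = sha256_hex(b"constructed-ransomware-build-2")  # same code, new hash
    backup = sha256_hex(b"constructed-backup-tool")
    events: list[FileEvent] = []
    for i in range(6):   # six files each, one second apart: inside the window
        events.append(FileEvent(100.0 + i, 4101, known, "rename", f"C:/docs/q{i}.docx.locked"))
        events.append(FileEvent(200.0 + i, 4102, variant, "rename", f"C:/share/r{i}.xlsx.enc"))
    # Backup tool: two renames, far apart, ordinary extension.
    events.append(FileEvent(300.0, 4103, backup, "rename", "C:/backup/db.bak"))
    events.append(FileEvent(900.0, 4103, backup, "rename", "C:/backup/db2.bak"))
    return events


if __name__ == "__main__":
    v = edr_verdict(sample_events())
    print(v)
    print("isolate:", processes_to_isolate(v))
```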


Microsoft Defender for Endpoint for complete endpoint security

Microsoft Defender for Endpoint allows your team to minimize the damage to your environment. It stops traditional and heuristic threats, and helps you gain visibility into potential malicious or anomalous behavior. In the event that malware is installed on an endpoint, Defender for Endpoint can also isolate a workstation before it becomes a malware host.


Since it is run in the cloud, scaling is fast. Built-in AI detects the different types of behaviors using Microsoft threat intelligence. The tool works on Microsoft operating systems, as well as on Linux and Mac.


99.9% of the time, EDR technologies will detect and stop bad behavior. On the off chance that some sophisticated attack does get through, it is a good idea to have a 24/7 security operations center like CyberSheath’s to notice that behavior, isolate any impacted devices, and begin an investigation.


If your company already has licenses for Microsoft Defender for Endpoint, reach out and we can help provision those licenses. If you have an existing subscription but no one is keeping an eye on what it is finding, we can help with configuration and with continuous monitoring of the solution. Contact us to learn more.

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none of those communications are harmful, directing employees to share security information or download damaging files?

What spam and phishing are–and why they are dangerous

A threat actor can deliver something via email that can then be downloaded and installed on the recipient’s computer, or convince unwary employees to take an action that could be detrimental to themselves or their company. These unwanted emails are called spam and the action of trying to engage people to perform dangerous activities is called phishing.

Often the nefarious entities sending this spam are looking for financial gain, but in the case of the defense industrial base (DIB), they could want to gain access to information in your possession that could benefit the entity that they may be working for.

There are different avenues they take, but it’s all about using email to get you to trust them and then take action. Here are a couple of examples.

  • An email received from a Gmail account stating that it is from the CEO and he has been locked out of his account. The communication would then direct the reader to call a number or download software.
  • A communication could mimic a partner company, perhaps misrepresenting themselves as Microsoft, and directing the recipient to download a software update to protect themselves from a threat.

Since life these days is chaotic and we are all engaged more hours than we are on the clock, we might not be sitting in front of our computers, but instead be rushing off on an important errand when we glance at our phones and notice an email, purportedly from our boss. Any one of us could take the action requested by the spammer, and not realize until much later the error in judgment.

Protecting your business from these threats

The solution is to limit the ability of these threat actors to send email to your employees by having the right spam tool with the right settings in place. In some cases, a company might have a good tool in place, but it might not be optimally deployed.

In a nutshell, companies should configure everything with ‘anti’ in the name (anti-malware, anti-phishing, anti-spam), and set up features with ‘safe’ in the name (safe links, safe attachments). These actions help ensure that attachments are scanned before they are delivered to your endpoint. Realistically speaking, you want to support digital interactions as you are mitigating risk through the proper setup of these types of tools.

Microsoft 365 Defender helps stop attacks

This solution, which is part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. It offers two options.

  • Plan 1 – This option provides configuration protection capabilities, such as establishing safe attachments and safe links. It also performs anti-phishing and real-time detections.
  • Plan 2 – This option takes those basic anti-spam capabilities and layers on additional capabilities like automated investigation and remediation, and education capabilities. Since the education piece is critical, our experts recommend Plan 2. With the evolving security landscape, this solution has dynamic features which can accommodate the threats of today and meet future challenges.

As a Microsoft partner, we are skilled in implementing and optimizing Microsoft 365 Defender to help you safeguard your organization. Reach out to us to get a quote. We can provision licenses, implement the tool, and push out solid security policies in your Office 365 environment. If you already have the licenses, we can also maximize the entitlements that these licenses have. Contact us to get started.


For the past several years, contractors with the Department of Defense (DoD) have had to meet a custodial requirement in contracts as it relates to security. Soon, this will likely be required outside the defense industrial base (DIB) and apply to all federal contractors.


If you’re like many contractors, you’re wondering how best to safeguard Controlled Unclassified Information (CUI). While there are many ways to meet the rules and regulations, not all of them are feasible or efficient and many of them are expensive.


The key is to limit the scope of your CUI protections. That can be difficult because CUI isn’t always neatly organized in one place. Often it sits in many departments like legal, contracts, accounting, sales, professional services, and engineering. CUI can be on employees’ computers, in their email accounts, on their mobile devices, and on shared network folders.


Contractors tend to take one of three strategies to corral CUI and limit disrupting their larger business:


  1. Limit by contract or product: You serve the government with specific business segments, so you define your environment based on products and services.
  2. Limit by geography: A global enterprise only does business with the government through U.S. entities, so it might define limits by geography so the rest of its global sites are undisturbed.
  3. Limit by technology: Limiting by contract or geography ignores the shared technology resources used across the entire company. An enclave achieves compliance by segmenting CUI from other systems.


An enclave solution, or isolating the CUI within an organization, is a scalable, efficient, and cost-effective approach to the custodial responsibility of security. The National Institute of Standards and Technology (NIST) endorsed this approach with Special Publication 800-171:


“Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization’s security posture to a level beyond that which it requires for protecting its missions, operations, and assets.”


While an enclave may require a duplicate system for business processes like email or security tools, creating a large compliance system that spans across a whole product segment or even an entire enterprise and goes far beyond just the CUI is significantly more expensive and time consuming.


CyberSheath is helping clients take the best step forward with its new Federal Enclave, which simplifies adherence to difficult cybersecurity business requirements. Register for CyberSheath’s webinar to learn more about the value of enclaves and how Federal Enclave can help.


Working with the federal government means maintaining compliance with fluid cybersecurity standards. It can be an overwhelming, confusing, and expensive venture for a business that isn’t familiar with the ever-changing mandates.


CyberSheath’s Federal Enclave can ensure you stay compliant with federal cybersecurity minimums while saving you time and money.


Federal Enclave is both a common-sense approach to protecting data and the most comprehensive Defense Federal Acquisition Regulation Supplement (DFARS) compliant enclave. It ensures your users that handle sensitive data always have secure access to an out-of-the-box compliant environment, secured and managed by CyberSheath. Based on Microsoft Azure, Federal Enclave can be situationally deployed on any of Azure’s cloud platforms or on premises.


The Department of Defense (DoD) was the first federal entity to roll out mandatory minimums for cybersecurity with Cybersecurity Maturity Model Certification (CMMC) in 2020, and recently released a simplified, updated version with CMMC 2.0. It’s expected that all federal agencies will eventually require cybersecurity compliance for federal contractors, which makes now a great time to get ahead of the curve as you plan future work with the federal government.


Federal Enclave adheres to CMMC v1.02 and v2.0 as well as DFARS 252.204-7012, limits organizational controlled unclassified information (CUI) data sprawl, and controls role-based allowances to CUI.


CyberSheath has helped more than 500 clients discover their compliance starting point and roadmap. Federal Enclave simplifies adherence to the difficult cybersecurity business requirements and puts CyberSheath in your corner to ensure compliance. Register for CyberSheath’s webinar to launch Federal Enclave at 12 p.m. EST on Feb. 23.



Determining what types of information your organization possesses is one of the first steps you need to take when starting efforts to enact cybersecurity controls. This classification of information dictates how the data must be controlled and protected.

Here are the different categories of information.


FCI – Federal Contract Information

As defined by 48 CFR 52.204-21, this is, “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information by the Government to the public (such as public websites) or simple transactional information, such as necessary to process payments.”

National Archives and Records Administration (NARA) specifies, “Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.”


It is important to note that FCI (CMMC Level 1) is the minimum if you have a Federal contract.


CUI – Controlled Unclassified Information

According to 32 CFR 2002.4, CUI is, “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.


“CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”


Additional Safeguards / Classifications:

  • CUI Basic: Requiring or permitting agencies to control or protect the information but providing no specific controls.
  • CUI Specified: Requiring or permitting agencies to control or protect the information and providing specific controls for doing so.
  • CUI Specified, with basic controls where not specified by authority: Requiring or permitting agencies to control the information and specifying only some needed controls.


NARA states that, “NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).”


CUI categories for the defense industrial base (DIB)

Refer to this chart to see how to classify your CUI.


Banner Marking | CUI Category | Organization Grouping
CUI//SP-CTI | Controlled Technical Information | Defense
CUI//SP-CEII | Critical Energy Infrastructure Information | Critical Infrastructure
CUI//SP-EXPT | Export Controlled | Export Control
CUI//SP-FISA(B) | Foreign Intelligence Surveillance Act (Business Records) | Intelligence
CUI//SP-PROCURE | General Procurement & Acquisition | Procurement & Acquisition
CUI//SP-PROPIN | General Proprietary Business Information | Proprietary Business Information
CUI//SP-NNPI | Naval Nuclear Propulsion Information | Defense
CUI//SP-SRI | Nuclear Security Related Information | Nuclear
CUI//SP-PERS | Personnel Records | Privacy
CUI//SP-MFC | Proprietary Manufacturer | Proprietary Business Information
CUI//SP-PCII | Protected Critical Infrastructure Information | Critical Infrastructure
CUI//SP-DCNI | Unclassified Controlled Nuclear Information – Defense | Defense
CUI//SP-UCNI | Unclassified Controlled Nuclear Information – Energy | Nuclear


Learn More


While this blog can get you started on determining how to classify your information, the experts at CyberSheath would be happy to help your company identify your FCI and CUI and create plans for safeguarding it. Contact us to take the next step in learning how to protect your sensitive information.


Since the revision of the CMMC cybersecurity requirement was announced last month, we have been analyzing and reporting on some of the changes in a series of blogs. So far we’ve covered a range of topics, including the context for the update, the impact on assessments, and changes to plans of action and milestones (POA&M). This blog will address what we currently know about how the DoD will address the rulemaking of this revision.


Timeline of Rulemaking Process

Much has been made of this change to the codifying of CMMC 2.0. The government has said that it will take nine to 24 months to review and complete the rulemaking requirements. Also, it is important to keep in mind that what has been presented and proposed could change. As the process unfolds, public comments will be solicited, which the government will then ingest, possibly resulting in changes to the proposed revision.

  • If this process takes just nine months to complete, CMMC will arrive three years earlier than what had been planned with CMMC 1.0, which was scheduled to be effective in 2025.
  • If it takes two years and becomes effective in 2023, it will still be here two years earlier than with the previous version.

It appears that people are misreading this severely, when in fact the DoD has actually taken time off the clock and expedited the need to be compliant.


Suspension of Pilots and Certification is a Non-issue

Another change is that CMMC pilots and certification have been suspended. On the surface this can seem sensational, but in reality it doesn’t appear to have much impact, as there really wasn’t much reporting or information shared to suggest that the pilots ever took off in any meaningful way.

In terms of the suspension of certification, the revision states that participation in CMMC is now voluntary. In fact, complying with CMMC 1.0 had always been voluntary. Zero companies have ever been certified.

It is our belief that the government is sending a message to say that companies wanting to do business with the DoD should focus on the foundational cybersecurity practices outlined in NIST 800-171.


What it Means to Your Business

Many of the proposed changes appear to actually speed up the compliance requirements of cybersecurity, and appear to be favorable for those who are for national security and for defense contractors having mandatory, verifiable cybersecurity minimums.

If you are a defense contractor, you should plan on meeting these cybersecurity minimums as laid out in NIST 800-171, including security incident and event management, vulnerability management, asset inventory, and more. The services and products that come together to get you to compliance have not changed.


Next Steps

If you have any questions on how your organization should proceed in implementing cybersecurity controls, contact us. We understand the requirements of NIST 800-171 and can help you move forward to achieve and maintain compliance.

Watch a recording of our webinar about CMMC 2.0 and learn more about how it might impact your business.


As the discussions around the impact of the newly announced CMMC 2.0 continue to swirl, we are here to apply our knowledge to our analysis of the news. In our series of blogs on the topic, we started by discussing the context and impact for the update.

Our next topic as we highlight some of the proposed changes in CMMC 2.0, is how assessments would be impacted in the proposed 2.0 revision. Let’s examine what we know for each of the new levels as defined by the revision.

  • Level One: The assessment requirement for CMMC 2.0 Level One is the same requirement that existed already. Keep in mind that many people probably have Level One CMMC compliance on their home computers, so it’s not a very high bar to clear. 
  • Level Two: Depending on the type of information involved in your business with the DoD, Level Two requires either a third-party assessment or a self-assessment. Companies can self-assess and then have a senior company official affirm their compliance and enter the self-assessment results into the Supplier Performance Risk System (SPRS). This is not a material change from CMMC 1.0. The fact of the matter is your company is still responsible for implementing and maintaining proper cybersecurity practices. 
  • Level Three: This level requires a government assessment. Again, there is no impact. In CMMC 1.0, these programs were evaluated on a case-by-case and contract-by-contract basis and that will continue to be the case in the proposed revision.


Summary of Impact on Assessments


Level | Assessment type | Impact
CMMC 2.0, Level 1 (Foundational) | Self-assessment | No impact – same as existing requirements
CMMC 2.0, Level 2 (Advanced) | Third-party assessment required for prioritized acquisitions | No impact – same as existing requirements
CMMC 2.0, Level 2 (Advanced) | Self-assessment and affirmation | Impact unknown – aligned with existing requirements
CMMC 2.0, Level 3 (Expert) | Government assessment | No impact


As you can see, the impact on assessments is minimal. The real takeaway is that you still need one. Either complete an assessment internally or bring on a third party, but an assessment is a must-have. If you have any questions on how your organization should proceed in determining the current state of your cybersecurity, contact us. We understand the requirements of NIST SP 800-171 and can help you move forward to achieve and maintain compliance.


Next Steps

For practical, actionable next steps around CMMC 2.0 attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.


Since CMMC 2.0 was announced last month, there has been a lot of supposition around what it means. Our approach is to only examine information regarding CMMC 2.0 that has come from official government bodies or authorized government bodies, like the CMMC accreditation body and the Department of Defense.


The framework remains largely unchanged

Our analysis is that CMMC 1.0 and the proposed 2.0 revision are both grounded in Defense Federal Acquisition Regulation Supplement: Safeguarding Covered Defense Information and Cyber Incident Reporting (DFARS Clause 252.204-7012), which requires the implementation of NIST Special Publication 800-171 (NIST SP 800-171). DFARS Clause 252.204-7012 was first published in 2013 and NIST SP 800-171 in 2015, so both have been around for a while. 

It’s also important to note that CMMC 2.0 as proposed has not yet completed the federal rulemaking process. Nothing published as of this writing represents a final rule. That is all the more reason to ground your efforts in what is both final and actually required: DFARS Clause 252.204-7012 and NIST SP 800-171.

In this series of blogs, we will be highlighting some of the changes as outlined in the proposed CMMC 2.0. For a more in-depth walk-through, save your virtual seat at our upcoming webinar, CMMC 2.0: What it Means for Your Business. Register Now


Impacts of proposed changes

Below is a rundown of the changes that CMMC 2.0 looks to bring as outlined thus far, and the corresponding effect on companies looking to continue to engage with the DoD in a commercial capacity.


Proposed change: Levels 2 and 4 are projected to be eliminated.
Impact: Generally speaking, most companies were aligning to CMMC 1.0 Level 3, so the repercussion is minimal, with no material impact to the defense industrial base.

Proposed change: The naming nomenclature has changed. The new Level 1 and Level 2 are the old Level 1 and Level 3. Stated another way, the old Level 3 is now Level 2.
Impact: A change of label only; the underlying requirements are unchanged.

Proposed change: The 20 additional practices and the maturity process requirements from CMMC 1.0 Level 3 have been eliminated.
Impact: Simply stated, companies should adhere to NIST SP 800-171. Its 110 requirements have been required for the past six years, so focus there. That is plenty for most organizations to get their hands around.


Next steps

Attend our upcoming webinar on Wednesday, December 15, 2021, at 9:00am (PST) | 12:00pm (EST), to learn more about CMMC 2.0 and how it might impact your business.


As much as the workplace and cybersecurity landscape has continued to evolve over the years, one thing that has remained constant is that many of us don’t have enough time in our days to finish all the items on our to-do lists. Applying time management to your cybersecurity efforts can help you document, tackle, and complete needed tasks.

Identifying security priorities and accomplishing them while working to maintain day-to-day operations can be a huge challenge for companies with just one or two IT people on staff. How does your company keep working towards establishing better cybersecurity controls and systems, while also handling trouble tickets, creating user accounts, onboarding new team members, and more?


Project management based approach

Following a structured process can be a good start to helping you achieve your goals.


Determine your end goal – As with any project, in order to achieve success, you need to define your desired end state. Find out what’s important in your company, whether it’s getting a higher SPRS score, achieving CMMC 2.0 certification, or some other business requirement. From an enterprise security and compliance standpoint, focusing on meeting the requirements of NIST SP 800-171 is always a good idea.


Know your current state – Conduct an assessment to identify where your organization is in terms of meeting your objectives. Identify non-compliant items using a gap analysis to pinpoint all the areas where your company is not in compliance with your targeted goal. This analysis can be conducted by your internal team or by an outside expert, like CyberSheath.


Build your priority list – Based on your analysis, your next step is to build out a plan that specifies when and how you will take care of all outstanding items. This plan of action and milestones (POAM) lists each noncompliant item, outlines what you need to do to become compliant, and sets a target deadline for completing each item.


Partner with a provider to get it done faster

If you don’t have the time as a company to conduct an assessment, build a POAM, or tackle any of the action items, consider outsourcing these important tasks. Enlisting the support of a managed security service provider can help your company move more quickly and knock out some of the outstanding items on your priority list.

We’re here to help. Contact CyberSheath if you have any questions about how to achieve your cybersecurity goals.

As the cybersecurity landscape continues to evolve and threats continue to infiltrate the IT infrastructure of companies across the globe, it is more important than ever to ensure that your company and your data is protected, especially when doing business with the Department of Defense (DoD). One mechanism in place to help accomplish this herculean task is 48 CFR § 252.204-7012 – Safeguarding covered defense information and cyber incident reporting.


About DFARS 252.204-7012, paragraph (m) (Subcontracts)

The DoD is requiring compliance with this mandate to help secure the supply chain of the defense industrial base (DIB). With countless contractors and subcontractors engaging with the DoD, it can be a challenge to make sure all the companies take cybersecurity seriously.

Consider all of the different layers within the supply chain. What gets overlooked sometimes is the requirements on how each supplier needs to protect controlled unclassified information (CUI). The DFARS 7012 clause states that for every subcontract, a contractor has to flow down the original information handling requirements to the companies that they are subcontracting with.


Why is it necessary?

Foreign adversaries are collecting and piecing together information. Individual pieces of unclassified data might seem inconsequential on their own, but when aggregated they can yield intelligence about classified programs or hardware.

This clause helps limit the overall impact of information loss. By ensuring that your subcontractors guard against data breaches, you are protecting your subcontractor, your own company, and the DoD. If a cyber incident occurs at a subcontractor, the clause requires the subcontractor to report it to DoD and to pass the DoD-assigned incident report number up to the prime contractor, so every tier of the data flow knows about the incident.


What you need to do

As a contractor or subcontractor, you are required to include this clause in subcontracts or similar contractual instruments. The full text is available here.

As a prime contractor

  • Add the above clause in the contract with your subcontractor. Make sure to include all the verbiage within the contract, which states what the subcontractor is required to do.
  • Keep your subcontractors informed and accountable. Your subcontractors are potentially putting you at additional risk with how they handle the information you are flowing down to them. Any of your subcontractors hiring additional contractors below them also need to include this clause in their contracts.

As a subcontractor

  • Safeguard covered defense information by maintaining adequate security for any CUI that flows to your organization. You are held to the security requirements of NIST SP 800-171, which specifies the protections for CUI in nonfederal systems (NIST SP 800-171A contains the corresponding assessment procedures).
  • Report incidents or data breaches. Subcontractors must notify the prime contractor when submitting a request to vary from a NIST SP 800-171 security requirement, and must provide the prime with the incident report number automatically assigned by DoD when a cyber incident has been reported.


Contractors and subcontractors that are not doing this put themselves at increased risk of government penalties. Further incentivizing compliance is the escalating severity of the consequences of non-compliance, which range from loss of future contracts, and the resulting hit to your company’s bottom line, to criminal prosecution.


If you have any questions about paragraph (m) and how to secure your CUI, you can rely on the experts at CyberSheath to help. Contact us today to get started.

If you have started your journey toward Cybersecurity Maturity Model Certification (CMMC), chances are you have assessed your current state and crafted a plan of action and milestones (POAM) to help you attain compliance. As you move forward and work to address the items on your task docket, where do you start and how do you proceed?


What a POAM is and why you need one

A POAM is a document, typically an Excel spreadsheet, that’s used to outline your compliance gaps. It supplies a framework based on what you are working to achieve and helps you close the distance between where you are now and where you need to be. Templates are available to help with creating your own POAM structure. 


You need a POAM because: 

  1. The CMMC and NIST SP 800-171 compliance frameworks require it. 
  2. It identifies where your company is lacking in terms of compliance and creates a game plan to mitigate those deficiencies. There is a lot of information about what to do and how to do it–breaking it down into tasks makes it easier to understand and tackle by the people who will need to accomplish these items.


While the POAMs that we work with are IT- or compliance-based and used to support our work in implementing a technical or administrative control to meet regulatory requirements, the concept of a POAM could be expanded for any framework from privacy, financials, business operations, and more.


Moving forward and tracking progress

How you decide to proceed comes down to your corporate priority. Starting with compliance, are you looking to attain CMMC Level Three? If so, you will probably have to tackle the Level One compliance tasks and the associated DFARS issues before focusing on Level Three. You may also wonder which easy-to-remediate issues can be dealt with quickly. Working through the tasks that look to have fast implementation timelines, while still keeping an eye on company compliance priorities, can be a challenge. 


Your POAM should help you address issues such as: 

  • What is the control that was noticed to be non-compliant?
  • How was the issue with the control identified? 
  • When was the issue identified? 
  • When do you intend on addressing the issue?
  • What is the action you need to take?
  • Is this action not yet in progress, started, or completed? 


Ideally the person in charge of managing the POAMs for your company is your Chief Risk Officer (CRO). This person might hold the rolled-up, high-level version of the POAM and divide it up by functional area or by responsibility. In the absence of a CRO, it’s still good practice to have one person tracking the whole picture of project progress. 


Continuous monitoring means your POAM is a living document 

In terms of managing your POAM, it’s not only making sure that all of your controls are compliant and closing out each item on your task list. Assuming you’re looking to comply with CMMC Level 3, you also have to be able to monitor all of the 130 controls and make sure that all those controls continue to be implemented effectively.

CMMC is more than just getting to 100% compliance–it is also about maintaining your full adherence to the security controls. Maintenance never ends. As your business moves forward, you need to continuously monitor and maintain your processes in terms of preserving your compliant state.


Contact the compliance experts at CyberSheath for assistance in crafting your POAM and remediating the items. We’ve helped hundreds of organizations similar to yours meet their certification requirements. 



Risk management seeks to identify those factors or variables in your organization that would damage your company, including causing harm to operations, sales, and reputation. Securing your IT infrastructure is obviously one component of a robust risk management plan. From an organizational perspective, this monumental task typically resides under governance, risk, and compliance (GRC) and focuses on IT and cybersecurity risk mitigation. 

Most companies identify security as their Achilles heel, whether it be physical security, IT, or cybersecurity. Risk management is a Pandora’s box–there’s a lot of issues that pose risk to an organization, some of which are easily managed and others that can be apocalyptic. The benefit of having a risk management program is it allows you to identify what is in your Pandora’s box and to start preparing in case any of these issues arise in your environment.


Linking risk management to CMMC

The new-ish Cybersecurity Maturity Model Certification (CMMC) has multiple levels based on the business you are conducting and the type of information you have access to. For instance, level one focuses on basic safeguarding, making sure you have the fundamental capabilities and functions in place. Level three of CMMC starts to require managed processes, and that’s where risk management becomes a bigger deal. Specifically, risk management is first referenced in CMMC level two, but not many companies focus on achieving that level.

In terms of level three being a managed program maturity level, you need to identify what those risks are to the management of your program. It could be the standard bad actors and nation states that everybody hears about in the news or other things related to your competition. In terms of managed processes, CMMC specifically requires that you ensure your processes are repeatable. 


What CMMC mandates in terms of risk management

  • Level 1 – At this stage, risk management is not a priority from a compliance standpoint.
  • Level 2 – At this point, CMMC starts talking about assessing the operational risk as it relates to mission, function, image, and reputation. Risks to assets and individuals resulting from controlled unclassified information (CUI) processing, storage, and transmission operation are also referenced, but there is no detail on what is required to actively manage your risk.
  • Level 3 – Here is where risk management and assessments should become more repeatable, approaching cyclical (typically monthly or quarterly). These assessments need to be conducted against predefined risk categories, sources, or measurements, and they feed risk mitigation plans, which delineate how each risk will be resolved. 

As you pursue your CMMC certification, it is important to have a holistic view of risk management. From a CMMC or a DFARS/NIST SP 800-171 assessment perspective, your IT team is always a key player. Involving HR, Finance, and the C-suite also makes sense, as all risk is interconnected. For example, if you have an IT breach and it gets in the news, your reputation is affected, which impacts sales and in turn company finances, raising concern over the future of the company. 


Getting started

There are some simple steps to take as you form your risk management strategy.

  • Identify your target. It’s very difficult to know how to proceed if you don’t know what your desired end state is. Are you looking for compliance or certification with CMMC, ISO, or Sarbanes-Oxley? Are you addressing privacy under the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA)? Know your goal. For CMMC, are you looking for level one or level three compliance? Or are you simply looking to log your NIST SP 800-171 assessment score into the Supplier Performance Risk System (SPRS)? 
  • Discover where you are in relation to your goal. Perform your assessment and create the foundation of your current state in relation to the target. In other words, determine that ‘this is where we are’ in relation to ‘that is where we want to be’.
  • Build your plan to reach your target. Once you’ve identified your goal and know your current state, it’s time to start crafting how you take the steps to reach your risk management objective.


If you have any questions about how to get started with your risk assessment and management plans about your organization’s IT security, contact the experts at CyberSheath. We are well-versed in CMMC controls and have deep expertise helping companies meet their compliance goals. Contact us today.

There has always been a risk of losing business for defense contractors that haven’t achieved compliance. That threat alone wasn’t compelling enough for the Department of Justice (DOJ), which has vowed to crack down on contractors that fail to follow required cybersecurity standards.


As we heard from Aries Security CEO Brian Markus at CMMC Con 2021, the False Claims Act has a huge influence on the Defense Industrial Base (DIB) and that legal avenue is how the DOJ says it will levy fines.


“Everyone’s role as a defense contractor is to protect the information that the government’s entrusting you with,” Markus said. “If you’re a small [contractor], it actually, in some cases, is more important and more critical because the smalls tend to have less security and the threat actors have been picking them off one by one. The nation-state attackers are able to see what the government is ordering, how many, when they’re ordering them, so they can get an understanding of what we’re actually doing as a nation and how we’re doing it.”


CMMC-AB vice chairman Jeff Dalton raised similar concerns at CMMC Con 2021, saying, “adversaries are after our intellectual property.” The willingness of nations to hack into others’ systems is expected to rise.


Dr. Robert Spalding shared at CMMC Con 2021 that artificial intelligence (AI) and quantum computing could further complicate foreign relations in the coming years. This will mark the period of a “second cold war.” Geography is a defining matrix of competition and governments will favor cyberwarfare as a means of avoiding mass casualties and destruction.


What’s at stake for a lapse in security is now too valuable for the federal government to rely simply on self-assessments or let compliance go unchecked. Contractors should have been compliant all along and now the pressure has increased to prove it. We wrote the book on how contractors should get started with CMMC, a clear playbook for how to navigate the process of compliance. We should know. CyberSheath has been performing assessments for years.


CMMC will remain important as the security landscape continues to change. Tenable CEO Amit Yoran, the keynote speaker at CMMC Con 2021, noted the government is now just as involved as private companies in cybersecurity.


“Minimum standards for security are an absolute necessity to follow,” Yoran said. “We’d really like a level of visibility, understanding, and accountability. Establish levels of care and identify what negligence looks like. Once we achieve this, we can make progress on a long-term basis. We can stop a majority of attacks today by following these standards.”


If you missed out on CMMC Con 2021, catch up with a full recording of the day’s events and speakers.

With increased security breaches and an ever-evolving threat landscape, cybersecurity in the government space continues to be a growing field offering a fulfilling career path. Factor in the added challenge of meeting security requirements like the new Cybersecurity Maturity Model Certification (CMMC), which helps protect important information shared with the Department of Defense (DoD), and it is clear that job opportunities in this space will continue to be prevalent for a long time to come.

So, whether you are a student nearing graduation or a professional looking to change career direction, cybersecurity might offer what you are seeking. We sat down to talk with our summer intern, Smriti, to get her thoughts on what she learned about pursuing a career in cybersecurity and how her time with us has taught her a lot that she can’t learn in the classroom. 


“With cybersecurity, you’re helping people. Cybersecurity is a way that you can keep people safe on the internet.”

– Smriti Simlot, CyberSheath Summer Intern



Setting the stage to pursue cybersecurity

As a computer science major, graduating in December, Smriti is perfectly positioned to take advantage of the growing urgency for cybersecurity experts. Although she is skilled in computer science, the internship gave her the chance to experience cybersecurity firsthand for the first time. She says, “I want to do cybersecurity because even though I’m a computer science major, when I have a job, I don’t just want to program all day every day. What I like about this field is the only programming that you really do is to make your life easier. For example, if you don’t feel like doing something by hand, you can write some code and it can just do it itself. So it’s programming with the purpose.”

Adding to that thought, she continues, “With cybersecurity, you’re helping people. Cybersecurity is a way that you can keep people safe on the internet.”


On the job learning

Learning by doing is a powerful and effective approach. Many people are not great auditory or visual learners, but can understand a concept and achieve mastery by applying knowledge and performing a skill. 

“I’ve learned a lot because I work in the security operation center, which is where we monitor the networks of companies and get alerts for suspicious activity. I’ve seen the different attacks that can happen and the things people do that can make their accounts more vulnerable. Also, I’ve become familiar with technology that I’ve never used before, like Azure and other cloud-based services that are popular now. It’s also exciting to witness the practical application of what you’re doing and see that it really makes a good impact for the customer.”


Cybersecurity is not just about technical skills 

People skills are also necessary in cybersecurity. “I think what has surprised me is how much the security team talks to the customer. I thought they would be in the background, doing their own thing. But they are always talking to customers, making sure activity is normal, going over our security procedures, or discussing other topics.”

“Everyone I’ve met at CyberSheath has been so patient with me. They took the time to explain things to me–and that has helped me be successful.”


Pointers on how to take the next step

  • Look on different job boards to see what skill sets and experience companies are looking for as this sets a good starting point for your search.
  • Consider getting applicable certifications that make sense for the path you wish to take.
  • Take the time to research companies that need help and contact them.
  • Don’t dismiss small to mid-size companies or organizations you may not have heard of– you might wind up somewhere that you never expected to and love it. Working for a smaller company also affords you the chance to see things end-to-end, do stuff that matters, and have a larger, more strategic view.
  • If you have the skills, be confident that you will find the right opportunity.


 “Smriti has been an incredible asset to the team and I’ve been amazed how she’s hit the ground running. She’s worked on several projects to enhance our DevOps focused Security Operations Center and I look forward to her continued contributions!” 

– Brett Powers, Vice President of Operations


In the meantime, Smriti is continuing to intern at CyberSheath for the next semester and get ready for graduation. 

If you think a career in cybersecurity is right for you and that you have what it takes to join our team, check out our open positions


Determining whether you’re positioned to contract with the government can be intimidating. Requirements include registration with various databases, meeting standards, and of course, compliance with CMMC.


Fortunately, help is available free of charge through Procurement Technical Assistance Centers (PTACs).  And at CyberSheath’s CMMC Con 2021, we’re bringing together three PTAC executives for a panel to answer your most pressing contracting questions.


The panel will include Jodi Essex, PTAC Director for Iowa; Frank Migneco, PTAC Director for the NEPA Alliance; and Thomas Gerke, Regional Manager for PTAC in Utah. Essex has procurement experience in both the public and private sectors, including time at Iowa State University. Migneco has more than 20 years of experience working for an investor-owned utility in New Jersey managing a $35 million per year program portfolio. Gerke has 40 years of experience in government supply chain and logistics processes.


With 95 PTACs across the country, companies can get 1-on-1 counseling and assistance in their journey to contract with the government. Services include matchmaking and “meet the buyers” events, as well as training workshops.


The PTAC panel’s session will be held at 11:30 a.m. EDT followed by a LIVE Q&A during CMMC Con on Sept. 29. Register for CMMC Con 2021 now to join the discussion and learn more about no-cost resources available to assist companies with cybersecurity compliance.

Cybersecurity has become a priority in Washington with efforts beyond the executive order President Biden laid out in May. This month, the Cybersecurity and Infrastructure Security Agency (CISA) and Office of Management and Budget (OMB) offered technical guidance documents and are seeking public feedback on a venture to move the U.S. government toward a zero-trust model.

Contractors in the Defense Industrial Base (DIB) may know of zero trust as a vehicle to accomplish Cybersecurity Maturity Model Certification (CMMC) compliance. A memo from the OMB requires federal agencies to achieve specific zero-trust security goals by the end of 2024.

The government is getting more serious about tightening up cybersecurity and the scope of requirements is growing.

Amit Yoran, chairman and CEO of Tenable, will offer insight on what the government has done so far and what more it needs to do to address cybersecurity in the United States when he delivers his keynote address at CyberSheath’s CMMC Con 2021.

Yoran sits on the board of directors for the Center for Internet Security, previously served as president of RSA Security, and was the founding director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security. He will speak with CyberSheath CEO Eric Noonan about government actions and what companies can do to shore up their own cybersecurity outside of federal regulations.

Register for CMMC Con 2021 now to see Yoran’s address and understand more about the government’s growing role in cybersecurity compliance.

Meeting the requirements of DFARS and Cybersecurity Maturity Model Certification (CMMC) can seem daunting. The good news is that if you take a measured, informed approach, your organization can begin to take the necessary steps it needs to achieve and maintain compliance and, in doing so, continue to be eligible to secure lucrative contracts with the Department of Defense (DoD).


CyberSheath recently conducted training to help support the defense contractor community in meeting their compliance objectives. Our five-part cybersecurity compliance training covered a range of topics and gave attendees the knowledge and tools they needed to be successful. At the conclusion of the training module, participants who successfully completed the entire ninja training course achieved Black Belt status. Register now for CMMC Con 2021 to see the Black Belt ninjas’ names displayed in honor of their dedication to the training.


Steps to CMMC compliance

Here’s what we shared during our training to help participants prepare for the complexities and challenges of meeting the DoD regulatory requirements. 

Step 1 – Identify controlled unclassified information (CUI)

Protecting sensitive information starts with understanding the various information categories. The next step is being able to map the information your company holds to the contracting regulations you must adhere to. Depending on your relationship with the Department of Defense (DoD), there are a number of requirements to protect non-public information (NPI).

Information types include:

  • Federal Contract Information (FCI) – Non-public information associated with a federal contract. CMMC offers this description, “FCI means information provided by or generated for the Government under a contract not intended for public release.”
  • Covered Defense Information (CDI) – A form of CUI that is developed under a DOD contract. It is non-public information where a specific law, regulation, or government-wide policy is published that requires that information to be protected in some manner. 
  • CUI – Established by Executive Order 13556 as a way to standardize how to handle sensitive but unclassified information. According to this order, “CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”


Step 2 – Conduct an assessment

An important step toward achieving CMMC compliance at any level is to know what your starting point is. By accurately assessing your current state, you can figure out exactly what steps need to be taken to become compliant. Before getting started, determine which level of CMMC compliance you need to attain. 

  • Level 1 – Compliance with this level demonstrates the basic cyber hygiene required for contractors receiving FCI. It covers 17 controls across six domains.
  • Level 3 – This level is required for companies having CUI data. Compliance requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. It covers 130 controls across 17 domains.

Here are some guidelines. 

  • Start with an assessment kickoff to gather the required team, discuss the CMMC framework, outline the in-scope environment, and craft a schedule.
  • Interview key personnel, complete applicable attestations, and collect relevant artifacts.
  • Analyze all the information you have assembled and compile an initial score as pertains to the controls you have already demonstrably implemented.
  • Create a report detailing the current state including an executive summary, DFARS interim scoring rule, key observations and recommendations, and a detailed analysis of each practice.
  • Present and discuss assessment results, key compliance findings, and the path forward.


Step 3 – Submit your current status to the SPRS

Once you have assessed your current state and mapped your organization’s compliance against the 110 NIST SP 800-171 requirements (the basis of the DoD Assessment score that SPRS accepts), it’s time to log that score into the Supplier Performance Risk System (SPRS).

Note that admitting deficiencies can seem counter intuitive, but establishing a cybersecurity baseline for your company, and then working to improve your score–making sure to update it as you comply with controls–is a good way to show your commitment to achieving full compliance.

Here is how you can get started.

  • Set up your account by visiting the Procurement Integrated Enterprise Environment (PIEE) website and entering the required information.
  • Access the SPRS by selecting it from the drop-down menu.
  • Select ‘SPRS Cyber Vendor User’.
  • Add roles.
  • Complete the agreement.
  • Have the administrator linked to your CAGE code approve your account.
  • Submit your assessment score.


Step 4 – Draft your SSP and POA&M

The system security plan (SSP) and plan of action and milestones (POA&M) provide a foundation for your remediation efforts as you work to close all of your company’s cybersecurity compliance gaps.

  • SSP – Outline how your organization manages cybersecurity and determine which approach makes sense for your environment – an organizational, system-focused, hybrid or shared compliance plan. Make sure your document includes systems information, control narratives, diagrams, artifacts, and more.

  • POA&M – This is a corrective action tracking mechanism. Here are the key questions to address as you develop your own POA&M.

  • What are the actions that you need to take to implement each control?
  • When do you plan to have each action completed? Include interim completion dates.
  • Who is responsible for managing and completing each action?
  • What is the compliance impact, estimated cost, and risk of each?
  • How was the weakness that requires this action identified?
  • Which control does this action correspond to and address?
  • What is the status? Is this action ongoing or completed?


Step 5 – Implement controls and manage compliance

Addressing security measures can seem like a huge task, as your organization must meet all 130 controls to be CMMC compliant. Here’s an overview of how to tackle this endeavor, divided into general control categories.

  • Security Monitoring Controls
    • Security Information and Event Management (SIEM) – Regular review of logs is a key part of CMMC and NIST SP 800-171 compliance, as well as a general best practice. Keep in mind that aggregating and reviewing the massive volume of logs is not practical to accomplish with manual processes.
    • Vulnerability Scanning – Vulnerability and patch management strategy is an essential requirement to meet CMMC. Unpatched vulnerabilities are often used by threat actors to exploit systems, leading to ransomware and data theft.
  • IT Infrastructure Controls – IT infrastructure refers to all of your company’s hardware and software, both on-premises and in the cloud. Many companies struggle to implement controls in environments where CUI is stored on-premises on older, unsupported hardware and software, which puts CUI at risk.
  • Policy and Administrative Controls – One of the key points in gaining CMMC compliance is ensuring that your controls have maturity. Make sure you are capturing what technology you are putting in place and the processes of implementing and managing that technology. 


No matter how skilled you and your organization are, we can support your path to compliance with CMMC. Engage with us for as much as you need. Our team is happy to partner with your internal resources to help you reach your compliance goals. Contact us to learn more.


RESTON, Va. — Sept. 8, 2021 Leading managed CMMC compliance provider CyberSheath announced today that Amit Yoran will provide the keynote address at CMMC Con, the nation’s largest CMMC conference. The virtual, one-day conference kicks off at 9 a.m. EDT on Wednesday, September 29, 2021. Registration for the event is still available.


Yoran, the chairman and CEO of Tenable, sits on the board of directors for the Center for Internet Security, previously served as president of RSA Security, and was the founding director of the United States Computer Emergency Readiness Team (US-CERT) program in the U.S. Department of Homeland Security. Yoran will speak with CyberSheath CEO Eric Noonan on President Biden’s executive order on cybersecurity, what other governmental efforts are necessary to shore up cybersecurity, and what actions companies can take to better protect themselves from attacks.


CMMC Con will also include a discussion with Aries Security CEO Brian Markus and lawyer Greg Thyberg speaking on the False Claims Act case, a panel on Procurement Technical Assistance Centers (PTACs) with a live Q&A, and a session hosted by Microsoft on evolving technology.


Microsoft, a platinum sponsor for the event, will cover Microsoft 365 and Azure in its session, with a focus on CMMC ML3 preparations, and leveraging government cloud offerings. Phil West, U.S. National Director of Modern Work and Security at Microsoft, will be speaking at the session.


“Last year we saw a huge response from attendees before CMMC compliance was even required,” Noonan said. “Now that it has taken effect, and the need for comprehensive cybersecurity is greater than ever, we look forward to equipping contractors in the Defense Industrial Base (DIB) with a greater understanding of the evolving threat landscape and tools to help them face those challenges.”


CyberSheath recently conducted free training to support the defense contractor community to meet their compliance objectives. The five-part compliance training covered a range of topics and prepared attendees with the knowledge and tools that will make them successful. At the end of the training module, 30 participants were awarded “black belt” status. Those that received black belts will be honored at CMMC Con 2021 through the displaying of their names at the event.


About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at


As a defense contractor, you are eager to get your company compliant with the Cybersecurity Maturity Model Certification (CMMC). You’ve assessed your organization for CMMC readiness, documented your system security plan (SSP), formulated your plans of actions and milestones (POAMs)–and now it’s time to get it all done and implement any outstanding controls. How do you start? And what should you know before you dive in?

Where to start in securing your environment

If you are at the implementation stage, then you know there are 130 controls required to protect controlled unclassified information (CUI). Addressing all of these security measures can seem like a daunting task, as your organization must meet all 130 controls to be CMMC compliant. Let’s discuss the controls by general category.


Security Monitoring Controls

Security Information and Event Management (SIEM)

Regular review of logs is a key part of CMMC and NIST SP 800-171 compliance, and a general best practice besides. However, aggregating and reviewing the massive volume of logs is not practical to accomplish with manual processes.

Recommended tools: Microsoft Sentinel or Splunk

These tools ingest large volumes of data and correlate it; then, based on the analytic rules enabled inside the SIEM, they escalate events of interest to you. This allows you and your analysts to narrow your focus to determining whether there really is an incident in your environment.
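As an added example, not code from the original page or from CyberSheath, here is the kind of analytic rule a SIEM runs so that analysts see only the events of interest; it illustrates both this section and the SIEM bullet under Step 5 above. The log line format and the sample lines are constructed for the example; in Microsoft Sentinel or Splunk the same logic would be written as a KQL or SPL rule over the real authentication logs. The rule: five or more failed logons from one source address within two minutes, followed by a successful logon from that same address, is escalated as a probable brute-force or credential-stuffing success.

```python
"""Minimal SIEM-style correlation rule over constructed authentication logs.

Added example (not CyberSheath's code). The log format below is assumed:
    <ISO timestamp> auth <FAIL|OK> user=<name> src=<ip>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5            # failures that make a following success suspicious
WINDOW = timedelta(minutes=2)   # how long a failure stays relevant

# Constructed sample lines: one source that brute-forces and then succeeds,
# one benign typo-then-success, and one whose failures aged out of the window.
SAMPLE_LOGS = """\
2021-09-01T08:00:01 auth FAIL user=jsmith src=203.0.113.7
2021-09-01T08:00:03 auth FAIL user=jsmith src=203.0.113.7
2021-09-01T08:00:04 auth FAIL user=mjones src=203.0.113.7
2021-09-01T08:00:06 auth FAIL user=jsmith src=203.0.113.7
2021-09-01T08:00:09 auth FAIL user=admin src=203.0.113.7
2021-09-01T08:00:11 auth OK user=jsmith src=203.0.113.7
2021-09-01T08:05:00 auth FAIL user=bob src=198.51.100.2
2021-09-01T08:05:30 auth OK user=bob src=198.51.100.2
2021-09-01T09:00:00 auth FAIL user=jsmith src=192.0.2.9
2021-09-01T09:01:00 auth FAIL user=jsmith src=192.0.2.9
2021-09-01T09:30:00 auth OK user=jsmith src=192.0.2.9
"""


def parse_line(line):
    """Turn one assumed-format log line into a dict of fields."""
    ts, _, result, user, src = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
    }


def correlate(lines):
    """Return one alert per source whose success follows >= FAILED_THRESHOLD
    failures inside WINDOW. Everything else is left in the log for routine review."""
    recent_failures = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        q = recent_failures[ev["src"]]
        # Expire failures older than the window relative to this event.
        while q and ev["ts"] - q[0] > WINDOW:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        elif ev["result"] == "OK" and len(q) >= FAILED_THRESHOLD:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures_in_window": len(q),
                "success_at": ev["ts"].isoformat(),
            })
            q.clear()   # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print("ESCALATE:", alert)
```

Only the 203.0.113.7 burst is escalated: the single failure from 198.51.100.2 is below the threshold, and the two failures from 192.0.2.9 fell out of the two-minute window before the success. Tuning the threshold and window per environment is exactly the work the text describes as enabling analytic alerts inside the SIEM.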


Vulnerability Scanning

Vulnerability and patch management strategy is an essential requirement to meet CMMC. Unpatched vulnerabilities are often utilized by threat actors to exploit systems, leading to ransomware and data theft.

Recommended tools: Tenable and Qualys

These solutions are run in client environments to determine what vulnerabilities exist, and what patches are needed in the environment.


IT Infrastructure Controls

IT infrastructure refers to all of your company’s hardware and software, both on-premises and in the cloud. Many companies struggle to implement controls in environments where CUI is stored on-premises on older, unsupported hardware and software, which puts CUI at risk.

Shadow IT, meaning servers that individuals inside the organization spin up in AWS, Azure, or Google Cloud outside of your managed environment, may also need to be addressed under CMMC if those resources handle CUI.


Policy and Administrative Controls

One of the key points in gaining CMMC compliance is ensuring that your controls have maturity. A POAM and SSP are both great tools to help you get there. Having documents including policies, plans, and standards explaining what the control is and how the company achieves each control is important.

Make sure you are capturing what technology you’re putting in place and the processes of implementing and managing that technology. Also create documentation about how to perform a specific function in the environment, including an incident response, vulnerability management, and risk management plans. Be mindful that these plans need to be understood, actively used, and approved across the organization.


Enclave Strategy

As your organization works to implement these controls, it might make sense to consider strategies to help you gain compliance, like creating an enclave. This is a way for companies to secure CUI without re-architecting their entire environment.

By embracing cloud infrastructure, companies can quickly stand up and secure CUI through several methods.

  • External CUI Communication – There may be times when you are working with a partner on CUI. You may not want them to have access to your environment, and you may want a tightly controlled enclave where it is clear who is accessing that documentation. In this scenario, host the shared documents in a SharePoint site inside a GCC tenant.
  • Hybrid Cloud – This approach segments the data while reusing your existing Active Directory authentication structure, and adds an area inside the cloud for segmentation and data storage. Controls around that data secure it, and individuals who are not cleared internally cannot access it.
  • Private Cloud – This approach uses an entirely separate cloud infrastructure for hosting CUI, including controls around servers and desktops, encompassing everything that resides in the cloud tenant. It reduces the control burden on users who do not need access to CUI and is a strong option for ensuring that CUI is protected.


Helpful Resources

Securing your infrastructure can be an intensive process as every environment is different. Microsoft has released a great tool mapping their products to CMMC, so you can easily visualize what tools will help you meet CMMC Level 3 compliance. 

Download Microsoft mapping tool 


No matter what stage your organization is at in working to gain CMMC compliance, the team at CyberSheath can help. From assessments and creation of SSP and POAMs to remediation and compliance management–we have the knowledge, skills, and experience to help your organization get it done. Contact us today.

As more resources move to the cloud and users increasingly work remotely, the National Security Agency issued new cybersecurity guidance. It had a line of particular importance for those companies that must meet CMMC compliance.


“NSA strongly recommends that a zero-trust security model be considered for all critical networks within National Security Systems, the Department of Defense’s critical networks, and Defense Industrial Base critical networks and systems,” the agency wrote in a February report.


The zero-trust model will evolve contractors’ compliance strategies as the CMMC rollout continues but could be key for companies outside the DIB also, because CMMC compliance may soon be required for a larger scope of contractors. The General Services Administration’s (GSA) STARS III solicitation states, “(w)hile CMMC is currently a DoD requirement, it may also have utility as a baseline for civilian acquisitions.”


Keith Nakasone, former deputy assistant commissioner of acquisition management for the GSA, will join CMMC Con to address how CMMC may soon be a requirement for all federal contracts.


Nakasone joined VMware as a federal strategist in June, after spending more than four years with the GSA. There, he oversaw roughly 300 procurement personnel and contracts worth more than $30 billion per year. Nakasone, who has 32 years of government experience, previously had senior procurement roles at the Federal Communications Commission and Defense Information Systems Agency.


Nakasone will join CyberSheath Vice President of Security Services Carl Herberger for a question and answer session on CMMC and supply chain security for all small companies working as contractors for the U.S. government. Register for CMMC Con 2021 now to join the discussion and learn how CMMC applies beyond the DoD.

A look at recent headlines would have you believe that the biggest risks for CMMC noncompliance are exposed data and ransomware demands. But many organizations are exposed to a much different kind of risk, according to an ongoing case that involves a DIB contractor.


In September 2015, Aerojet Rocketdyne Holdings, Inc. laid off Brian Markus, its CISO, two months after Markus refused to sign a document that claimed the company had met compliance and instead authored an internal memo noting his concerns. Markus, now the CEO and co-founder of Aries Security, filed suit the next month under the False Claims Act.


The suit was filed qui tam, meaning Markus can sue on behalf of the federal government, and was later amended to allege that Aerojet Rocketdyne terminated his employment because of his efforts to stop the company from defrauding the government. The ongoing case is due to be heard before a jury next March.


Markus holds several licenses and certifications in cybersecurity and is a member of the President’s National Security Telecommunications Advisory Committee. Prior to joining Aerojet Rocketdyne, Markus spent eight years at Raytheon in senior IT security and management roles and 10 years as a “security goon” for DEF CON, one of the world’s most notorious hacker conventions.


Markus, along with lawyer Greg Thyberg, will join CyberSheath vice president of security services Carl Herberger for a discussion about the importance of cybersecurity compliance for contractors within the DIB. Register for CMMC Con 2021 now to see the discussion and understand more about how the False Claims Act applies to the world of cybersecurity compliance.

It should come as no surprise that since the start of the COVID pandemic, the way that companies work has changed. Today, organizations are supporting a more dynamic, dispersed workforce powered by cloud services. As a result, end users gain an environment that is as robust as their experience in the on-prem office location, allowing them to access the file services and relevant databases that they need and providing the same or higher security than they had before.

Research the advantages of migrating your data

As your organization researches the advantages of migrating your data from your on-prem environments into the cloud, take the time to think about and act on these issues:

  1. Review your IT infrastructure and understand what you have. Perform an analysis of your existing IT resources and assets and figure out how your staff uses your environment. It’s a great opportunity to go through your servers, assess your approach, re-inventory your assets, and decide the future of your data. You can take the opportunity to consolidate equipment and applications, and determine how to move forward. Above all, make sure that your end-solution matches what your company needs in terms of technology, resilience, and reliability.
  2. Know that cloud is not always cheaper. While there are opportunities for your company to realize cost savings, understand that migrating to and operating in the cloud carries its own expense. There are benefits that usually outweigh those costs, including dependability and better, more streamlined management. These benefits often result in reduced staffing needs and other monetary savings. If you are knowledgeable and informed, you can reduce costs while improving the uptime and reliability of the actual services.
  3. Understand your strategy. Know your priorities in terms of moving to the cloud and running it efficiently. As every use of the cloud has a cost, running things there effectively is very important. Only use and run what you need to in this environment. Be smart: migrate what makes sense for your business and your bottom line.


Moving forward with your cloud migration

Each migration is very different, but all follow the same general approach. Here are some tips:

  • Start with analyzing what you have and coming up with a strategy of what it is you want to move into the cloud and what your plan is in terms of the services that you need high availability on.
  • Know what, if any, services will remain on-premise.
  • Break down things like applications that you have and determine whether you want to move them to be pure cloud applications.
  • Go through your file servers and weed out files that are very old as you might not want to move them to the cloud and instead might want to archive them.
  • Don’t be afraid to redesign things as part of your migration plan.
  • Make sure you have good backups of everything–yes, everything.
  • Install the appropriate agents and tools to pick your services up and move them up into the cloud.
  • Make sure that you still have connectivity to everything, perform testing, and migrate.


If you have any questions about crafting your migration plan, give the CyberSheath team a call. Having an expert help you analyze what you have currently, and come up with a solid plan to determine how or where you’re going to move things, whether to a data center, keeping it on-prem, or moving it to the cloud, can provide the necessary knowledge and assurance your company needs to have a successful migration. Contact us to get started.


The cyber universe has become the next battlefield–a place where threat actors, malicious entities, cyber criminals, activists, and nation states are challenging U.S. hegemony globally. We’ve seen instances where millions, or even billions, of dollars of research and decades’ worth of work have been stolen by hostile nation states. Against this backdrop, it is imperative to secure the supply chain to help prevent cyberattacks from impacting the U.S. Department of Defense (DoD).

The DoD created the Cybersecurity Maturity Model Certification (CMMC) to address these threats and help secure the defense industrial base. Prior to CMMC, the DoD leveraged compliance with Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171 to set standards for supply chain cybersecurity. So how well are defense contractors implementing these requirements–and which controls are the most problematic?

Let’s look at the data.


How we collected the data

Over the past several years CyberSheath has conducted more than 600 assessments to determine NIST and CMMC readiness for a wide variety of organizations. Here is a demographic snapshot of the clients evaluated:

  • 86% privately held
  • $3M to $5B+ revenue
  • 10 to 100K+ employees
  • Industries: manufacturing, aerospace and defense, construction, telecommunications, retail, business services, software, and energy, utilities and waste industries
  • SPRS scores of -175 and as high as +10


Supplier Performance Risk System (SPRS): Note that since the DFARS interim rule (DFARS 252.204-7019 and 252.204-7020) took effect in November 2020, the government requires you to have an overall score regarding your cybersecurity compliance status. This SPRS score is determined using the DoD Assessment Methodology for NIST SP 800-171, which scores where you stand on each of the 110 requirements. Contracting officers use these results to evaluate cybersecurity risk when issuing contracts. The score ranges from -203 to +110.


The top 5 failing controls

After we analyzed the data from the assessments we performed, we were able to determine the controls that companies most often had not fully or properly implemented. The list is rather astounding in that two-thirds to three-quarters of the companies we have assessed are noncompliant in these controls.


  1. Access Control – AC.2.016: Control the flow of CUI in accordance with approved authorizations. Non-compliance: 66%
  2. Configuration Management – CM.2.064: Establish and enforce security configuration settings for information technology products employed in organizational systems. Non-compliance: 69%
  3. Identification and Authentication – IA.3.083: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. Non-compliance: 71%
  4. Incident Response – IR.3.099: Test the organizational incident response capability. Non-compliance: 69%
  5. Media Protection – MP.3.122: Mark media with necessary CUI markings and distribution limitations. Non-compliance: 74%


This list provides a great indication of where your company should focus its initial investment. If you only have a limited amount of dollars to work with, prioritizing these requirements in the short term might make sense but in the long term CMMC compliance is an all or nothing proposition.

In the short term…How to increase your SPRS score

Let us walk through an example of the impact of the assessment, findings, and recommendations that we at CyberSheath provide to clients. Typically, a report would open with a statement noting that the assessed company has a significant amount of work to become compliant with the DFARS mandate and to close all identified DFARS and CMMC gaps.

Key recommendations are made to outline corrective actions which are typically heavy-lift items taking significant resources and time to implement. Throughout the report, we identify additional items that represent significant risk to the organization’s environment that should be addressed as soon as possible.

We then provide specific guidance on which controls should be implemented to lift the company’s SPRS score up 50 or more points. For example:

  • Security Governance Practices – 6 Controls – DoD Scoring Impact: +13 Points
  • Vulnerability Management – 4 Controls – DoD Scoring Impact: +11 Points
  • Incident Response Planning – 7 Controls – DoD Scoring Impact: +11 Points
  • Logging and Monitoring – 10 Controls – DoD Scoring Impact: +21 Points
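To make the scoring concrete for both the SPRS note above and the point lifts listed here, this added example (not CyberSheath's code) computes a DoD Assessment Methodology score from a list of gaps and the lift from closing some of them. The methodology facts it relies on: there are 110 NIST SP 800-171 requirements, 110 is a perfect score, each unimplemented requirement subtracts 1, 3 or 5 points, the floor is -203, and two requirements carry partial credit (3.5.3, multifactor authentication, and 3.13.11, FIPS-validated cryptography, each subtract 3 instead of 5 when partially met). The per-requirement weights in the code are assumed, illustrative values; the authoritative table is Annex A of the methodology, and the 20 CMMC Level 3 practices beyond NIST SP 800-171 carry no SPRS value at all.

```python
"""SPRS score calculator for NIST SP 800-171 gaps (DoD Assessment Methodology).

Added example, not CyberSheath's code. Weights below are illustrative
assumptions; take the real ones from Annex A of the methodology.
"""

MAX_SCORE = 110    # all 110 requirements implemented
MIN_SCORE = -203   # nothing implemented: 110 minus the 313 total weight

# ASSUMED illustrative weights, keyed by NIST SP 800-171 requirement number.
# The CMMC 1.0 practice each maps to is noted for reference.
WEIGHTS = {
    "3.1.3": 1,     # control the flow of CUI                (AC.2.016)
    "3.4.2": 5,     # enforce security configuration settings (CM.2.064)
    "3.5.3": 5,     # multifactor authentication              (IA.3.083)
    "3.6.3": 1,     # test incident response capability       (IR.3.099)
    "3.8.4": 1,     # mark media with CUI markings            (MP.3.122)
    "3.13.11": 5,   # FIPS-validated cryptography
}

# Deduction when the requirement is partially met, per the methodology.
PARTIAL_CREDIT = {
    "3.5.3": 3,     # MFA for remote and privileged users, but not general users
    "3.13.11": 3,   # encryption in use, but not FIPS-validated
}


def deduction(requirement, partial=False):
    """Points subtracted for one requirement that is not fully implemented."""
    if requirement not in WEIGHTS:
        raise KeyError(f"no weight known for {requirement}")
    if partial:
        if requirement not in PARTIAL_CREDIT:
            raise ValueError(f"{requirement} has no partial-credit rule")
        return PARTIAL_CREDIT[requirement]
    return WEIGHTS[requirement]


def sprs_score(gaps):
    """gaps maps requirement -> True (not implemented) or "partial".
    Anything not listed is taken as fully implemented."""
    total = sum(deduction(req, partial=(state == "partial"))
                for req, state in gaps.items())
    return max(MIN_SCORE, MAX_SCORE - total)


def score_lift(gaps, closed):
    """Points gained by fully implementing the requirements in `closed`
    (the POA&M items being worked off)."""
    remaining = {req: state for req, state in gaps.items() if req not in closed}
    return sprs_score(remaining) - sprs_score(gaps)


# Constructed example: the five most-failed controls from the table above,
# with MFA partially deployed, plus non-FIPS encryption.
EXAMPLE_GAPS = {
    "3.1.3": True,
    "3.4.2": True,
    "3.5.3": "partial",
    "3.6.3": True,
    "3.8.4": True,
    "3.13.11": True,
}

if __name__ == "__main__":
    print("current score:", sprs_score(EXAMPLE_GAPS))
    print("lift from closing 3.4.2 and 3.13.11:",
          score_lift(EXAMPLE_GAPS, {"3.4.2", "3.13.11"}))
```

The example starts at 94 (110 minus 1+5+3+1+1+5) and gains 10 points from the two 5-point items, which is the arithmetic behind prioritizing remediation by scoring impact: a handful of 5-point controls moves the score far more than many 1-point ones, even though, as the text says, certification itself is all or nothing.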


For the long term…CMMC ML3 Data enclave use cases

Part of the compliance challenges you face could be addressed by establishing data enclaves, which will also have a positive impact on your SPRS score. Here are cascading use cases on how enclaves could help your organization.

  • Level 1: Data vault and collaboration SharePoint libraries – This secure SharePoint enclave can be hosted in GCC High or a commercial cloud depending on whether data is subject to export.
  • Level 2: Windows Virtual Desktop, SharePoint, Microsoft Office applications, and OneDrive – This approach is secured using Active Directory partitions and Windows Virtual Desktop. Desktops are shared, but data security is enforced to CMMC compliance standards. It suits users who only need Office applications, SharePoint Online, and OneDrive; there is no option to host private application servers.
  • Level 3: Level 2 plus private applications – Customers are segregated on private network segments with network security boundaries adding security beyond Active Directory partitioning. Desktops are private and only accessed by a single company. There is an option available for private application servers on the customer network segment. This approach works well for users looking for an affordable cloud platform while needing to use custom applications or file servers.
  • Level 4: All business operations enclaved – In this approach, all servers and desktops reside in the customer’s MS Azure tenant. Users access the environment using corporate credentials. It is the most expensive option, as all components including Active Directory are completely private. Companies can host any applications or files in their environment and can optionally connect the enclave to their corporate infrastructure.


Future-proof your business

Follow these steps to assess your current state, implement controls, and manage compliance to bring order to your cybersecurity challenges.

  1. Assess operations for compliance with NIST 800-171
  2. Generate a system security plan (SSP)
  3. Document plans of action and milestones (POA&Ms)
  4. Implement the security requirements
  5. Maintain compliance


As a company, you need to commit to running a cybersecurity compliance marathon–but you don’t have to do it alone. At CyberSheath, we have the expertise and experience to help you cross the finish line by continuously increasing your SPRS score and becoming compliant with your required level of CMMC. Contact us to get started.


The swiftness and severity of recent cyber attacks has dominated headlines and revealed that many organizations still don’t quite know what to do to protect themselves, as well as the businesses and government entities they’re connected to.


Ransomware attacks were a big point of discussion at the recent G7 summit and headlined the list of topics that President Biden discussed with Russian President Vladimir Putin at their summit in Geneva.


The U.S. and some of its tech giants are scrambling to find answers as to how to prevent further attacks and increase safeguards for data. As one facet of that plan to improve, the CMMC-AB has begun approving third-party assessment organizations to certify that defense contractors adhere to CMMC requirements.


Matthew Travis, who became CEO of the CMMC-AB in April, said to expect certified assessor training in mid-to-late summer. The CMMC-AB has also recently added a vice president of training and development, a director of operations, a curricula manager, and an operations specialist. The board is recruiting to fill more roles as it moves closer to its goal of a full launch for assessor training.


Jeff Dalton, the vice chairman of the CMMC-AB and head of the accreditation process, will be among the speakers at CyberSheath’s CMMC Con 2021 and will give attendees an inside look at the progression of CMMC and the path forward.


Register for CMMC Con 2021 now to see Dalton’s address and learn more about how to navigate the rapidly shifting future of cybersecurity compliance.

An important step toward achieving CMMC compliance at any level is to know what your starting point is. By accurately assessing your current state, you can figure out exactly what steps need to be taken to become compliant.


Before getting started, determine which level of CMMC compliance you need to attain.

  • Level 1: Compliance with this level demonstrates the basic cyber hygiene required for contractors receiving federal contract information (FCI). It covers 17 controls across six domains, including:
    • Access Control
    • Identification and Authentication
    • Media Protection
    • Physical Protection
    • System and Communications Protection
    • System and Information Integrity
  • Level 3: This level is required for companies having controlled unclassified information (CUI) data. Compliance requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, and required training. It covers 130 controls across 17 domains, including:
    • Access Control
    • Asset Management
    • Awareness and Training
    • Audit and Accountability
    • Security Assessment
    • Configuration Management
    • Identification and Authentication
    • Incident Response
    • Maintenance
    • Media Protection
    • Physical Protection
    • Personnel Security
    • Recovery
    • Risk Management
    • Situational Awareness
    • System and Communications Protection
    • System and Information Integrity


Assessment Process

In order to be successful, it’s important that everyone involved buys into the need for the assessment and is engaged in the process. We recommend the following approach.


Begin with an assessment kickoff, where you:

  • Provide an overview of the CMMC framework for the team members who may be included in the assessment process.
  • Outline the in-scope environment to guide the assessment team in formulating questions they should be asking about how you are controlling your data.
  • Identify points of contact across departments, including IT, your information security representative, and HR.
  • Discuss the information that will need to be shared as part of the process, including which artifacts are going to be required, and how they are going to be shared with the assessment team.
  • Craft a schedule and start planning your assessment interviews based on availability.


The assessment team then interviews key personnel, being sure to ask informed questions to confirm if you have the processes in place to meet the requirements of a control. If the point of contact for your organization is able to attest that you’ve met a specific control, the assessment team should make a note of the attestation, as well as note the relevant artifacts that should be collected to validate that attestation.

Examples of controls and related artifacts include:

  • Control: Complex password enforcement
    • Artifact: Group policy setting screenshot demonstrating that you have configured password complexity
  • Control: Training content
    • Artifact: Presentation that has been internally made, or a screenshot of a platform such as KnowBe4 or InfoSec


After interviews and follow-ups conclude, the assessment team begins analyzing the notes and compiling the initial scoring. Artifacts that have been submitted are analyzed to verify implementation. If an artifact was not submitted or was found to be improperly configured, the control would result in a failure. Keep in mind that to be considered compliant, your company must have the control fully implemented.


Once the assessment team has analyzed the data and scored the controls, the report is drafted. The draft report should include these elements.

  • Executive summary with an overall compliance breakdown for CMMC L1 or CMMC L3
  • DFARS Interim Scoring Rule with the score to be submitted into the Supplier Performance Risk System (SPRS)
  • Key observations and recommendations, including areas discovered where your company has its biggest compliance gaps
  • Detailed analysis of each practice, including observations on how your organization is meeting or not meeting a requirement. If a practice is not being met, a recommended action item is noted within the recommendations piece of the practice control

Once the draft report is complete, it should be released to your company’s leadership team and any other larger audience within your organization with ample time to review and provide feedback prior to submitting the final report.


The assessment team should then schedule one final meeting to present and discuss assessment results, key compliance findings, and the path forward for how your company can meet these requirements. This is also a great opportunity to field questions individuals may have with the compliance findings and recommendations.


CyberSheath finds the following schedule to be most successful in performing a CMMC compliance assessment.


Week 1
  • Hold kickoff meeting
  • Confirm scope and objectives
  • Identify points of contact
  • Start collecting and reviewing artifacts

Weeks 2 and 3
  • Conduct the security framework review
  • Schedule interviews and follow-ups
  • Analyze the data
  • Collect remaining artifacts

Weeks 4 and 5
  • Write and issue draft report
  • Share with leadership and your greater audience to review the findings and provide feedback
  • Start writing your draft system security plan (SSP)

Later weeks
  • Issue your final draft report
  • Hold out-briefing to review high-level findings
  • Get sign-off from leadership
  • Start talking about your path forward to remediate compliance gaps
  • Document and finalize your SSP


If you need any assistance with your assessment to determine your CMMC readiness, contact the experts at CyberSheath. We have extensive experience helping organizations identify compliance gaps and craft remediation plans addressing issues.

As your organization is gearing up to start the process of attaining Cybersecurity Maturity Model Certification (CMMC), it is important to know how this cybersecurity standard compares to other regulations.


Five Ways that CMMC Differs from Other Laws.


1. CMMC is a certification.

Most regulations, laws, and mandates are attestations, but CMMC is more than that. It requires a third-party audit to certify that your organization is adhering to the cybersecurity practices and procedures the standard outlines. The audit must be completed by a CMMC third-party assessor organization (C3PAO), which then makes a recommendation to the accreditation body (AB) as to whether your organization meets the certification requirements. Attestations, by contrast, often require only that a company claim it is compliant, relying on organizations to self-report honestly without submitting information or artifacts for confirmation.

Seeking certification will significantly impact organizations. Each company must decide if they are going to take CMMC seriously, dive in, and get it done. Does the potential revenue from bidding on and securing DoD contracts make this effort worthwhile? Only your organization can make that important decision for itself.


2. CMMC is an audit and not a point-in-time assessment.

In order to count as completed and apply toward certification, the controls must be mature. An audit typically reviews organizational policies and behavior over a period of time. With CMMC, the assessors look at the maturity of the processes. It is not just about the product, software, and tools; it is also about the process, procedures, and organizational learning around each control.

For example, with a point-in-time assessment, what often happens is that an organization quickly implements the control or writes the policy, but that does not mean the policy is fully implemented. With a CMMC audit, if a company has an acceptable use policy, the audit will review that policy, including the date it was created, the timeline of changes to it, and other proof that it has been in place and is truly part of the way the company operates.


3. CMMC is piloted.

Most laws or regulations are introduced quickly with organizations receiving little to no guidance, other than the necessity of being compliant by a certain date. The DoD and AB are rolling CMMC out in a controlled manner to address any issues upfront. This approach also provides companies the time they need to determine what the mandate requires, as well as the opportunity to implement any new processes or procedures before certification is mandatory. CMMC will not be fully implemented until late 2025. Each year the AB will require a few more contractors and subcontractors to be certified.


4. CMMC is pass/fail.

If your company fails to meet the requirements of the certification, you forfeit your ability to secure valuable contracts from the DoD. As mentioned above, other regulations are self-reported attestations. If a company does not initially pass its CMMC assessment and therefore is not recommended for certification to the AB, it reportedly has a 90-day period to remediate minor issues and resubmit. Any major deficiencies will require undergoing another assessment.

Your time commitment and the difficulty of passing CMMC depends on the size of your organization and maturity level you are hoping to attain as dictated by the type of contracts you wish to bid on and the types of information your company receives.


5. Interim scoring system promotes early adherence.

The Supplier Performance Risk System (SPRS) interim scoring allows your organization as well as the DoD to see how you are doing. The score can range from -203 to a perfect 110, which is reached only if your company has properly implemented all 110 controls of NIST SP 800-171. Each unimplemented control deducts a weighted number of points (1, 3, or 5 under the DoD Assessment Methodology), which is why the floor is well below zero.

Under the current DFARS rule, companies whose DoD contracts include DFARS 252.204-7012 must have a current NIST SP 800-171 assessment score posted in SPRS before award. The assessment you perform to determine your SPRS score is extremely helpful as you build your remediation plans to address your compliance deficiencies. As you improve your cybersecurity by implementing better practices, you may update your SPRS score, notifying the DoD of your commitment to meeting its requirements.

SPRS is a helpful centralized tool to help you get ready for CMMC. It is a stepping stone to monitor your progress and to help you get to where you’ll need to be by the 2025 deadline.


Next Steps

If you have any questions about CMMC and how to make your path to compliance easier, get in touch with the experts at CyberSheath. We can help you assess where your organization is now, build a plan to enable you to reach compliance, and help you implement the processes and technology required. Contact us today to get started.


RESTON, VA — June 15, 2021 — Leading Managed CMMC Compliance provider CyberSheath has hired Tiffany Egenes as Customer Success Director. In that role, Egenes will act as a customer champion, owning all customer success activities from onboarding to adoption to retention. Her goal, through advocacy and by collaborating across multiple business functions, is to build a customer-centric culture and long-term, high-value relationships with every customer.


“As a fast growing compliance focused MSP/MSSP, CyberSheath recognizes the opportunity to better serve the Defense Industrial Base by building out a customer success organization under a world class leader,” says Eric Noonan, CEO. “CyberSheath puts our customers at the center of everything we do, and Tiffany’s hiring represents a significant milestone on our journey to serving the 350,000 Defense contractors mandated to comply with CMMC.”


Egenes brings more than 20 years of experience as a leader in customer success, professional services, implementation, and project management for organizations ranging from Fortune 15 companies to high-growth startups. As Director, Customer Success and Implementation at Kareo, an integrated medical SaaS platform, Egenes revamped processes and rallied the team around tangible customer success and outcomes, ultimately improving customer satisfaction scores by 70%.


Prior to Kareo, Egenes managed a technical service delivery organization at McKesson that included five lines of business totaling more than $60 million in annual revenues. She also led Sungard Availability Services’ Western Region and Latin America managed services and business continuity recovery operations. There she was in charge of seven managed services data centers and business recovery work centers serving organizations in high tech, government, and other industries.


“CMMC Compliance spans IT, cybersecurity, and governance, and CyberSheath offers all three pieces of that compliance puzzle,” says Egenes. “As a result, we have to integrate with and work in lock step with our customers. As Customer Success Director, I’ll ensure our culture, our relationships, our technology, and our employees are all working in sync and all the pieces are in place to keep customers compliant and secure. Our success is literally our customers’ success.”


Customer success with CMMC starts with better understanding of both the why and how behind the new framework. Join more than 1,000 defense industrial base leaders at CMMC Con 2021 on September 29, 2021, to learn how to navigate the rapidly shifting future of cybersecurity compliance. Registration is now open.


About CyberSheath Services International, LLC


Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at

The Colonial Pipeline ransomware attack has prompted soul-searching debates about what we need to prevent the next attack. Commentators have questioned whether cybersecurity best practices are enough, or whether government standards, from the Cybersecurity Maturity Model Certification (CMMC) to President Biden's executive order, will actually be effective.


They are, and they will be — if they’re enforced. Ira Winkler expertly dismantled the argument that best practices don’t prevent cyberattacks, pointing out that true best practices not only prevent attacks but are also designed to respond to them to reduce risk and limit damage.


Of course there’s no standard or best practice that claims to prevent every attack. But that’s hardly proof that those standards are ineffective. Seat belts don’t prevent car accidents and smoke detectors don’t prevent fires. But they limit the potential damage, lower risk, and alert us early enough to save life and property.


Many cybersecurity standards have monitoring, alerting, information sharing, and incident reporting requirements built into them. They don’t stop 100% of all attacks, but they do position us to more quickly respond, build resilience, and share information related to these incidents with the broader community.


The real problem with best practices isn’t that they don’t work. It’s that so few organizations implement them and few have any incentive to do so.


Imagine if OSHA guidance was recommended but never enforced with inspections or fines. Imagine if no one actually checked to make sure car manufacturers install seat belts in every vehicle or to make sure drivers use them. In both cases, we’d have a lot more preventable injuries and deaths. This is exactly what’s happening in cybersecurity.


From CIS to NIST to CMMC, we have plenty of standards, frameworks, and best practices that we know work. Zero trust is the buzzword of the day and we’re all talking about critical infrastructure, software standards, and supply chain cybersecurity. But how about enforcing the regulations we already have? Let’s see what happens when we actually implement the best practices that few but the largest corporations on earth have in place.


President Biden’s executive order, with detailed timelines for implementation, will be the most successful accomplishment ever in cybersecurity, if only it actually enforces many of the regulations that have long existed for federal contractors. If the federal government stopped awarding contracts to non-compliant contractors, cybersecurity would improve exponentially overnight. Tying revenue to compliance is a surefire way to force private industry to make the investments they have largely avoided for decades. Instead of debating which law or standard might have stopped the latest attack, we should try actually picking a standard for a few years and seeing how much better we are for it.


But who is going to pay for it? We all are. We already are. Attackers have been shutting down critical infrastructure, stealing our data, and threatening our intellectual property. We need to stop treating cybersecurity like it’s some atom-splitting, mind numbingly complex domain and transfer the kinds of thinking we’ve used in every other major industry so we can start solving this problem. No business complains that the price of office space includes the cost of meeting building codes and completing inspections.


Cybersecurity is too expensive for small businesses, some will argue. It is not, and we should stop perpetuating this falsehood. We don't waive fire detection and prevention for small business storefronts, or allow upstart auto manufacturers to opt out of safety standards. We certainly shouldn't deceive ourselves that cybersecurity is too expensive for small businesses.


Everything is too expensive until it isn’t. Cybersecurity is too expensive right up until the moment you get hit with ransomware, or can’t bid on a government contract, or are breached and liable for losing information that you were supposed to protect. Insurance is also expensive, but it’s a cost every business owner has to pay, for good reason.


Until recently, cybersecurity has existed outside the bounds of other safeguards we deem necessary. But it’s getting the same treatment as other standards we now take for granted.


Many balked at seat belts when they first appeared, cutting them out of cars in protest. Businesses have long railed against the regulatory burden of OSHA standards, even though those standards could save them billions of dollars in workers' compensation costs alone. Businesses have countless examples of embedded, accepted costs that reduce risk and improve safety. They have been enforced to the point that they are now the accepted cost of doing business. Cybersecurity should be no different.


We hear a lot about the need for public-private partnerships, information sharing, and incident response reporting. The good news is that we already have all of that and more in an operational model that has been in place for more than a decade. The Department of Defense (DoD) has been doing all of the above with its supply chain, the defense contractors, since at least 2008. The DoD model lacked one key component, auditability: the Achilles heel of the program was that defense contractors could self-certify as compliant, and many did despite not being compliant. CMMC changes that. Third-party audits will be mandatory before a defense contractor can take on any DoD contract. Inspecting defense contractors for their ability to meet cybersecurity minimums before award is common sense. Your car requires an inspection before you can drive it, doesn't it?


To learn more about CMMC and how contractors (primes and subs, large and small, foreign-owned) are handling the standards and requirements, as well as the evolving compliance landscape, join us on September 29, 2021, as CMMC Con returns with an all-star lineup to provide hands-on, actionable compliance strategies to the thousands of small- and medium-sized defense contractors in attendance. Register now.


Since the inaugural CMMC Con, we’ve seen some of the most malicious attacks on American infrastructure ever executed. The SolarWinds attack reverberated across the entire government as agencies scrambled to discover what nation-state attackers had accessed and stolen. The Colonial Pipeline, shut down by a ransomware attack, led to fuel shortages and higher gas prices. A ransomware attack on JBS, the world’s largest meat processor, could disrupt meat markets.


We’re at a tipping point in security. Nation-state attacks have doubled in the past three years, growing more aggressive in their targets and impact. The severity of attacks is drawing action from the federal government and enforcement of existing cybersecurity standards, drawing new attention to the need for frameworks like CMMC.


What does this escalation in nation-state attacks mean for national security and the defense industrial base? Retired Brigadier General Dr. Robert Spalding returns to CMMC Con 2021 to share his perspective on the latest attacks and their reverberations.


One of the most enjoyed speakers at the inaugural CMMC Con, Dr. Spalding has served in senior positions of strategy and diplomacy within the Defense and State Departments for more than 26 years. He was the Senior Director for Strategy to the President at the National Security Council and the chief architect for the current widely praised National Security Strategy.


A skilled combat leader and a seasoned diplomat, Dr. Spalding has written extensively on national security matters in The Washington Post, The Washington Times, Foreign Affairs, The American Interest, War on the Rocks, FedTech Magazine, Defense One, The Diplomat, and other edited volumes. His Air Power Journal article on America’s Two Air Forces is frequently used in the West Point curriculum.


Dr. Spalding is a Life Member of the Council on Foreign Relations. He has lectured globally, including engagements at the Naval War College, National Defense University, Air War College, Columbia University, S. Rajaratnam School of International Studies in Singapore, Johns Hopkins Applied Physics Laboratory, and other Professional Military Educational institutions.


Register for CMMC Con 2021 now to see Dr. Spalding’s keynote and learn more about how to navigate the rapidly shifting future of cybersecurity compliance.

One of the first steps in crafting the cybersecurity plan for your company is knowing what information needs to be protected. With all of the designations of information forming an alphabet soup, figuring out how to proceed can seem challenging.


Protecting sensitive information starts with understanding the various information categories. The next step is being able to map the information your company holds to the contracting regulations you must adhere to. Depending on your relationship with the Department of Defense (DoD), there are a number of requirements to protect non-public information (NPI).


Identify NPI and Map to Applicable Regulations

Familiarize yourself with the different kinds of NPI, which is defined as information associated with a DoD contract that is not intended for public release. Several regulations protect different classes of NPI.

  • Federal Acquisition Regulation (FAR) 52.204-21 establishes 15 requirements to protect federal contract information (FCI).
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 invokes NIST SP 800-171 to protect covered defense information (CDI), the DoD-specific term for controlled unclassified information (CUI) handled under a DoD contract.
  • DFARS 252.204-7021 invokes Cybersecurity Maturity Model Certification (CMMC) to protect both FCI and CDI/CUI.


What information you have dictates how you need to protect it. For example, under the CMMC framework, if what you are protecting is FCI, there are 17 cybersecurity controls required to protect that information. If you have CUI, there are 130 controls.


Important note: These regulations do not apply to commercial off-the-shelf products and services (COTS). If you are a vendor who only supplies COTS solutions, then these designations do not apply to your business. FAR 2.101 states that these items are considered COTS, “…any item of supply (including construction material) that is:

  • A commercial item (Item that can be sold, leased, or licensed to the general public);
  • Sold in substantial quantities in the commercial marketplace; and
  • Offered to the Government, under a contract or subcontract at any tier, without modification, in the same form in which it is sold in the commercial marketplace; and
  • … Does not include bulk cargo.”


COTS products and services  include catalog items such as laptops, keyboards, and printers; commercially available applications; and janitorial services for public buildings.


Determine Your Information Type


Federal Contract Information (FCI)

Definition – FCI is non-public information associated with a federal contract. CMMC offers this description: "FCI means information provided by or generated for the Government under a contract not intended for public release." FAR 52.204-21 expands on this to state, "FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments."


Examples –

  • Contract schedules
  • Statements of work
  • Non-technical requirements
  • Delivery information


Covered Defense Information (CDI)

Definition – CDI is a form of CUI that is developed or handled under a DoD contract. It is non-public information for which a specific law, regulation, or government-wide policy requires that the information be protected in some manner.


Introduced in DFARS 252.204-7012, this term means “unclassified controlled technical information or other information…that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”


Examples –

  • Controlled technical information (CTI), such as engineering drawings, technical reports and notes, bills of materials, software executables and source code
  • Export controlled information (EAR or ITAR)
  • For official use only (FOUO) documentation, a legacy DoD marking that has been superseded by CUI but still appears on older documents
  • Operations security (OPSEC) plans


Controlled Unclassified Information (CUI)

Definition – CUI was established by Executive Order 13556 as a way to standardize how sensitive but unclassified information is handled. According to this order, "CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended."


Examples – Same as above for CDI


Resources –

  • National Archives and Records Administration (NARA) CUI Registry: This is a registry of all CUI categories. Look through it because it links to the specific law, regulation, or government-wide policy that causes each category of information to be designated as CUI.

  • DoD CUI Registry: This registry highlights those categories that are in the NARA registry but are relevant to DoD contracts. Some of the NARA CUI categories are relevant to other federal government agencies. It also provides links to additional resources.


While this blog provides you the information you need to get started on determining how to classify your information, the experts at CyberSheath would be happy to help your company identify your CUI and create plans for safeguarding it. Contact us to take the next step in learning how to protect your sensitive information.

Sign Up Today for Your Free Training

Learn more about how to categorize non-public information in our upcoming defense contractor cybersecurity compliance training. Registration is only open May 26, 2021 until June 9, 2021. Get started today.



The constant evolution of cybersecurity standards that must be met in order to do business with the Department of Defense (DoD) can be overwhelming. Make sure your team is capable of achieving and maintaining compliance with Defense Federal Acquisition Regulation Supplement (DFARS) and Cybersecurity Maturity Model Certification (CMMC). 


CyberSheath’s Defense Contractor Cybersecurity Compliance Training is the Answer

The primary goal of DFARS and the CMMC is to ensure the protection of controlled unclassified information (CUI) stored in your environment. Your team can learn the skills necessary to tackle cybersecurity requirements, specifically those dealing with the identification of CUI and the steps you need to take to protect it. 

By the end of the training module, attendees will be able to:

  • Assess compliance
  • Compose an SPRS submittal
  • Create an SSP and POAM
  • Efficiently implement fixes to address compliance gaps

Course Details

Learn how to employ the necessary resources, tools, and policies for compliance. This training curriculum is comprised of five courses covering today’s DoD contractor laws. Each session is designed to teach the skills required for meeting DFARS and CMMC requirements.


Session 1 (White Belt): How to identify CUI
Session 2 (Orange Belt): How to conduct an assessment
Session 3 (Blue Belt): Step-by-step guide for Supplier Performance Risk System (SPRS) submittal
Session 4 (Brown Belt): How to draft an audit-ready system security plan (SSP) and plan of action and milestones (POAM)
Session 5 (Black Belt): How to strategically address implementation and managed compliance


At the conclusion of each session, there will be a quiz. Successful completion of this 10-minute exam will earn a belt recognizing the acquired skill level. 

Sign Up Today for Your Free Training

If you are a prime or subcontractor bidding for DoD contracts, take advantage of this training to prepare for the complexities and challenges of meeting the DoD's regulatory requirements. Registration is only open May 26, 2021 until June 9, 2021. Get started today.


CMMC compliance stands in the way of revenue for every defense contractor in the supply chain. Now that CMMC is a reality for the Defense Industrial Base (DIB), learn how contractors — primes and subs, large and small, foreign-owned — are handling the standards and requirements, as well as the evolving compliance landscape.


On September 29, 2021, CMMC Con returns with an all-star lineup to provide hands-on, actionable compliance strategies to the thousands of small- and medium-sized defense contractors in attendance.


Register now to attend sessions focused on:


  • Evolving threats. SolarWinds is just the latest example of the escalation in nation-state cyberattacks you need to be aware of.
  • Evolving law. Stay up to date on SPRS submittal of NIST 800-171 assessment, third-party validation of CMMC compliance prior to contract award, the False Claims Act, and the potential loss of DoD revenue.
  • Evolving scope. Take a closer look at the CMMC-AB roadmap and adoption of CMMC in other federal organizations beyond the DoD.


We’ll announce our full lineup of speakers in the coming months, but we already have new names and attendee favorites from last year, including:


  • Robert Spalding, retired Brigadier General, USAF, on the threat from nation states
  • Keith K. Nakasone, Federal Strategist, VMware, formerly the Deputy Assistant Commissioner, IT Acquisition Operations, FAS/GSA, on CMMC beyond the DoD
  • Jeff Dalton, CMMC-AB vice chairman, on the progression of CMMC and the path forward


Attendees will gain a better understanding of the evolving threat landscape, the impact of cybersecurity compliance law aimed at mitigating these threats, and the how-to for solving these challenges. Registered attendees will also receive a complimentary 2021/2022 edition of our CMMC Companion eBook to help you map out your compliance strategy.


Register today!

RESTON, Va. — May 18, 2021 — Leading Managed CMMC Compliance provider CyberSheath has been chosen as one of a select few official resellers of Microsoft GCC High and Office 365 GCC licensing. This adds another way for CyberSheath to help the Defense Industrial Base (DIB) meet the federal government's compliance and security requirements.

“The ability to sell Microsoft GCC High licensing makes CyberSheath a one-stop CMMC shop,” said Eric Noonan, CEO of CyberSheath. “Unlike other Microsoft partners who only resell the licensing, we also offer all the services — security, IT, and governance — that the DIB needs to manage CMMC compliance.”

In addition to its product and service offerings, CyberSheath has taken the lead on educating government contractors about strategies for CMMC compliance at its annual CMMC Con. The one-day event, returning on September 29, 2021, will reveal the evolving threat landscape, the impact of cybersecurity compliance law, and how to solve these challenges. Learn more and register for CMMC Con 2021.

About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at

CyberSheath CEO Eric Noonan provides commentary for CBS's Jeff Pegues on an episode of America Changed Forever, taking a deep dive into the Colonial Pipeline hack and the lack of regulations that leave our critical infrastructure vulnerable.

To understand just how consequential President Biden's executive order on cybersecurity is for federal contractors, look no further than the Wall Street Journal article that bluntly explained how the new order will impact them:

“Contractors that fail to comply with the baseline standards would essentially be prohibited from selling their products to the federal government, a black mark that could be crippling to a company’s commercial viability as well.”


Mandatory Baseline Standards for all Federal Contractors

Aggressive timeframe for implementation.

The executive order calls for mandatory baseline standards for all federal contractors to replace the patchwork of inconsistent and unenforced agency-specific policy that exists today. However, unlike many executive orders, this isn’t just a call to action, the clock already started ticking, and common baseline standards are to be here within 120 days. Current federal contractors doubting that the federal government can do anything within 120 days should remember that the Cybersecurity Maturity Model Certification (CMMC) was published and made federal acquisition law within nine months. 

Affects the largest supply chain in the world.

The executive order mandates that within less than six months, the largest supply chain in the world, which includes many hundreds of thousands of large and small privately held companies and trillions of dollars of committed federal contracting dollars, will be required to meet baseline cybersecurity standards to do business with the federal government. This is one of the most common-sense and consequential actions to improve cybersecurity ever proposed, and it is largely within this administration's control, since it has tremendous influence over federal acquisition regulations. Many Americans might be surprised that we didn't already have mandatory cybersecurity minimums for government contractors. I expect special interest groups to immediately ask who is going to pay for this. Still, in many instances, such as defense contractors doing business with the Department of Defense (DoD), these mandatory minimums have been in place for nearly a decade; they just haven't been enforced. For some defense contractors, the cost of cybersecurity should have been paid as far back as 2015.

To meet this level of protection the cost on organizations is unavoidable.

The executive order does not leave very much room for federal contractors to find a way out of implementing mandatory cybersecurity minimums on their corporate networks. In many ways, the arguments around cost are nonsensical. Americans are paying for this one way or the other, be it the OPM hack, the Equifax hack, Colonial pipeline, SolarWinds, etc. the list goes on and on. Yet, nobody asks who paid for the fire alarms in their house or pays for the regulation to implement fire safety code in retail outlets, or even who pays for the antilock brakes and airbags mandated in our vehicles. We accept that the cost for all these things is built into the products and services we consume. We expect these protections and don’t even ask questions about their existence. We know they have to be baked into the product or service we are buying before it comes to market.

This level of expectation around minimum protections just became the new standard by which all federal contractors will be measured before the end of 2021. The federal government isn’t going to buy contractors’ products and services if they don’t come with assurances that the mandatory minimums for cybersecurity have been met. Certainly, you can argue with the fire inspector about why you have no fire alarms in your house, or with the acquisition official for your federal contract about who will pay for your corporate cybersecurity, but it’s an argument you are going to lose.

CyberSheath CEO Eric Noonan speaks to the lack of regulation on privately controlled networks that may result in ransomware attacks like Colonial Pipeline.

RESTON, Va. — May 12, 2021 — The nation’s largest CMMC conference is back by popular demand! CMMC Con 2021 picks up where last year’s conference left off, featuring expert speakers from across the government and Defense Industrial Base offering actionable strategies for CMMC compliance. Hosted by leading Managed CMMC Compliance provider CyberSheath, the one-day CMMC Con 2021 kicks off at 9 a.m. EDT on Wednesday, September 29, 2021. This no-cost conference is now open for registration.


CMMC Con 2021 will focus on the evolving compliance landscape that small and medium-sized contractors face, with sessions focused on:


  • Evolving threats, including the escalation in nation-state cyberattacks like SolarWinds.
  • Evolving law, including SPRS submittal of NIST 800-171 assessment, third-party validation of CMMC compliance prior to contract award, the False Claims Act, and the potential loss of DoD revenue.
  • Evolving scope, examining the CMMC-AB roadmap and adoption of CMMC in other federal organizations beyond the DoD.


The conference will welcome back popular speakers as well as introduce new ones, including:


  • Robert Spalding, retired Brigadier General, USAF, to address the threat from nation states.
  • Keith K. Nakasone, Federal Strategist, VMware, formerly the Deputy Assistant Commissioner, IT Acquisition Operations, FAS/GSA, in a Q&A on CMMC beyond the DoD.
  • Jeff Dalton, sharing his perspective as CMMC-AB vice chairman on the progression of CMMC and the path forward.
  • Expert panel discussion with senior executives from primes and sub-contractors, including foreign-owned, large, and small contractors, who will share their experience managing CMMC compliance.


“Last year, we had more than 1,000 attendees at CMMC Con — before the law had even changed to make CMMC a reality for the Defense Industrial Base,” said Eric Noonan, CyberSheath CEO. “A year later, the conference could not come at a more critical time, as compliance stands in the way of revenue for every defense contractor in the supply chain. By attending CMMC Con 2021, defense contractors will better understand the nation state threats that made the CMMC necessary, the impact of compliance law, and most importantly, the how-to of compliance to stay eligible for future DoD contracts.”


Learn more about CMMC Con 2021 and register now.


About CyberSheath Services International, LLC


Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CyberSheath Services International, LLC

Kristen Morales at



There are many ways to achieve CMMC compliance, from fully insourced IT, cybersecurity and governance to fully outsourced managed services, each carrying various costs and risks. While the cost of compliance is a valid concern, there’s one constant across all your options: If you don’t meet CMMC standards, you won’t be eligible for DoD contracts. Period.

You might think managing CMMC compliance on your own will save you money, but the process is complex and expensive. Purchasing multiple software solutions and hiring an internal security team and IT team to monitor and manage those solutions, not to mention documenting and providing proof of compliance, all require resources that many small and medium-sized businesses don’t have. And any mistake can lead to a breach or to non-compliance with CMMC, with much more significant costs and consequences.

CMMC managed services, on the other hand, offer assured compliance with less effort and less investment. Partial compliance doesn’t count, and many managed services push small businesses to overspend and under-comply.

The only real comprehensive solution is CyberSheath’s no-nonsense fixed pricing for CMMC managed services. We deliver more value and pricing models that are easy to understand and implement, with no hidden costs. We want to make it as simple as possible for you to achieve CMMC compliance and win DoD contracts. We can deliver the complete solution or just the pieces that you are missing.

And we have pricing that meets you exactly where you are right now.


A Basic, Advanced and Future-Proof Approach to Compliance

No matter where you are in your journey, whether you want to do it yourself or fully invest in managed services, there’s a model for you.

CyberSheath’s basic, advanced and future-proof pricing model offers the tailored level of service you need and a pathway to transition to fully managed compliance if you choose. Here’s what each level of service entails:

Basic: If you are not yet ready to jump fully into CMMC and want to start with an assessment and Supplier Performance Risk System (SPRS) scoring, this is the level for you. It includes everything necessary for SPRS submission including your System Security Plan (SSP) and Plan of Action & Milestones (POAMs).

Enhanced: At this level, you’re looking to outsource the problem of CMMC Maturity Level 1 compliance and achieve a positive score for SPRS submissions. While you retain overall IT management, CyberSheath handles compliance management and governance, management of technical security tools and operations, or both.

You get compliance oversight and reporting through our cloud-based dashboard, and quickly gain the ability to bid on CMMC ML1 contracts.

Future-Proof: If you want full compliance across the board, this is the level for you. With this option, you achieve all 110 controls and requirements for SPRS submission, and CMMC ML3 compliance, with all of the required people, processes and technology delivered in a unique shared responsibility model.

CyberSheath maintains the rigorous program, technology, engineering, and implementation required for CMMC ML3 standards. We manage your governance, security, and IT operations.


The Value of CMMC Managed Services

With a path to a fully managed CMMC program, you can lay the foundations for your compliance against any shocks to CMMC policy or implementation approaches. We’ll be responsible for ongoing program maintenance encompassing any shifts, allowing you to continue to leverage your current infrastructure and offer the option to grow into a FEDRAMP HIGH or GCC HIGH cloud infrastructure in a hosted, compliant process.

With simple fixed pricing, free options for self-attestation, and a flexible pricing model, CyberSheath meets you wherever you are and ensures you’re CMMC compliant and eligible for DoD contracts.

Contact us to meet with a CyberSheath expert today to learn how we can help bring order to the chaos of achieving CMMC compliance.

I’m a DoD contractor; what do I need to do for CMMC?

To start or continue working with the DoD, all contractors must achieve and maintain the appropriate level of cybersecurity compliance. But what do you need to do, and when does it need to be done? Simple questions deserve simple answers. The truth is that what you need to do is straightforward and can be done in a way that enables you to pay as you go, doing what is required now while laying the foundation for the future.

At a minimum, defense contractors must understand what DFARS 252.204-7012, NIST SP 800-171, and CMMC are and how non-compliance will impact their business. By now, you have probably heard of the Cybersecurity Maturity Model Certification or CMMC; in fact, you are probably tired of hearing about it.

While everything has seemingly changed with CMMC becoming law in November 2020, in reality nothing has changed other than the DoD now enforcing the regulations. The enforcement comes in the form of “no compliance, no contract,” so it’s the ultimate incentive for any business reliant on DoD revenue. The good news is that the long-term compliance steps are very much the same as they have been since 2015. Everything is grounded in compliance with NIST 800-171 as an initial step. So let us look at what needs to happen and in what order:

  • Compliance with DFARS 252.204-7012 mandates NIST 800-171 compliance.
  • Contractors are required to assess their compliance against NIST 800-171 using the DoD scoring methodology.
  • Contractor assessment scores must be submitted to the Supplier Performance Risk System (SPRS) (more detail on that process: Supplier Performance Risk System (SPRS)).
  • If you do nothing else, assess yourself against NIST 800-171, submit your score via SPRS and then start closing the gaps.
  • New DoD contract awards after November 2020 require a complete and accurate SPRS submission. In other words, no assessment, no revenue.
  • CMMC at its foundation is based on NIST 800-171, so all the work you have done up to this point for NIST 800-171 will speed your CMMC compliance efforts.

If you were required to comply with DFARS 252.204-7012 and implement NIST 800-171, it’s a reasonable assumption that ultimately you will need to achieve CMMC Maturity Level 3. But again, first things first: let us understand the basis of everything and then build from there.

Understanding DFARS 252.204-7012 and NIST SP 800-171

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been updated to enforce DoD contractor compliance with specific regulatory requirements to protect America’s defense industrial base. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, dates back to 2015 and was intended to protect Controlled Unclassified Information (CUI) on defense contractor networks.

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

  • Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules to protect Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally safe alternative approach is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering 90 days prior to the report’s date, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

If a subcontractor experiences a cybersecurity incident, they must report it to you or the next highest tier of subcontractor and present the evidence as required. As the prime contractor, you are required to report the incident to the DoD and submit the evidence, as detailed above.

The above set of requirements summarizes DFARS 252.204-7012 and NIST SP 800-171, and if you have met these requirements, you are well over half of the way to CMMC ML 3 compliance.

Why CMMC Maturity Level (ML) 3 Compliance?

If your current contracts call for DFARS 252.204-7012 compliance, the government believes that you have Controlled Unclassified Information (CUI), which means you should aim for CMMC ML 3 as your next step.

CMMC ML 3 includes all 110 NIST 800-171 controls as well as 20 additional practices, for a total of 130 controls. One of the most significant differences between NIST 800-171 and CMMC is that NIST 800-171 allows you to be in compliance without implementing all 110 practices, provided you have a Plan of Action and Milestones (POAM) in place. This is a revenue-limiting difference that deserves your full attention. You either comply with all of CMMC, or you are non-compliant with CMMC.

As you look at getting to full compliance with CMMC ML 3, your company’s specific needs will vary in addressing the remaining 20 practices. Contact CyberSheath to see how we can help you achieve and maintain compliance with DFARS 252.204-7012, NIST SP 800-171, and CMMC ML3. Often, an enclave is the fastest path to CMMC ML 3 compliance, but each situation is different. CMMC compliance requires documented, integrated and evidence-based cybersecurity, IT, and governance. Register now for a live webinar on April 21, 2021, at 9:00 am PST | 12:00 pm EST, to learn how you can bring order to the chaos of achieving NIST 800-171 and CMMC compliance.


Webinar CMMC - How It Started. How It's Going.



The Department of Defense (DoD) has provided Florida’s business community with a $22 billion opportunity, but there’s a catch. Before Florida’s prime and sub-contractor defense companies can win those contracts, they must meet cybersecurity regulations. These standards have become minimums that must be complete before contract award and include the Defense Federal Acquisition Regulation Supplement (DFARS) regulations and the DoD’s new Cybersecurity Maturity Model Certification (CMMC). With more than $22 billion a year spent on contracted defense procurement across Florida and more than $95 billion in total annual economic impact from the state’s military defense presence, meeting these requirements is critical to the warfighter and the state economy. CMMC is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper security level to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). Moving forward, compliance with these requirements stands between contractors and any revenue opportunities with the DoD.

Eric Noonan, CyberSheath’s CEO, will be speaking at Florida Space Coast Cybersecurity Forum 2021, with a focus on the “how” behind achieving compliance. Register for the event here and tune in on March 23, 2021 at 9:00 am EST, to learn more.

As founder and CEO of CyberSheath, a Sponsor of Florida Space Coast Cybersecurity Forum 2021, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards. CyberSheath has been a part of the DoD public/private partnership since the beginning and is a CMMC Registered Provider Organization (CMMC-RPO), focused on enabling defense contractors to achieve compliance.

CMMC is one of the most comprehensive and impactful moves by the DoD to better secure sensitive data on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they are responsible for, and how to implement those changes.

CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we are able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.

We wanted to Sponsor Florida Space Coast Cybersecurity Forum 2021 because it’s advancing important conversations around the state of security and where we can go from here.

While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from and a new bar for effective cybersecurity. We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.

The SolarWinds hack and the subsequent Senate hearings attended by principal players in that event have made supply chain cybersecurity a national discussion. Some of the questions being asked suggest that America is for the first time considering how to protect our supply chains, form effective public/private partnerships, share cyber threat intelligence and enforce mandatory breach disclosure among a relevant group of stakeholders. However, it is not the first time; many parts of the federal government have been working hard to answer these questions, with considerable progress, for a long time. Specifically, I can speak from my nearly thirteen years of experience and the progress I have witnessed firsthand between the Department of Defense (DoD) and the Defense Industrial Base (DIB).

A Public/Private Partnership

The public/private partnership between the Department of Defense, the largest procurement authority in the world, and its supply chain has substantially answered nearly every salient question being asked in the wake of the SolarWinds breach. The partnership has spanned four presidential administrations and gained a decade of bipartisan support. The parties have operationalized threat information sharing, breach disclosure, and mandatory minimums for supply chain cybersecurity. Some of the very people I worked with more than a decade ago when the DoD, Intelligence Community and Industry came together for the first time are now leading the way for the current presidential administration. Anne Neuberger, for example, has been appointed to lead the government’s response to the SolarWinds hack for President Biden. Anne has been on the front lines of these issues since at least 2009 when I worked with her as a part of the Defense Industrial Base Cybersecurity initiative (DIBCSI), and she understands the issues inside and out. Anne knows the legal limitations of our intelligence agencies domestically, has heard all of the industry’s concerns and has long been a part of the teams working through these issues.

DIBCSI, initially led many years ago by Victoria Morgan, an unsung heroine who dragged reluctant defense industry prime contractors, still asking “who is going to pay for this?”, into a partnership with DoD, has evolved into the Cybersecurity Maturity Model Certification (CMMC). Led by another DoD heroine, Katie Arrington, CMMC has answered the cost question, made the program law, and dramatically increased awareness of the responsibilities that come with being a defense contractor. Defense contractors have had a seat at the table for more than a decade in this partnership and have helped DoD and the federal government answer many of the questions being posed in the wake of the SolarWinds breach.


Long Road to CMMC Timeline


Let’s look at the critical questions being asked and the answers that the DoD and their supply chain have collectively crafted throughout the decade-plus partnership.


Threat Information Sharing and Breach Disclosure

The DoD and industry partnership produced DFARS clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, which mandates rapid reporting of cyber incidents to DoD. Specifically, the clause requires:

(c) Cyber incident reporting requirement.

(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD.

(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements.

(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents.

(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.

(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.


CMMC: A Framework that has Considered and Solved Legal, Logistical, and Operational Issues

Looking at this list of reporting requirements, we have a framework that has considered and solved many legal, logistical, and operational issues around threat information sharing and breach disclosure. Many elements of the law have been in place for almost six years now, with some having been implemented voluntarily for more than a decade. It changes the behavior of the largest supply chain in the world and was created to answer many of the questions currently being asked before important government bodies.

The efforts of the DoD and their industry partners have made the DoD supply chain materially stronger, and they continue to evolve with regulatory requirements like CMMC. Many of Sen. Mark R. Warner’s (D-VA) and Sen. Marco Rubio’s (R-FL) questions have been effectively answered but require more resources and attention for implementation. Of course, there is more work to do, and the answers need updating, but we are not starting from scratch. Senator Warner and Senator Rubio have been vocal in their quest for answers. I am optimistic that the Senators’ staff will look to the DoD and DIB partnership for a decade-plus of answers and operational feedback.


Yesterday, Richard Wakeman, Senior Director – Aerospace and Defense at Microsoft, provided a terrific update to his 2019 blog post, Understanding Compliance Between Microsoft 365 Commercial, GCC, GCC-High and DoD Offerings, providing a lot of additional detail and answering many of the questions we at CyberSheath regularly come across from our Defense Industrial Base (DIB) customers. Today, I’d like to cover the three most interesting and impactful assertions from the article and discuss what the changes and clarifications mean for current and future customers of Microsoft’s cloud services who have defense regulatory requirements. But let’s start with the compliance matrices:





As you can see when comparing the 2019 and 2021 versions of these compliance matrices, a lot of the ambiguity in the 2019 version has been removed. There are no longer “Maybes” or fine print in the cells of the table, and there is an overlay highlighting the importance of data sovereignty – more on that in a minute. You can also see the introduction of CMMC Maturity Levels and the more frequently referenced term Federal Contract Information (FCI). Let’s talk more about these three interesting bits of information.


Microsoft 365 Government Community Cloud (GCC) High

Observation 1: Still suggested (but…is it required?)

GCC High – a common buzzword in the world of DFARS 7012 and CMMC. There’s been a lot of speculation as to whether or not Microsoft 365 services on GCC High are required if you are doing defense work, and I think Microsoft’s update makes the answer much clearer. The short answer is still maybe, as it was in 2019, but the information provided is much more prescriptive in leading DIB contractors to ask the right questions about the data they are protecting.

  • Do you have the DFARS 7012 Clause in any of your Defense-related contracts?
  • Do you have Controlled Unclassified Information (CUI)?
  • Do you have Federal Contract Information (FCI)?
  • And, with added emphasis, do you have ITAR/EAR data?

This is a simplification of the thought process. For the sake of keeping this somewhat short, I’m skipping the careful consideration that should happen around where these data sets exist and how they are stored, received, and shared, but depending on how these questions are answered, it becomes clear which Microsoft 365 services you should be using or considering. The trouble, though, is: are you, as a contractor, looking through the right compliance lens? There are vendors, solutions and service providers out there that attempt to solve for a control or set of controls, or attempt to deliver compliance for a particular standard (NIST 800-171, CMMC), but the fact of the matter is that all the other questions must be considered to select the right product for your business.

Much of the CyberSheath team has been born and raised in the Defense Industrial Base – we understand the challenges with interpreting these requirements and the importance of all of them, which is why I was happy to see Microsoft’s emphasis on Data Sovereignty and ITAR/EAR in their update. And, like Mr. Wakeman alluded to, security and compliance practitioners are not (usually) legal counsel, but as CyberSheath’s business is focused on delivering security and compliance for the Defense Industrial Base, we have been having these discussions with our customers for years, helping them navigate the decision-making process around their data protection requirements.

If you only receive well-defined non-ITAR/EAR CUI through a secure file transfer portal, and you keep that data on on-prem file services, do you need GCC or GCC High? Probably not. On the other hand, if you are exchanging ITAR/EAR data via cloud email services and collaborating with Defense customers on Microsoft 365 – Teams, SharePoint, OneDrive – you’re going to want to strongly consider GCC High because of the US sovereignty of all the supporting Azure infrastructure and services, which you need to meet your ITAR/EAR requirements.


Microsoft 365 GCC (Not High)

Observation 2: Now with Flow Downs!

“If I can’t flow down the DFARS 7012 requirement to Microsoft, how can I ensure that I can comply with sub-paragraphs (c)-(g) on incident reporting?” This was a deal breaker for many of those considering GCC vs. GCC High for quite some time, but it appears that Microsoft is now accepting flow down of the DFARS 7012 clause for GCC proper with the publishing of this compliance update.

This means that, if it’s important for you as a DIB contractor to contractually obligate Microsoft to meet the DFARS 7012 clause, including those pesky incident reporting requirements, you can now do so, Microsoft will accept that contractual obligation, and you will remain compliant with sub-paragraphs (c)-(g), which is just as important if not more so.

But again, as I mentioned above, please ensure that GCC is the right set of services for your circumstances. If you intend to store or transmit ITAR/EAR data with Microsoft 365, it’s likely best to keep the data in the US to meet your regulatory obligations. If you don’t plan to commingle your sensitive data with Microsoft 365, it would be prudent to have the administrative and/or technical means to manage incidents for if and when these types of regulated data end up on services that are not authorized to store, process or transmit those data types. The accreditation boundaries in your System Security Plan should be pretty clear on this.


Microsoft 365 Commercial

Observation 3: Acceptable for Federal Contract Information!

Federal Contract Information (FCI) has a wider industry footprint than its CUI/CDI/ITAR cousins and has a much smaller set of protection requirements.

Federal contract information means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

My interpretation of this is: if you have information provided by or generated for the government in your work, and it’s not marked or identified as publicly releasable, it’s safe to assume you have FCI.

With that said, if you are confident that you don’t have the more sensitive subsets of FCI that I mentioned earlier – No DFARS 7012 Clause, No ITAR/EAR requirements – but you still do business with the DoD, the security controls of Microsoft 365 commercial should be adequate to meet the 15 basic protection requirements listed in FAR 52.204-21 for FCI. This is now clearly illustrated in Microsoft’s compliance update.


In Conclusion

Moving to Microsoft 365, GCC, GCC High is not inexpensive or without effort. Many of CyberSheath’s customers are taking an approach to minimize the use of these services by establishing enclaves of GCC or GCC High services, accessible only to users who need to work on sensitive data sets – sometimes even establishing these enclaves as an insurance policy for if and when they need to work on CUI or ITAR controlled information. These are viable options for those in the DIB where defense work is only a small fraction of their business, and CUI can easily be identified and controlled. Alternatively, some customers are establishing controls to keep CUI away from their cloud services and owning the compliance burden with on-premises resources and services. Both can be done.

The fact of the matter is the industry is operating under overlapping regulatory guidelines, some of which are interim guidelines, many of which are unfolding before us. It’s great to see Microsoft’s stance on this moving target and providing substantial and informative guidance to assist in decision making related to their services.

Check out the complete 2021 compliance update from Microsoft, here.


CyberSheath is a Microsoft CSP, Microsoft Silver Partner and Microsoft Intelligent Security Association (MISA) member and CMMC AB Registered Provider Organization. Our team has been working with the DoD on DFARS related issues since 2008, initially as a part of the Defense Industrial Base Cyber Security Initiative (DIBCSI).

With hundreds of NIST SP 800-171 assessments and implementations successfully performed for DoD contractors, we can help you cut through the confusion and deliver measurable, ongoing compliance as the Cybersecurity Maturity Model Certification (CMMC) is implemented. For more information, contact a CyberSheath expert today.



The US government, through its lead agency, the Department of Defense (DoD), is implementing a new Cybersecurity Maturity Model Certification (CMMC) requirement for all private-sector businesses that work with the DoD, and we now understand that the standard will be integrated into the GSA and DHS as well. However, the standard is not exclusive to the US government: it is largely being rolled out through a public-private partnership and can be extended to any company or country, independent of the requirement to use the standard for specific US agencies.

In addition, on May 15, 2019, then-President Trump issued the Executive Order on Securing the Information and Communications Technology and Services Supply Chain (E.O. 13873) to strengthen efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and to protect the vast amount of sensitive information stored in and communicated through ICT products and services.

The E.O. sets out the procedures the Department of Commerce will use to prohibit the use of, or transactions involving, “information and communications technology or services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” that pose 1) a risk of sabotage or subversion; 2) catastrophic effects on the Nation’s critical infrastructure or digital economy; or 3) adverse consequences to national security and public safety.

These efforts and the new CMMC requirements will directly affect the roughly 350,000 businesses in the DoD supply chain, and now 11 million businesses through the GSA, and will likely spread throughout the entire US government. This new standard’s ripple effect is expected to be even larger, potentially replacing almost all other broadly recognized cybersecurity standards.

The CMMC is a set of security controls being developed under the DoD’s guidance in coordination with industry and academia, building on previous standards including NIST 800-171, 800-53, CSF, ISO 27002, CIS v7, Secure Controls Framework, and others.

Five Reasons ISO 27001/27002 Will Not Last Against CMMC Dominance

Reason One: CMMC is required for contracts with the US government, and the CMMC standard is US law/regulation (i.e. a compulsory requirement for covered entities).

  1. By law, all DoD suppliers must comply with CMMC, and increasingly most GSA and DHS suppliers as well as of this article’s writing. This is a sweeping change. It doesn’t matter whether you handle classified information or Controlled Unclassified Information (CUI). If you work with the DoD, supply a DoD prime contractor, or are a supplier to a DoD sub-contractor, this applies to you.
  2. The federal government is the single largest buyer globally, with annual spending on goods and services close to $450 billion a year. In addition, estimated US military spending is $934 billion and the Department of Homeland Security (DHS) budget is $60 billion. Said simply, most of this nearly $1.5 trillion in spending will require oversight or CMMC certification by Oct 1st, 2025. How does this compare? No other cybersecurity standard anywhere requires certification before a business can earn revenue. In other words, CMMC is a VERY different standard in that it directly impacts the underlying revenue of a company.

Reason Two: CMMC is a standard above all standards.

This new standard, driven by the US government’s regulatory might, is likely to become the de facto cybersecurity framework for all businesses, regardless of whether they work with the DoD. The resulting simplification in how supply-chain risk is approached and addressed will render nearly all other cybersecurity benchmark standards obsolete.

Organizations choose to comply with an information security standard for only one reason: it makes good business sense. Sometimes there are external drivers, such as a key client’s demand, and sometimes the driver is internal, such as a clearly articulated enterprise risk management program.

However, organizations are loath to comply with more than one security standard, seeing it as inefficient and unnecessary.

Some of the factors that go into picking a standard to adopt include:

  • Comprehensive. Ability to be applied across a large swath of business types, sizes, geographies, and needs.
  • Legal & Reputable. National standards bodies (like NIST) and international ones (like ISO) have strong reputations and are well recognized. Virtually all reputable standards address the same topics in their own way. Businesses routinely map one standard to another, so a company that worked on becoming ISO 27001 compliant can explain how it is also NIST 800-53 compliant.
  • Applicable. For instance, PCI is relevant to organizations handling payment-card information, and HIPAA is relevant to US healthcare organizations. NIST 800-171 is intended for organizations doing business with the US DoD.
  • Cost-effective. The organization must be able to achieve and maintain compliance without wrecking the business.

The CMMC ticks all these boxes for roughly 350,000 DoD companies and a growing list of companies outside of those directly in coverage. Since the CMMC is based on the best of all the current reputable standards, there is no particular need to show how it maps back to them; for most of these companies, there is no compelling business reason to comply with any other standard. Because companies must be certified by an impartial, external third party, the CMMC also provides much stronger assurance to non-DoD business partners than unsubstantiated claims of compliance with any other standard. The cost of gaining and retaining compliance is minimal measured against keeping the supply chain secure rather than disrupted.

Also, as organizations earn certification, their CMMC level will drive out other claims about cybersecurity. The CMMC level will also simplify the interactions between businesses regarding how information is protected. Currently, mature organizations include some level of cyber due diligence in their contracting processes. With this new standard, instead of subjecting business partners to long questionnaires about their internal cybersecurity, even non-DoD organizations will only have to ask each other a straightforward question: What is your CMMC level?

Reason Three: Programmatically, CMMC auditors are better than any other auditors in the security space.

Auditors must pass knowledge, competency, ethics, and security background checks, and have the quality of their reviews checked and evaluated. Until now, only the PCI standard, ISO 27001/27002, and the HITRUST framework offered the option to be certified by a third party. Organizations could say they were compliant, satisfying most who had an interest in security while glossing over the fact that they were not certified. CMMC will require certification by a third party. However, these auditors are very different from ISO auditors in that they are bound by ethical guidelines and subject to security background checks, knowledge qualification reviews, and qualification checks. The PCI standard is similar in this approach; however, PCI is industry self-governance rather than a legal requirement for everyone gaining certification. Moreover, CMMC will police the marketing, attestations, and behavior of those participating in a way that should weed out frequent offenders.

Reason Four: CMMC is revenue-focused, not policing-focused.

Until now, NO cybersecurity standard stood in front of a contract at large. CMMC is the only standard under which you may not move forward to fulfillment if you do not certify to the level called for by the desired contract award. Said another way, you must FIRST become certified, rather than claim ignorance and deny knowledge of your responsibility when faced with a policing action afterward.

Reason Five: Most companies will need to be CMMC certified; ISO offers nothing more comprehensive.

Review these considerations below:

Say Hello to CMMC and Goodbye to ISO 27001

Overall, the CMMC process only became law in September 2020 and set in motion a five-year transition plan. It’s hard to determine the full impact of this new compliance approach now; however, CMMC will be the de facto standard to build around for a generation or two at the least. Also, the DoD is willing and able to enforce these standards, as 2021 has ushered in a whole new class of contract award refusals and business-process changes built around cybersecurity compliance certifications.

It also means that DoD contractors should start taking proactive steps to strengthen their security measures and consider migrating from old standards such as ISO 27001/27002 to CMMC. Consider the maturity level you’ll need to earn to continue to justify your security program’s performance (or keep your DoD contracts) or to win the types of contracts you want to hold in the future.

NIST and CMMC will work hand in hand to make for a safer and more structurally sound data security landscape and supply chain, leaving behind a legion of old standards whose usefulness has sunset.

Scrutiny of defense industrial base (DIB) cybersecurity has never been higher. The costs and impacts of security lapses are on full display in the wake of the SolarWinds breach, as federal agencies continue to investigate the full scale of the intrusion, likely the work of Russia.

Even before recent events, Cybersecurity Maturity Model Certification (CMMC) loomed large among the DIB. We took a snapshot this fall of where DoD contractors stand, surveying more than 200 senior executives to find out what work still needs to be done, the risks and challenges they face, and how to ensure long-term security and compliance.

The results reveal new opportunities, including mitigation and investment strategies, and highlight some of the biggest remaining unknowns that the DIB must quickly address.

This report is designed to help the DIB, the US DoD, and the general security community better understand the level of compliance, the acceptance of new rules, the level of understanding of the cyberattack threat landscape, and current levels of preparedness and business impacts.

Once you learn what DoD suppliers are thinking, find out what they’ve been doing for the past five years. We’re opening the vault on data from the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks to help contractors better navigate the road to CMMC compliance. Join our free webinar on February 3, 2021 for all the findings.


Among the key findings of the Fall 2020 executive survey:


Finding 1: 21% of DIB companies surveyed have experienced a cybersecurity incident

A little over one-fifth of DIB companies indicated that they have been the victim of a cyberattack, highlighting the risk that CMMC aims to curb. But as the demand for security professionals outpaces supply, executives are increasingly looking to public cloud providers and key DIB partners to assist in managing security.

Public cloud infrastructure offers some of the best bets, and allows DIB companies to compete effectively in today’s digital world and stay secure. Moreover, as cyberattacks become more rampant, DIB C-Suite professionals are looking for active management and continuous monitoring of all infrastructures.


Finding 2: 82% of DIB contractors are handling CUI, a Critical Element in DFARS Compliance (CMMC / NIST 800-171)

Of DIB companies surveyed, 82% understand that they process Controlled Unclassified Information (CUI) as first defined by a ruleset under the Obama administration. As a result, they inherit the most onerous requirements of CMMC and NIST 800-171 security standards, which are critical to ensuring future DoD revenue.

Executives are concerned about the impact security threats can have on business performance, pointing to the potential loss of customers, brand reputation, and operational productivity. Many report adjusting budget priorities to better secure networks and prevent attacks.

The impacts of attacks on DIB corporate networks can vary depending on the industry in which companies compete. Manufacturers that have long embraced automation to boost production efficiencies now plan to integrate artificial intelligence in security measures with a corresponding shift in their IT budgets.

Events that most influence how executives view their companies’ security vulnerabilities include high-profile data breaches and nation-state attacks on peer companies, cyber-attacks on their organizations, and government regulations.


Finding 3: 93% of DIB companies are aware of CMMC

The DIB C-Suite research reveals that nearly all companies in the sector – 93% – are aware of the new CMMC rules and the important sector trends. DIB companies are attempting to educate themselves about the effects of recent rule changes on security requirements. Suppliers of all sorts need to consider documentation, adherence, and, in some cases, transformation of their security practices to protect and comply with the requirements of the new DoD rules.

Fortunately, only 13 of 201 respondents cited that they were unaware of the CMMC rules. Unfortunately, many in the DIB are ill prepared to actually implement them.


Finding 4: A third of DIB companies don’t know which CMMC level to focus on

The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC as a requirement for contract award.

While 56% of respondents said they’re focused on Levels 1-3, with 42% focused on Level 3 alone, a large portion of respondents still don’t know which level to focus on. Some 33% of respondents said the level they would focus on is “uncertain.” That will limit their speed in adopting and certifying their compliance with the level they eventually must meet.


Finding 5:  More than half of DIB companies outsource IT and security functions

DIB C-suite executives face tough choices when deciding where to invest resources to propel their businesses forward. At least 4 in 10 respondents identify increasing infrastructure complexity, digital transformation plans, integrations of artificial intelligence, and migration to the cloud as putting pressure on security planning and budget allocation.

Executives understand that compliance to DFARS, NIST 800-171, and CMMC is paramount and to transform their businesses, they must embrace the integration of new technologies.

At the same time, they’re facing an internal skills gap. One-third of respondents report dependence on their internal IT talent, promoted from within, which can create a knowledge gap in security strategy.

The internal skills gap is not easily solved because the demand for security professionals outpaces supply. As a result, more executives report the need to look to outside security vendors for assistance.

In fact, more than 54% of executives report outsourcing both IT and IT security to gain traction on competent and quick compliance. They have decidedly moved toward public and private cloud environments, and the survey data also reveals a shift of network security budgets toward technologies that employ more automation, more technology integration, and the ability to operate from a sovereign US environment on government-authorized FedRAMP environments.


Finding 6: China and Russia aren’t the only risks on DIB companies’ minds

DIB C-Suite executives face tough choices when deciding where to invest resources to propel their businesses forward. As the threat of network attacks becomes a question of when, not if, chief executive officers and chief security officers must carefully evaluate the risks associated with security vulnerabilities and the costs of implementing effective security solutions.

At least 4 in 10 respondents identify these factors as putting pressure on their organizations’ security planning and investment:

  • Increasing infrastructure complexity
  • Threat from China, Russia, and Iran
  • Compliance to new regulations
  • Migration to the cloud


Finding 7: 40% of DIB companies estimate the cost of an attack at more than $1 million

Data breaches are expensive. They rack up monetary costs that directly affect companies’ bottom lines, but more troubling is the damage inflicted to intangibles such as brand reputation and customer trust.

Almost 40% of respondents estimated the hard cost of every attack to be more than 1 million USD/EUR/GBP, with cost estimates surging to more than 25 million USD/EUR/GBP for 5% of respondents. While soft costs are difficult to quantify, it is likely their impact is much higher over the long run than hard costs.

Hard and Soft Costs



About the Research

On behalf of CyberSheath, BAO surveyed 201 executives from July to September 2020. To participate in the 2020 DIB C-Suite Compliance Security Survey, respondents were required to work for a company that contracts with the US DoD, and by design the survey required at least half of respondents to be C-level executives, though this year’s research attracted far more C-level corporate leaders. About two-thirds of the companies in the survey have fewer than 500 employees.


Don’t forget: Sign up for our free webinar on February 3, 2021 to learn what high- and low-scoring organizations have in common, variables that negatively affect most businesses, and characteristics of companies attaining compliance. Don’t miss it!

How Secure is the DIB Supply Chain?

SolarWinds, with more than 300,000 global clients, including many federal agencies in the United States and most of the Fortune 500, unknowingly released a software update that included malware providing attackers unobstructed remote access to victim networks. The magnitude of this breach requires impacted customers to conduct forensics if they have the means, immediately remove the compromised SolarWinds Orion products from their network, execute an incident response action plan, and rebuild the network previously monitored by SolarWinds products.

This level of breach is catastrophic, and impacted businesses should assume total compromise. The work to recover from this event on a meaningful size network is inconceivable for those who have not been through this before.

As a Microsoft Partner and leading provider of Managed CMMC Compliance to Defense Industrial Base (DIB) contractors, CyberSheath has fielded many inquiries related to the extensive investigation into the SolarWinds breach. As nearly every business of any size has some level of Microsoft deployed in their environment, we wanted to share several items we felt would be of interest to those with Microsoft, SolarWinds, or both currently deployed.

  • Microsoft Source Code Repository Access: Microsoft detected malicious SolarWinds applications in its environment, then isolated and removed them. During the investigation, Microsoft detected unusual activity with a small number of accounts, which were used to view source code repositories. The accounts could not modify code, and the affected accounts were investigated and remediated. No risk to services or customer data has been identified as a result of this activity. Access the full Microsoft post, SolarWinds Impact and Investigation. Microsoft has provided security tools to investigate and mitigate any known SolarWinds-related malicious activity and has published several resources that can be used in response to this attack.
  • Microsoft 365 Defender: Businesses with Microsoft 365 Defender should leverage the Indicators of Compromise (IOCs) provided by Microsoft 365 Defender to look for vulnerabilities and potentially malicious activity related to the SolarWinds attack.
  • Microsoft Azure Sentinel: Microsoft has published recommended content for Azure Sentinel that should be used to monitor for indicators of compromise.

Finally, the Solorigate Resource Center, which Microsoft keeps updated with their latest information, can be found here.
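To make concrete what "leveraging the IOCs" in the bullets above looks like in practice, here is an added example of a defender-side indicator sweep. It is example code written for this page, not code from the original post, CyberSheath, or Microsoft, and every indicator and log record in it is a constructed placeholder drawn from reserved documentation ranges rather than a real Solorigate IOC. It matches domains (including subdomains of a listed domain), single IPs or CIDR blocks, and file hashes from a feed against simple key=value log records.

```python
"""IOC sweep over log records.

Added example, not code from the original post, CyberSheath or Microsoft:
it shows the shape of the check a defender runs once a vendor publishes
indicators of compromise. Every indicator and log line here is a constructed
placeholder (reserved example/documentation ranges), not a real Solorigate IOC.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC feed: domains, single IPs or CIDR blocks, and file hashes.
IOC_FEED = {
    "domains": {"c2.example.invalid", "update-cdn.example.invalid"},
    "ips": {"203.0.113.7", "198.51.100.0/24"},
    "sha256": {"a" * 64},  # placeholder hash, constructed for this example
}

# Constructed log records in a simple key=value format.
SAMPLE_LOGS = [
    "ts=2020-12-14T03:12:09Z host=ws01 event=dns query=api.c2.example.invalid",
    "ts=2020-12-14T03:12:10Z host=ws01 event=net dst=203.0.113.7 dport=443",
    "ts=2020-12-14T03:13:44Z host=srv02 event=net dst=198.51.100.42 dport=80",
    "ts=2020-12-14T03:15:01Z host=srv02 event=file sha256=" + "a" * 64 + " path=C:\\tmp\\x.dll",
    "ts=2020-12-14T03:16:00Z host=ws03 event=dns query=login.microsoftonline.com",
    "ts=2020-12-14T03:17:00Z host=ws03 event=net dst=192.0.2.10 dport=443",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Hit:
    line: str        # the raw record that matched
    ioc_type: str    # "domain", "ip" or "sha256"
    indicator: str   # the feed entry that matched
    observed: str    # the value seen in the log


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; keys the sweep does not know are ignored."""
    return dict(KV_RE.findall(line))


def match_domain(value, domains):
    """Exact match or any subdomain of a listed domain, case-insensitive."""
    v = value.lower().rstrip(".")
    for d in domains:
        if v == d or v.endswith("." + d):
            return d
    return None


def match_ip(value, ips):
    """Match one address against /32 entries or CIDR blocks in the feed."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # field was not an IP address at all
    for entry in ips:
        if addr in ipaddress.ip_network(entry, strict=False):
            return entry
    return None


def sweep(lines, feed):
    """Return one Hit per log record field that matches an indicator."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if "query" in f:
            d = match_domain(f["query"], feed["domains"])
            if d:
                hits.append(Hit(line, "domain", d, f["query"]))
        for key in ("src", "dst"):
            if key in f:
                ip = match_ip(f[key], feed["ips"])
                if ip:
                    hits.append(Hit(line, "ip", ip, f[key]))
        if "sha256" in f and f["sha256"].lower() in feed["sha256"]:
            hits.append(Hit(line, "sha256", f["sha256"].lower(), f["sha256"]))
    return hits


if __name__ == "__main__":
    for h in sweep(SAMPLE_LOGS, IOC_FEED):
        print(f"{h.ioc_type:7} {h.indicator:28} <- {h.line}")
```

On the constructed records above the sweep returns four hits (one domain, two IP, one hash) and ignores the benign DNS and network lines. A real deployment would pull the feed from the vendor's published list and run the same matching inside the SIEM, but the normalization choices shown here (lowercasing, suffix matching on domains, CIDR-aware IP comparison) are the ones that decide whether an indicator is actually caught.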

Regulatory Compliance Impact on SolarWinds Incident

Aside from what businesses can and should be doing to respond to and recover from this widescale attack, one of the questions heard frequently is, “Could CMMC have prevented any of this?” We think this is the wrong question to ask and that it represents “silver bullet thinking”. For example, we do not use this type of thinking in regard to vehicle seatbelts. Seatbelts are required in vehicles here in the United States despite their inability to prevent 100% of injuries, because we still recognize their overall value in injury prevention.

The fact is, had DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, been enforced and compliance verified since 2017, rather than selectively implemented through self-certification, the SolarWinds attack might have looked very different. The clause mandates rapid reporting of cyber incidents to DoD. Specifically, the clause requires:

Cyber Requirements under NIST 800-171 Since 2017

(c) Cyber incident reporting requirement.

(1) When the Contractor discovers a cyber incident that affects a covered contractor information system or the covered defense information residing therein, or that affects the contractor’s ability to perform the requirements of the contract that are designated as operationally critical support and identified in the contract, the Contractor shall—

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD at

(2) Cyber incident report. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at

(3) Medium assurance certificate requirement. In order to report cyber incidents in accordance with this clause, the Contractor or subcontractor shall have or acquire a DoD-approved medium assurance certificate to report cyber incidents. For information on obtaining a DoD-approved medium assurance certificate, see

(d) Malicious software. When the Contractor or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by DC3 or the Contracting Officer. Do not send the malicious software to the Contracting Officer.

(e) Media preservation and protection. When a Contractor discovers a cyber incident has occurred, the Contractor shall preserve and protect images of all known affected information systems identified in paragraph (c)(1)(i) of this clause and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

(f) Access to additional information or equipment necessary for forensic analysis. Upon request by DoD, the Contractor shall provide DoD with access to additional information or equipment that is necessary to conduct a forensic analysis.

(g) Cyber incident damage assessment activities. If DoD elects to conduct a damage assessment, the Contracting Officer will request that the Contractor provide all of the damage assessment information gathered in accordance with paragraph (e) of this clause.

Benefit of NIST 800-171 Information-Sharing Mechanism

Looking at this list of reporting requirements, it is impossible to believe that the defense industrial base would not have been better served by having implemented NIST 800-171 and being part of the robust information-sharing mechanisms between DoD and industry. IOCs would have reached a wider audience faster, and likely with greater precision.

It is not a leap of faith to believe that our national security and the Department of Defense supply chain will be materially strengthened because of regulatory requirements like CMMC. 

How Secure is the Defense Industrial Base Supply Chain?

We invite you to an interactive review of our analysis detailing hundreds of DoD contractors’ cybersecurity posture to discover the concerning findings and best practices that lead to compliance. During this webinar, you will learn:

  • Top 3-5 failing controls; what are they, and why are they so challenging to implement?
  • Outcomes by business profile, from professional services to the manufacturing floor.
  • Top 3 characteristics of organizations who successfully achieve compliance.


Over the 14+ years we have worked with Department of Defense (DoD) contractors, cybersecurity compliance requirements have evolved from voluntary, to self-certification, to now mandatory minimums validated by independent third parties via the Cybersecurity Maturity Model Certification (CMMC); the question of cost underpins almost every discussion.

The CyberSheath team gets asked two questions every day, all day long: how much and how long? Contractors asking prefer an exact answer, ideally one that fits in their existing budget. The DoD and NIST have tried to provide some level of analysis around the cost impacts of cybersecurity compliance, but when released these estimates are immediately questioned by industry. In our experience these government-provided estimates are interesting but irrelevant to your specific situation. Applying the analysis done by the government is like trying to calculate your tax situation based on what you think your neighbor’s tax bill might be. It’s a waste of your time and guaranteed to be inaccurate. So how do you get a cost of compliance for NIST 800-171 and CMMC that is relevant and specific to your organization? It’s not actually that difficult, and I will share our process here and welcome you to contact us for your evaluation.

CyberSheath has been providing firm fixed price managed cybersecurity compliance for more than six years, exposing us to a tremendous amount of data around cost. We also understand the differences in cost of compliance between a manufacturing environment, a software development organization, a research and development operation, and just about everything in between. A significant part of our customer base consists of foreign-owned, US-based defense contractors, so we understand those unique aspects as well. Our methodology is audit approved in the sense that our customers have successfully passed third-party audits repeatedly.

Our Approach to Understanding the Cost of Compliance.

Don’t ask for a “ballpark”.

With the passage of the new law that went into effect on November 30, 2020, NIST 800-171 and CMMC compliance are being enforced, and it is time to get serious about actually implementing the controls. Ballparks on CMMC cost are not serious inquiries. I understand human nature and the desire to “get a ballpark,” but it is a waste of your time, and it is impossible to get an actionable and accurate “ballpark”. There are simply too many variables specific to your situation that ballparks cannot account for. Cloud-based? On-premises? Windows networked domain environment? Cloud services? Hybrid cloud? These are just some of the questions that drive cost and prevent a ballpark answer to the cost question. It is a bit like calling a personal trainer, having never met them or provided any information, and asking them how quickly you can get into shape. Don’t fret; there is a relatively painless way to understand what your cost might be. Please skip the ballpark conversation and instead put an hour or less into getting something accurate and actionable.

Fill out a scoping document and have a conversation.

One of the things that we don’t ask potential customers is what their budget is. Candidly, your budget is independent of the cost to become compliant. It’s our job to make your budget and the costs align as closely as possible. Still, ultimately, the cost of getting your specific environment compliant is a finite number independent of your actual budget. You probably didn’t account for the 110 security requirements of NIST 800-171 when you created your budget, and CMMC likely wasn’t law yet, so your budget is not really part of the conversation.

Your environment, the existing people, processes, and technologies you leverage to conduct your business, hold the answers to determining your cost of compliance. At CyberSheath we have developed a relatively simple process that generally takes less than an hour to complete. 

It starts with a facilitated conversation in which we walk you through a comprehensive scoping document and fill it out for you. The scoping document was developed through nearly a decade of experience delivering managed compliance services, and its questions are geared toward the things we have seen drive the cost of compliance. You bring the appropriate person from your organization who can answer the questions, typically the “IT guy,” and we do the rest. This takes anywhere from 30 to 45 minutes, and the outcome is an accurate and actionable understanding of the cost and timeline for your organization to become compliant. In our experience, this is time well spent regardless of whether you decide to move forward with CyberSheath as your managed compliance partner.

What You Get In Exchange For Your Time

A facilitated conversation that outputs a firm fixed price statement of work tailored to your organization’s people, processes, and technologies. It includes cost, schedule, and deliverables to understand how long and what it will take to get you fully compliant. Of course, we’d love to have you as another one of our satisfied customers, but it also allows you to understand what a comprehensive solution looks like if you’re talking to other vendors. 

Next Steps

Unsure of the cost and time for your organization to become compliant with NIST 800-171 and CMMC? Schedule a meeting with a CyberSheath expert today. To further your knowledge of how your organization compares with the cybersecurity posture of the DIB, please join our webinar, “How Secure is the Defense Industrial Base Supply Chain?” on February 3, 2021 at 9:00 am (PST) | 12:00 pm (EST) to access our data collected from hundreds of assessments and discover the concerning findings and best practices that lead to compliance. Register Now.




As 2020 ends, and if you missed them, we have rounded up five of our most popular blog posts. 

This past year was filled with discussion and updates regarding CMMC and NIST 800-171, so not surprisingly, these top posts cover NIST controls, the DFARS Interim Rule, as well as the steps required to ensure new Department of Defense (DoD) regulations are met.


Let’s get started.


The first two blog posts touch on NIST 800-171 and CMMC control compliance.

1. Top Five Most Difficult Controls to Implement Under NIST 800-171

As prime and sub-contractors learn more about the regulations required to maintain or win new DoD revenue, you may wonder whether your competitors share the issues you are running up against as you work to become compliant. This post covers which controls are the most complicated to implement, why they are complex, and how you can overcome the obstacles they create.


2. What is the CMMC Shared Security Model and Why is it Needed?

For commercial firms providing services to the U.S. defense industry, the cybersecurity challenge has been growing for years, mostly without any oversight from the DoD. Specifically, the accumulation of Controlled Unclassified Information (CUI) on unregulated and often under-secured contractor networks across the DoD supply chain has become a risk the DoD must address. This post explains how a CMMC shared security model assures coverage of all areas of the security environment to meet compliance.


The next two blog posts cover the DFARS Interim Rule before it took effect on December 1st. Though each post was written to examine the interim rule, the guidance offered still applies now that the rule is in effect.

3. DFARS Interim Rule: What You Must Do Immediately

The post goes through what is required of you today to be compliant with the updated DFARS clause that is now law.


4. DFARS Interim Rule and Emergency Justification FAQ: Everything You Need to Know

A robust, frequently asked question post with the answers necessary to understand the law’s impact on your business and what actions you must take to maintain competitiveness.


Lastly, our final post provides a step-by-step guide assuring the latest DoD regulation is met.

5. Step-by-Step Guide to SPRS NIST 800-171 Assessment Submittal

As of December 1st, the DFARS Interim Rule is in effect, reinforcing that suppliers must submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The CyberSheath team works with our clients to ensure they meet all DoD cybersecurity requirements, and to that end, have assisted in the submittal of their assessment to the SPRS. This post contains a step-by-step guide walking through successfully creating an account and submitting your assessment score to the government.

Department of Defense (DoD) suppliers were notified at the end of September about the new DFARS Interim Rule, designed to collect NIST 800-171 assessment scores from all DoD contractors through submittal to the Supplier Performance Risk System (SPRS). As mentioned in a previous blog post, starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th. As of December 1st, the DFARS Interim Rule is in effect, reinforcing that suppliers must submit their NIST 800-171 assessment score to the government to avoid lost DoD revenue.

The CyberSheath team works with our clients to ensure they meet all DoD cybersecurity requirements and, to that end, has assisted our clients in submitting their assessments to the SPRS. To help suppliers navigate a potentially overwhelming process, we have created a step-by-step guide showing how to successfully create an account and submit your assessment score to the government.


Step-by-Step Guide to SPRS Assessment Submittal

Step 1: Set up Your Account

First, visit the PIEE website and click the REGISTER button at the top right of the screen.

PIEE Account Set Up

Next, accept the Privacy Act Statement and Terms and Conditions.

Select VENDOR from the options.

PIEE Vendor Options

If your company has a Common Access Card or a certificate, you can choose that option from the drop-down. Otherwise, choose User ID/Password if you do not have the other credentials readily available.

PIEE Captcha

Enter in your security questions.

PIEE Security Questions

Provide your name and contact information.

PIEE User Profile

Enter supervisor (not required) and company contact information.

PIEE Supervisor Contacts

STEP 2: Access the Supplier Performance Risk System (SPRS)

Select SPRS (Supplier Performance Risk System) from the drop-down menu.

PIEE SPRS Drop Down Menu

STEP 3: Select SPRS Cyber Vendor User

PIEE SPRS Cyber Vendor

STEP 4: Add Roles

Next, click ADD ROLES. You will see a line at the bottom with a LOCATION CODE field. This is where you will enter the CAGE code for your company.

PIEE Add Roles

Enter your CAGE code. If you have multiple CAGE codes, repeat this step (ADD ROLES) to add a line for each additional code.

PIEE Add Cage Code

Enter the justification for your account. Attachments are for justification and/or identification only; do not attach your self-assessment here.

Step 5: Complete the Agreement

From here you will need to complete the Agreement portion of the application. You should receive approval for your account promptly after completion. If you do not have a CAGE code, or if your CAGE code is not registered against an active DoD contract, you may not be able to create an account. If you run into this issue, or your company has never won a contract, you can instead submit your self-assessment by email. *NOTE* Remember to send your self-assessment via encrypted email: the assessment lists exactly which controls you have not implemented, which is precisely the information an attacker targeting your network would want.

Step 6: Admin Approval of Cage Code

Once you register, the administrator linked to your CAGE code must approve your account.

PIEE Log In Credentials

If you are not the Contract Administrator for the CAGE code and are unsure who that person is, you can look it up by going to the PIEE homepage and selecting FIND MY ACCOUNT ADMINISTRATOR from the NEED HELP WITH YOUR ACCOUNT? menu.

On the next screen, enter your CAGE code under LOCATION CODE. Do NOT select anything from the APPLICATION or ROLE options. After the CAGE code has been entered, type in the numbers from the CAPTCHA image and click SUBMIT.

PIEE Location Code

The next screen shows who the Administrator for the CAGE code is and whom you will need to contact for account approval. If no Administrator has been linked to the CAGE code, you will need to contact PIEE support (1-866-618-5988) to have one provisioned.

You have now created your account. Once the registration is approved by the CAGE code administrator, you are ready to submit your score.

Step 7: Submit Your Assessment Score

Now that you have an account you will need to go to the PIEE website and click LOG IN.

Login Btn

Select the SPRS Icon. Then select NIST SP 800-171 Assessment from the options.


Select the company name at the desired assessment level (BASIC is the most common; the other levels apply only if Government personnel conducted your assessment). Once selected, click ADD NEW ASSESSMENT from the menu.

PIEE Attach Assessment

Enter assessment details and click SAVE.

PIEE Enter Assessment Details

Next Steps

You have now submitted your assessment, meeting the requirements under the DFARS rule, and can begin working through the items in your Plan of Action and Milestones (POAM).

If you have not done a NIST 800-171 assessment and do not know your score, we are here to help. Please do not hesitate to reach out with any questions or to talk through a project plan to avoid penalties and remain competitive in the DoD acquisition process.
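The score entered in SPRS is not a pass/fail mark; it is computed under the NIST SP 800-171 DoD Assessment Methodology, and the same arithmetic tells you which POAM items are worth the most. The calculator below is an added example written for this page, not part of the original post or of SPRS itself. It assumes the methodology's published rules (start at 110, subtract each unimplemented requirement's weight of 5, 3 or 1; requirements 3.5.3 and 3.13.11 lose 3 rather than 5 when partially implemented; 3.12.4, the system security plan, is unscored but mandatory). The weight table is a constructed excerpt of a few requirements and the sample results are constructed; with the full weight table from the methodology's Annex A, the same code yields the real score.

```python
"""Added example: compute a NIST SP 800-171 DoD Assessment (SPRS) score.

Scoring assumptions (DoD Assessment Methodology):
  * start at 110 and subtract the weight (5, 3 or 1) of each requirement
    that is not implemented;
  * 3.5.3 (MFA) and 3.13.11 (FIPS-validated crypto) may be scored as
    partially implemented, deducting 3 instead of 5;
  * 3.12.4 (system security plan) is not scored, but without an SSP the
    assessment cannot be completed.
The weight table below is a constructed EXCERPT; the full table covers all
110 requirements and must be taken from the methodology's Annex A.
"""
from typing import Dict, List, Tuple

# Constructed excerpt of the Annex A weight table (verify against the current
# methodology before relying on any value).
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.3": 1,    # control the flow of CUI
    "3.1.5": 3,    # least privilege
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
    "3.14.1": 5,   # flaw remediation
    "3.14.2": 5,   # malicious code protection
}

# Requirements that permit partial credit, with the reduced deduction.
PARTIAL_CREDIT: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

MAX_SCORE = 110
VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def deduction_for(req_id: str, status: str) -> int:
    """Points lost for one requirement given its assessed status."""
    if status not in VALID_STATUSES:
        raise ValueError(f"{req_id}: unknown status {status!r}")
    if status == "implemented":
        return 0
    if status == "partial":
        if req_id not in PARTIAL_CREDIT:
            # Only 3.5.3 and 3.13.11 allow partial credit; anything else that is
            # not fully implemented must be scored as not implemented.
            raise ValueError(f"{req_id} does not allow partial credit")
        return PARTIAL_CREDIT[req_id]
    return WEIGHTS[req_id]


def assess(results: Dict[str, str], has_ssp: bool = True) -> Tuple[int, Dict[str, int]]:
    """Return (score, per-requirement deductions) for a complete set of results.

    Every weighted requirement must have a status: an assessment that silently
    omits controls is incomplete, so missing or unknown IDs are an error.
    """
    if not has_ssp:
        raise ValueError("3.12.4: no system security plan; assessment cannot be completed")
    missing = sorted(set(WEIGHTS) - set(results))
    if missing:
        raise ValueError(f"no result recorded for: {', '.join(missing)}")
    unknown = sorted(set(results) - set(WEIGHTS))
    if unknown:
        raise ValueError(f"not in weight table: {', '.join(unknown)}")
    deductions = {rid: deduction_for(rid, results[rid]) for rid in WEIGHTS}
    return MAX_SCORE - sum(deductions.values()), deductions


def poam_priority(deductions: Dict[str, int]) -> List[str]:
    """Open POAM items ordered by points recoverable, then by requirement ID."""
    def key(item: Tuple[str, int]):
        rid, pts = item
        return (-pts, tuple(int(p) for p in rid.split(".")))
    return [rid for rid, pts in sorted(deductions.items(), key=key) if pts > 0]


# Constructed sample results for a fictional supplier.
SAMPLE_RESULTS: Dict[str, str] = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.3": "not_implemented",
    "3.1.5": "not_implemented",
    "3.3.1": "implemented",
    "3.5.3": "partial",        # MFA for remote/privileged users only
    "3.13.11": "partial",      # encryption in use but not FIPS-validated
    "3.14.1": "implemented",
    "3.14.2": "implemented",
}

if __name__ == "__main__":
    score, ded = assess(SAMPLE_RESULTS)
    print(f"SPRS score: {score}")
    for rid in poam_priority(ded):
        print(f"  POAM {rid}: recover {ded[rid]} points")
```

Two details matter in practice. Partial credit is deliberately restricted to the two requirements the methodology names, so the code refuses a "partial" on anything else rather than quietly under-deducting; that is the honest-scoring question raised elsewhere on this page. And because the score can go negative with the full table, ordering open items by points recoverable is the quickest way to decide which POAM entries to close first.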

At CMMC Con 2020, we heard about the threat from China, next steps for CMMC, and how no one in the Defense Industrial Base (DIB) has all the answers. After an immersion in why the CMMC is essential and what the requirements are, the one question remaining is: What now?

We wrote a book about how to get started — get your free copy here. It’s a plain-English guide to everything you need to know about achieving NIST 800-171 and CMMC compliance as a contractor in the DIB.

But next steps were a focus of the sessions at CMMC Con. The biggest takeaway: Get your self-attestation recorded or risk lost business.

One of the clearest wake-up calls came from Katie Arrington, who noted that “every vendor, every contractor as they are going to contract award will have to do a self-attestation and record it on the SPRS platform…. It’s the dawn of a new day.” She later emphasized: “All new awards as of November 30, 2020 have to have this self-assessment.”

This was a stark reminder of what the DIB has been hearing with increasing urgency for a couple months. We got the DFARS Interim Rule at the end of September. Starting in mid-October, Northrop Grumman, Lockheed Martin, General Dynamics, BAE, and other prime contractors sent letters to suppliers asking them to determine their current DoD assessment score and upload it to the SPRS by November 30th.

While everyone was supposed to be doing this for the past five years, a lot of this is new, like submitting self-attestations to the SPRS. Everyone is playing catch up. But that doesn’t mean everyone is taking it seriously just yet. And they might not until it hits their wallets.

Arrington said in her keynote that there are signs of improvement in compliance, but in the assessments we perform for our clients, we haven’t seen that. Reviewing our data, it’s clear contractors and suppliers have a way to go.

There are many reasons why. In part, the five NAICS codes cited in the DFARS interim rule are so broad that they pull in contractors that weren’t aware they had to comply: Research and Development in the Physical, Engineering, and Life Sciences; Engineering Services; Commercial and Institutional Building Construction; Other Computer Related Services; and Facilities Support Services. As a result, we have been working with construction and architecture firms that don’t understand why the rule applies to them.

Several other suppliers are stuck between a rock and a hard place. Organizations that are supposed to have met the standards for the last five years have been taking contracts, thereby certifying they are 100% compliant. But it was self-certification, and no one was checking. Now, do they score themselves honestly and open themselves up to False Claims Act liability for contracts they have taken? Or do they score themselves aspirationally and try to make up ground before anyone comes knocking on their door?

The answer is to get the process started as soon as possible. Read our book for more background. We’ve been performing assessments for years and understand what’s required and where and how most contractors need to improve.

The one silver lining from Arrington’s keynote is that the DoD recognizes the cost of security. She noted: “We are willing to pay for it, we are willing to say security is an allowable cost … build it into your rates.”

The challenge now, as we heard all day at CMMC Con, is to get it done on deadline.

RESTON, Va.—December 1, 2020—CyberSheath Services International today announced it has earned Cybersecurity Maturity Model Certification (CMMC) Registered Provider Organization (RPO) certification. This new achievement fortifies the company’s position as the leader in CMMC compliance solutions and services meant to eliminate theft of intellectual property and sensitive information across the Defense Industrial Base (DIB) and Department of Defense (DoD) supply chain.

This news comes on the heels of CyberSheath hosting some 1,000 registrants for an incredibly successful CMMC Con 2020 virtual conference in November. CyberSheath also wrote a book on CMMC – the CMMC Companion 2020/2021 Edition, which is widely seen as a defense contractor’s playbook.

“By staying current on certifications and changes in compliance requirements, we’re positioned as the partner of choice for CMMC compliance,” says Eric Noonan, CEO of CyberSheath. “The RPO credential formally recognizes what our existing customers already know, that DoD contractors can trust in CyberSheath’s ability to deliver turnkey solutions for cybersecurity compliance requirements. Our managed services approach to CMMC and NIST 800-171 compliance meets suppliers where they are, significantly reducing cost and complexity for their business.”

The CMMC model is a set of mandatory cybersecurity requirements that all 300,000-plus DoD contractors must implement and then validate by an independent third party before contract award. The CMMC Accreditation Body, which is managing the CMMC rollout on behalf of the DoD, announced requirements and opened applications for multiple credentialed roles, including RPO, this summer.

CyberSheath’s staff have been working with the DoD since 2008 from the inception of voluntary cybersecurity requirements all the way through the current mandatory CMMC requirements, and the RPO credential is the next logical step in this journey.

According to the CMMC-AB, RPOs are authorized to represent the organization as familiar with basic constructs of the CMMC Standard, and are qualified as:

  • Aware — Employs staff trained in basic CMMC methodology.
  • Registered Practitioner Staffed — Offers non-certified consultative services.
  • Targeted — CMMC Assessment preparation.
  • Trusted — Bound by a professional code of conduct.

RPO status means CyberSheath has agreed to the CMMC-AB Code of Professional Conduct, can deliver non-certified CMMC consulting services, and is listed on the CMMC-AB Marketplace.

For more information or details, please contact


About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



CMMC Companion

RESTON, Va.—November 24, 2020—CyberSheath Services International has published the 2020 / 2021 CMMC Companion guide to help defense contractors navigate and comply with new rules from the Department of Defense (DoD) to secure the Defense Industrial Base from cyberthreats. This new resource for defense contractors provides a clear, concise primer that summarizes the CMMC, discusses why the rule has been created, and proposes useful tips for its mandatory implementation.

“The defense industry has been clamoring for help as new rules emerge and the risk of losing out on defense contracts and revenue becomes more real,” says Eric Noonan, CEO of CyberSheath. “CyberSheath has been supporting compliance initiatives for defense contractors and other companies since 2012, and they’ve channeled that experience into this new resource. Anyone dealing with CMMC will gain enormous benefits in terms of understanding the history, terminology, approach, and future direction.”

Though the industry has been charged with meeting stringent requirements for years, recent updates with real deadlines have created urgency and angst among prime contractors and subcontractors. Not only are the prime contractors ensuring their own compliance, but they are also putting pressure on their suppliers to verify compliance. If defense contractors do not comply, they risk the security of the supply chain, national security, the ability to secure DoD contracts, and, thus, their revenue.

New rules under the recent DFARS interim rule, coupled with prime contractor demands, mean suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POAM) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and processes are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POAM items, and the expected closure date for the additional controls.”

The new CMMC Companion guide comes on the heels of the first-ever CMMC Con, a virtual gathering hosted by CyberSheath attended by some 1,000 CMMC partners, including government stakeholders, services providers, and contractors.

For more information or details, please contact


About CyberSheath Services International, LLC
Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at

CyberSheath is pleased to introduce our distinguished CMMC Con 2020 guest and powerful industry and national resource Richard Wakeman.  Richard Wakeman is the Senior Director of Aerospace & Defense for Azure Global Engineering and is the commercial industry lead for Azure Government, Microsoft’s cloud solution specifically engineered to meet US government compliance and security requirements. He specializes in the Defense Industrial Base adopting cloud services from Microsoft and is the Program Manager for the Microsoft Cybersecurity Maturity Model Certification (CMMC) Acceleration Program. Richard engages with Microsoft partners and customers end-to-end from engineering to drive adoption of Azure Government, Microsoft 365 GCC High and Dynamics 365 GCC High as solutions within the Microsoft US Sovereign Cloud.

Richard joined Microsoft in 2007 as a developer, identity, and messaging expert at the dawn of Microsoft Online Services. Shortly after joining, he was engaged by the Exchange Product Group to lead cloud deployments worldwide for Live@edu as part of the Exchange Labs program, the predecessor of Office 365. He led the charge for the integration of MCS and Premier services with cloud offerings, becoming a Senior Architect for the Microsoft Enterprise Services Business Productivity Global Domain Solution Architecture Office. During his decade in professional services, Richard had a hand in deploying over 100 million seats into the Microsoft cloud. He deployed the first Microsoft cloud customers, including the first million-seat organization in the public multi-tenant cloud and the first Government Community Cloud customer.

One of Richard’s main roles is to provide an overview of what Microsoft is doing around CMMC.

Microsoft and CMMC

Microsoft has a deep and long history of supporting government customers and their unique mission requirements; in fact, about a year ago, Richard Wakeman wrote this blog specific to the Microsoft Cloud Service Offerings. Suffice it to say Microsoft uniquely understands the U.S. Government’s mission in a way that only decades of experience working alongside one another will allow. Microsoft understands the required people, processes, and technologies to support the DoD mission from both a compliance and operational perspective so well that it can often be difficult for anyone to lay it all out in one succinct communication. Microsoft has done more for the United States Government than any other cloud provider. Their decades of successful partnership with DoD have enabled them to provide resources that will enable your journey to CMMC compliance.

Here are three resources to get you started on your journey to CMMC compliance:

1. Shared Responsibility Model

CMMC compliance for many, if not most, companies will undoubtedly rely on the cloud at some point in the journey. When in the cloud, and frankly, on-premises, it is important to understand the concept of shared responsibility. When relying on cloud services, understanding the shared responsibility model is foundational to meeting and maintaining compliance. For an excellent blog on shared responsibility in the cloud start here and as you read think about which CMMC security tasks are handled by your cloud provider and which tasks are handled by you. Now for the many companies that rely on Managed Service Providers, Managed Security Service Providers, or otherwise defined Third-Party Providers, how are you extending the shared responsibility to those entities?

Almost no MSSPs understand CMMC in the context of the shared responsibility model. To my knowledge, CyberSheath is the only one that has built our entire CMMC management platform around Microsoft Azure technology, which is detailed here along with a detailed breakdown of how CMMC has been 13 years in the making.

CMMC compliance isn’t a “go it alone” model and requires an understanding of the shared responsibility model, regardless of your CMMC compliance level. Rare is the company that does everything in-house without exception.

2. Azure Blueprints

Azure blueprints enable customers to easily create, deploy, and update compliant environments and leverage the enormous Microsoft investment in data security and privacy. Microsoft invests more than USD 1 billion annually on cybersecurity research and development, employs more than 3,500 security experts entirely dedicated to your data security and privacy and Azure has more certifications than any other cloud provider. View the comprehensive list.

Blueprints simplify large-scale Azure deployments by packaging key environment artifacts, such as Azure Resource Manager templates, role-based access controls, and policies, in a single blueprint definition. Customers can apply the blueprint to new subscriptions and environments and fine-tune control and management through versioning. Specific to CMMC, blueprints present a tremendous advantage for customers who want to quickly address the majority of the CMMC Maturity Level 3 requirements.

The NIST SP 800-171 R2 blueprint sample provides governance guard-rails, implemented as Azure Policy, that help you assess specific NIST SP 800-171 R2 requirements or controls. This blueprint helps customers deploy a core set of policies for any Azure-deployed architecture that must implement NIST SP 800-171 R2 requirements. As many readers know, approximately 85% of the CMMC Maturity Level 3 requirements (110 of 130 practices) are the NIST 800-171 security requirements, so this blueprint can be a force for progress in your CMMC compliance efforts. Keep in mind that Azure Policy can only evaluate the configuration of Azure resources; the procedural and organizational requirements, and anything running outside Azure, remain your responsibility under the shared responsibility model described above.

3. Office 365 GCC High and DoD

As many defense contractors already know, CMMC was, in part, created to address the security of CUI, and Microsoft has long been a partner with DoD working to protect this information.

To meet the unique and evolving requirements of DoD and contractors holding or processing DoD controlled CUI or subject to International Traffic in Arms Regulations (ITAR), Microsoft offers GCC High and DoD environments. Microsoft GCC High and DoD meet the compliance requirements for the following certifications and accreditations:

  • The Federal Risk and Authorization Management Program at FedRAMP High, including those security controls and control enhancements as outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
  • The security controls and control enhancements for the United States Department of Defense Cloud Computing Security Requirements Guide (SRG) for information up to Impact Level 5 (L5).

DoD Office 365 subscribers will receive services provided from the DoD exclusive environment that meets DoD SRG L5. Non-DoD subscribers will receive services from the U.S. Government Defense environment, which is assessed at L5, but uses L4 segmentation.

There is much debate, and often confusion, about whether CMMC requires GCC High. It is one of many issues that highlight the need for a Managed Compliance Partner, but the point is that Microsoft has long been the partner of choice for the DoD in addressing this challenge.

For additional information join us at CMMC Con 2020

For additional information on Microsoft’s CMMC acceleration, join Microsoft’s Richard Wakeman, Senior Director of Aerospace & Defense for Azure Global, on November 18th at CMMC Con 2020.  Mr. Wakeman will host a Technology Spotlight session dedicated to discovering how Microsoft solutions are assisting the DIB in government compliance.   Register Now.

The CyberSheath team has been a part of what is known today as the Cybersecurity Maturity Model Certification (CMMC) since it was an entirely voluntary initiative in 2008, consisting of eight and then sixteen of the largest prime contractors in the DoD supply chain. At the time progress was slow, because this kind of cooperation between DoD and industry was new and breaking uncharted legal ground. Progress was sluggish, participation was voluntary, and we literally shared “threat” information via FedEx, the best we could do until we had the infrastructure in place to do better. So, having been in partnership with the DoD for twelve years, first as the global CISO for BAE Systems and now as one of the largest managed CMMC compliance MSSPs working with small and mid-sized businesses, I know from experience that the progress made in the last eighteen months is extraordinary. The foundation of partnership between DoD and industry built up over the last decade-plus was crucial. Still, the ultimate accelerant to our collective progress is Ms. Arrington’s unwavering drive to get this done.

When I first heard Ms. Arrington speak at the Professional Services Council in early 2019, she was promoting the idea of independent third-party audits of defense contractors to enforce accountability for supply chain security. I thought it was an idea that would be quickly killed off by the bureaucracy, industry associations, and lobbyists. I stand here eighteen-plus months later in awe of what has been accomplished. As the driving force behind CMMC, Ms. Arrington will be featured as the keynote speaker at CMMC Con 2020 in an extended interview format, answering many questions that have yet to be asked in the countless webinars we have all had too much of.

Ms. Katherine “Katie” Arrington is a member of the Senior Executive Service and serves as the Chief Information Security Officer for Acquisition and Sustainment (CISO(A&S)) to the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)). In this position, she serves as the central hub and integrator within the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to align acquisition and sustainment cyber strategy and efforts to enhance cybersecurity within the Defense Industrial Base.

As the CISO(A&S), Ms. Arrington is responsible for ensuring that integrated security and cyber efforts are incorporated within USD(A&S), providing a focused and streamlined governance approach, a central coordination point, and a common compliance standard that synchronizes the various disparate cybersecurity efforts and standards across the Department and industry as they relate to Department of Defense acquisition and sustainment efforts.

Ms. Arrington is leading efforts that help ensure a secure Defense Supply Chain through the implementation of Trusted Capital vendors and Supply Chain Risk Management principles, enhance Defense Industrial Base security and resilience, and establish a common cybersecurity standard within Departmental acquisition efforts. She also synchronizes these efforts across the Department, other federal agencies, and works with legislators to ensure Departmental authorities and actions align and support the nation’s security goals.

Before assuming her position as CISO(A&S), Ms. Arrington had an extensive career as a legislator and as a senior cyber executive in private industry. Ms. Arrington was a 2018 candidate for the US House of Representatives for South Carolina and served two terms as a South Carolina State Representative. She has extensive experience in cyber strategy, policy, enablement, and implementation across a wide range of business sectors and levels of government. She has over 15 years of cyber experience acquired through positions at Booz Allen Hamilton, Centuria Corporation, and Dispersive Networks. These positions have given her unique experience supporting and working with the government at large, small, and non-traditional contracting firms. Ms. Arrington is married to Robert, resides in Summerville, South Carolina, and is a proud parent of three children and grandparent to four grandbabies.

Please join us on November 18th for Ms. Arrington’s keynote and our expert line-up as they engage in conversations focused on DFARS compliance, the threat from China, how cybersecurity impacts the future of doing business with the DoD, and a “how-to” session for small and medium-sized businesses struggling with NIST 800-171 and CMMC. Register Now.

RESTON, Va.—October 29, 2020—CyberSheath Services International today announced that it has been selected to join the Microsoft Intelligent Security Association (MISA) as one of the association’s first CMMC-focused managed security service providers.

“MISA members are cybersecurity industry leaders,” said Eric Noonan, CEO at CyberSheath. “They’re unified by the common goal of helping secure our customers by offering unique and valuable customized expertise and making the association more effective as it becomes more diverse.”

CyberSheath has extensive Microsoft expertise, including professional and managed security services for a wide array of U.S. defense contractors, and was nominated for MISA for its managed security service offerings for Azure Sentinel and Microsoft Defender for Endpoint. CyberSheath uses a Microsoft technology stack built on Microsoft Azure Sentinel, the cloud-native Security Information and Event Management (SIEM) solution that quickly identifies security threats across hybrid enterprises.

MISA began as an ecosystem of independent software vendors (ISVs) that integrated their security products with Microsoft’s to better defend against a world of increasing threats. Due to increased demand for a closely interwoven security ecosystem, the association is growing and launching an invitation-only pilot program for select managed security service providers.

“MISA plays a vital role in reducing the cost and complexity of integrating disparate security tools. Adding managed security service providers promises to increase the ecosystem’s value even more by offering an extra layer of threat protection without requiring day-to-day involvement of in-house security teams,” said Andy Shooman, COO at CyberSheath. “It’s another important step in both strengthening and simplifying security at a time when risk mitigation is one of IT’s highest priorities.”

“The Microsoft Intelligent Security Association has grown into a vibrant ecosystem comprised of the most reliable and trusted security software vendors across the globe,” said Rani Lofstrom, Senior Product Marketing Manager, Microsoft Security. “Our members, like CyberSheath, share Microsoft’s commitment to collaboration within the cybersecurity community to improve our customers’ ability to predict, detect, and respond to security threats faster.”

About CyberSheath Services International, LLC

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at



Press Contact:

Kristen Morales

Lockheed Martin and other prime contractors are contacting their suppliers and requesting a security status update, in many cases requesting a demonstration of compliance before the DoD November 30th deadline. If you’ve received this request, you’re not alone. We’re helping many of our clients demonstrate that they’re meeting the requirements and submit the requested documentation before the deadline set by the primes.

When the new DFARS Interim Rule and Cybersecurity Maturity Model Certification (CMMC) requirements were released at the end of September, we knew it would start to trickle down the supply chain. The primes heard the message loud and clear, and now suppliers do too. Lockheed Martin, for example, is requiring suppliers to complete a survey by November 5th so it can assess risk before the new rules take effect on November 30.

What is Required of Suppliers?

Suppliers must confirm their NIST 800-171 Assessment Score, provide a Plan of Action and Milestones (POA&M) estimated completion date (ECD) for any unimplemented requirements, their status and ECD for an additional 20 CMMC practices, and their status and ECD for the CMMC Level 2 and 3 maturity processes. On top of that, suppliers have to provide updates on their progress until all practices and progress are implemented, as well as their “estimated date for closure of all NIST SP 800-171 POA&M items, and the expected closure date for the additional controls.”

The primes are hard at work getting a sense of where their supply chain stands before the interim rule takes effect and the CMMC requirements start showing up in RFIs, RFPs, and contracts.

Where Should You Go from Here?

Start with this overview of the DFARS interim rule, an FAQ on everything we do and don’t know at this point, and the steps you should take immediately to meet the requirements. We’re here to help and explain the rules in plain English. Don’t hesitate to reach out with any questions or to talk through a project plan or schedule for responding to these requests by the deadline.

Join Us at CMMC Con 2020.  A Virtual Event Designed to Support Stakeholders in the DIB.

If you are a prime or subcontractor looking to better understand how to navigate the rapidly shifting future of cybersecurity compliance – CMMC Con 2020 is the event for you. Join us on November 18th for this one-day event where you will hear an expert line-up engage in conversations focused on DFARS compliance, the threat from China, and a “how-to” session for small & medium-sized businesses struggling with NIST 800-171 and CMMC.




It’s been quite a week.

The DoD released an interim rule to “amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.”

The DoD requested, and OMB authorized, emergency processing of the collection of information tied to this rule. The emergency justification affects all DoD contractors in both the short and long term, as they will now be required to prove and submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. Additionally, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

The interim rule, effective 60 days from publication, has triggered a number of questions from contractors. Here are the answers we believe we know, the answers that we aren’t certain about, and the answers that are unclear, but we can surmise based on past experience.


DFARS Interim Rule and Emergency Justification FAQ


DFARS Interim Rule and Emergency Action: What We Believe We Know

What is the nature of the emergency justification?

The government is finally asking the defense industrial base to submit evidence of compliance with DFARS clause 252.204-7012 and NIST 800-171. In the past, the DoD trusted, with almost no verification, contractors to adhere to the rules and there was no compulsory submission required to prove compliance. The nature of the emergency is “The aggregate loss of sensitive controlled unclassified information and intellectual property from the DIB sector could undermine U.S. technological advantages and increase risk to DoD missions.”

Why did the change occur?

The rule has two explicit goals:

  • Confirm that the supply chain is making strong improvements to security and meeting current contractual commitments
  • Motivate contractors who have ignored the current requirements by compelling the collection of information

But the interim rule also codifies CMMC. Onboarding to the CMMC structure will ramp up over the next five years. The DoD can’t afford to wait that long to ensure American IP is protected, so it will collect evidence of compliance with DFARS clause 252.204-7012 in parallel with the CMMC ramp-up.

What immediate steps should a covered entity take after this rule change?

First, reconcile how long it’s been since you’ve self-attested in line with the 2017 DFARS rule and, more specifically, NIST 800-171. A company that has fully implemented all 110 NIST SP 800-171 security requirements would have a score of 110 to report in the Supplier Performance Risk System (SPRS) for its Basic Assessment. A company with unimplemented requirements uses the scoring methodology to assign a value to each unimplemented requirement, adds up those values, and subtracts the total from 110 to determine its score. The NIST SP 800-171 DoD Assessment Methodology is available here.
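To make the scoring rule concrete, here is an added example in Python; it is not CyberSheath’s tooling or any DoD-provided calculator. It starts at 110, subtracts the weighted value of each unimplemented requirement, applies partial credit where the methodology allows it, refuses to score an assessment that has no System Security Plan, and insists that every deduction carry the POA&M estimated completion date the primes are asking for. The requirement weights, the partial-credit values, the 3.12.4 precondition and the POA&M rows are assumptions constructed for this illustration; the authoritative 5/3/1-point weights for all 110 requirements are in Annex A of the DoD Assessment Methodology and must be used for a real SPRS submission.

```python
"""SPRS Basic Assessment score calculator (added example, not CyberSheath's
or DoD's tooling).  Implements the scoring rule described above: start at
110 and subtract the weighted value of every NIST SP 800-171 requirement
that is not implemented.

ASSUMPTIONS (confirm against the NIST SP 800-171 DoD Assessment Methodology):
  * WEIGHTS is an illustrative subset constructed for this example; the
    authoritative 5/3/1-point weights for all 110 requirements are in the
    methodology's Annex A.
  * Partial credit (3 points instead of 5) exists only for 3.5.3 (MFA) and
    3.13.11 (FIPS-validated cryptography).
  * 3.12.4 (the System Security Plan) is not scored, and with no SSP the
    assessment cannot be conducted at all.
"""
import csv
import io

MAX_SCORE = 110
SSP_REQUIREMENT = "3.12.4"

# Illustrative subset, constructed for this example (see module docstring).
WEIGHTS = {
    "3.1.1": 5, "3.1.2": 5, "3.1.3": 1, "3.1.5": 3, "3.3.1": 5,
    "3.5.3": 5, "3.12.4": 0, "3.13.11": 5, "3.14.1": 5,
}
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}
VALID_STATUSES = {"implemented", "partial", "not_implemented"}


def parse_poam(text):
    """Parse 'requirement,status,ecd' CSV rows (a constructed POA&M layout,
    not a DoD-mandated format) into {requirement: (status, ecd_or_None)}."""
    poam = {}
    for row in csv.DictReader(io.StringIO(text)):
        req, status = row["requirement"].strip(), row["status"].strip().lower()
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        poam[req] = (status, row["ecd"].strip() or None)
    return poam


def deduction(req, status, weights=WEIGHTS):
    """Points subtracted for one requirement in the given status."""
    if status == "implemented":
        return 0
    if status == "partial":
        if req not in PARTIAL_CREDIT:
            raise ValueError(f"{req}: no partial credit; score it as not_implemented")
        return PARTIAL_CREDIT[req]
    return weights[req]


def assessment_score(poam, weights=WEIGHTS):
    """Return (score, {req: (points, ecd)}) for the requirements in `weights`.

    Every requirement in `weights` must have a row: the methodology scores
    each of the 110 requirements, so a missing row is an incomplete
    assessment, not an implemented requirement.  Each deduction must carry
    a POA&M estimated completion date (ECD), which is what the primes are
    asking suppliers to report.
    """
    missing = sorted(set(weights) - set(poam))
    if missing:
        raise ValueError(f"unassessed requirements: {missing}")
    if poam.get(SSP_REQUIREMENT, ("not_implemented", None))[0] != "implemented":
        raise ValueError("no System Security Plan: assessment cannot be conducted")
    deductions = {}
    for req in weights:
        status, ecd = poam[req]
        points = deduction(req, status, weights)
        if points:
            if ecd is None:
                raise ValueError(f"{req}: unimplemented requirement needs a POA&M ECD")
            deductions[req] = (points, ecd)
    score = MAX_SCORE - sum(points for points, _ in deductions.values())
    return score, deductions


# Constructed sample POA&M; not real assessment data.
SAMPLE_POAM = """requirement,status,ecd
3.1.1,implemented,
3.1.2,implemented,
3.1.3,not_implemented,2021-03-31
3.1.5,not_implemented,2021-02-28
3.3.1,implemented,
3.5.3,partial,2021-01-31
3.12.4,implemented,
3.13.11,partial,2021-04-30
3.14.1,implemented,
"""

if __name__ == "__main__":
    score, gaps = assessment_score(parse_poam(SAMPLE_POAM))
    print(f"Basic Assessment score to report in SPRS: {score}")
    for req, (points, ecd) in sorted(gaps.items()):
        print(f"  {req}: -{points} points, POA&M ECD {ecd}")
```

Run as written, the sample POA&M scores 100 (110 minus 1 + 3 + 3 + 3) and lists the four open items with their ECDs. Swap in the full Annex A weight table and your own POA&M to produce the number and the closure dates a prime’s survey asks for; the deliberate failure modes (a requirement with no row, no SSP, an open item with no ECD) are exactly the gaps an assessor will ask about.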

Your properly scored Basic Assessment and self-attestation should show you have made a habit of improving your environment over the last three years. If you have not shown improvement on your Plan of Actions and Milestones (POA&Ms), you need to take steps to demonstrate what you are doing to make progress. Ideally, you should have at least three self-assessments from the past three years against DFARS 252.204-7012, and more if you’ve made major changes to your environment that would trigger another self-assessment.

Check out our article on the five steps every organization should take to meet the NIST 800-171 requirements.

What role do my Third-Party Providers (TPPs) have in my attestation?

A major role. You have to attest that your TPPs who handle CUI meet the same or higher security standards as you do.

The biggest stumbling block for many contractors is their TPP contract language. Any organization with a DoD contract that handles controlled unclassified information (CUI) must have specific contract language for any of its TPPs that handle CUI, requiring them to meet or exceed the same security standards it does. How many MSPs or MSSPs are doing that today? Very few.

In fact, the interim DFARS rule has this verbatim clause buried within the 89-page update:

(2) The Contractor shall not award a subcontract or other contractual instrument, that is subject to the implementation of NIST SP 800-171 security requirements, in accordance with DFARS clause 252.204-7012 of this contract, unless the subcontractor has completed, within the last 3 years, at least a Basic NIST SP 800-171 DoD Assessment, as described here, for all covered contractor information systems relevant to its offer that are not part of an information technology service or system operated on behalf of the Government.

(3) If a subcontractor does not have summary level scores of a current NIST SP 800-171 DoD Assessment (i.e., not more than 3 years old unless a lesser time is specified in the solicitation) posted in SPRS, the subcontractor may conduct and submit a Basic Assessment, in accordance with the NIST SP 800-171 DoD Assessment Methodology, to […] for posting to SPRS along with the information required by paragraph (d) of this clause.

Can the government ask to see my managed services contracts to verify that they include the required DFARS language?

Not only can they — they almost definitely will.

Is this rule retroactive? For example, does it cover the periods of previous self-attestations?

The truth is that this behavior and level of compliance were supposed to be in place all along and this action simply asks you to prove you’ve been doing it. This is where some contractors will find themselves between a rock and a hard place if they have self-attested but never really implemented NIST 800-171.

DFARS Interim Rule and Emergency Action: What’s Unclear

Does everyone who previously self-attested now submit documentation?

No, you don’t have to submit documentation to the government today, but moving forward all DoD awards will require the submission of, at a minimum, a Basic Assessment.

It’s unclear why documentation has not been required before now. Maybe the government didn’t want to have access to the information or didn’t have a program to evaluate the information, or maybe the risk level wasn’t the same as it is today. It is also possible that lobbyists and industry trade associations fought off this requirement.

What needs to be submitted to the government, and when?

At a minimum, contractors will need to produce their assessment using the standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented. An assessment is completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order, at one of three assessment levels (Basic, Medium, and High), which are explained in the next question.

Contractor assessment results are documented in the Supplier Performance Risk System (SPRS) to give DoD Components visibility into the scores of Assessments already completed and to verify that an offeror has a current (i.e., not more than three years old, unless a lesser time is specified in the solicitation) Assessment, at any level, on record prior to contract award.

The presumption is that the DoD wants what’s typically asked for in an audit or what prime contractors are asked to provide when they get a subcontractor: A System Security Plan (SSP), any POA&Ms, and attestation for where the program stands against NIST 800-171.

What does Basic / Medium / High mean in the release verbiage?

There are three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.

How does the interim rule affect CMMC roadmap and compliance?

The rule builds on NIST SP 800-171 and the DoD Assessment Methodology by mandating the CMMC framework, which adds a comprehensive and scalable certification element to verify implementation of the processes and practices associated with a given cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

DoD is implementing a phased rollout of CMMC. Until September 30, 2025, the clause at DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is prescribed for use in solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items (excluding acquisitions exclusively for COTS items), if the requirement document or statement of work requires a contractor to have a specific CMMC level. To implement the phased rollout, the inclusion of a CMMC requirement in a solicitation during this period must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold, starting on or after October 1, 2025.

If the government finds fault with your self-attestation documentation, what are the ramifications?

Contractors who are not accurate in their assessment reporting could be subject to the False Claims Act (FCA), which imposes civil and potentially criminal liability on anyone who knowingly presents a false or fraudulent claim for payment to the federal government, or knowingly makes, uses, or causes to be made or used a false record or statement material to a false or fraudulent claim. This is not theoretical; read more about the most visible DoD FCA case for cybersecurity.

Can an outside provider or third-party submit my documentation on my behalf?

This is unclear, but probably not. The government doesn’t want you to be able to say your service provider submitted it incorrectly or made material errors. An outside provider can prepare the materials that you then send along yourself, much as a CPA might prepare your taxes while you sign them. The likely exception is Medium or High Assessments, which are completed by the Government, which would submit the results.

What is the process if you want to dispute your compliance rating under the pre-CMMC assessment process?

We don’t know the answer to this one. There needs to be some sort of arbitration or dispute process for contesting findings against you and revising documents, as there is with taxes, but the process is not obvious right now.

Is there any arbitration or a process of procedural review of negative findings?

Same answer as above — as of right now there is not an obvious process, but there should be one.


DFARS Interim Rule and Emergency Action: What We Know

What is the difference between DFARS 252.204-7012 and the new DFARS 252.204-7021?

7012 is universally applied and 7021 requires a demonstration of maturity based on the risk level of the contract.

7012 involves self-attesting and self-submitting documentation, and 7021 requires third-party assessments, but also self-submitting.

7012 is based on policing and enforcement and 7021 is based on the winning of revenue and contracts.

7012 allows tolerance for not having certain controls in place at the moment so long as you’ve identified those and you have a plan to rectify them, and 7021 is intolerant — you must not only have evident practices in place but also show they’re habitually deployed.

Over the next five years, 7021 will phase in and take over as the operative requirement. DFARS 252.204-7021 is the new law of the land.

How many CMMC driven contracts are expected in FY2021? 

 The rule says:

“Based on information from the Federal Procurement Data System (FPDS), the number of unique prime contractors is 212,657 and the number of known unique subcontractors is 8,309. Therefore, the total number of known unique prime contractors and subcontractors is 220,966, of which approximately 163,391 (74 percent) are estimated to be unique small businesses. According to FPDS, the average number of new contracts for unique contractors is 47,905 for any given year.”

The document also includes a chart showing how many contracts to expect at each CMMC level each year.

[Chart: Proposed CMMC contracts by level and year]

Will my self-disclosures be made public? Is it disclosable in a FOIA request?

There is no mention of that in DFARS 252.204-7021, but our sense is that the information will not be generally available to the public, though it might be subject to a FOIA request.

When you are self-attesting and going on record about what you do and don’t do from a security perspective, that invites hackers to open up the database and see where organizations are vulnerable. This information could also materially affect the way companies and investors view mergers and acquisitions, due diligence, and so forth. So, it is unlikely that the self-disclosures will be truly public.


The Bottom Line

Time’s up: get compliant or forgo DoD revenue; it is that simple. The government is getting more aggressive in cracking down on cybersecurity to protect American assets throughout the defense industrial base and has been very specific about its expectations.

The DoD means business. The time to take action is now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your assessment gets – and stays – on track.


Next Steps

Sprint to compliance in less than 60 days with CyberSheath’s proven methodology based on three core disciplines: Assess, Implement, Manage (AIM™)

DFARS Interim Rule 60 Day Sprint Timeline

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) is here. Often referred to simply as CMMC, this long-awaited and hotly debated Interim Rule harmonizes legacy (DFARS clause 252.204-7012) and future (CMMC) requirements with the following statement:

“DoD has developed the following assessment methodology and framework to assess contractor implementation of cybersecurity requirements, both of which are being implemented by this rule: the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology and the Cybersecurity Maturity Model Certification (CMMC) Framework.”

Specifically, the rule creates the following new solicitation provision and contract clauses:

  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements;
  • DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements; and
  • DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements.

Assessment Methodology to ensure NIST 800-171 Compliance

DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, included in all solicitations and contracts, requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems,” i.e., those that “are not part of an IT service or system operated on behalf of the Government”: your contractor networks, labs, cloud environments, etc. This clause has long existed but has rarely been enforced by DoD or adhered to by contractors. The few contractors who have been audited for compliance were evaluated against the NIST SP 800-171 DoD Assessment Methodology for assessment of a contractor’s implementation of NIST SP 800-171 security requirements. The NIST SP 800-171 DoD Assessment Methodology is available here.

If you are not familiar with the assessment methodology it is probably because you have not been audited or have done a quick internal assessment that did not adhere to the scoring defined within the methodology. Time to get familiar with it. Again, directly from the interim rule:

“The Assessment uses a standard scoring methodology, which reflects the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and three assessment levels (Basic, Medium, and High), which reflect the depth of the assessment performed and the associated level of confidence in the score resulting from the assessment. A Basic Assessment is a self-assessment completed by the contractor, while Medium or High Assessments are completed by the Government. The Assessments are completed for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order.”

The results of Assessments are documented in the Supplier Performance Risk System (SPRS) giving DoD visibility into completed assessment scores and an ability to verify that a contractor has a current (i.e., not more than three years old) assessment on record prior to contract award. This is something that contractors should pay careful attention to. Because of the widely unenforced existing compliance requirements, most contractors have already self-attested to compliance without ever having submitted an assessment or having been audited. This silent majority is now in the position of being required to, at a minimum, submit a self-assessment that will go into SPRS. How will contractors address the fact they have already attested to compliance and now have an assessment that shows, in our experience, on average 70% non-compliance? Squaring this conflict will require some thoughtful planning and time with your general counsel.

New Interim Rule Outlines the Purpose of CMMC

Nearly everyone expected the new rule to force CMMC implementation, and it does, with a new DFARS subpart (Subpart 204.75, Cybersecurity Maturity Model Certification (CMMC)) and by mandating DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, for use in all solicitations and contracts, task orders, or delivery orders. It also thoughtfully describes a long transition from NIST 800-171 to CMMC.

The purpose of this blog is not to describe CMMC in detail; for those interested in an overview, please look here. What contractors really need to know right now about CMMC is that DoD is implementing a phased rollout, essentially making it an October 1, 2025 requirement. Until September 30, 2025, inclusion of a CMMC requirement in a DoD solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment. On and after October 1, 2025, CMMC will apply to all DoD solicitations and contracts, except those exclusively for COTS items. After this date, DoD contracting officers will not award a contract, or exercise an option on one, without a current (i.e., not older than three years) certification for the required CMMC level. Additionally, and as expected, CMMC certification requirements must be flowed down to subcontractors at all tiers.

CMMC has always been about assurance, giving DoD a way to ensure all of its suppliers are adequately protecting sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to subcontractors in a multi-tier supply chain. Assurance, essentially third-party validation, was and is required because DoD has found that contractors’ self-attestations of compliance were, to be generous, optimistic. Few contractors actually implemented NIST 800-171, and DoD is no longer going to accept that risk for its supply chain. As the new rule describes the purpose of CMMC:

“CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information such as Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.”

Key Takeaway

DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  DoD acquisition just changed and they are deadly serious about securing the supply chain, this is a call to action.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance when it arrives.

So where do you start? We’ve developed a proven, audit-tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance. Download our 5 Step Guide to CMMC preparation that assures compliance with NIST 800-171.

5 Steps to CMMC Preparation

The Department of Defense (DoD) has instituted an emergency action, possibly to confirm what is already widely known about cybersecurity compliance among the defense industrial base (DIB). Self-certification for defense contractors has enabled “barely there” cybersecurity, unless you are one of the small number of contractors who took it seriously.

The action, approved by the Office of Information and Regulatory Affairs (OIRA), requires offerors and contractors to assess their compliance with DFARS clause 252.204-7012 and NIST 800-171. All offerors and contractors must submit a basic self-assessment, or a medium or high assessment conducted by DoD assessors. Details are scarce and connection to the Cybersecurity Maturity Model Certification (CMMC) is anyone’s guess, but for contractors who have previously self-certified as compliant but not actually implemented the controls, this could be problematic, to say the least.

The DoD has previously accepted a contractor’s self-attestation and contractors have had a statistically low risk of an audit, but now they have to produce evidence of what they’ve been saying all along.  This emergency rule isn’t just a call to action. It’s the DoD calling the DIB’s bluff. If anyone doubted the seriousness of the DoD’s efforts to avert data loss, this emergency action should be evidence enough that they want the data to confirm or refute claims of compliance.

Contractors may find themselves between a rock and hard place with this new requirement as they balance previous attestation claims and best intentions against minimal compliance efforts. Many contractors kept waiting for the “cyber police” to show up and when they never came it was largely business as usual. The cyber police are here and it’s time to get your house in order.

Taking steps now, in response to this emergency action, will not only bring you into compliance with existing requirements but prepare you for CMMC as well. By focusing on compliance with NIST 800-171, you’ll be 85% of the way to CMMC ML 3 compliance if/when it arrives. If it never arrives, an unlikely outcome, you will at least have met your current contractual obligations.


So where do you start? We’ve developed a proven, audit-tested methodology over hundreds of assessments to enable contractors to meet NIST 800-171 compliance.


Follow our five-step process for success:

1. Assess current operations for compliance with NIST 800-171.

Start with a gap assessment of your current people, processes, and technology against compliance with NIST 800-171. This assessment will:

  • Directly link to Control 3.12.1 of NIST 800-171, which requires that you “periodically assess the security controls in organizational systems to determine if the controls are effective in their application.”
  • Give you a clear view of your current compliance with the remaining controls.
  • Generate a System Security Plan (SSP) and associated Plan of Actions & Milestones (POA&Ms), both of which are NIST SP 800-171 requirements.


2. Write your SSP.

NIST 800-171, Revision 1, requires contractors to develop, document, and periodically update SSPs that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Initially, your SSP will be an aspirational document. You’ll find that many of the 110 required NIST SP 800-171 controls are not fully implemented in your environment. A common mistake is to write an SSP that doesn’t reflect the reality of control implementation.


3. Document your POA&Ms.

Also a requirement of NIST 800-171, Revision 1, your POA&Ms will detail your plans to correct deficiencies, reduce or eliminate vulnerabilities, and achieve compliance.

These plans can be documented in a variety of formats, but at a minimum, they should detail:

  • The deficiency identified
  • The plan to correct the deficiency (people, processes, and/or technology)
  • Dates by which you intend to be compliant against the specific deficiency

Well-documented POA&Ms will enable eventual mapping to CMMC maturity levels.

Note that SSPs and POA&Ms can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained.


4. Implement the required controls.

Execute your POA&Ms and achieve full compliance with NIST 800-171. This is probably going to be a full-time effort and depending on your resources, you can benefit from working with a third party to implement the controls.

If you’re looking for an effective partner, make sure to ask the following questions:

  • Have they implemented the NIST 800-171 controls for similar-sized businesses?
  • Have they solved the unique challenges that come with implementing NIST 800-171 controls in manufacturing, lab, and engineering environments?
  • Can they provide several references?


5. Maintain Compliance.

Once you’ve made it this far, it’s time to plan for ongoing compliance. You’ll need to budget for the following:

  • Documented and automated compliance reporting
  • Support for Request for Proposal (RFP) and other acquisition-related business development activities
  • Ongoing operational expense related to maintaining compliance


For almost two years now, we’ve been telling clients that their focus is and should always have been on NIST 800-171 compliance, as mandated in DFARS clause 252.204-7012. Now the DoD is clamping down on noncompliance. As we look ahead to CMMC, taking action now will put you in a better position when the next action arrives.


In 2019, the Department of Defense (DoD) officially announced the introduction of a Cybersecurity Maturity Model Certification (CMMC). This maturity model is designed to improve the protection of Controlled Unclassified Information (CUI) within supply chains, especially as it applies to the Defense Industrial Base (DIB).

Version 1.0 of the CMMC framework was released in January 2020. By June 2020, CMMC requirements had started to appear in DoD, and later GSA STARS, Requests for Information (RFIs) and Requests for Proposals (RFPs). Think about that for a second: within six months of creating a new model to assess the cybersecurity of defense contractor networks, the language has started appearing in official acquisition documents. The CMMC train has left the station, in a hurry.

CMMC is the latest entry in regulations from a decade long process of public/private partnership between the DoD and DIB. Critically, the DoD is moving away from contractor led self-assessment and reporting to compulsory third-party certification pre-contract award. You will need certification, from an independent third party for future DoD contracts. (See graphic below.)


Who Must Comply?

As of this post, CMMC was still working its way through the rulemaking process for DFARS (Defense Federal Acquisition Regulation Supplement), which is expected to be released in November 2020. That said if your company provides products being sold to the Department of Defense (DoD) you are required to comply with the minimum cybersecurity standards set by the current DFARS clause 252.204-7012. All DoD contractors that process, store, or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts. DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. Based on NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations,” manufacturers must implement these security controls through all levels of their supply chain. The silver lining is that CMMC builds on NIST 800-171 so when in doubt that is where you should start as it’s the current legal requirement.

If your DoD contracts do not require you to process, store, or transmit CUI, you must still protect Federal Contract Information (FCI) under Federal Acquisition Regulation (FAR) 52.204-21. Examples of FCI include contract documents, schedules, and billing information. The new DFARS clause is expected to combine the cybersecurity requirements from DFARS 252.204-7012 and FAR 52.204-21 into a common framework based on the CMMC model.

Government contractors are now being asked to effectively police their supply chains to address, among other risks, cybersecurity. Supply chain management is now a key element in ensuring a company’s compliance with laws, regulations, and its internal policies, and in identifying risks that could impact a company’s ability to perform, as well as its reputation. The fact that supply chains are global increases the risks and demands on companies.

In fact, contractors must not simply police their supply chains; they are legally bound to use specific contract language with providers who may interface with CUI, as follows:

DFARS 252.204-7012(m):  “Include this clause, including this paragraph (m), in subcontracts, or similar contractual instruments, for operationally critical support, or for which subcontract performance will involve covered defense information,…”

Key points of this law:

  1. All third-party providers (TPPs) and Managed Security Service Providers (MSSPs) must be obligated to DFARS if they house, control, process, or maintain CUI.
  2. You are not in compliance with CMMC if your downstream MSSPs / TPPs are not compliant.
  3. You are not compliant if you don’t have contractually compliant language between you and the TPPs / MSSPs.

Navigating the dizzying world of different CMMC solutions can be a daunting task. The recommended solutions and vendor mix can be very hard to understand. Let’s investigate the key points made above in more detail:

Pivotal question: Does my TPP or MSSP need to be compliant?

All TPPs and MSSPs must be obligated to DFARS if they house, control, process, or maintain CUI. What exactly is CUI? Let’s read on:

I want to repost an excerpt from a blog on CUI by Richard Wakeman of our key business partner Microsoft, as follows:

What is Controlled Unclassified Information?

If you have not read the CUI History from the National Archives and Records Administration (NARA), I highly recommend it. It’s a short read, and helpful for context. To summarize, before the advent of CUI, there was a myriad of autonomous Federal agencies and departments that had each developed its own practices for protecting sensitive information. This non-conformity made it extremely difficult to share information with transparency throughout the Federal government and its stakeholders, such as the Defense Industrial Base (DIB). The CUI program is an ever-evolving initiative to standardize the markings and data protection practices across Federal agencies to facilitate sharing of sensitive information, transcending individual agencies. Ultimately, NARA oversees the CUI Program and is primarily scoped to the Federal executive branch agencies. Major contributors to the program include the DoD, the Department of Energy (DoE), the Department of Homeland Security (DHS), the Department of State (DoS), etc.

NARA defines CUI as: “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

Presidential executive orders evolved to a rule published in 2016 called “32 CFR Part 2002 Controlled Unclassified Information”. You can read about it here in the Federal Register. 32 CFR Part 2002 prescribes the CUI Program markings that span many categories and groupings. The groupings consist of everything from Financial and Privacy data, all the way up to Export Controlled and Intelligence data. You can find the list here.
Microsoft Summary CUI Registry

3 Key Questions for your MSSP to indicate CMMC Compliance

Question 1: Is the CUI housed under US sovereignty? Or, put another way, where are all of the provider’s operations located? Perhaps another way to ask this question is whether the vendor has any operations located outside of the US.

A key attribute of the US DoD supply chain is understanding where each supplier’s own supply chain is located, and whether that location may pose a risk to the DoD supply chain. U.S. companies that do business abroad or handle overseas data will now have to comply with a host of new cybersecurity rules after China became the latest country to impose regulations on firms operating there.

This follows hot on the heels of the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which came into force in the U.S. in March 2018, and the European Union’s (EU) General Data Protection Regulation (GDPR), introduced two months later.

The implementation of these new protocols is driven by the recent surge in cyberattacks and, in the case of China, greater protectionism, exacerbated by the U.S. trade war, as the world becomes more divided. Regardless, many cybersecurity firms maintain global operations and software maintenance stations in unassuming regions of the world, and this must be understood before you select your vendor.


Question 2: Like Amazon Web Services, Microsoft, and Google, do you separate your government CUI customers from the infrastructure shared by all of your other customers? Does your provider know how to make its infrastructure comply with the various forms of CUI?

Here is the issue with mixed tenants in cloud environments and the protection of CUI, as stated in Microsoft’s blog:

“Microsoft has prescribed the US Sovereign Cloud with Azure Government and Microsoft 365 GCC High to protect CUI and CDI consistently.  Our rationale is that CUI does include ITAR regulated data, and the DoD requires DFARS 7012 to protect it.  We only accommodate that contractually across Azure, Office 365, and Dynamics 365 in the US Sovereign Cloud.  It’s that simple.  It’s true that you may demonstrate compliance for CUI in our Commercial or GCC cloud offerings, but you will not get a contractual obligation from Microsoft to protect an aggregate of CUI anywhere else other than in the US Sovereign Cloud.  It will be your sole responsibility to prove and maintain compliance for it in other clouds.”


Question 3: Have you placed the DFARS-compliant verbiage on CUI into the contract with the MSSP / TPP? Was this a standard offering in their contract language, or non-standard?

I believe this is self-explanatory; however, to make this point very clear, let’s look at the prescribing law:

DAU Related Policies Cloud Computing

For many organizations, their technology and the corresponding data are among their most valued assets. An organization’s CMMC / CUI cybersecurity program is an ever-evolving initiative that attempts to standardize security and data protection practices across supply chains, including third-party providers and managed security service providers. If your TPP or MSSP cannot meet the full requirements of CMMC certification, it is unlikely that you will be able to successfully complete a CMMC certification assessment. When choosing TPPs or MSSPs, choose wisely; your DoD revenue may depend on it.

Looking for an MSSP to partner with on your journey to CMMC preparation?

Join CyberSheath’s Eric Noonan, CEO, and Carl Herberger, VP of Security Services, as they dive into CyberSheath’s CMMC Managed Services for Defense Contractors using the Microsoft technology stack during our upcoming webinar on September 30, 2020, at 9:00 am | 12:00 pm EST > Save Your Spot

CMMC Compliance Managed Service Launch - Register Now

The U.S. has to up-level its cybersecurity. That’s the gist of what we’ve been hearing from multiple sources, including congressional commissions and the Department of Defense (DoD). The alarm bells — and the calls for more stringent security practices — will only grow louder.

The Cyberspace Solarium Commission used the U.S. COVID-19 response as an opportunity to assess the nation’s preparedness for a major, debilitating cyberattack. It highlighted the need to implement more than 30 recommendations from a previous report, as well as five more based on its findings around the pandemic.

Eric Noonan, CyberSheath’s CEO, will be speaking about those kinds of preparations for a national cyberattack against the U.S. on a panel at Cybersecurity Forum 2020. He will be joined by Paul Anderson of Port Tampa Bay, and Michael Wee of Northrop Grumman to talk about lessons learned from the pandemic, the state of cybersecurity planning and organization, and where to focus efforts to better prepare for a major attack. Register for the event here and tune in on Wednesday, September 16 at 2:15 pm ET, if you’d like to learn more.

Another ongoing effort to shore up security is the Cybersecurity Maturity Model Certification (CMMC). This is the DoD’s effort to ensure all defense contractors are practicing and maintaining the proper level of security to better protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

As founder and CEO of CyberSheath, the Title Sponsor of Cybersecurity Forum 2020, Eric is well versed in the goals and efforts behind the CMMC. CyberSheath has been delivering audit-ready, compliance-focused managed services for NIST 800-171 requirements for 8+ years, and the CMMC is the next evolution of those standards.

It’s one of the most comprehensive and impactful moves by the DoD to better secure sensitive data that resides on defense contractors’ systems and networks. As a new set of requirements, many defense contractors are still working to understand the complexities and nuances of the standards, what they’re responsible for, and how to implement those changes.

CyberSheath launched our compliance managed services for CMMC to assist DoD contractors through the process. Through our managed services, we’re able to meet contractors where they are, identify gaps in CMMC compliance, implement the changes, and maintain and assure their compliance at the proper level.

We wanted to be the Title Sponsor of Cybersecurity Forum 2020 because it’s advancing important conversations around the state of security and where we can go from here. In particular, we are looking forward to keynote speakers Senator Marco Rubio, who will give an overview of the risks of national cyber breaches; and Katie Arrington, CISO for the Office of the Secretary of Defense for Acquisition and Sustainment, who will speak on what’s needed for CMMC compliance.

While the U.S. faces cyber threats from around the world, we have plenty of lessons to learn from other disaster responses and a new bar for effective cybersecurity. We don’t know what attacks might be coming, but we do know how to prepare. We hope this year’s conference will spur all in attendance to advance the cybersecurity goals that will defend American innovation and infrastructure.

Recently, the National Institute of Standards and Technology (NIST) re-released the Draft Special Publication (SP) 800-171B as Draft SP 800-172. This document is in final draft review with all comments due August 21, 2020.

What is new in NIST 800-172?

The new NIST 800-172 is intended as a supplement to NIST 800-171, the cybersecurity framework required by DFARS 252.204-7012 on all DoD contracts to protect Controlled Unclassified Information (CUI). While NIST 800-171 provides the basic cybersecurity controls required to protect CUI on a majority of DoD programs and suppliers, NIST 800-172 defines enhanced cybersecurity controls intended to protect CUI subject to enhanced threats. In particular, NIST 800-172 aims to protect programs and contractors that might be the target of one or more Advanced Persistent Threats (APTs). An APT is a stealthy threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. As such, it requires enhanced cybersecurity activities to prevent an APT from accessing a contractor’s network, or even to identify that an APT has already gained unauthorized access to a contractor’s systems or networks.

How will NIST SP 800-172 Affect My Contracts?

One question that comes up is, “How will NIST 800-172 affect my contracts?” Currently, the answer is that it does not directly. Unlike NIST 800-171, the required cybersecurity framework imposed on all DoD contracts that handle CUI through DFARS 252.204-7012, no DFARS clause requires NIST 800-172. Once NIST 800-172 has completed the NIST Draft comment phase and been formally released, an individual contract that is considered high risk from an APT may call out part or all of the NIST 800-172 cybersecurity controls as requirements, but this is likely to be very rare. The more likely scenario for these contracts will be adopting the Cybersecurity Maturity Model Certification (CMMC) framework at Maturity Levels 4 or 5. But even this is expected to be a rare situation. Katie Arrington, CISO for Assistant Secretary for Defense Acquisition, estimates that .06% of all contractors will require CMMC Level 4 or 5 certification.

CMMC’s Incorporation of NIST 800-172

The CMMC framework was formally released in January 2020 and is currently positioned as a replacement for NIST 800-171. CMMC defines five (5) cybersecurity maturity levels. Maturity Level 3 corresponds roughly to NIST 800-171, incorporating all 110 security controls from NIST 800-171 plus 20 new controls drawn from other frameworks. CMMC Maturity Levels 4 and 5 provide 41 additional cybersecurity controls specifically targeted at contracts and contractors considered subject to an APT. CMMC Levels 4 and 5 include 15 of the NIST 800-172 (formerly NIST 800-171B) controls.

The DoD is working now to publish a new DFARS clause and contract language to allow DoD agencies to include the new CMMC framework in future requests for proposals (RFPs). Once this has completed the public comment and final release phases, the DoD plans to roll out the CMMC over the next five years, starting with approximately 15 “Pathfinder” programs in FY2021.

How to Prepare for Cybersecurity Maturity Model Certification

Compliance with ever-evolving DoD cybersecurity mandates like DFARS 252.204-7012, NIST 800-171, and CMMC is complicated and confusing. It can be hard to understand the outcomes that you should focus on and how to measure success. What does success even look like? How can I partner with a Managed Services provider to deliver measurable outcomes that ensure compliance?

Access our latest webinar, NIST 800-171 Case Study: Surviving a DoD Audit, to prepare your organization for CMMC. Go behind the scenes through a defense contractor’s journey from 35% compliance to a successful audit and “low-risk rating” by the DoD.

Access Webinar Now.

Current Compliance Landscape

Deputy Defense Secretary Patrick Shanahan spoke at the Armed Forces Communications and Electronics Association (AFCEA) on Feb 6, 2018, and said, “The culture we need to get to [around IT security] is that we’re going to defend ourselves and that we want the bar to be so high that it becomes a condition of doing business.” Fast forward two years later and we are on the cusp of one of the largest changes to DoD acquisition ever with mandatory minimums for cybersecurity across all DoD contracts.

For commercial firms providing services to the U.S. defense industry, the challenge that is cybersecurity has been growing for years, but largely without any oversight from the DoD. Defense budgets and the use of contractors have grown in parallel with the storing of important, yet unclassified, information on commercial defense contractor networks. This exposure (Controlled Unclassified Information (CUI) resident on unregulated and often under-secured contractor networks across the DoD supply chain) has become a risk that the DoD must address.

The Defense Industry has always worried about security around products and services. However, the business systems and IT infrastructure that supported those defense contractors were not monitored or significantly regulated by the US Government, although they were vulnerable to attack. The Pentagon has acknowledged an urgent need to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity. Indeed, the requirements to protect data have been expanding for more than a decade, and the Federal Acquisition Regulation (FAR) and the General Services Acquisition Regulation (GSAR) are expected to add data protection requirements in 2020. In truth, the new Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain have been underway for many years now (see chart below).


Overview of CMMC

The Cybersecurity Maturity Model Certification (CMMC) program will serve as a method of verifying that appropriate levels of cybersecurity controls and processes meet a specific standard and are in place to protect controlled unclassified information that may be held on the DoD’s industry partners’ networks.

The CMMC program builds on another US government acquisition regulation, DFARS Clause 252.204-7012, which requires the implementation of NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, as the standard for defense contractors handling CUI data. As such, compliance with NIST 800-171 has been essential for winning and sustaining contracts since 2017, but the lack of oversight and auditing has led to many self-certified contractors that might not stand up to the scrutiny of a third-party audit. Because CMMC is at its foundation based on DFARS Clause 252.204-7012 and NIST SP 800-171, it’s important to understand these two separate but related requirements.

Understanding DFARS Clause


CMMC, when finalized and fully mature, will require independent validation of compliance by a CMMC Third-Party Assessor Organization (C3PAO). This is a significant change from DFARS Clause 252.204-7012 which allowed for self-certification and could upend a largely unprepared supply chain that has taken advantage of lax oversight and enforcement.

CMMC is broken down into five compliance levels, at one of which a company will need to be certified in order to be awarded a DoD contract. The levels break down (see below) into demonstrable levels of cybersecurity maturity, from which a defense contractor acquires more and more ability to conduct services with the DoD.

CMMC Level Requirements

Your Current Managed Security Service Provider (MSSP) Probably Isn’t Doing Enough For CMMC

Most small business defense contractors do not separate IT from cybersecurity and often the IT work takes priority, not cybersecurity or compliance. Small businesses with one or two IT staff members who are already oversubscribed have no chance of ingesting CMMC and achieving compliance without the help of a Managed CMMC Service. Maintaining the security and compliance programs required by the government is now a full-time job and failure to do so will prevent your company from doing business with the DoD.  No matter how qualified or knowledgeable, a small team simply does not have time or the breadth of skills to architect, administer, and manage their environments in alignment with CMMC requirements. You cannot do it alone.

Over the last decade, many businesses have outsourced their security and/or compliance requirements to a Managed Security Service Provider (MSSP). Effectively, MSSPs take care of the security requirements and allow a business to focus on its core competencies. Few if any MSSPs have any real skin in the game when it comes to compliance. Read their statement of work and it is lightly mentioned, if at all, and there are caveats galore around why they are not responsible or accountable in any meaningful way. In many cases, MSSPs introduce their own set of issues, vulnerabilities, and compliance headaches because the MSSP is not properly equipped to manage data and processes in a manner aligned with CMMC requirements. With the MSSP handling almost every piece of security and monitoring but never documenting and attesting compliance with CMMC, the current MSSP model falls short of CMMC requirements.

Investing in CMMC compliance (which includes compliance with DFARS 7012 and NIST 800-171) is a big effort because it now includes line-of-business systems, including finance, personnel, and IT vulnerability information. While MSSPs are valuable partners who reduce overhead costs and enable businesses to stay focused on their core mission, it is important to remember that MSSPs will have access to documents, CUI, and data including passwords, access codes, and vulnerability information about your IT environment. Because MSSPs have this kind of sensitive data in their possession, it is critical that they make the same investment in NIST 800-171 to ensure that you stay compliant and properly manage CUI and the security of your IT environment. Again, most MSSPs have very little if anything in their statements of work regarding compliance, so small businesses are left with a false sense of security around achieving CMMC compliance.

Without clear lines of responsibilities between the owner of compliance and the business and IT operations of the host company, the failure of a compliance audit is inevitable.

That is the bad news, now for the good news.

CyberSheath’s Managed CMMC Service

In response to the new federal requirements and an ever-changing landscape, CyberSheath has created a whole new set of Managed Services to allow any business to achieve any CMMC compliance level it desires. Unlike every other MSSP in the market today, our CMMC service offerings are an evolution of our successful legacy NIST 800-171 Managed Services. Said another way, we aren’t new to this space, and we have been through dozens of successful third-party audits over the past five-plus years.

We offer 5 different levels of assured compliance for you to choose from based on your business requirements. To date, 100% of our customers are focused on CMMC Maturity Level (ML) 3 as it so closely aligns with the NIST 800-171 requirements.

First Step:

  • We meet your business where it is today. We will gain visibility of your desired CMMC ML and any gaps in processes, documentation, practices, or technology.
  • Gain current and ongoing visibility into NIST 800-171 / CMMC via professional certified assessments and remediation plans.

Second Step – Select Hosted Compliance Level(s):

  • Level 1: Become compliant with CMMC ML1 over your entire infrastructure within weeks.
  • Level 2: Work with a virtual security officer and get assistance with ongoing compliance program oversight and routine reporting.
  • Level 3: Quickly gain the ability to achieve compliance and bid on CMMC ML3 contracts with our cloud-based guaranteed compliance offering.
  • Level 4 or Level 5: Leverage our expertise as we maintain the rigorous program, technology, engineering, and implementation required for the most robust security standards.
  • Beyond:
    • Future-proof your compliance to changes in CMMC policy or implementation approaches by assigning ongoing program maintenance to CyberSheath.
    • High Cloud infrastructure in a hosted compliant process.

Third Step: We manage your compliance as an outsourced compliance program inclusive of an MSSP.

CyberSheath’s CMMC Shared Security Model is the Answer to CMMC Compliance for Small Businesses

Whether it be a public, private, or hybrid architecture, businesses must take responsibility for ensuring that their data is secure. With limited resources and no time to become a CMMC expert, the solution to the problem is clearly a shared responsibility model. CyberSheath has successfully implemented and been audited against our shared responsibility model many times over the last five-plus years so our solution is tested and audit-ready. Our tailored responsibility matrix eliminates single points of failure and ensures that all required security requirements have an owner and produce the required documentation and evidence. The shared responsibility model reduces the day-to-day operational demands on your business and ensures documented, repeatable, and audit-ready compliance.

With government revenues on the line, it is crucial to determine who controls the various components of the CMMC compliant infrastructure and operations. CyberSheath defines where and how security measures should be applied, with a special focus on CUI and other sensitive government data.

CyberSheath differentiates itself by taking ownership of assured CMMC compliance and it is a contractual requirement that we put right into our statements of work. This cannot be done in isolation and requires shared and distinct responsibilities on both sides of the partnership which tend to be specific to each company.  CyberSheath offers a ‘single-pane-of-glass’ to gain visibility into CMMC compliance, continuous security monitoring, and various important datasets, analytics, and user interfaces in one place. Our CMMC management platform is built around Microsoft Azure’s FedRAMP GCC High environment which ensures infrastructure capabilities that can detect and remedy security misconfigurations, leveraging services to ensure near-real-time compliance features.

Why CyberSheath?

CyberSheath has leveraged and lived this Shared Responsibility Model for NIST 800-171 successfully for many years now, and expects that it will be a fundamental part of CMMC attestation and MSSP partnerships going forward. The experts at CyberSheath understand your challenges, and we can help. Contact us to make sure your CMMC readiness gets, and stays, on track.

The US Department of Defense (DoD) has one of the largest supply chains in the world, scaling to hundreds of thousands of different vendors and partners. While valuable, these vital partners in our nation’s defense infrastructure pose a huge cyber risk. Today that risk is largely unchecked and unregulated as contractors can “self-attest” to their ability to protect Controlled Unclassified Information (CUI).

Commercial companies are the lifeblood of any economy and the circulatory system of modern-day societies. They provide needed innovation, new discoveries, and critical high-value support, as well as materials and quick solutions to a myriad of problems. From the most arcane to the most mundane, the US Defense Department has needs in nearly every aspect of procuring commercial services, but this lifeblood paradoxically may imperil the entire system by leveraging companies with little respect for cybersecurity controls. In fact, in this connected world, no government or company can perfectly protect all its data from hackers and rival states. Even so, it is astonishing that, from January 2016 to February 2018, nearly 6 percent of U.S. military and aerospace contractors reported data breaches (according to Stars & Stripes).

And experts feel this is just the tip of the iceberg – the vast majority of security incidents are never uncovered. The Pentagon needs to tighten cybersecurity across its vast contracting operations and hold contractors accountable for minimum standards of care around cybersecurity. Essentially that is the goal behind the Cybersecurity Maturity Model Certification (CMMC) and the ambitious effort to secure the DoD supply chain. The CMMC effort is not without its critics but who can argue that real change wasn’t urgently needed?  Learn More about CMMC

Let us review some major breaches of national security that hopefully can be prevented in a post-CMMC world, so that you might be the judge:

Example One – Jan-Feb 2018: Compromise of US Navy “Operation SEA DRAGON” – Chinese hackers stole sensitive U.S. Navy submarine plans from a Rhode Island DoD contractor

Citing unnamed U.S. officials, the Washington Post reported in June 2018 on a very disturbing cyberattack on a US DoD contractor. Evidently, Chinese government hackers compromised the computers of a U.S. Navy contractor and stole a large amount (approximately 600+ Gigabits) of highly sensitive data on undersea warfare, including plans for a supersonic anti-ship missile for use on U.S. submarines.

The breaches took place in January and February, the officials told the Post, speaking on condition of anonymity about an ongoing investigation led by the Navy and assisted by the Federal Bureau of Investigation.

The U.S. Navy and an unnamed defense contractor are/were working on a new missile which the Navy says will give its submarines a new, “disruptive offensive capability” to take on enemy ships. The previously unknown weapon, known as Sea Dragon, supposedly combines an existing U.S. Navy platform with an existing capability, and is likely a new version of a versatile air defense missile capable of pinch-hitting as an anti-ship missile.

Example Two – March 2019:  US Navy Review Concludes it is “Under Siege” by Chinese Hackers & Attackers

An internal U.S. Navy review concluded that the service and its various industry partners are “under cyber siege” from Chinese hackers who are building Beijing’s military capabilities while eroding the U.S.’s advantage, The Wall Street Journal reported Dec 2018 – Mar 2019. Chinese hackers have repeatedly hit the Navy, defense contractors, and even universities that partner with the service. “We are under siege,” a senior Navy official told The Journal. “People think it’s much like a deadly virus — if we don’t do anything, we could die.”

Three particularly worrisome recent incidents (2018-2020) were the theft by China of highly sensitive information on naval projects left on an unclassified network (2019), the breach of private information on 30,000 Pentagon employees (2018), and the exposure of 60,000 files on a publicly accessible server involving a subcontractor to Booz Allen Hamilton (2018), the firm that employed Edward Snowden. And perhaps most embarrassing was the 2016 theft of sensitive plans for the F-35 fighter — a plane that will cost taxpayers $1.5 trillion over its lifespan. A small Australian subcontractor on the project had reportedly never changed its Windows passwords from the defaults “admin” and “guest.”

Example Three – Sept-Dec 2019:  Compromise of Emails and LinkedIn Accounts of military defense companies

A report released in June 2020 by Slovakia-headquartered cybersecurity company ESET said the cyberattacks, mainly on European aerospace and military defense firms, were launched between September and December 2019. A collaborative investigation with two of the affected European companies allowed ESET to gain insight into the operation and uncover previously undocumented malware.

To compromise their targets, the attackers used social engineering via LinkedIn, hiding behind the ruse of attractive, but bogus, job offers. Having established an initial foothold, the attackers deployed their custom, multistage malware, along with modified open-source tools. Besides malware, the adversaries made use of living off the land tactics, abusing legitimate tools and OS functions. Several techniques were used to avoid detection, including code signing, regular malware recompilation, and impersonating legitimate software and companies.

According to ESET’s investigation, the primary goal of the operation was espionage. However, in one of the cases ESET investigated, the attackers attempted to monetize access to a victim’s email account through a business email compromise (BEC) attack as the final stage of the operation.

As part of the initial compromise phase, the Operation In(ter)ception attackers had created fake LinkedIn accounts posing as HR representatives of well-known companies in the aerospace and defense industries. In its investigation, ESET saw profiles impersonating Collins Aerospace (formerly Rockwell Collins) and General Dynamics, both major US corporations in the field.


With the profiles set up, the attackers sought out employees of the targeted companies and messaged them with fictitious job offers using LinkedIn’s messaging feature, as seen in Figure 1. (Note: The fake LinkedIn accounts no longer exist.)

Once the attackers had the targets’ attention, they snuck malicious files into the conversation, disguised as documents related to the job offer in question.

Example Four – 2017-2020:  The Chinese APT Threat to Cleared Defense Contractors

In a report published in June 2020, cyber-security firm Lookout said it found evidence connecting Android malware attributed to APT15, which was used to spy on minorities in China, to a large government defense contractor from the city of Xi’an.

Lookout’s 52-page report details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority living in western China and, to a lesser degree, the Tibetan community.

The campaign infected individuals in these communities with malware, allowing government hackers to keep an eye on the activities of minority communities in China’s border regions but also living abroad in at least 14 other countries.

“Activity of these surveillance campaigns has been observed as far back as 2013,” Lookout researchers said. The company attributed this secret surveillance to a hacking group they believe operates on behalf of the Chinese government.

The fact that Lookout linked an APT15 malware sample to a Chinese defense contractor is not a novel discovery. From 2017 to 2019, four other Chinese state-sponsored hacking groups were linked to contractors hired by Chinese intelligence agencies operating in various regional offices.

This includes:

  • APT3 – linked to a company named Boyusec operating on behalf of Chinese state security officials in the province of Guangdong
  • APT10 – linked to several companies operating on behalf of Chinese state security officials in the province of Tianjin
  • NEW! APT 10 – Xi’an Tianhe Defense Technology, a large defense contractor in the city of Xi’an, in central China.
  • APT17 – linked to several companies operating on behalf of Chinese state security officials in the province of Jinan
  • APT40 – linked to several shell companies operating on behalf of Chinese state security officials in the province of Hainan

Operators behind APT3 and APT10 were eventually charged by the US Department of Justice in November 2017 and December 2018, respectively.

Based on previous threat intelligence reports published by cyber-security firms Recorded Future and CrowdStrike, the Chinese Ministry of State Security outsources hacking operations to outside contractors, who report directly to, and take orders from, intelligence officials.

An FBI warning issued in 2018 specifically cites examples against “Cleared Defense Contractors”; here is an excerpt of the alert:

“APT actors in the near future likely intend to target US Cleared Defense Contractors (CDC) via spear phishing campaigns or network infrastructure compromises, according to recent intelligence. Common spear phish targets may include individuals featured on internet-facing CDC Web sites and high-ranking CDC executives.

FBI has observed APT actors over the past two years precede spear phishing campaigns with open source research of targeted US company websites, particularly sections containing contact information for company officials which include names, titles, telephone numbers, and email addresses. In one case, an APT actor sent spear phishing emails within one-to-two weeks after researching the targeted US company.

Historically, APT actors have a strong desire to collect US defense and scientific intelligence to further their interests and advance strategic goals. As a result, US CDCs and research facilities may likely be targets for cyber adversaries due to their involvement in national security and their close relationship with the US Government.”

Example Five – Feb-June 2020:  DCSA Bulletin – US Defense Focused

In a recently published report, Politico says it obtained a Defense Counterintelligence and Security Agency (DCSA) bulletin marked “unclassified/for official use only” which warns that DCSA’s cyber division detected nearly 600 “inbound and outbound connections” from “highly likely Electric Panda cyber threat actors” targeting 38 cleared contractor facilities, including those specializing in health care technology. Moreover, according to the bulletin disseminated to contractors by DCSA, “Nearly 40 U.S. contracting facilities with access to classified information have been targeted by a hacking group with suspected ties to the Chinese government since Feb. 1.”

The so-called Electric Panda group is not new and appears to have been operating since at least 2016, according to one of the indicators listed by DCSA. The bulletin goes on to say that this group has been targeting contractors that specialize in cybersecurity, aerospace, naval, health care, power generation, IT systems, telecommunications, risk analysis, and space systems.

Conclusions: How to Solve the Problem?

Given this, how safe is the US DoD supply chain from cyberattacks? From casual, publicly available information, there is strong evidence that the supply chain base of the US DoD system is under dedicated and constant attack, and that it most probably needs dramatic investment to stay safe from cyberattacks and to keep the US military safe.

The key to understanding the solution is to understand that the threat is immeasurably more serious than it may appear, as we must concern ourselves with the real possibility of loss-of-life scenarios.

Let us hope that the new CMMC regulation is an important step in accelerating awareness of these dangers, and then in assembling a well-orchestrated cybersecurity risk and mitigation strategy for each part of the DoD supply chain that may be placed in harm’s way.

Next Steps

If you have any questions or would like support as you ready your organization for CMMC, contact us.  We also invite you to listen to Eric Noonan, CyberSheath CEO, in a recorded webinar to learn how to start preparing your organization for CMMC by leveraging the steps you have taken to be compliant under DFARS.  Register Now

In this webinar you will learn:

  • Mapping NIST 800-171 to CMMC
  • Levels 1-5: Challenges and complexities to consider at each compliance level
  • Step by step path to attaining CMMC


We are in unprecedented times. As we all work to maintain as much normalcy in our personal and professional lives as possible, important projects such as those involving your organization’s cybersecurity might not be top of mind.

You’ve worked hard to secure your company’s valuable information technology resources to guard it against all sorts of cyberattacks. Neglecting IT security now would be a misstep. Here’s why.

Three Reasons Quarantine Shouldn’t Stall Your Cybersecurity Plans

1 – CMMC is moving forward in spite of the current crisis.

In an interview with Government Matters on March 29, Katie Arrington, the chief information security officer in the Office of the Undersecretary for Acquisition and Sustainment, announced the DoD is still moving forward with the newly launched Cybersecurity Maturity Model Certification (CMMC), even with the current challenges companies are facing due to COVID-19.

2 – Protecting controlled unclassified information (CUI) remains important.

It’s worth considering if the scope of your CUI environment has changed now that many or all of your employees are working from home. With that in mind as well as an increase in cyberattacks, including phishing and hacking, it’s possible that your dispersed and remote workforce could be more at risk – potentially exposing your company to nefarious threats.  And, unchanged is the regulatory requirement of protecting CUI under NIST 800-171. Now is not the time to be lax on IT security.

3 – Assessments can be done remotely.

While the present environment might alter some aspects of your approach, it shouldn’t change your CMMC timeline. With all of your organization’s digital capabilities – which undoubtedly have been tested and broadened in recent weeks – collaborating with a skilled provider on your CMMC assessment makes sense.

A skilled partner like CyberSheath will be able to work with you remotely to assess your current IT infrastructure and security posture, helping to get you ready for CMMC. The assessment is the first step in understanding the gaps your organization must close to meet CMMC requirements. To prepare you for the assessment process, so you know what to expect and what is needed to manage a successful engagement, we interviewed a cybersecurity practitioner who shares from his years of experience; access the interview now.

As we look to the coming months and plan for an uncertain future, one thing that remains constant is the need to develop, execute, and maintain a robust cybersecurity plan. Delaying your efforts to comply with CMMC could impact your business – and making your IT security a priority is always a good idea – especially now.

The experts at CyberSheath understand your challenges – and we can help. Contact us to make sure your CMMC assessment gets – and stays – on track.


As your organization is working to secure your infrastructure, one component that can fall through the cracks is your company’s website.

While it might not be top of mind, there are impacts of not having a secure website. A website that is not secured:

  • Allows for the possibility of multiple vulnerabilities and misconfigurations to exist, which can be the entry point hackers need to infiltrate your IT systems. These attacks can cause a loss of customer trust and a diminished brand reputation.
  • Lowers the ability of clients and prospects to find your website, since Google and other search engines prioritize secure sites when delivering search results. This translates to lost business opportunities.
  • Delivers a poor brand impression with the display of a warning in search engine results. This notification alerts potential site visitors that the website they are considering opening is not secure.
  • Hinders your ability to partner and do business with government entities. When working with the government in any capacity, it’s even more important to have secure systems, including your website.


How do you determine if you have a secure website – and what does that mean?

The easiest way to know if your site is secure is to look at the URL of your website. If it begins with “https” instead of “http”, the connection to the site is secured using an SSL (Secure Sockets Layer) certificate. In practice the protocol in use today is SSL’s successor, TLS (Transport Layer Security), although the certificates are still commonly called SSL certificates.

SSL/TLS is a networking protocol designed for securing connections between web clients and web servers over an insecure network, such as the internet. As the standard security technology, it ensures that all data passed between the web server and browser remains private and unaltered in transit. Note that it protects the connection only; a valid certificate says nothing about the security of the web application behind it, which is why the further steps below still matter.
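The checks behind that “https” indicator, as an added example that is not the page’s own code: the sample certificate is constructed, and the checks take the dict shape that Python’s ssl.SSLSocket.getpeercert() returns, so everything except fetch_cert() runs offline.

```python
"""Certificate checks behind the "https" indicator (added example, not the page's code).

Works on certificates in the dict shape returned by ssl.SSLSocket.getpeercert();
the sample below is constructed, so everything except fetch_cert() runs offline.
"""
from datetime import datetime, timezone
from urllib.parse import urlparse
import socket
import ssl

# Constructed sample certificate (not a real site's); dates use OpenSSL's text format.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2025 GMT",
}

_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def uses_https(url: str) -> bool:
    """The page's first check: does the URL scheme say https?"""
    return urlparse(url).scheme.lower() == "https"


def _as_utc(value) -> datetime:
    """Accept a datetime or an ISO 8601 string and return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A leading wildcard covers exactly one label: *.example.com matches
    www.example.com but neither example.com nor a.b.example.com.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def hostname_in_cert(cert: dict, hostname: str) -> bool:
    """Modern browsers trust only subjectAltName DNS entries (the subject CN is
    ignored), so this check does the same."""
    dns_names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(name, hostname) for name in dns_names)


def cert_findings(cert: dict, hostname: str, now=None, warn_days: int = 14) -> list:
    """Return the problems found with a certificate (an empty list means it passes)."""
    now = _as_utc(now) if now is not None else datetime.now(timezone.utc)
    not_before = datetime.strptime(cert["notBefore"], _OPENSSL_DATE).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cert["notAfter"], _OPENSSL_DATE).replace(tzinfo=timezone.utc)
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now > not_after:
        findings.append("expired")
    elif (not_after - now).days < warn_days:
        findings.append(f"expires within {warn_days} days")
    if not hostname_in_cert(cert, hostname):
        findings.append("hostname not in subjectAltName")
    return findings


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Live lookup (needs the network). The default context verifies the chain and
    hostname itself, so a certificate that fails verification raises
    ssl.SSLCertVerificationError before getpeercert() is reached."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for url in ("https://www.example.com/", "http://www.example.com/"):
        print(url, "-> https" if uses_https(url) else "-> plain http, not secured")
    print("findings on 2024-06-01:", cert_findings(SAMPLE_CERT, "www.example.com", "2024-06-01"))
    print("findings on 2025-02-01:", cert_findings(SAMPLE_CERT, "www.example.com", "2025-02-01"))
```

Pair cert_findings() with a scheduled fetch_cert() on your own hosts and the expiry warning becomes a simple monitoring check.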


How else can you secure your website?

  • Produce more secure code – and make certain that your web applications minimize the risks that come with it. For your developers, that means following the Open Web Application Security Project (OWASP) guidelines. The OWASP Top 10 outlines the most critical security risks to web applications and, consequently, to your website. Being proactive and protecting your organization against these threats is effective in changing the software development culture within your organization.
  • Conduct penetration testing of your website. Pen testing can be used to test the vulnerabilities of your website. In this case, a pen test would be performed by attempting to exploit your organization’s website to determine if its protective controls can be bypassed. As threats to your IT infrastructure and your website are constantly evolving, pen testing can help your organization gain a fresh perspective with a third party looking at your security from the viewpoint of an attacker.


Take steps to secure your website now and reap the benefits including:

  • Protecting the privacy of web visitors
  • Improving user experience
  • Elevating search engine presence
  • Safeguarding your brand reputation


As you work to secure your web applications, give us a call. As penetration testing experts we can help identify flaws and misconfigurations within your internal and external infrastructure as well as other valuable assets.

In today’s security landscape, threats to your IT infrastructure are constantly evolving. As you work to secure your IT systems and processes, penetration testing (pen testing) is an important component of your plan. Pen testing can help your organization gain a fresh perspective with a third party looking at your security from the viewpoint of an attacker.

What is a penetration test?

A pen test is performed by attempting to exploit any of your organization’s identified vulnerabilities or configuration flaws to determine if the protective controls of a given system can be bypassed. Penetration tests can have multiple goal-based scenarios, including PII hunting, database breaches, domain control, and more.

Following the initial compromise of a host or credential set, analysts performing the pen test continue the attack lifecycle by pivoting to other hosts in the network, and then work to show how a compromised host can impact your business.

Why should you run penetration tests?

Pen testing examines the subsystems, components, and security mechanisms comprising your organization’s infrastructure and identifies weaknesses. Penetration tests can help you:

  • Validate the effectiveness of your environment’s security controls
  • Meet contractual requirements
  • Satisfy compliance objectives (PCI)
  • Test your system from multiple adversary roles including potential employees, external adversaries, and more
  • Adopt an agile methodology and regularly examine your systems

How do you conduct pen testing?

  • Use commercial tools, public domain utilities, and proprietary tools to examine the security posture of a system or application and apply numerous industry frameworks like OWASP.
  • Conduct tests from both the vantage point of an unauthorized and authorized user. Working from both of these perspectives drives a more complete understanding of the threats to your organization’s security.
  • Go beyond automated tools and use manual testing methodology. Manual testing involves verifying vulnerabilities identified by the automated scanners so that any false positives can be eliminated. It also shows the business impact of a reported vulnerability. Automated scanners lack the ability to detect business logic flaws in the application. A combination of automated and manual testing provides a more thorough analysis.
  • Leverage the expertise of licensed, third-party analysts holding the appropriate certifications to provide an outside view of those looking to infiltrate your systems. These professionals have no personal ties to the company, which removes any bias from their assessment.
  • Know when to run pen tests. This can be at defined frequencies like annually for small businesses, twice a year for mid-size organizations, or quarterly for large enterprises. Note that PCI requires pen testing annually. It is also good practice to pen test during the development of new systems, such as applications, services, or platforms, when system components or modules are in a static pre-production state. This can address vulnerabilities before exposing a system. In addition, make sure to pen test after changes to system components that are expected to have an impact on the security of a system, including the launch of new technologies, major infrastructure or application changes, modification to authentication mechanisms, or logging capability adjustments.
  • Document findings and know how to proceed. The results of the pen test should be incorporated into a report reviewing the results to ensure all findings and vulnerabilities are categorized and documented. This report should provide detailed results of the test, including a summary of the findings and the technical details for significant findings per project task, in-depth conclusions identifying affected hosts or application identifiers (e.g. IP addresses), recommendations for remediation for each significant finding, and other details such as testing limitations, tools used during the test, and any follow-on environment clean-up requirements.

Other pen testing tips

  • Ensure that the scope of your pen test is appropriate for what you are protecting such as internet exposed applications and services, internet exposed APIs, access gateways and mechanisms, supporting infrastructure (authentication services and management interfaces), and sensitive data sets existing on applications, databases, and unstructured storage repositories.
  • Know and define your attacker’s perspective. An external internet-based attacker targets applications and network services exposed to the internet, whereas a malicious insider targets sensitive internal network applications or known network locations housing important datasets. Both types of attackers may or may not have credentials to your network, and both may proceed with either wide-scope discovery or a pinpoint approach. Attackers can also test roles to see the impact of escalating privileges and pivot to other roles within an application.

Penetration testing is an important part of your security plan. Make sure you get it right. If you would like help from experienced security professionals on running penetration tests for your organization, contact us.

It has finally arrived: the Cybersecurity Maturity Model Certification (CMMC) version (v) 1.0. CMMC v1.0 changes the DoD acquisition process, with certification becoming a pre-RFP requirement to bid on a government contract. Like you, CyberSheath has been aggressively following the CMMC’s progression to this final version, which included three previous drafts (0.4, 0.6 and 0.7). Overall not much has changed from draft 0.7; however, version 1.0 does have some noteworthy updates.


Overview of CMMC Levels 1-5 per the DoD’s released CMMC v1.0

Level 1 focuses on the protection of Federal Contract Information (FCI) and the practices under the basic safeguarding requirements detailed in 48 CFR 52.204-21.  Level 1 is the only level where processes will not be assessed.

Level 2 is the step between Levels 1 and 3 and as such begins to include a portion of NIST 800-171 controls, in addition to other frameworks. The subset of frameworks introduced at Level 2 also starts to refer to Controlled Unclassified Information (CUI).  Unlike Level 1, documentation of processes and policies is a requirement in Level 2.

Level 3 requires the implementation of all 110 NIST 800-171 controls. There are also 20 new CMMC practices introduced at Level 3. In addition to documenting processes, “Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation.”

Level 4 concentrates on the “protection of CUI from APTs and encompasses a subset” of practices from the NIST 800-171B draft combined with other cybersecurity models. Level 4 requires that processes be documented, managed, and reviewed, and improved as necessary.

Level 5, like Level 4, concentrates on the “protection of CUI from APTs.” Level 5 requires the continuous optimization of documentation and processes across the organization.


Key Differences between NIST 800-171 and CMMC v1.0

  • CMMC includes security practices in new Domains including Asset Management, Recovery, and Situational Awareness.
  • Level 2 requires increased standards for Incident Response.
  • Level 2 requires an organization to review logs.
  • Level 3 requires increased standards for Risk Management.
  • Level 3 requires organizations to collect audit logs in one or more central repositories.
  • Level 3 includes new requirements to protect email services.
  • Level 3 includes new requirements to filter access to potentially malicious internet sites (DNS filtering).
  • Level 3 builds on Levels 1 and 2, requiring 100% compliance with NIST 800-171 plus 20 new CMMC practices (1 less than the previous draft version).


Key Differences between CMMC draft v0.7 and CMMC v1.0

  • Level 4 SOC coverage is now 24/7 instead of “normal business hours”.
  • For Levels 3, 4 and 5, the new practice (P1035) requiring organizations to “Identify, categorize, and label all CUI data” has been removed from all Levels that originally required it in the draft versions. However, the original control to mark media is still there, so if you print or put media on a thumb drive, you need to mark it. But identifying and labeling CUI content is not explicitly stated as it was in all previous drafts.



There is a lot your organization is already doing that you can apply to your preparation for the impending launch of CMMC (Cybersecurity Maturity Model Certification). One important and useful component to consider is a Plan of Action and Milestones (POA&M or POAM).

Required to achieve compliance with NIST 800-171, a POAM is an extremely useful tool in helping your organization plan for a multitude of security projects, including compliance with standards like CMMC.

How a POAM Helps Realize Project Goals

Providing a structured way to approach any security issue, a POAM delivers many benefits. It:

  • Outlines activities necessary to mitigate security issues.
  • Helps identify the security issue you are having or might have, and the underlying gap in your systems or processes.
  • Assigns resources needed to mitigate issues.
  • Holds your organization accountable with projected completion of milestone activities.
  • Calls out how vulnerabilities were identified.
  • Denotes risk level, labels status, and captures the estimated cost to remediate.

It’s a good idea to be well-versed and able to use a POAM now. Once you factor in the added benefit of helping your organization get ready for proceeding with CMMC compliance, using a POAM just makes sense.

POAM and CMMC Compliance

Preparation – As you ready your organization for tackling CMMC compliance, a POAM will matter more than ever. The plan can be used as a guide to understand what is required of your organization to receive the CMMC level certification your organization needs to bid on a government contract. It will actively manage and guide your project by highlighting the timeframe and resources required to achieve a CMMC level of certification by a specific date.

Maintenance – In the constantly evolving threat and technology landscapes, the tool can also assist in maintaining your certified level. A change to the threat environment could make a security practice no longer, or less, effective. A POAM could be used to reestablish compliance with the security practice if the new threat creates a gap.

Changes to your infrastructure may also create practice or process gaps that require a POAM to remediate. For example, if you are Maturity Level 3 certified at contract bid, which requires you have resources to collect and review your audit logs, and your organization doubles in size during the contract, you could potentially need a POAM to address the resources needed to collect and review audit logs which have now doubled in volume.

Advancement – After you have achieved initial CMMC compliance, a POAM can continue to add value, assisting your organization in leveling up and reaching a new degree of certification (i.e. advancing from CMMC Level 2 to CMMC Level 3). A POAM again becomes a driving force to manage your time around a project completion date as well as the resources required to successfully reach the determined milestones.

Executive Buy-In – As you look for budget and resource approvals to tackle CMMC compliance, a POAM can be a helpful tool in communicating with and getting buy-in from senior management.

Start familiarizing yourself with this valuable tool now by downloading our sample POAM template below.

CMMC Update – Draft Version 0.6

CMMC is being further refined and another update to the standard was recently released (Version 0.7). Draft Version 0.6 includes notable updates such as:
  • Changed from 18 to 17 Domains with the elimination of the Governance domain.
  • Focused more of the Practices on NIST 800-171 Controls.
  • Identified 21 Practices through Practice Level 3 which are not attributed to NIST 800-171 R1. That is, to achieve Practice Level 3, you need to be fully compliant with NIST 800-171 R1 and implement the 21 new CMMC practices.
  • Started referencing international frameworks including those from Australia and the UK.
  • Removed the “redundant” Practices. For example, in Draft Version 0.4 of the standard, Level 1 might have a Practice that is implemented “at least in an ad hoc fashion” and the same control is fully applied in Level 2. These “ad hoc” practices were removed from Level 1.

If you have any questions or would like support as you ready your organization for CMMC, contact us.


POAM Template Download

As you are probably aware, there is a new mandatory certification model that will be required to do business with the Department of Defense (DoD). The CMMC (Cybersecurity Maturity Model Certification) builds on best practices established in NIST 800-171 (DFARS), NIST 800-53, ISO 27001, ISO 27032, AIA NAS9933, and others, to create one unified standard for cybersecurity.

CMMC will be a dynamic standard, growing and evolving with the demands of the ever-changing cybersecurity landscape. While the structure of CMMC is set, the details of the new standard are still being vetted, refined, and finalized. The target for launch is early 2020.

How CMMC Compares to NIST 800-171


The purpose of both standards is to ensure that DoD contractors employ healthy cybersecurity practices to protect sensitive information. There are several facets of security posture that must be met in order to be in compliance with both standards. Both also require demonstrated compliance to do business with DoD: via self-certification for DFARS, and via an audit by a certifying organization for CMMC.


One important distinction touched on above is that CMMC will not allow self-certification. Compliance with the standard will be verified by an outside third-party hired by your company to determine your compliance with the requirements.

The CMMC control framework is (currently) much larger than the 14 control families and 110 controls outlined in NIST 800-171. As of October 31, 2019, CMMC contains 18 domains, 241 practices, and 90 processes at Maturity Level 3.

CMMC Components

The elements of CMMC include:

  • Maturity Levels – These levels range from basic security controls required for level 1 through highly advanced requirements for level 5.
  • Domains – Based on cybersecurity best practices, these are key sets of capabilities for cybersecurity, such as Access Control, Incident Response, Security Assessment, and more.
  • Capabilities – These achievements are the building blocks of each domain, ensuring cybersecurity within each domain.
  • Practices – These are individual cybersecurity activities related to NIST “controls”. They range from Level 1 practices including anti-virus and ad hoc cybersecurity governance to Level 5 practices such as real-time asset tracking and device authentication.
  • Processes – These are documented standards for implementing practices based on the maturity level of your organization.

Below is an example of a cross-reference matrix between NIST and CMMC draft 0.4. It shows some interesting characteristics, such as:

– One NIST Family mapping to multiple CMMC Domains
– One NIST control mapping to multiple CMMC Levels
– One NIST control mapping to multiple CMMC Capabilities
– One NIST control mapping to multiple CMMC Practices
– New CMMC practices not found in the NIST controls

Note, as with most mappings of this kind, they are not always clean, with some aspects of a Control in one framework mapping to elements of a Practice in a different framework.

What You Can Do Now

CMMC specifically calls out the requirement for documentation for all domains in order to achieve compliance. Note that this condition was never explicitly requested in NIST 800-171; rather it is noted in the DFARS appendix that it was assumed you had the appropriate documentation.

While CMMC is continuing to evolve, you can ready your organization to meet the requirements of the new standard. Achieving CMMC compliance will not be a quick endeavor as you will need to define and record your real working processes.

Start now by cataloging your processes and building out the documentation that is called out in NIST as this will surely aid your CMMC compliance activities.

CMMC Maturity Levels 2, 3, 4, and 5 will require Policy, Process, and Plan documents. According to NIST, here are the plans you should have in place:

  • Business Continuity Plans
  • Contingency Plans
  • Continuity of Operations Plans
  • Critical Infrastructure Plans
  • Crisis Communications Plan
  • Disaster Recovery Plans
  • Incident Response Plan
  • Incident Response Testing Plan
  • Occupant Emergency Plan
  • Physical/Environmental Protection Plan
  • Plan of Action
  • Security Assessment Plan
  • Security Plan
  • System Security Plan

And here are the policies and procedures you should have as well:

  • Access Control
  • Audit and Accountability
  • Configuration Management
  • Configuration Planning
  • Incident Response
  • Identification and Authentication
  • Information Flow Control
  • Information Flow Enforcement
  • Information System Maintenance
  • Media Protection
  • Media Sanitation and Disposal
  • Mobile Code Implementation
  • Password
  • Personnel Security
  • Physical and Environmental Protection
  • Portable Media
  • Risk Assessment
  • Security Assessment and Authorization
  • Security Awareness and Training
  • Security Planning
  • Separation of Duties
  • System and Information Integrity
  • System and Services Acquisition
  • System and Communication Protection
  • System Use

Prepare yourself by understanding the latest CMMC updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.  No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar. If you have any questions or would like support as you ready your organization for CMMC, contact us.

Your assessment is behind you. You have been working to create a System Security Plan (SSP) detailing a Plan of Action & Milestones (POA&Ms) based on your assessment findings. Your goal: to remediate the gaps discovered and ensure NIST 800-171 compliance through full implementation of all 110 security requirements.

Think of your SSP and POA&Ms as the required foundation and roadmap to get you to compliance. With over 110 security requirements in NIST 800-171, you need this layer of groundwork and direction to effectively tackle what is likely the most significant aspect of NIST 800-171 compliance: remediation, or full implementation. So, where do you start when working toward implementation?


3 Things to Consider Before Diving into Your NIST 800-171 Implementation:


1. Project Management

The SSP and POA&Ms outline the plan and timeline, but who is responsible for owning the outcome? A dedicated resource whose primary focus is ensuring the implementation of the plan is the best way to guarantee success. Implementing outstanding NIST 800-171 requirements is a large project but a project, nonetheless. By assigning a project manager, you have a clear leader to accept accountability, coach, and motivate your team. Also, they will ensure the right processes, resources, and tools are available to keep the project on schedule and within budget.


2. Staff Augmentation

NIST 800-171 has been a contractual obligation since December 2017. Maybe you are new to the DoD acquisition process, or maybe you have been contracting with the DoD for some time. If you are the latter, there is a good chance one reason you are not compliant today is a lack of resources. NIST 800-171 is in addition to your day job, so making it a priority is challenging, and if you are already struggling to keep up because of constrained resources, NIST compliance may not seem possible. If hiring a long-term employee is not an option, contracting a third party to partner with during the NIST 800-171 compliance project can relieve the strain on limited or already overworked staff.


3. Experience

Maybe you have the resources but lack the expertise. Missing experience, specifically with NIST 800-171, within your team reduces efficiency and ultimately increases cost. How a tier 1 prime handles implementation and how a small 1 to 10-person subcontractor handles it are significantly different, yet the same 110 requirements apply to both.

We are often asked questions like, “Does CyberSheath have a list of tools for a business our size?” and “Does CyberSheath have experience implementing the NIST 800-171 controls for similar-sized businesses?”

Answering questions like these draws on our 10+ years of experience and 100+ successful NIST 800-171 implementations. Experience allows decisions to be made in a way that makes compliance a documented, automated outcome of day-to-day operations. Hiring a third party with demonstrated NIST knowledge lets your team learn and grow from the lessons learned and best practices formed by others' past experience. More importantly, it enables your organization to carry on the work of maintaining compliance after the larger effort is complete.


Start Your NIST 800-171 Implementation Today

Overall, all three areas of consideration can be handled internally within your organization: first, an assessment to discover gaps; second, an SSP and POA&Ms to address those gaps; and finally, a team dedicated to ensuring all 110 security requirements are implemented. Partnering with a third-party organization, however, eases the pain of growing an internal staff or burdening a current resource with managing the project. If partnering with a third party interests you, check out our NIST Managed Services. CyberSheath's Managed Services are specifically designed to address the hurdles you will need to overcome during your implementation of the NIST requirements. Learn More



Cybersecurity requirements for Department of Defense (DoD) contractors continue to evolve. However, NIST 800-171 compliance is as much a requirement today as it was on the December 31, 2017 deadline. In fact, with the introduction of the Cybersecurity Maturity Model Certification (CMMC) we are fast approaching a major change in how government contracts are bid. Recently, Katie Arrington, Chief Information Security Officer for the Assistant Secretary of Defense for Acquisition, spoke at the Billington CyberSecurity Summit, where it was noted, “the new Cybersecurity Maturity Model Certification framework, or CMMC, is out in draft form for public comment. It would start appearing as a requirement in pre-solicitation acquisition documents like RFIs in June. ‘In the fall, we will start putting it into [actual bid solicitation documents like] RFPs,’ Arrington said.”

Under the proposed CMMC requirements, contractors will be required to demonstrate compliance as referenced in sections L and M of a government Request for Proposal (RFP). Demonstrating compliance will require third-party certification; self-certification will no longer be allowed. This update is critical: noncompliance with a requirement in sections L and M means you are not qualified to bid. Failing to meet NIST 800-171 compliance before the RFP will mean the loss of existing and potential work with the DoD.

Prepare yourself by understanding the latest updates and, more importantly, how your business should respond to achieve documented, audit-proof evidence of compliance. Listen to Eric Noonan, CyberSheath CEO, in this recorded webinar as he explains how to cut through the noise and jump-start your DFARS compliance efforts.

In this webinar you will learn:

  • What’s New: Cybersecurity Maturity Model Certification (CMMC), NIST 800-171 Revision 2, and NIST 800-171B
  • What’s Not: Understanding DFARS Clause 252.204-7012 and NIST 800-171
  • What To Do Now and Why: How to stay competitive in the DoD acquisition process and comply with DFARS Clause 252.204-7012 and NIST 800-171

No matter where you are in your journey towards NIST 800-171 compliance this webinar is guaranteed to better equip you in understanding, implementing, and maintaining compliance!

Register Now to gain your access to the webinar.

Have contractors implemented the NIST 800-171 controls? DoD Inspector General (IG) audit suggests not, recommends third-party audits. Are you ready?

A recent audit conducted in response to a request from the Secretary of Defense determined that DoD contractors did not consistently implement DoD‑mandated system security controls for safeguarding Defense information. Specifically, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors that maintain Controlled Unclassified Information (CUI) to implement security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which lists security requirements for safeguarding sensitive information on non-Federal information systems. The requirements include controls for user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.

DoD IG Report Findings

The findings across the DoD contractors audited included deficiencies related to:

  • Multifactor authentication;
  • Enforcing the use of strong passwords;
  • Identifying network and system vulnerabilities;
  • Mitigating network and system vulnerabilities;
  • Protecting CUI stored on removable media;
  • Overseeing network and boundary protection services provided by a third-party company;
  • Documenting and tracking cybersecurity incidents;
  • Configuring user accounts to lock automatically after extended periods and unsuccessful login attempts;
  • Implementing physical security controls;
  • Creating and reviewing system activity reports; and
  • Granting system access based on the user's assigned duties.

The audit also found that while DoD requires contractors to protect CUI by complying with NIST 800-171 requirements, DoD contracting offices did not establish processes to:

  • Verify that contractors' networks and systems met NIST security requirements before contract award;
  • Notify contractors of the specific CUI category related to the contract requirements;
  • Determine whether contractors access, maintain, or develop CUI to meet contractual requirements;
  • Mark documents that contained CUI and notify contractors when CUI was exchanged between DoD agencies and the contractor; and
  • Verify that contractors implemented minimum security controls for protecting CUI.

The effect of these findings is that DoD does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.

The results of the audit probably don't surprise the DoD or its many contractors, but the recommendations in the DoD IG report, combined with the proposed Cybersecurity Maturity Model Certification (CMMC), should have contractors making plans to immediately implement the NIST 800-171 security requirements. All signs point to a game-changing, pre-RFP validation of compliance making cybersecurity a “go/no-go” factor for DoD contract awards.

DoD IG Report Recommendations

Recommendations out of the DoD IG report included:

  • Revise its current policy related to assessing a contractor’s ability to protect DoD information to require DoD Component contracting offices, as part of the Request for Proposal and source selection processes, and requiring activities, during the contract performance, to validate, at least annually, that contractors comply with security requirements for protecting CUI before contract award and throughout the contract’s period of performance.
  • Develop and implement a policy requiring DoD Component contracting offices and requiring activities to maintain an accurate accounting of contractors that access, maintain, or develop controlled unclassified information as part of their contractual obligations.
  • Revise its current policy to include language that would require DoD Component contracting offices to validate contractor compliance with minimum security requirements. We also recommend that the DoD Component contracting offices, in coordination with requiring activities, implement a plan to verify that the internal control weaknesses for the contractors discussed in this report are addressed.

All these recommendations are in alignment with the proposed CMMC efforts led by Katie Arrington, and DoD contractors who have delayed NIST 800-171 implementation should take notice and act now. Mandatory third-party validation of security requirements is coming in 2020 and failing to act will likely result in exclusion from contracting with the DoD. Both the recommendations from the DoD IG audit and CMMC are proposing third-party validation of control implementation as part of the Request for Proposal and source selection processes – self-certification and implementation after you win the work are going away. Contractors will need to demonstrate compliance before responding to an RFP and that means taking the necessary steps now before these inevitable changes are implemented in 2020.

Prepare for CMMC and NIST 800-171 Third-Party Verification

CMMC proposes that all companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes and the intent of CMMC is to combine various cybersecurity control standards such as NIST SP 800-171 into one unified standard for cybersecurity. Given NIST 800-171 security requirements are at the core of CMMC, and NIST 800-171 implementation has been mandated for nearly two years now, that’s where DoD contractors should focus their efforts. Under CMMC the DoD is building on and strengthening, not abandoning NIST 800-171. Implementing the NIST 800-171 security requirements now is the best way to prepare for CMMC and meet your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. With 2020 less than six months away implementing all 110 security requirements will be a challenge and DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. The DoD IG audit and recommendations are simply the most recent in a flurry of activity that should have contractors taking immediate action to comply.

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan to prepare for CMMC in a way that fits your business and budget. Third-party certification is coming in 2020, get the compliance and control implementation expertise you need to stay competitive!


CyberSheath has attended multiple listening sessions and events with DoD leadership revealing more information regarding the DoD Cybersecurity Maturity Model Certification (CMMC).  I want to expand on our previous blog with the additional details and actionable plans on what DoD contractors need to do to prepare for the changes.

What We Understand about CMMC so Far

CMMC stands for “Cybersecurity Maturity Model Certification” and will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in Request for Proposal (RFP) sections L and M, to be used as a “go / no go decision.” This means that instead of bidding and winning a contract and then complying post-award with cybersecurity requirements, DoD contractors will have to be certified to the required CMMC level in advance, pre-bid, to even be eligible to bid. DoD will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts it administers, and the required CMMC level will be contained in sections L & M of the RFP, making cybersecurity an “allowable cost” in DoD contracts. CMMC level requirements will begin appearing in DoD RFPs as soon as fall 2020, and Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, the industry should begin to see the CMMC requirements as part of Requests for Information. DoD contractors are expected to begin achieving certification sometime after June 2020. That is less than 12 months away, so if you have not started implementing the NIST 800-171 security requirements, you had better get moving.

How to Best Prepare for CMMC and Stay Eligible for DoD Contracts

All companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes. The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company's institutionalization of cybersecurity practices and processes. If you have worked to implement NIST 800-171, your hard work will not go to waste. Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity, and it does not allow for self-certification: DoD contractors will instead coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule their CMMC assessment.

Everything You Should Do to Effectively Prepare for Certification

All the information shared to date on CMMC maturity levels aligns with the implementation of the 110 security requirements of NIST 800-171. The DoD is building on and strengthening, not abandoning, NIST 800-171. While the specific maturity levels for individual contracts have not been determined, it is understood that implementing the NIST 800-171 security requirements is the best way to prepare for CMMC. Meeting your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, and implementing NIST 800-171, is how you prepare for CMMC.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to prepare for CMMC in a way that fits your business and budget.


When shopping for a Managed Security Services Provider (MSSP), there are plenty of checklists that you can download to help funnel you right to that vendor's particular product. This isn't that blog post, although at some point I am sure we have published one too. While checklists are helpful in narrowing down the capabilities and tools that you want to add to your probably already too big portfolio of tools, the focus should really be on the services that you will be adding to your existing team.

Candidly, the capabilities are generally similar across MSSPs and cover some kind of SIEM platform, monitoring, incident response (IR), vulnerability management (VM) and a number of other competencies that are bundled into a managed service offering. They are bundled in part because these are what the vast majority of businesses lack and need, but also because the bundling enables sales, at scale, for product vendors and MSSPs. It's been our experience that the material difference from one product vendor or MSSP to the next, in your favorite version of a Magic Quadrant, covers features and capabilities that don't ultimately make your business more secure or compliant. Often, it's a distinction without a difference, especially for a security program that is still struggling with the blocking and tackling of cybersecurity: patching, asset management, and incident response. So, beyond checklists, “threat hunting” and “advanced intelligence platforms”, where should your business focus when trying to make a mid to long term commitment with your first or a new MSSP?

Where Should Your Business Focus When Deciding on an MSSP?

Start with service, as in the service your business specifically needs to extract value from the MSSP relationship. The services your business needs are, in fact, unique to your business. If they weren't, you could pick the first Google Ads result that comes up (which isn't the best MSSP for your business, just the best MSSP at creating Google Ads campaigns on any given day). Instead of analysis that is overly focused on the most advanced capabilities and toolsets, it will pay dividends to meet with a potential MSSP and align their offering with your business requirements. Selecting an MSSP is a business decision, even if the vendor marketing is geared towards making it a technology decision. For example, if you are in a highly regulated industry like defense contracting, and NIST 800-171 compliance is fundamental to your ability to win business, your MSSP should have core expertise in delivering on those security requirements. The technology (SIEM, VM, IR, etc.) is a given, but the ability of your MSSP to enable documented, automated and auditable compliance with your customer requirements isn't. Ultimately, the MSSP you choose in this scenario should make compliance a natural outcome of day-to-day security operations so that over time you can focus more resources on actual defense. What does this look like in practice?

Achieving Compliance as a Natural Outcome of Day-to-Day Security Operations

For most businesses, it doesn’t look like a laundry list of acronyms and industry jargon about threat intelligence and advanced threat hunting capabilities. It looks like an integrated team, your internal staff (to the extent you have one) and that of your MSSP, working together on a weekly basis to deliver measurable outcomes over time. The tools leveraged by your MSSP can produce beautiful charts and endless trends but the critical questions to answer relate to outcomes achieved. It’s nice that an MSSP can tell you the top 10 vulnerabilities in your environment, but the outcome you should be focused on is remediating those vulnerabilities. If your team is too busy to patch or otherwise remediate the “top 10 vulnerabilities”, you just end up with a pretty graphic that doesn’t make you more secure or compliant.

To drive outcomes, instead of charts and trendlines, you must have a regular cadence of meetings with your MSSP focused on the things that matter most at any given point in time to your business. Ideally, these meetings are weekly and are more aligned with the initiatives underway within IT and Security and not just focused on the tools that the MSSP brought to the party. In our experience, the MSSP relationship is a combination of managed services and staff augmentation. Staying with the same example of NIST 800-171 compliance, if you are struggling to implement all 110 security requirements then drive your MSSP to help at a minimum, but ideally lead the efforts. Eliminate redundant meetings for your already oversubscribed team by incorporating your compliance and operational project management meetings into your weekly MSSP meetings. Create an integrated project plan with specific accountabilities for your team and the MSSP. Your MSSP should be working on your agenda and not driving theirs. If implementing Multi-Factor Authentication or Privileged Account Management is an internal priority for your business, a great MSSP will make it a priority for their business.

Partnering with the Right MSSP for Your Business

None of this is easy, but nothing worth doing ever is. Contractually it's hard to create this kind of defined yet flexible arrangement, and it generally requires an acceptance that outside of the core service offerings there will be a shifting list of priorities that you are going to rely on your MSSP to tackle. Not every MSSP is going to have the staff or program management skills to partner this way. If you have had a series of successful engagements and measurable outcomes with a professional services partner that knows your people, processes, and technologies but doesn't show up on the “Top MSSP” list of the day, weight your personal experience over the pay-to-play marketing that dominates our industry.

To better understand what it means to contract for Managed Security Services that matter and what that experience can look like for your business, schedule a 30-minute introductory call with CyberSheath today and start your journey by focusing on outcomes instead of checklists.


A recently released 10-month review of 10 years' worth of inspector general (IG) reports across eight federal agencies, by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee, found that “Agencies currently fail to comply with basic cybersecurity standards.” The full report can be found here, and the major themes identified in the report highlight yet again the fundamental work that isn't being done to comply with basic cybersecurity standards. So why isn't the work being done? Is it a lack of money, tools, people, all of the above? Buried on page 46 of the report, then-DHS CIO Richard Staropoli is quoted in a 2017 interview with the Subcommittee on the state of the OCIO saying, “You can write this down and quote me, the problem is piss-poor management.”

That blunt assessment, it’s a management problem, is worth considering. Better outcomes can be achieved, across the Federal government and industry, with a disciplined, framework-based approach to cybersecurity. This approach and the guaranteed better outcomes that will follow require a recognition that many of the management disciplines inherent in other business supporting functions like finance and engineering are missing in cybersecurity. The problems in cybersecurity are different but the principles required to improve them are not. Said another way by the late W. Edwards Deming:

“A common disease that afflicts management and government administration the world over is the impression that “Our problems are different.” They are different, to be sure, but the principles that will help to improve quality of product and of service are universal in nature.” W. Edwards Deming

Many of the failures identified in the Subcommittee review concerned people and processes, that is, management, rather than a need to buy more vendor tools and products. Too often the answer to a cybersecurity failure is a procurement activity, instead of a focus on the root cause: a breakdown in process, a lack of auditable process, or some other management issue.

The Audit Results

The agencies reviewed included the Department of Homeland Security and seven other agencies cited by OMB as having the lowest ratings regarding cybersecurity practices based on NIST’s cybersecurity framework in the fiscal year 2017.  The IGs identified several common, repeat historical failures at the eight agencies reviewed by the Subcommittee including:

Protection of PII. Agencies failing to properly protect the PII entrusted to their care included State, DOT, HUD, Education, and SSA. The HUD IG has noted this issue in nine of the last eleven audits.

Comprehensive list of IT assets. Failing to maintain an accurate and comprehensive inventory of IT assets is a persistent, recurring problem for State, DOT, HUD, HHS, and SSA.

Remediation of cyber vulnerabilities. Over the past decade, IGs for all eight agencies reviewed by the Subcommittee found each agency failed to timely remediate cyber vulnerabilities and apply security patches. HUD and State IGs identified the failure to patch security vulnerabilities seven of the last ten annual audits. HHS and Education cybersecurity audits highlighted failures to apply security patches eight out of ten years. For the last nine years, USDA failed to timely apply patches. Both DHS and DOT failed to properly apply security patches for the last ten consecutive years.

Authority to operate. Failure to ensure systems had valid authorities to operate were observed at DHS, DOT, HUD, USDA, HHS, and Education. Again, a recurring issue, HHS systems lacked valid authorities to operate for the last nine consecutive audits and DHS operated systems without valid authorities in seven of the last ten audits.

Overreliance on legacy systems. All eight agencies examined by the Subcommittee relied on legacy systems. The DHS IG noted the use of unsupported operating systems for at least the last four years, including Windows XP and Windows Server 2003.

If these findings sound all too familiar what is the solution?

The issues above will look familiar to almost any cybersecurity professional and the problems generally lend themselves to the same solution. The principles required, both in the private sector and across the Federal government, truly are universal in nature.

The solution: choose a cybersecurity framework. There are many to pick from, and we recommend one that best aligns with your existing regulatory requirements. If you can't decide which framework or standard best fits your business, ask for help. Regardless of your industry there is a suitable framework, and time wasted debating best fit is time that should be spent remediating issues. When all else fails, the NIST Cybersecurity Framework is flexible and detailed enough to meet just about any business requirement you might have and should map easily to all your regulatory and compliance requirements.

Assess Yourself Against the Framework

The assessment is not an audit so don’t describe it that way; socialize it appropriately with your management and your team. How? Every culture and set of circumstances is different but something along the lines of, “We’ve got a good understanding of what we need to do in security to better align with the business and we are using this assessment to validate that thinking and create a multi-year investment strategy that will drive measurable improvement as opposed to the one-off point solution improvements.”  If this assessment is going to be transformative you need to build support before it starts and ultimately you will have a burning platform off which you can launch your strategy. The assessment is a tactic that will enable the execution of your strategy.

Don’t do the assessment yourself; you won’t have the time to do it justice and somehow having a third party conduct the assessment is always more effective. When you select a third party make sure they invest the time to know what you want to get out of this assessment. Many mediocre companies can produce assessments that follow a boilerplate template and answer all your obvious questions leaving you no better off than where you started and a little poorer. Take the time up front to write a statement of work that forces your provider to deliver real value and not just a 100-page report. Define the value for your business in doing the assessment and the expected outcomes. Need help? CyberSheath has delivered hundreds of framework-based assessments that deliver compliance and improved operational security, find out how here.

Create a Project Plan, Remediate Assessment Findings, and Track Progress

Once you have the assessment completed you can prioritize the findings and give management a detailed, multi-year plan for how you are going to transform security into a transparent, measurable business supporting function. Your assessment results should change security conversations from procurement driven discussions around products to strategic discussions around compliance and enabling more resources to be spent on actual defense. You will have objective, fact-based data to articulate risk and prioritize resources.

Remediation efforts should be actively managed in a project plan and briefed to business stakeholders on a recurring basis. Take this opportunity to transform the security discussion from event-driven fire drills to documented, measurable progress against a prioritized list of cybersecurity improvements. Depending on the size and culture of your business the project plan related to remediation can be part of a company-wide strategy that the security function can be measured against.

Obviously, none of this is simple, but it is critical if you want to transform from a reactive, event-driven cybersecurity organization into a strategic business partner.

With the federal agencies and commercial companies facing many of the same cybersecurity problems year in and year out, it’s time to try a better approach. Get hands-on professional and managed security services from CyberSheath and apply the universal principles that will improve the quality and effectiveness of your cybersecurity efforts. Contact us now to find out how we can help.


NIST 800-171 Revision 2 and 800-171B drafts were released for comment last week, and as expected there have been no major changes proposed to the controls in NIST 800-171 Revision 2. For DoD contractors waiting to implement the required security requirements of NIST 800-171 Revision 1 pending the latest updates, the proposed updates won’t buy you any time. The fact is enforcement is underway and compliance with DoD cybersecurity requirements is a go/no go decision if you are serious about being eligible to do business with the DoD.

The 800-171B draft enhanced security requirements are additional to the 800-171 requirements and apply where the information held by the contractor is determined to be a high-value target: nonfederal systems and organizations processing, storing, or transmitting controlled unclassified information (CUI) that is contained in a critical program or designated high-value asset. They were designed to address advanced persistent threats (APTs) and are mapped to the security controls in NIST 800-53. The maturity level implied by the 800-171B draft, and the cost of implementing it, are significant.

The enhanced security requirements include three, mutually supportive and reinforcing components:

(1) penetration resistant architecture;

(2) damage limiting operations; and

(3) designing for cyber resiliency and survivability.

The Path Forward for DoD Contractors

With a tremendous amount of activity related to The Cybersecurity Maturity Model Certification (CMMC), DCMA audits of NIST 800-171 compliance, False Claims Act litigation, and the 800-171 revisions and supplements, the path forward for DoD contractors is clear:

Fund and execute compliance with NIST 800-171 now. Despite all of the proposed changes, the fact remains that the DFARS 252.204-7012 clause in ANY of your contracts requires the implementation of NIST 800-171. That is your contractual requirement and all changes proposed so far rely on NIST 800-171 as a foundation of compliance.

There has been a level of paralysis by analysis across industry caused by questions of cost reimbursement, proposed changes and uneven auditing of compliance. This is the kind of noise that has caused many DoD contractors across the supply chain to delay their DFARS compliance efforts, but that high-risk approach invites legal and competitive pain that should be avoided. While there are many changes to be aware of, CyberSheath advises focusing on what you are required to do today as the best preparation for current and future compliance requirements. Nothing that has been proposed eliminates the requirement to implement NIST 800-171.

Compliance with the DFARS and NIST 800-171 requirements involves much more than writing a System Security Plan (SSP), and vendors selling you a tool to “get compliant” are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them; there isn’t a single product that solves this problem.

5 Steps To DFARS Compliance

Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!



The recently announced Cybersecurity Maturity Model Certification (CMMC), scheduled for completion by January 2020, has many DoD contractors scrambling to anticipate how to prepare (learn more about the CMMC announcement here). While there are many unknowns regarding what the CMMC will ultimately look like, DoD contractors should focus on what is already known and currently mandatory under DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSPs), and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is, NIST 800-171 control implementation, is the best way to prepare for the CMMC.

Katie Arrington, the special assistant to the Assistant Secretary of Defense for Acquisition for Cyber in the Office of the Under Secretary of Acquisition and Sustainment in DoD, recently said that only 1% of the Defense Industrial Base has implemented the required controls. “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.”

Why are Contractors Delaying NIST 800-171 Implementation?

Across hundreds of NIST 800-171 implementations, CyberSheath has found the most common reason for delay by DoD contractors has come down to, “Who is going to pay for this?”

Arrington clearly spoke to that concern last week at an event sponsored by the Professional Services Council in Arlington, Virginia, saying “I need you all now to get out your pens and you better write this down and tell your teams: Hear it from Katie Arrington, who got permission to say it from Mr. [Kevin] Fahey [the assistant secretary of Defense for Acquisition in the Office of the Under Secretary of Acquisition and Sustainment] security is an allowable cost. Amen, right?”

After more than a decade of policy, law, memorandums and continued momentum towards enforcement, businesses that continue to delay actual implementation of the 110 security requirements will be in a far worse position come January 2020 when the CMMC rolls out. Don’t wait: implement the NIST 800-171 security requirements in a way that is actionable, measurable and audit-ready.

Beyond Your SSP’s and POA&Ms

Compliance with the DFARS and NIST requirements involves much more than writing SSPs, and vendors selling you a tool to “get compliant” are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them; there isn’t a single product that solves this problem. Implementing security requirements like multifactor authentication, incident response, encryption and more requires thoughtful decisions that leverage what you already own. For the gaps identified in your existing people, processes, and technologies, a product purchase, if required, needs to be part of the larger plan to achieve compliance. Too often businesses are over-sold on silver-bullet product purchases that aren’t thoughtfully integrated into a system of documented and repeatable control implementation.

5 Steps to DFARS Compliance

To enable compliance as a documented, automated outcome of day-to-day operations download our 5 Steps to DFARS Compliance Guide. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. Act now to move from thinking about implementation to taking action towards full compliance.



The window of opportunity for achieving compliance with DFARS 252.204-7012, which requires the implementation of NIST 800-171 across the DoD supply chain, continues to get smaller as the ability to self-certify is set to expire.

CyberSheath attended the Professional Services Council’s 2019 Federal Acquisition Conference, where Special Assistant to DoD’s Assistant Secretary of Defense Acquisition for Cyber Katie Arrington stated clearly that “…cost, schedule, and performance cannot be traded for security.” Security is the foundation of defense acquisition.

Much has been written about the creation, by the Department of Defense (DoD) Office of the Under Secretary of Defense for Acquisition and Sustainment, of a new certification model to enforce compliance, but the fact is compliance is already required. So, while it is important to understand where the DoD is headed in enforcing compliance, it’s more important to stop delaying and act now. The DoD has been working with industry for more than a decade to address the cybersecurity problem across the supply chain, and contractors who continue to self-certify with Plans of Action & Milestones (POA&Ms) that never actually get implemented will be frozen out of acquisition as DoD makes cybersecurity a “go/no-go” part of procurement.

Cybersecurity Maturity Model Certification (CMMC) and the New Certification

Once released, the Cybersecurity Maturity Model Certification (CMMC) will assign a required certification level to each contract, with levels ranging from one to five, from basic cyber hygiene through “state-of-the-art” cybersecurity capabilities.

Arrington is moving quickly to complete the CMMC by January 2020, and contractors can expect to start seeing the certification in contract requests for information by June 2020.

Within CMMC, a third-party cybersecurity certifier will also conduct audits, collect metrics, and inform risk mitigation for the entire supply chain.

“With 70 percent of my data living in your environment, I’m home, so we need to work together to secure it,” Arrington said. “Who is the government? You are when you’re the taxpayer. That’s your money. That’s your data that you have paid for that our adversaries are taking and using it against us. We should be infuriated as a nation about our data. With $600 billion a year being expelled by our adversaries; this room should be irate.”

All of these developments, coupled with the May 8, 2019 decision by a federal district court in California in a civil False Claims Act case, the first reported FCA decision involving allegations of non-compliance with DFARS 252.204-7012, should spur action towards immediate compliance. Checklist compliance and continued delays in actual control implementation will absolutely cost you more in the long run, so get started now: make a plan and execute.

5 Steps To DFARS Compliance

Compliance with the DFARS and NIST requirements involves much more than writing a System Security Plan (SSP), and vendors selling you a tool to “get compliant” are misleading you. There are 110 security requirements in NIST 800-171 and you have to actually implement them; there isn’t a single product that solves this problem.

Download our 5 Steps to DFARS Compliance Guide to plan and enable compliance as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget. DoD contractors, subcontractors and vendors taking a wait and see approach before achieving compliance are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!


You may have heard of phishing, which is the practice of sending fraudulent texts or emails that appear to come from a legitimate source, with the intention of encouraging the recipient to provide personal information.

Businesses have been struggling to protect their networks from phishing, and with attacks up 65% in the past year, it seems the fight is far from over. To make matters worse, a more sophisticated and destructive offshoot of phishing has recently emerged — spear phishing.

What is Spear Phishing?

Phishing messages are usually generic, sent to a large number of people in order to cast a wide net in the hopes that somebody will bite. Spear phishing, as the name implies, is much more precise and is targeted at a specific victim.

The spear phisher gathers personal information about the target, such as an employer, hometown, or friends, in order to craft messages that seem more credible. No red flags are raised, and the recipient happily does as the phisher requests, sharing highly sensitive data and information about themselves in the process.

What Spear Phishing Means for Your Business

Spear phishing presents a major problem for businesses. Phishers are increasingly seeing businesses like yours as lucrative targets, with a staggering 95% of all attacks on business and enterprise networks thought to be the result of successful spear phishing. How does this happen?

The Weak Link in Your Network Security

Spear phishers usually gain access to your sensitive data and business networks via your employees. For example, they might gather information on an employee and use it to craft an email to them that appears to come from your IT team, asking them to click on a link and re-submit their credentials to access one of your network systems.

The link leads to a dummy site that’s barely distinguishable from yours. When your employee logs in, the phisher records their credentials and uses them to access your real system. There, they can steal data, spy on your business, or bring your system crashing down, and you likely won’t even know it’s happened until the damage has been done.
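One defensive check that follows directly from this scenario is to compare the host of every link in a suspicious message against your real domain. The Python below is an added example, not code from the original article; it assumes a company domain of acme-corp.example and uses constructed sample URLs. It labels a link as trusted (the real domain or one of its subdomains), lookalike (digit-for-letter or Cyrillic homoglyph substitution, a one-keystroke typosquat, the real domain padded with extra words, or the real domain used as a subdomain of an attacker’s domain), or unrelated. The registrable-domain logic is deliberately simplified to the last two labels; production code should use the Public Suffix List.

```python
"""Flag lookalike link hosts in a suspected spear-phishing email (added example)."""
import unicodedata
from urllib.parse import urlparse

LEGIT_DOMAIN = "acme-corp.example"  # assumed: the company's genuine domain

# Characters commonly swapped for Latin letters: digits and Cyrillic look-alikes.
# Illustrative, not exhaustive; real tooling uses the Unicode confusables data.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0131": "i",
})


def fold(label: str) -> str:
    """Normalise a DNS label so visually similar strings compare equal."""
    s = unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)
    return s.replace("rn", "m").replace("vv", "w")  # multi-character confusables


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition as one edit (typosquats)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_link(url: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Return 'trusted', 'lookalike', 'unrelated' or 'no-host' for a URL."""
    host = urlparse(url).hostname  # already lower-cased; None for mailto: etc.
    if not host:
        return "no-host"
    host = host.rstrip(".")
    if host.isascii():
        try:
            host = host.encode("ascii").decode("idna")  # xn-- labels -> Unicode
        except UnicodeError:
            pass
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    legit = legit_domain.lower()
    registrable = ".".join(labels[-2:])  # simplification: last two labels
    if registrable == legit:
        return "trusted"                 # the real domain or one of its subdomains
    if legit in host:
        return "lookalike"               # real domain used as a subdomain of attacker's
    if fold(registrable) == fold(legit):
        return "lookalike"               # homoglyph / digit substitution
    cand_sld, legit_sld = fold(labels[-2]), fold(legit.split(".")[0])
    if osa_distance(cand_sld, legit_sld) <= 1 or legit_sld in cand_sld:
        return "lookalike"               # one-typo squat or padded name
    return "unrelated"


# Constructed sample links from a hypothetical "reset your password" email.
SAMPLE_LINKS = [
    "https://sso.acme-corp.example/login",
    "https://acme-c0rp.example/reset",
    "https://acme-corp.example.account-verify.net/",
    "https://\u0430cme-corp.example/login",   # Cyrillic 'а' as the first letter
    "https://acme-crop.example/",
    "https://news.example.org/story",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10} {link}")
```

Anything other than “trusted” is a reason to route the message to the security team rather than click. Note that a URL with user info such as https://acme-corp.example@evil.net/ resolves to the host evil.net and is correctly not trusted; the check looks only at the host, never at the text the link displays.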

4 Steps to Keep Your Business Safe from a Spear Phishing Attempt

Despite your best efforts to secure your business, you’re only as strong as your employees. Adequately protecting yourself from spear-phishing, then, relies on comprehensive training and awareness. Here are four steps you can take to keep your business safe…

Step 1 – Educate Your Employees

Knowledge is power, so train your employees on how to spot spear phishing and what to do about it. And because threats like spear-phishing evolve rapidly, ensure that your training and awareness programs are refreshed and updated at least annually to stay ahead of phishers.

Step 2 – Practice Good Password Hygiene

Passwords are at the very core of your network security and, as such, deserve the utmost attention. For each of your systems, require long passwords, screen new passwords against lists of known-breached and commonly used values, and enforce these rules technically rather than asking users to comply voluntarily. Note that NIST SP 800-63B now advises against forcing periodic password changes; instead, require a change when there is evidence of compromise, such as an employee reporting that they entered their credentials on a suspicious site. And of course, sharing company passwords should be prohibited, even between employees.

Step 3 – Implement Multi-Factor Authentication

Multi-factor authentication, or MFA, adds an extra layer of security to your systems. After the user enters their password, they’re required to pass a further verification step: entering a one-time code from an authenticator app or hardware token, approving a push notification, presenting a biometric, or responding to a text or email. If somebody does obtain the user’s password, MFA means they’ll usually be thwarted at this second stage. Be aware, though, that codes delivered by SMS or email, and even app-generated one-time codes, can be relayed in real time by the same lookalike login page that captured the password; phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the authentication to the genuine site’s origin, close that gap.

Step 4 – Take Good Practices Home

In order to be effective, good security practices must go beyond the office. Spear phishers will usually target a victim outside of work too, so your employees must be encouraged to apply the same awareness, caution, and protection to their personal and home networks.

That means practicing good password hygiene on any devices or online systems they use outside of work, from banking to social media to online grocery shopping and everything in between. Where available, they should be encouraged to set up multi-factor authentication, too.

Personal phones, computers, and other devices should be protected with a passcode, encrypted, kept patched, and secured with up-to-date anti-malware software. This is especially true if they use these devices for business-related activity, in which case you should embed usage rules into company policy.

Your employees should be encouraged to take all reasonable measures to protect company data that’s taken outside of the workplace, whether on a business trip or to a home office. Physical documents and devices should be stored securely when not in use, such as in a locked briefcase or filing cabinet.

Finally, employees should think carefully about the work information they share with their personal network. Your employee might think they’re bringing their old high school buddy up to speed on all the exciting projects they’ve been working on, but there could be a phisher on the other end of the email conversation, gathering data about your business.

Don’t Fight Phishing Attacks Alone

With 76% of businesses falling victim to a phishing attack last year, it seems phishers are winning the fight for your sensitive data. That doesn’t have to be the case. Protect your business now with expert training and managed security services from CyberSheath. Contact us now to find out how we can help.

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization.

These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can imagine, then, why they’re such an attractive target to hackers.

By gaining access to a privileged account, a hacker can wreak havoc on your business. For example, they can steal customer data, bring down your website, or shut you out of critical systems. And because the hacker is using legitimate credentials, it’s often difficult to pinpoint where an attack is coming from — if you detect it at all.

3 Reasons to Consider a Privileged Access Risk Assessment

To improve security posture and meet regulatory compliance, consider these three reasons why your business should conduct a detailed privileged access risk assessment:

Reason #1 – A Glaring Security Loophole

With the potential for exposure so high, you’d assume that businesses would be way ahead of this threat. However, many organizations are failing to devote the proper attention to closing the glaring security loophole that is privileged account management.

In many cases, weak passwords are used to protect these highly sensitive accounts. In fact, some use the default password — literally ‘password’ in some cases — and some use none at all. Others use stronger passwords, but share the same account between multiple users, increasing the account’s risk profile.

Even when privileged accounts are assigned to single users and adequately protected, they’re often not revoked when a user no longer needs them. Depending on the size of the organization, it’s estimated that there are up to four times as many privileged accounts as regular user accounts, many of them no longer in use. With every single account presenting hackers with an avenue of attack, this means that organizations are exposing themselves to a staggering amount of unnecessary risk.

Reason #2 – The Consequences of Exposure

A data breach costs the average organization as much as $150m in losses. At least one-third of customers take their business elsewhere when a breach is made public, even if they’re not personally affected. Then there is the cost of legal penalties that can result from failure to comply with security measures around the protection of sensitive data.

Many businesses can’t survive these legal and financial blows and quickly go under, yet securing privileged accounts is not as simple as merely changing your passwords.

Reason #3 – The Problem with Privileged Account Security

The first step to securing privileged accounts is to perform a detailed audit. However, with so many of these accounts scattered across networks, servers and other key infrastructure, it can be almost impossible to get a true picture of how many there are, how (and if) they’re being used, and how secure they are.

Traditionally, a privileged account audit was a manual job requiring hundreds of hours of IT staff time, which of course carried a significant financial cost, too. The process was long and complex, and many organizations avoided it because they simply found it too daunting, expensive, or both. Today, that doesn’t have to be the case.

That’s Where CyberSheath Comes In

CyberSheath’s expert team uses advanced technology to perform privileged access risk assessments in a fraction of the time, helping you to:

  • Identify all privileged accounts on-site, in the cloud, and in your DevOps environments.
  • Locate all privileged credentials, such as passwords, access keys, and SSH keys.
  • Discover weaknesses and highlight accounts that are vulnerable to credential theft.
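For a sense of what the first of those steps looks like on a single Linux host, the Python below is an added example, not CyberSheath’s tooling. It works through constructed /etc/passwd, /etc/group and /etc/sudoers content plus a constructed last-login table (dates chosen to suit the example), and reports which accounts hold privilege and why: uid 0, membership of an admin group, or a sudoers rule. It then flags the three things an auditor looks for first, namely extra uid-0 accounts, passwordless sudo, and privileged accounts that are stale or have never been used. The admin group names are an assumption for this host; on a real system, feed it the actual files and the output of lastlog.

```python
"""Discover and triage privileged accounts from Linux account databases (added example)."""
from datetime import date
from typing import Dict, Optional, Set

ADMIN_GROUPS = ("sudo", "wheel", "admin")  # assumed admin groups for this host

# ---- constructed sample data ----------------------------------------------
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid-0 account:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
deploy:x:1003:1003:CI deploy user:/srv/deploy:/bin/bash
svc_backup:x:1004:1004:backup service:/var/backup:/usr/sbin/nologin
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,deploy
wheel:x:10:bob
"""
SUDOERS = """\
# /etc/sudoers (constructed)
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
deploy ALL=(ALL) NOPASSWD: ALL
svc_backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
LAST_LOGIN: Dict[str, Optional[date]] = {  # absent = never logged in
    "root": date(2019, 6, 1), "alice": date(2019, 6, 10),
    "bob": date(2018, 11, 2), "deploy": date(2019, 5, 30),
}
TODAY = date(2019, 6, 15)


def parse_passwd(text: str) -> Dict[str, int]:
    """name -> uid"""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = int(f[2])
    return users


def parse_group(text: str) -> Dict[str, Set[str]]:
    """group name -> set of supplementary members"""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            groups[f[0]] = set(filter(None, f[3].split(",")))
    return groups


def parse_sudoers(text: str):
    """Yield (principal, is_group, nopasswd) for each user specification line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        principal = line.split()[0]
        yield principal.lstrip("%"), principal.startswith("%"), "NOPASSWD:" in line


def audit_privileged_accounts(passwd: str, group: str, sudoers: str,
                              last_login: Dict[str, Optional[date]],
                              today: date, stale_days: int = 90) -> dict:
    users, groups = parse_passwd(passwd), parse_group(group)
    privileged: Dict[str, Set[str]] = {}

    def mark(name: str, reason: str) -> None:
        privileged.setdefault(name, set()).add(reason)

    for name, uid in users.items():
        if uid == 0:
            mark(name, "uid 0")
    for g in ADMIN_GROUPS:
        for member in groups.get(g, set()):
            mark(member, f"member of {g}")
    for principal, is_group, nopasswd in parse_sudoers(sudoers):
        for member in (groups.get(principal, set()) if is_group else {principal}):
            mark(member, "sudoers rule (NOPASSWD)" if nopasswd else "sudoers rule")

    stale = [n for n in privileged
             if last_login.get(n) is None or (today - last_login[n]).days > stale_days]
    return {
        "privileged": {n: sorted(r) for n, r in sorted(privileged.items())},
        "duplicate_uid0": sorted(n for n, uid in users.items() if uid == 0 and n != "root"),
        "nopasswd": sorted(n for n, r in privileged.items() if "sudoers rule (NOPASSWD)" in r),
        "stale": sorted(stale),
    }


if __name__ == "__main__":
    report = audit_privileged_accounts(PASSWD, GROUP, SUDOERS, LAST_LOGIN, TODAY)
    for name, reasons in report["privileged"].items():
        print(f"{name:12} {', '.join(reasons)}")
    print("extra uid-0 accounts:", report["duplicate_uid0"])
    print("NOPASSWD sudo:", report["nopasswd"])
    print("stale or never used:", report["stale"])
```

On the sample data the script surfaces exactly the patterns described above: a second uid-0 account (toor) that nobody has ever logged in with, a service account with passwordless sudo, and an admin-group member (bob) who has not logged in for over 200 days. Each of those is a credential an attacker can use but the organization has no current business reason to keep.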

With our technology and expertise, there’s no reason to shy away from a privileged account security audit — and no excuse to put your business at risk. Contact us today to find out how we can help keep your privileged accounts and your business safe and secure.

“Those who do not learn from history are condemned to repeat it.”

Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant to cybersecurity.

Both the National Institute of Standards and Technology (NIST) and the SANS Institute describe the learning phase of incident response as one of the most crucial steps, helping businesses to refine and strengthen both their prevention and response protocols.

However, 42% of businesses fail to review and update their incident response plans on a regular basis. If you find yourself experiencing the same security breaches over and over again, you might be one of them. Here’s why you should actively learn from the experience, and how to go about it.

Lessons Learned Session

A lessons learned session takes place after the resolution of a security incident. It involves taking stock of the incident; getting to the root of how and why it happened; evaluating how well your incident response plan worked to resolve the issue; and identifying improvements that need to be made.

Identifying Areas of Weakness

The most obvious benefit of a lessons learned session is that it helps you to identify gaps in your organizational security practices. Was the lapse due to human error? Systems failure? Inadequate security practices? If you don’t know these problems exist, you can’t take the appropriate action to fix them.

Improving Incident Response

Lessons learned sessions help you to understand not only why the incident occurred, but also how effective your response was. For example, were you able to respond quickly and effectively, or did red tape get in the way? Did your team know exactly what to do, or did they struggle to remember their training? Questions like these will highlight areas that need to be improved for next time.

Recognizing the Positive

Don’t just focus on what went wrong in a lessons learned session; it’s also important to highlight what went well. Taking the time to identify successful elements of your response can help to inform robust future security practices while acknowledging and rewarding positive employee performance will set a standard and incentivize similar behaviors in the future.

Lessons Learned Training

Just as frameworks like NIST 800-171 require you to periodically test your Incident Response processes using activities like tabletop exercises, incorporate your lessons learned sessions into these activities as well. Not only will that lead to improvements in your incident response plan, but it will train your teams in how to do effective lessons learned analysis.

The Lessons Learned Process

According to Lessons learned: taking it to the next level, a project management paper by Rowe and Sikes whose process applies equally well to incident response, lessons learned sessions are most effective when they follow a well-defined five-step process:

  1. Identify and collect all comments and recommendations that may be useful for future projects.
  2. Document all findings and share them with key stakeholders.
  3. Analyze and organize all documentation for future application.
  4. Store documentation in a repository that can be accessed by all key stakeholders.
  5. Retrieve documentation for use on current or future incidents.

This process should be implemented as soon as possible after an incident when the particulars are still fresh in everybody’s minds. In fact, if the incident will take an especially long time to resolve, then beginning the process even sooner might uncover helpful information to support the resolution.

Stakeholders from as many key groups as possible should be present for lessons learned sessions. It’s especially important to have representatives from your IT and executive teams, as the former will be able to implement recommendations and the latter will be able to authorize action and remove bureaucratic obstacles.

We’ve Held a Lessons Learned Session — What Next?

Your lessons learned session will likely turn up numerous security gaps, weaknesses, and other areas that need attention. This is the part that often discourages businesses from lessons learned sessions in the first place — after all, if you go looking for problems to fix, then you must fix them! If you don’t have the time or money to do this, then it’s tempting to skip this step altogether and hope for the best.

With the financial impact of the average data breach running into hundreds of millions, this strategy is only going to cost you more money in the long run. Instead, face the incident head-on and use the lessons learned session as an opportunity to proactively fortify your business against future threats.

Here are some examples of actions you might take to improve your cybersecurity and incident response for next time:

  • If you found that the incident occurred because your staff missed the signs of a threat or were unsure how to respond, then you may invest in more comprehensive and/or frequent training.
  • If bureaucratic layers slowed down your response, you might meet with the C-suite to request executive delegation in future emergency situations, and enshrine this in your incident response plan.
  • If a vulnerability in one of your systems was exploited, fix it, then conduct a thorough review of the system to ensure it is fit for purpose and replace it if necessary.

Whatever you do, though…

Don’t Let History Repeat Itself

Every incident has a lesson to teach you, but we know that implementing these lessons isn’t always easy. That’s why CyberSheath specializes in providing comprehensive, affordable incident response solutions to businesses like yours. Contact us today to find out how we can help.


With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative that defense contractors understand what DFARS Clause 252.204-7012 and NIST SP 800-171 require and how noncompliance will impact their business. Compliance is mandatory for contractors doing business with the DoD, and the incentives to act now are many and include:

  • Compliance was mandatory as of December 2017; regardless of when you found out about the requirement, it’s been on the books for several years now
  • Noncompliance penalties for failure to meet the requirements can lead to criminal, civil, administrative, or contract penalties that include:
    • Breach of Contract Damages
    • False Claims Act Damages
    • Liquidated Damages
    • Termination for Default
    • Termination for Convenience
    • Poor Past Performance
    • Suspension/Debarment

Ultimately the DoD has been preparing the contractor community for more than a decade and with audits underway there is little doubt that cybersecurity compliance is becoming a competitive discriminator.

Read more about DoD audits of cybersecurity compliance here.

Understanding DFARS 252.204-7012 and NIST SP 800-171

Through the Defense Federal Acquisition Regulation Supplement (DFARS), the DoD has been pushing its contractors to comply with specific security frameworks. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, all contractors must implement the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), which lays out the security requirements for protecting sensitive defense information on contractor systems; the Clause itself adds the obligation to report cyber incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

  • Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POA&Ms.

Under the Clause, DoD contractors must be able to demonstrate compliance with NIST SP 800-171 and provide their SSPs and POA&Ms to the Government on request; the DoD may consider them when evaluating proposals. The Clause also goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

If a subcontractor cannot meet a NIST 800-171 requirement as written, the Clause requires them to submit any request to vary from it to the DoD CIO for adjudication and to notify you when they do so; an alternative measure is acceptable only once the DoD CIO has approved it as equally effective. Don’t share CDI with a subcontractor whose compliance status you have not confirmed.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.

In the event of a cyber incident, your responsibility under DFARS Clause 252.204-7012 is to rapidly report it to the DoD, within 72 hours of discovery, through the DIBNet portal; reporting requires a DoD-approved medium assurance certificate, so obtain one before you need it. You must also preserve and protect images of all known affected information systems and all relevant monitoring and packet-capture data for at least 90 days from submission of the report, submit any malicious software you isolate to the DoD Cyber Crime Center (DC3), and provide the DoD access to the affected systems and data for forensic analysis if requested.

If a subcontractor experiences a cyber incident, the Clause requires them to report it directly to the DoD as well as to you as the prime contractor (or to the next higher-tier subcontractor), and to pass along the incident report number as soon as practicable. The prime does not report on the subcontractor’s behalf, but should expect to be notified and to support the response.

Cloud Service Provision

If you provide cloud services to the DoD as part of your contract, those services fall under DFARS 252.239-7010 and must implement the DoD Cloud Computing Security Requirements Guide (SRG). If you use a third-party cloud service provider to store, process, or transmit CDI, you must require that provider to meet security requirements equivalent to the FedRAMP Moderate baseline and to comply with the Clause’s cyber incident reporting, malicious software, media preservation, and forensic access requirements.

Not DFARS Compliant?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31, 2017 deadline has passed. Bringing your business in line with these extensive regulations is required, and the stakes are high.

Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to achieve compliance in a way that fits your business and budget.



The management of organizational risk is a key element in any organization’s information security program, particularly those like Department of Defense (DoD) contractors that process highly sensitive, critical data.

With this in mind, the National Institute of Standards and Technology (NIST) has developed the Risk Management Framework (RMF), a set of processes for federal bodies to integrate information security and risk management into their systems development life cycles.

The Six Steps of the Risk Management Framework (RMF)

The RMF consists of six steps to help an organization select the appropriate security controls to protect against resource, asset, and operational risk. They are:

Step 1: Categorize the system and the information that is processed, stored and transmitted by the system.

Step 2: Select an initial set of baseline security controls for the system based on the categorization, tailoring and supplementing as needed.

Step 3: Implement the security controls and document how they are deployed.

Step 4: Assess the security controls to determine the extent to which they are meeting the security requirements for the system.

Step 5: Authorize system operation based upon a determination that the level of risk is acceptable.

Step 6: Monitor and assess selected security controls in the system on an ongoing basis and report the security state of the system to appropriate organizational officials.

Who Needs to Implement the RMF and Why?

Industries with critical or highly sensitive data needs are increasingly adopting the RMF in an effort to cope with growing risk and comply with their strict legislation: think defense (DFARS), healthcare (HIPAA), and retail/payment (PCI).

However, it’s our professional opinion that every organization that handles sensitive data can benefit from adopting the RMF. Why?

First, the RMF functions as a very effective security planning tool that gives you a comprehensive picture of your organizational risk. This helps to inform a solid risk management strategy and focus your attention on the areas that matter most to your organizational security.

Second, the RMF is not specific to any one agency or body, which gives it the flexibility to be adopted and applied by organizations of all shapes, sizes, and industries — including yours.

Finally, the RMF is seen as the gold standard on which many risk management approaches are modeled. For that reason, it wouldn’t be surprising to see it mandated in some form in the near future, particularly for high-risk industries, but possibly across the board.

This happened recently with the EU’s General Data Protection Regulation (GDPR), which mandated that any and every company handling sensitive data comply with the regulations, regardless of industry.

By adopting RMF in your own organization, you’ll be automatically compliant if and when any similar legislation comes into force on our own shores, while your competitors will likely be scrambling to catch up.

RMF and Defense Contractors

Contractors of the DoD have a set of legal obligations under the Defense Federal Acquisition Regulation Supplement, or DFARS. This legislation requires such contractors to demonstrate proactive compliance with, among other frameworks, the NIST Special Publication 800-171 (NIST 800-171), which lays out how they must protect sensitive defense information and report cybersecurity incidents.

So, if a contractor is already DFARS-compliant, and they’re already implementing the security controls set out in NIST 800-171, why do they need to adopt the RMF too? (Not DFARS Compliant? Download our 5 Steps to DFARS Compliance Guide to avoid penalties and make compliance a documented, automated outcome of day-to-day operation.)

In working with our defense clients on securing their acquisitions processes, we’ve consistently observed the need for security controls above and beyond what NIST 800-171 requires. That’s exactly what the RMF provides, paying attention to areas such as resilience enhancements and tailoring requirements.

It’s our opinion, then, that the RMF can help defense contractors to plan risk-based security control implementation in a much more broad, holistic manner than DFARS and NIST 800-171 compliance alone.

Limitations of RMF

Because it’s a framework, the NIST RMF doesn’t tell you how to achieve the recommended steps. That means that for small and medium organizations without significant information security experience, or the resources to obtain it, implementing the framework can be a challenge.

That’s Where CyberSheath Comes In

Our cybersecurity experts can help you to minimize your organizational risk with comprehensive risk management planning, including the implementation of the NIST Risk Management Framework. Contact us now to find out how we can help protect your organization.

As a subcontractor on a Department of Defense contract, you have likely had flow-down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Many subcontractors, as they scramble to secure their infrastructure to be in compliance before the December 2017 DFARS deadline, are also asking, “When should DFARS clause 252.204-7012 flow down to our subcontractors?”

To help you answer that question, here are some basics related to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (effective October 21, 2016) and NIST 800-171.

The Basics of DFARS Clause 252.204-7012

This clause is required in all contracts except for those contracts solely for the acquisition of COTS items. It requires contractors and subcontractors to:

  1. Safeguard covered defense information (CDI) that is resident on or transiting through a contractor’s internal information system or network.
  2. Report cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support.
  3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
  4. If requested, submit media and additional information for damage assessment.

What is Covered Defense Information (CDI)?

This term is used to identify information that requires protection under DFARS Clause 252.204-7012. Covered defense information is unclassified controlled technical information (CTI) or other information as described in the controlled unclassified information (CUI) Registry that requires safeguarding or dissemination controls*, and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD, in support of the performance of the contract, or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor, in support of the performance of the contract.

* Pursuant to and consistent with law, regulations, and Government-wide policies

Does DFARS clause 252.204-7012 flow down to subcontractors?

The clause impacts subcontractors when performance will involve operationally critical support or CDI. You should determine, in consultation with your contracting officer if necessary, whether the information required for subcontractor performance is or retains its identity as CDI and requires safeguarding or dissemination controls. Flow-down is to be enforced by the prime contractor. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s information system.

What does DFARS Clause 252.204-7012 require?

Simply stated, this DFARS clause mandates adequate security. The contractor shall provide sufficient security on all covered contractor information systems. To provide satisfactory security for covered contractor information systems that are not part of an IT service or system operated on behalf of the Government, at a minimum, the contractor must implement NIST SP 800-171, as soon as practical, but not later than December 31, 2017.

What is NIST SP 800-171?

This standard:

  • Enables contractors to comply using systems and practices likely already in place.
  • Significantly reduces unnecessary specificity, as requirements are performance-based and more easily applied to existing systems.
  • Provides a standardized, uniform set of requirements for all CUI security needs.
  • Allows non-federal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers).
  • Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements.

Are you struggling to interpret these requirements, or do you need help implementing the security controls? CyberSheath can help you determine a path forward for achieving compliance by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP), and leading your remediation efforts. Contact us today to get started!

Who’s Been Playing Solitaire on the Domain Controller?

It’s a classic scene. You’re sorting through the attic and you end up browsing through old memories: photos from a forgotten road trip, souvenirs, and trinkets from your world travels, old board games you bought in a flash of excitement and only played once. Things you once loved, but that now sit unused, gathering dust and taking up space.

In the workplace, computer systems often end up cluttered in the same way. We end up with stacks of unnecessary software sitting around in files and folders where we’ve long stopped looking. But unlike the charming, nostalgic relics lying around the attic, that unused software sitting on your computer might be leaving you open to danger in the form of vicious cyberattacks.

Cybercriminals are constantly looking for ways into your system. Software like browsers (Firefox, Chrome, Edge), plug-ins (Java, Adobe Flash, Silverlight) and random applications (games, messaging apps, etc.) are well-known targets for malware and other attacks, particularly if they’re out of date.

This begs the question: how many useless apps are lying around on your system right now, putting your business at unnecessary risk? Here’s how to find out, and what to do about it…

Inventory Your Software Assets

The first step is to dig through your systems and figure out what’s absolutely necessary — and what’s not. If you have a contract that requires compliance with DFARS 252.204-7012, a software inventory is required, but further, it’s just common sense: You have to know what you have before you can protect it.

Nowadays, there’s an app for everything. Chances are that you and your employees have loaded up on them in an attempt to find more efficient ways to manage time, stay connected, or even have more fun at work.

That schedule management software you downloaded may have seemed useful at the time, but if it’s no longer in use then it’s time to send it to the trash.

Any piece of software not essential to your business should be considered potentially harmful and promptly cleared from your system. Delete software installers, remove unnecessary browser add-ons and extensions, and of course, make sure to update any apps that will be sticking around.

Eliminate Redundant Apps

There are so many solutions available for every problem that you’ll often discover you have several applications doing the same job. Figuring out what pieces of software are currently being used to solve the same problem can help you see where you need to cut the fat.

Do you need three browsers, or would one be sufficient? If you’re using Google Hangouts for video conferencing, do you need to have Skype on your system as well?

It’s also a good idea to take a look at the software that was already installed on your device when you took it out of the box. Many new computers, tablets, and mobile devices come pre-packaged with lots of third-party software, known as bloatware, that the vendor includes to increase its revenue.

If you have bloatware on your systems, you might find that many of these extra apps have sat unused since day one. And some bloatware behaves like spyware, sending information about you and your system to outside agents without your knowledge. If they’re not currently in use, or they’re performing simple functions you can do through more essential applications, consider getting them off of your systems ASAP.

Limit Access

Sometimes system clutter grows out of control simply because we’ve given too many people the green light to do whatever they please. For this reason, it’s probably best to adopt a tougher approach to access privileges.

Keeping your systems clean and organized is undoubtedly easier if you allow fewer people to access and install software. Consider using special permissions to allow only top-level decision-makers to install new software. Carefully monitor who is adding new applications and require that they justify why these programs are needed. And finally, terminate dormant accounts so that hackers can’t use them to infiltrate your system and install harmful malware.
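The three checks described in the sections above (unused software, redundant apps doing the same job, and dormant accounts) can be turned into a repeatable review rather than a one-off attic clean-out. The following is an added example, not code from the original post or from CyberSheath; it runs over a constructed inventory export, and the 90-day thresholds, the approved-installer list, and product names such as “Acme Scheduler” are assumptions chosen for illustration. In practice the records would be exported from your endpoint management or directory tooling.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Software:
    """One installed package as it would appear in an inventory export."""
    name: str
    category: str            # what job the app does (browser, video conferencing, ...)
    last_used: Optional[date]  # None means it has never been launched since install
    installed_by: str


@dataclass(frozen=True)
class Account:
    """One user or service account from the directory."""
    username: str
    enabled: bool
    last_logon: Optional[date]  # None means the account has never logged on


# Assumed policy thresholds (not from the original post): anything idle for
# longer than this is a candidate for removal or disablement.
UNUSED_AFTER = timedelta(days=90)
DORMANT_AFTER = timedelta(days=90)
# Assumed list of accounts permitted to install software.
APPROVED_INSTALLERS: Set[str] = {"it-admin"}

# Constructed sample inventory; names other than the well-known products are hypothetical.
SAMPLE_INVENTORY: List[Software] = [
    Software("Microsoft Edge", "browser", date(2018, 2, 28), "it-admin"),
    Software("Mozilla Firefox", "browser", date(2018, 2, 26), "it-admin"),
    Software("Google Chrome", "browser", date(2017, 8, 1), "jdoe"),
    Software("Google Hangouts", "video conferencing", date(2018, 2, 27), "it-admin"),
    Software("Skype", "video conferencing", None, "it-admin"),
    Software("Acme Scheduler", "scheduling", date(2017, 1, 15), "jdoe"),
    Software("Solitaire", "games", date(2018, 2, 20), "jdoe"),
    Software("Microsoft Office", "productivity", date(2018, 3, 1), "it-admin"),
]

# Constructed sample directory export.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("it-admin", True, date(2018, 2, 28)),
    Account("jdoe", True, date(2018, 2, 27)),
    Account("former-contractor", True, date(2017, 4, 30)),
    Account("svc-legacy", True, None),
    Account("old-intern", False, date(2017, 1, 5)),  # already disabled, so not reported
]

REVIEW_DATE = date(2018, 3, 1)


def unused_software(inventory: Iterable[Software], today: date,
                    threshold: timedelta = UNUSED_AFTER) -> List[str]:
    """Packages never launched, or not launched within the threshold."""
    return [s.name for s in inventory
            if s.last_used is None or today - s.last_used > threshold]


def redundant_software(inventory: Iterable[Software]) -> Dict[str, List[str]]:
    """Categories served by more than one installed package (e.g. three browsers)."""
    by_category: Dict[str, List[str]] = defaultdict(list)
    for s in inventory:
        by_category[s.category].append(s.name)
    return {cat: names for cat, names in by_category.items() if len(names) > 1}


def unapproved_installs(inventory: Iterable[Software], approved: Set[str]) -> List[str]:
    """Packages installed by someone outside the approved installer list."""
    return [s.name for s in inventory if s.installed_by not in approved]


def dormant_accounts(accounts: Iterable[Account], today: date,
                     threshold: timedelta = DORMANT_AFTER) -> List[str]:
    """Enabled accounts that have never logged on or have not within the threshold."""
    return [a.username for a in accounts
            if a.enabled and (a.last_logon is None or today - a.last_logon > threshold)]


def review(inventory: List[Software], accounts: List[Account], today: date) -> Dict[str, object]:
    """Run all three clean-up checks and return the findings as one report."""
    return {
        "unused_software": unused_software(inventory, today),
        "redundant_software": redundant_software(inventory),
        "unapproved_installs": unapproved_installs(inventory, APPROVED_INSTALLERS),
        "dormant_accounts": dormant_accounts(accounts, today),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_INVENTORY, SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(f"{finding}: {items}")
```

The `unapproved_installs` check is what makes the “require that they justify why these programs are needed” advice enforceable: every package whose installer is not on the approved list becomes a line item someone has to explain or remove. Disabled accounts are deliberately left out of the dormant list so the report only shows what still needs action.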

Get Superior Protection Today

If cleaning house feels like a major job, it’s time to call in reinforcements! CyberSheath’s comprehensive managed cybersecurity services can help you to conduct a professional software risk assessment, simplify your systems, and save you from putting your business at unnecessary risk. Contact Us now to find out how.

Companies are becoming increasingly enamored with the advantages offered by cloud computing. However, many mistakenly assume that once you upload your data, it’s up to the cloud service provider (CSP) to keep it all safe and sound. In reality, most CSPs use what’s known as a shared responsibility model for security, meaning that only certain aspects of your cybersecurity plan are their responsibility. Ultimately, YOU are responsible for the security of YOUR data.

With cybercriminals attacking from every direction, it’s your responsibility to prevent misunderstandings that might lead to damaging data breaches. For this reason, having a full picture of the risks associated with your chosen CSP, along with a clear agreement on roles and responsibilities, is paramount if you hope to keep your sensitive data protected.

Review Your Security Documentation

In the excitement of exploring the capabilities of the cloud, it’s easy to be less than thorough in your assessment of your CSP’s security practices.

However, you need to be sure that your CSP is employing industry-leading incident response tools, consistently auditing its security systems, rigorously testing for weaknesses, and protecting against emerging threats. You can do this by taking a look at your provider’s System Security Plan (SSP).

Reviewing an SSP is the most accurate way to assess the security controls your CSP is implementing. As the main document in a security package, an SSP gives you a detailed report on security protocols and highlights any gaps that may need to be addressed.

If you have a contract that requires compliance with DFARS 252.204-7012, then your CSP must meet the standards set by the FedRAMP moderate level of protection, and support government incident response efforts.

Doing your due diligence and insisting on rigorous compliance certifications, such as SOC Type II or PCI DSS, will give you peace of mind that your CSP is following the latest regulatory measures and maintaining the highest levels of data security.

Treat the Cloud like It’s Your Home

Some businesses are under the illusion that, since the cloud is not an on-site system, it doesn’t need to be treated in the same way they’d treat their personal systems. If you’ve made that mistake, then it’s imperative that you start viewing the cloud like the extension of your business it truly is.

It’s critical to be proactive in this regard, as opposed to waiting for a problem to occur and then addressing your security gaps. In the same way that you don’t allow every employee unrestricted access to your in-house systems, it’s essential to manage and control access to the cloud within your company.

Create written guidelines that specify who can use which cloud services, what data can be stored there, and for which purposes the cloud is to be used. Train your staff on the risks of cloud use and make sure they are aware of the latest trends in cybercrime that affect cloud users.

Encrypting the data you move to and from the cloud is also an absolute must. You want to take particular care to ensure that data is encrypted during transit when it is most open to attacks. Also, verify that your CSP encrypts your data at rest and on backup media to prevent data leaks.

In short, make sure you’re treating the cloud like you would your own home. Lock the doors, turn on the alarms, and train yourself on how to respond to emergencies, so you can sleep easy knowing you’re adequately protected.

Stay Alert About Your Cloud Vendor

The world of cybersecurity moves quickly and, in the event that there’s a breach or a threat concerning your specific vendor, it’s best that you know as soon as possible. If your cloud provider has security alerts, make sure you have notifications enabled, and check resources such as the US-CERT for announcements about threats that have been reported.

Looking for Secure Cloud Solutions?

If you want to stay ahead of developing cyber threats and you’re wondering how to implement strong security measures for your cloud services, let the cloud experts help you. CyberSheath’s cloud solutions are second to none, so contact us now and let us give you a helping hand to keep your business secure.

The demand for cybersecurity talent far outstrips the supply at present, something which will likely continue for the foreseeable future. This insatiable demand has created more and more opportunities than ever before for those interested in a career in cybersecurity.

That said, many aspiring cybersecurity professionals are left wondering how to make the transition. Where do I start? What should I read? Should I get certified? What qualifications do I need? These are just some of the questions I’m frequently asked by Uber drivers, waiters, and a host of other people looking to make the jump.

The good news is that, if you’re willing to put in the sweat equity and spend your free time working hard to learn what you need to know, there is a clear and rewarding path to your goal.

I’ve helped dozens of people get into cybersecurity over the years, largely by sharing my own personal experience of career transition. I’ve introduced people to potential mentors, pointed them towards self-paced educational tools and, many times, allowed them to use CyberSheath training resources at no cost.

In fact, one of the greatest joys of working at CyberSheath for me is being able to give smart, motivated people the opportunity and the tools to make career transitions, and then watching them go on to great success in their new field. We have dozens of these success stories, so read on if you’d like to be one of them…


First, you must have initiative and drive. If you need to be spoon-fed instructions, you make excuses, or you’re too busy with work, life, school, kids, etc., then you’re simply not going to be able to put in the blood, sweat and tears needed to make this transition. If, on the other hand, you can think for yourself and you’re willing to do whatever it takes to make it work, you’ll likely find yourself reaping the rewards in no time.


Read incessantly and voraciously. If you’re looking for the magical reading list that will transform you into a cybersecurity pro, well…there isn’t one. Just take the initiative, pick up a book, and then pick up another, and read everything you can about cybersecurity.

You’ll have a slew of acronyms to learn, along with vendor jargon and security concepts, so any reading material that helps you to become familiar with these basics will give you a good foundation on which to build your cybersecurity knowledge. Vendor marketing materials, product installation manuals, blogs, research reports, and security frameworks are a great place to start.


You can’t become a security practitioner without practice. Set up a lab with whatever resources you can cobble together and do something, anything — it doesn’t matter what at this stage. If you’re stuck for ideas, there are endless online resources to help you get started.

I personally started in cybersecurity by approaching a company owner and convincing him that if he trained me, I could be a great employee. He provided the training, including the lab equipment and training materials, and I provided the sweat equity.

That was almost 20 years ago and nothing has changed. CEOs and company executives are still willing to invest in motivated people who are taking the initiative to better themselves. In fact, just like me, many of them will be happy to help if asked.

If you’re willing to take the steps outlined above, then you have the ingredients required for a successful career transition. If you’d like help making that transition, contact us today to learn about CyberSheath’s cybersecurity training and education resources.



With the deadline for compliance with DFARS Clause 252.204-7012 having passed on December 31st 2017, many companies are still scrambling to catch up. But in their haste, many may be ignoring a vital aspect of the mandate.

Chiefly designed to ensure adequate security in safeguarding “covered defense information” (CDI), DFARS requires Department of Defense (DoD) contractors and subcontractors to implement controls to protect sensitive data “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

However, it also includes clearly specified mandates for cyber incident reporting, when a contractor or subcontractor discovers that CDI has been compromised or adversely affected within their networks. In addition to safeguarding CDI, it is imperative that companies follow these prescribed reporting requirements if they experience a cyber incident.

Report Rapidly

Collecting information on cyber incidents allows the government to investigate key details in order to monitor and hopefully contain future cyber threats. As such, DFARS cyber incident reporting mandates are designed to assure businesses turn over this information quickly.

According to DFARS, a cyber incident is defined as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” If you have determined that a cyber incident has taken place, then in accordance with the “Rapid Reporting” requirement you must:

(i) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts. This review shall also include analyzing covered contractor information system(s) that were part of the cyber incident, as well as other information systems on the Contractor’s network(s), that may have been accessed as a result of the incident in order to identify compromised covered defense information, or that affect the Contractor’s ability to provide operationally critical support; and

(ii) Rapidly report cyber incidents to DoD within 72 hours of discovery.

The DFARS provision defines a compromise as the “disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media may have occurred.”

Although there has been some debate as to what reporting triggers define the start of the 72-hour timeframe, implementing a clear cyber incident response plan can create a track record of internal consistency that would prove responsibility if a contractor’s reporting methods were ever to be scrutinized.

A full list of what to report can be found on this page of the DoD’s DIB Cyber Incident Reporting & Cyber Threat Information Sharing Portal.

Detect Malware

In the event that malicious software (malware) is found on a compromised system, the contractor must also collect information about the malware and submit it using a malware submission form to the DoD Cyber Crime Center (DC3) “in accordance with instructions provided by DC3 or the Contracting Officer.”

Preserve Your Media

The DoD may also choose to conduct a thorough post-incident investigation, also known as a damage assessment. To allow for this, they require companies that have been breached to “preserve and protect images of all known affected information systems” and “all relevant monitoring/packet capture data” for at least 90 days following the discovery of an intrusion.

Advice on Reporting

Opening up the lines of communication with the DoD prior to any incident ensures that the process is less complicated and helps you to report in a timely fashion.

In addition, making sure your forensics tools and procedures meet the DoD collection requirements will also ensure that you’re able to quickly gather the required information and report all the pertinent details in full.

Preparation is key. Make sure to practice using your forensics collection procedures so you can quickly report and recover without missing a beat. It’s also important to note that any report of a cyber incident must have a DoD-approved medium assurance certificate. Information on how to obtain this certificate can be found at

Need Assistance?

If you’re looking for someone to stay on top of your reporting so you don’t drop the ball, or if you just need further assistance understanding the complex process of reporting a cyber incident, contact CyberSheath today for a free consultation.



In today’s digital world, no matter what type of sensitive data you handle, attackers are hard at work developing ways to access it. The rash of high-profile security breaches making headlines every day is clear evidence of the struggle businesses face in trying to stay ahead of these sophisticated cyber attacks.

In response to these threats, local and federal governments around the world have begun to impose increasingly stringent regulations to force companies to re-examine their internal cybersecurity standards.

DFARS clause 252.204-7012, HIPAA, PCI DSS, and GDPR are just some of the many compliance mandates that companies are currently juggling. And considering the disastrous fallout of even the smallest breach, not to mention the heavy penalties associated with non-compliance, there’s no time to waste in getting up to date.

The Risks of Non-compliance

As early as 2005, former U.S. President Barack Obama voiced his concern about cyberattacks, calling them a “national emergency.” In the years following this call to action, Federal agencies continually increased the regulatory mandates for private contractors, and over half of the state governments in the U.S. passed laws to put in place punitive measures for companies that fail to sufficiently protect sensitive data.

These include hefty fines and in some cases, jail time. Of course, these punishments are minuscule when compared to the consequences of actually being hacked. The costs of penalties, legal fees, and possible compensation for damages pile up quickly and can completely change the financial outlook of your company. Most damaging, however, is the subsequent destruction of your company’s reputation and the irreparable loss of confidence from your customer base.

Entities with the proper vision and intelligence work exceptionally hard to avoid these outcomes at all cost by prioritizing day-to-day operational security. Not only does this protect the company as a whole, but it ensures that the satisfaction of government or contractual requirements is a natural outcome of day-to-day security practices.

An Industry Leader in Cyber Protection

The unfortunate truth is that, even though compliance is absolutely essential, it’s not easy. Combing through the myriad of regulatory requirements to assess which apply to your business, coupled with the complex processes of then actually meeting these standards, leaves many companies lost.

With the right support, businesses can dramatically simplify this process. An industry leader in cybersecurity, CyberSheath has developed the one-of-a-kind systematic Measure Once, Comply Many® approach to cybersecurity, enabling companies to reach compliance by implementing a specifically tailored security strategy.

CyberSheath starts by expertly identifying the vulnerabilities in your network and then uses this information to plan and build a strategic security organization that optimizes your personnel, security processes, and technology. We then monitor your systems in real-time, providing you early threat recognition and proactive prevention that helps eliminate the risk of attacks.

By using this proven and patented method, CyberSheath paves the way towards both reaching regulatory milestones and achieving optimal operational cybersecurity.

Measure Once, Comply Many® utilizes the following services to provide a full-service comprehensive security platform, keep your data safe and secure, and assure across-the-board compliance:

• Centralized 24/7/365 Security Operations Center (SOC) capabilities.
• SIEM, network IDS, host IDS, file integrity monitoring, vulnerability reporting and management, and more.
• Real-time security intelligence, including correlation directives, IDS signatures, NIDS signatures, and asset fingerprints.
• Full suite of compliance reporting, including DFARS clause 252.204-7012, NIST 800-171, HIPAA, PCI DSS, GDPR, and state data breach laws.
• Instant detection and notification of ransomware and other malware variants.
• Managed Privilege Account Management Services to stop security breaches involving privileged accounts.

With these advantages in place, you’ll never be caught off-guard, regardless of the current regulatory measures. Your business will not only take the necessary steps towards compliance, but you’ll also be able to continually read and react to the latest state-of-the-art threats. It’s all part of our patented system designed to achieve compliance as a result of committing to optimal operational security.

Assure Your Cybersecurity Now

Staying on top of your cybersecurity requirements can be overwhelming, but being hacked is undoubtedly even worse. Partnering with CyberSheath can help you gain peace of mind by putting a proactive plan in place to ensure your business is not just compliant, but also efficient and thorough in every aspect of cybersecurity. Contact us today to learn more about Measure Once, Comply Many®.



On December 31, 2017, the deadline for compliance with NIST 800-171, a mandate for contractors serving local and federal governments, came and went.

This Special Publication provided guidance on the processes and procedures needed to adequately safeguard controlled unclassified information (CUI), defined as any information created by the government or entities on behalf of the government that is unclassified, but still must be appropriately safeguarded.

While some companies were quick to adapt to these new regulatory measures, many companies fell behind because of a lack of resources, confusion over the head-spinning compliance process, or just downright procrastination.

With the deadline long gone and the Department of Defense (DoD) making it crystal-clear that NIST 800-171 is here to stay, becoming compliant is an absolute must for those looking to remain competitive in the industry.

A Common Problem

Unlike previous security mandates, this is the first that impacts sub-contractors working further down the federal supply chain. This means that for many companies, it’s the first time they’re having to figure out compliance.

If this describes your company, you’re by no means alone. Because these standards must be met by anyone who stores, processes, or transmits CUI for the DoD, General Services Administration (GSA), NASA, or other federal or state agencies, many contractors are struggling to wrap their heads around the complex process ahead.

As it’s critical to a supplier’s ability to win new business and keep current defense contracts, both prime and sub-contractors will want to confirm that they are, at the very least, on the path to compliance with NIST 800-171.

Achieving Compliance

Of course, becoming compliant is easier said than done. The fact that there is no certification process for NIST 800-171 means contractors work on the honor system, attesting that they have reviewed and heeded the applicable requirements specified in the regulation.

This also means that becoming compliant is not a one-time achievement. Rather, it’s an ongoing process of continuous evaluation. Here are the three key actions you can take to get started…

Assess Your Compliance Level

First, you’ll need to do due diligence in identifying CUI as it applies to you. Check with your contracting officers or look through your contract to see if CUI has been clearly defined. In many cases, it may not be, and you’ll have to review the CUI registry to find similar examples of CUI.

Once you’ve clearly defined what you need to protect, you can begin to figure out if it’s actually being protected sufficiently. You’ll have to carefully review your critical systems, including servers, laptops, storage devices, network devices, and end-user workstations. You’ll also need to assess the physical security of those devices that contain CUI to make sure they are properly safeguarded.

Design a Plan of Action

Chances are there will be a gap between where you are now and where you need to be. This is common so don’t worry!

Fortunately, clause 3.12.4 allows for the submission of a Security System Plan (SSP) and a Plan of Actions and Milestones (POA&M) to buy yourself some time as you work towards your compliance goal. Since many contractors are not yet compliant, these documents are required to show procurement officials you are heading in the right direction.

An SSP will provide an overview of the security requirements needed for every system you use, describe the current controls you have in place, and outline the expected behaviors of all who access them. Your POA&M will show a clearly defined corrective strategy for exactly when and how you plan to resolve any security weaknesses.

Begin Implementation

All this planning and assessing means nothing if you don’t step up and deliver! Once you’ve put milestones in place, you’ll need to train your staff and ensure they adhere rigorously to these deadlines. You’ll also need to document critical advancements in your quest for compliance, properly maintaining your records as you go.

Still Nowhere Near Compliance? Don’t Panic!

If you missed the December 2017 deadline and you’re starting to feel the pressure, don’t panic. CyberSheath’s Managed Security Services can help you to define your CUI obligations, create a plan of action, and move step-by-step towards full compliance. Contact us today for a free consultation.



More than two years ago, the Department of Defense (DoD) sounded the alarm for increased cybersecurity with a new set of controls designed to raise the level of safeguarding standards across the industry.
The requirements specified in Defense Federal Acquisition Regulation Supplement (DFARS) provision 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, were gleaned from Special Publication (SP) 800-171, authored by the National Institute of Standards and Technology (NIST).
A non-regulatory government agency designed to promote U.S. innovation and industrial competitiveness, NIST identified a set of 110 security control requirements, appropriate for non-government organizations, to be implemented by December 31st of 2017. But even with the deadline long since passed, many contractors are still struggling to meet these standards. Here are the three main reasons why…

Lack of Resources

NIST’s daunting to-do list has left many small to medium companies wondering how they’ll close the gap between what is required and what they can afford to implement.
Put at a disadvantage by budget and workforce limitations, companies find themselves falling behind due to a lack of cost-effective solutions and an inability to dedicate the manpower to keep their cybersecurity standards up-to-date.
Companies must report any shortcomings or gaps in their compliance to the DoD’s Chief Information Officer (CIO) within 30 days of any contract award. That means that the time and resource constraints are only exacerbated if the people in charge don’t have an intimate understanding of the NIST SP 800-171 security controls.
These companies need help but don’t know where to turn. As a result, they’ve found themselves exposed to increasingly advanced cybersecurity threats and will continue to accrue non-compliance penalties until they can find the assistance they need.


In an attempt to provide flexibility, make the controls technology-neutral, and allow for contractors to implement whatever solutions best fit their company, NIST has inadvertently made it difficult to know whether your company has actually achieved compliance or not.
The first challenge contractors face is assessing whether or not an information system is processing covered defense information (CDI). CDI is defined by the registry maintained by the National Archives and Records Administration and includes Controlled Technical Information (CTI) and Controlled Unclassified Information (CUI).
If these information systems are precisely specified in the awarded contract, the process is simplified. But DFARS has also included CUI that is “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”
This opens the door for large chunks of information that have been created or are received by contractors, but not marked, to also be considered CDI, making the process of identifying which systems process this information much more difficult.
On top of this, the DoD does not currently have any system in place to certify compliance and has not authorized any third-party certification process, leaving it up to you to accurately assess where you stand at any given moment.

Being Human

As with any complex set of rules, the risk for human error also enters the mix. In the midst of wrapping their heads around a barrage of complicated regulations, many people simply drop the ball.
In companies that are already struggling to dedicate the necessary human resources to compliance, the overwhelming task of adjusting to a whole new world of security requirements can lead to small errors that pave the way for much bigger problems.
In cases like these, it’s essential to have an extra set of eyes on the details to make sure problems don’t snowball and create an avalanche down the line.

Rising to the Challenge

If you’re a defense contractor struggling to keep up with NIST 800-171 requirements, performing a compliance assessment should be your top priority. CyberSheath’s Managed Security Services can help you identify the roadblocks on your path to NIST compliance and find cost-effective solutions to overcome them. Contact us today for a free consultation to find out more.

Every day, hackers and thieves are becoming more sophisticated, daring, and aggressive in their attempts to turn stolen data into substantial paydays. And with criminal entities regularly on the prowl for cyber weaknesses to exploit, it’s no wonder that the number of data breaches is growing at a record pace. Partially in response to this rise in cyber attacks, Ohio Attorney General Mike DeWine’s CyberOhio Initiative has introduced The Data Protection Act, signed into law by Governor John Kasich on August 3rd 2018.

Whereas most of the preceding cybersecurity legislation has sought to motivate businesses with punitive and disciplinary action, the DPA is looking to take a new approach by giving companies a positive and confident push forward towards a more secure future.

The first law of its kind in the nation to provide an affirmative legal defense, the DPA is an absolute boon to any company involved in the handling of sensitive data. Beneficial for all involved, it’s designed to inspire a proactive approach to cybersecurity to make the exchange of sensitive information safer and more comfortable for everyone.

The law incentivizes businesses to further protect themselves against cybersecurity risks by providing legal protection to those who deal with personal information in case of a breach, provided that they comply with a designated cybersecurity framework.

A Safe Harbor

Fairly or not, people affected by data breaches often look for a scapegoat. In many cases, they end up trying to hold the breached company liable for losses or damages they’ve incurred.

With even the smallest attack leaving a business vulnerable to serious legal consequences, this bill represents a valuable tool for those looking to limit their liability. Although it doesn’t provide immunity to your company if you comply, it does afford you a ‘safe harbor’ against tort claims that failed cybersecurity measures resulted in the data breach.

Both businesses and consumers should be set to benefit from this development as companies become more motivated to up their game and meet industry standards for cybersecurity.

How to Comply

As of November 2nd, 2018, your business can trigger the ‘safe harbor’ provided that you adopt a cybersecurity program designed to:

  • Protect the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of the personal information; and
  • Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Since no two companies are alike, the law does acknowledge that the above guidelines are not meant to be a one-size-fits-all approach to cybersecurity. An effective program will have to be scaled to match:

  • The size, complexity, and nature of your business and its activities;
  • The level of sensitivity of the personal information your business possesses;
  • The cost and availability of tools to improve your security and reduce vulnerabilities; and
  • The resources your business has at its disposal to expand on cybersecurity.

Further guidance also advises businesses to ‘reasonably conform’ to one of the following industry-recognized frameworks:

  • The National Institute of Standards and Technology’s (NIST) Cybersecurity Frameworks;
  • NIST Special Publication 800-171, or Publications 800-53 and 800-53a;
  • The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
  • The International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards;
  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
  • The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) for healthcare industry businesses subject to HIPAA oversight;
  • The Federal Information Security Modernization Act of 2014 (P.L. 113-283); and
  • The Safeguards Rule of the Gramm-Leach-Bliley Act, for certain financial institutions.

If you accept card payments, you’ll also have to comply with the Payment Card Industry’s Data Security Standards (PCI-DSS).

Challenges Ahead

Although guidelines have been provided, demonstrating full compliance may prove challenging since many of the specified frameworks lack standard certification processes.

Also, since some data security laws have more flexible requirements than others, questions remain over how to demonstrate complete conformity, or which aspects to comply with to ensure the best legal defense. For this reason, when attempting to implement frameworks, it’s a wise move to consult with cybersecurity experts like CyberSheath.

Our Managed Services enable comprehensive, framework-based compliance with the Ohio DPA. We’ll guide you through the process from assessment through remediation, integrating your existing people, processes, and technologies with your chosen frameworks.

A Win-win for Your Business and Your Customers

Not only will CyberSheath’s managed services help you to achieve full compliance and reduce your legal liability, but you’ll also see a demonstrable improvement to your day-to-day operational security — a true win-win for your business and your customers.


Cybersecurity at small and mid-sized businesses is often under-resourced, with an “Army of One” approach to compliance and risk management. Compliance with regulatory requirements like DFARS 252.204-7012, HIPAA, PCI DSS, NERC CIP, Sarbanes-Oxley (SOX) and more competes with actual cyber defense efforts to monitor, detect and respond to threats. Doing what you have always done, buying more products and surviving audits, isn’t effective and doesn’t scale. There is a better way, and its effectiveness can be measured with contractual Service Level Agreements (SLAs) that enable cybersecurity to be a force multiplier for your business.

Instead of hiring FTEs and deploying one-off, point-solution products that don’t integrate with existing investments, consider Managed Security Services that deliver:

  • Cloud-based security monitoring platform in one unified solution
  • Integrated security information and event management (SIEM) and log management
  • Asset discovery
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • Threat intelligence
  • Privileged account management
  • Automated and simplified regulatory compliance management

Just think about your infrastructure today. How many tools and products do you have spread across too few engineers without enough time to deploy, monitor and manage them? Do you feel like a SIEM solution is a luxury that a business your size can’t afford? Small and mid-sized businesses often have to make tough choices between resource allocation, and a SIEM solution rarely makes the cut because of cost and complexity. The irony is that a SIEM solution is a foundational investment that improves your ability to allocate resources, meet compliance requirements and defend your infrastructure. Coupled with Managed Security Services, the return on investment (ROI) for your business is measurable in a variety of ways.

Our partner, AlienVault, commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study that detailed the potential ROI organizations can realize by deploying the AlienVault Unified Security Management® (USM) platform. The results aligned with our experience delivering managed services in the defense, financial, healthcare, technology and manufacturing industries. Here is what Forrester Consulting found:

Simplified compliance reporting for companies, resulting in nearly 6,000 hours of time-savings each year. Prior to adopting AlienVault USM Anywhere, key pieces of information had to be pulled from many different systems and consolidated into reports for the auditor. This process took nearly four months, but with AlienVault, onsite audits could be completed in one week as the compliance information and reports were readily available in real-time. This resulted in approximately 2,000 hours of time savings per audit and, on average, three audits were being held each year.

AlienVault USM Anywhere reduces the cost of incidents by improving threat detection and incident response time by 80%. Based on a 2017 study conducted by the Ponemon Institute, the probability that an organization will experience a breach greater than 1,000 records is 14%. However, with the deployment of USM Anywhere, the time to detect incidents was dramatically reduced, helping organizations identify and respond to attacks much faster. With 80% faster detection and response time, the impact and probability of a breach could be reduced.

An 80% security operations staff productivity improvement. Prior to adopting AlienVault solutions, organizations didn’t dedicate much time to daily monitoring tasks. On average, two to three investigations arose each week, which took the combined effort of two dedicated resources. After the deployment of AlienVault’s USM Anywhere platform, the security operations team was able to monitor and detect issues in real-time. This reduced the manual effort involved in investigative activities by 80% and allowed the resources to focus their time on more value-added tasks. “We are still responsible for monitoring alerts and logging, but it’s gone from hours per day to minutes. It allows us to focus on things like serving our customers, writing new code, and ultimately bringing more business in the door.”

Threat intelligence saves time and money. With AlienVault Labs threat intelligence, organizations no longer have to dedicate resources to sifting through multiple sources of information and bulletins to keep up with the latest intelligence. Now they can rely on the AlienVault Labs Security Research Team for continuous updates to threat correlation rules and directives. With the added benefit of not having to pay for an alternative threat intelligence subscription, the overall annual cost savings for the composite organization resulted in more than $40,000 per year.

The data from the study was clear: managed services save time and money by enabling more effective regulatory compliance and risk management. You probably already intuitively know that managed security services will be a game-changer for your organization, and the data from the study only further strengthens that view. That said, there are often at least two challenges to moving forward that businesses struggle with:

  1. Senior management doesn’t want to spend the money, I don’t care what your fancy study says.
  2. Managed Security Services Providers are like gas stations, there’s one on every corner and they all sell the same thing.

Getting past these barriers to realizing the benefits of managed services requires the same solution: selecting a Managed Security Services Provider that can push past them before you have spent any money. You will know you have selected the right partner when they invest the time upfront to specifically show you how their services benefit your business. Candidly, management is right. Nobody cares what a vendor study says might happen at your business based on possibility. Your potential MSSP should be spending time documenting and demonstrating how their services will reduce risk and simplify compliance at your business. You will quickly be able to differentiate MSSPs offering canned reporting and push-button threat detection from those with teams that span CISO through operations-analyst level experience. You are buying a service, and that service should have real people who can document and articulate the MSSP’s value specific to your business before you spend any money. Regardless of whether that takes two weeks or six months, you will know you have the right MSSP when they invest the time pre-sales to detail the value to your business.

Managed security services are the answer to your small and mid-sized business cybersecurity needs and selecting the right partner will be a force multiplier for your business.

Contact us today to learn how to save time and money with CyberSheath Managed Security Services.

Good hygiene habits are drilled into us from a young age, and for good reason! Neglect to wash your hands, take a shower, use deodorant, or brush your teeth, and you could find yourself friendless, dateless, and quite possibly sick.

While they probably won’t stop you getting a date, bad cyber hygiene habits can be just as harmful to your company’s health. They leave you, your clients, and your customers vulnerable to a host of threats, including hackers, viruses, data theft, and data loss. Ultimately, they can damage your reputation beyond repair and even land you in serious financial and legal trouble.

What is Good Cyber Hygiene?

You’ve presumably mastered the art of personal hygiene by now! But what does good cyber hygiene look like? First, let’s look at exactly why it’s necessary. There are two key reasons: performance and security.

Just like brushing and flossing every day keeps your teeth in optimum condition, good cyber hygiene keeps your IT systems working at peak performance. When your systems are functioning at their best, you’ll save valuable resources and deliver a great customer/client experience to boot. And more importantly, regular maintenance will help you to spot and close security gaps before they can be exploited.

Security threats like hacking, viruses, malware, spyware, and data theft are becoming more sophisticated by the day, and they have the potential to bring your business to its knees. Just as you can ward off illness and stay healthy with good personal hygiene, you can stay ahead of threats and minimize their impact on your business with solid cyber hygiene routines.

Now let’s talk about what these cyber hygiene routines look like in practice…

The 12-Step Program

At CyberSheath, we recommend a thorough 12-step routine for impeccable cyber hygiene. To be truly effective, this routine should be:

• Part of an official company security policy.
• Built into your organizational culture.
• Universally adopted across your business.

Why is this necessary? Well, you’re only as strong as your weakest link. It only takes one careless employee to leave your entire business vulnerable to malfunction or attack. By formalizing your routine, promoting a ‘security first’ culture, and encouraging widespread compliance, you’re sending a clear message that lapses are not an option.

The program begins with a fundamental step…

1. Take an inventory

In order to properly protect your assets, you first need to document them. The most efficient way to do this is to group them into three categories:

• Hardware, such as computers, printers, scanners, smartphones, and tablets.
• Software programs installed on your devices, such as web browsers or messaging systems.
• Remotely hosted applications like cloud-based storage drives or smartphone apps.

Next, create an inventory of your assets under each of these categories and make a record of details like installation date, license expiry date, version number, date last used, and authorized users. This information will help you to identify security vulnerabilities, such as outdated software or unrestricted equipment usage.
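The step above says an inventory earns its keep by surfacing outdated software, expiring licenses, stale devices, and equipment with no recorded authorized users. The script below is an added example, not code from CyberSheath or the original post: it runs those checks over a small constructed inventory (the asset names, dates, versions and the "latest known version" table are all made up for illustration) and returns one list of findings per asset.

```python
from datetime import date, timedelta

# Constructed sample inventory; none of these are real assets.
# Each record carries the fields the inventory step asks for.
INVENTORY = [
    {"name": "FIN-LAPTOP-07", "category": "hardware", "installed": "2016-03-01",
     "license_expiry": None, "version": None, "last_used": "2018-08-30",
     "authorized_users": ["j.doe"]},
    {"name": "HR-PRINTER-02", "category": "hardware", "installed": "2014-06-12",
     "license_expiry": None, "version": None, "last_used": "2018-01-15",
     "authorized_users": []},                     # nobody assigned: unrestricted use
    {"name": "web-browser", "category": "software", "installed": "2018-02-01",
     "license_expiry": None, "version": "66.0.1", "last_used": "2018-08-30",
     "authorized_users": ["j.doe", "a.smith"]},
    {"name": "cloud-storage", "category": "remote", "installed": "2017-09-10",
     "license_expiry": "2018-09-10", "version": None, "last_used": "2018-08-25",
     "authorized_users": ["j.doe"]},
    {"name": "mail-client", "category": "software", "installed": "2018-05-01",
     "license_expiry": "2019-05-01", "version": "4.2.0", "last_used": "2018-08-31",
     "authorized_users": ["j.doe"]},
]

# Constructed "latest known version" table, of the kind a patch-management
# tool or vendor feed would supply (hypothetical values).
KNOWN_LATEST = {"web-browser": "68.0.3", "mail-client": "4.2.0"}


def parse_version(version: str) -> tuple:
    """Turn '66.0.1' into (66, 0, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def audit_inventory(inventory, today, known_latest, stale_days=90, expiry_warn_days=30):
    """Return {asset name: [issues]} for every asset with at least one finding."""
    findings = {}
    for asset in inventory:
        issues = []

        # License expired, or expiring inside the warning window.
        expiry = asset.get("license_expiry")
        if expiry:
            expiry_date = date.fromisoformat(expiry)
            if expiry_date < today:
                issues.append("license-expired")
            elif expiry_date - today <= timedelta(days=expiry_warn_days):
                issues.append("license-expiring")

        # Not used for longer than stale_days: candidate for disconnection (step 6).
        last_used = date.fromisoformat(asset["last_used"])
        if today - last_used > timedelta(days=stale_days):
            issues.append("stale")

        # Installed version behind the latest known release (steps 4 and 5).
        version, latest = asset.get("version"), known_latest.get(asset["name"])
        if version and latest and parse_version(version) < parse_version(latest):
            issues.append("outdated")

        # No authorized users recorded: nobody owns the asset, anyone may use it.
        if not asset["authorized_users"]:
            issues.append("no-authorized-users")

        if issues:
            findings[asset["name"]] = issues
    return findings


def audit_sample():
    """Run the audit over the constructed inventory as of a fixed, constructed date."""
    return audit_inventory(INVENTORY, date(2018, 9, 1), KNOWN_LATEST)


if __name__ == "__main__":
    for name, issues in audit_sample().items():
        print(f"{name}: {', '.join(issues)}")
```

The audit date is passed in rather than taken from the clock so that a report is reproducible for the auditor; in practice the inventory records would come from an export of your asset-management or endpoint tooling rather than a hand-written list.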

2. Implement secure password practices

Password security is one of the easiest ways to practice cyber hygiene, but it’s also one of the most neglected. You’d be amazed just how much sensitive data is ‘protected’ with weak passwords such as… well, ‘password’!

Today’s computers, smartphones, and tablets come with security options ranging from simple text passwords to bio-recognition (think fingerprint and iris scanners), so there’s simply no excuse not to have your devices protected. The same applies to software and online applications, particularly those that are mission-critical or contain highly sensitive data.

The best text passwords are a complex mix of numbers, letters, and symbols, with no link to identifiable information like names, birthdays, or employee numbers. It’s important that they’re memorized, rather than written down, and they should never be shared. In fact, it’s good practice to incorporate a ‘no-sharing’ rule into your company’s formal code of conduct.

A final note on password security: encourage your team to log out of software, apps, and devices when not in use, especially if they’re leaving their desks.

3. Use multi-factor authentication

For particularly sensitive devices, programs, or applications, such as email accounts or mission-critical hardware, multi-factor (AKA two-step) authentication adds an extra layer of security.

After the user has entered their password, they’re typically required to enter another passcode, answer a question, or submit biometric information like a fingerprint in order to gain access. That means that, even if somebody does manage to obtain the user’s password, they still can’t access their accounts.

If you’re using a passcode, it’s good practice not to request the full code. Instead, ask for specific characters from the code at random. This reduces the risk of a malicious party obtaining the full code and gaining unauthorized access to your systems.

4. Keep up with software updates

We’re all guilty of ignoring those software update notifications when we’re in the middle of an important task. However, it’s essential to pay attention to these updates for several reasons.

Not only do updates increase the performance, functionality, and efficiency of your software, they usually include ‘fixes’ for security issues that have been identified after launch. If you fail to keep your software updated, you might find yourself missing out on great new features at best, and exposing yourself to serious security breaches at worst.

Another problem is that software developers often phase out support for previous versions of their software. In the same way that Apple will no longer help you with an iPhone 5, you may find that your developer will no longer be able to fix issues in software that’s five versions behind the most current one. If your essential software packs up and the developer can’t help you, where does that leave your business?

For peace of mind, resist the urge to snooze your software notifications, or better still, set updates to install automatically. Note that some malware can disable your automatic updates, so check back periodically just in case.

5. Patch up security holes regularly

Security vulnerabilities are often picked up by software developers between versions. Rather than leave their users exposed until the next update, developers will release ‘patches’ to protect them in the meantime.

Like software updates, patches are often neglected, but they’re one of the biggest security risks for your business. Think about it — if you know there’s a security hole, so do hackers. They then actively look for unpatched software that they can exploit.

Patching can be a tedious process, especially in larger organizations, but it really is worth taking the time to keep your software protected. That applies to the software on connected devices like printers, too.

6. Replace outdated hardware

Just like software, hardware is continually being updated and improved. And like software, falling behind on your hardware updates will leave you vulnerable to poor performance and avoidable security threats.

If you’ve identified outdated hardware in your inventory, update it now to maintain peak performance and full security compliance. If the hardware is no longer being used, disconnect it from your network and properly remove any sensitive data within it.

7. Control installations

Software downloads can be used as a vehicle to implant viruses, malware, and spyware on your systems. For that reason, it’s essential that users are not given free rein to install software on their company devices.

Develop a policy that governs which employees can install which software on which devices. You might decide that only certain groups of users are allowed to install software, or you might allow installations from trusted sources, or you might require that all installations are approved first. Whatever your specific policy looks like, it should be controlled centrally by you or your IT team, and not on an individual basis.

8. Limit users

In order to minimize the potential damage from a hacking or malware attack, it’s important to carefully control the level of access your employees have to devices and programs.

For example, if 200 of your employees can access a system, that’s 200 routes by which a hacker can enter that system. If only 100 of them actually need to use that system, you can cut your risk in half by restricting access to an ‘as-required’ basis.

If all 100 of those users have admin rights, that’s 100 opportunities for a hacker to inflict damage on your system. If you restrict admin rights to the 10 employees that need it, you’ve cut your risk again by 90%. You get the idea!

For each item in your inventory — hardware, software, and applications — evaluate which of your employees needs access, and what privileges they need within the system in order to do their job. Everybody else should be restricted accordingly.
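The review the step above describes, comparing who has access to a system against who needs it, is routine enough to script. The code below is an added example, not code from CyberSheath or the original post: it takes a constructed entitlement export and a constructed table of what each employee's job actually requires, produces a list of revoke and downgrade actions, and reports the system's exposure (accounts with any access, accounts with admin rights) before and after applying them. The user names, systems and roles are all made up.

```python
# Constructed entitlement export, as an identity system or a script pulling
# group memberships would produce it. No real users or systems.
ENTITLEMENTS = [
    {"user": "j.doe",   "system": "payroll", "role": "admin"},
    {"user": "a.smith", "system": "payroll", "role": "user"},
    {"user": "b.lee",   "system": "payroll", "role": "admin"},   # only needs "user"
    {"user": "c.wang",  "system": "payroll", "role": "user"},    # no payroll duties
    {"user": "j.doe",   "system": "crm",     "role": "user"},
    {"user": "d.king",  "system": "crm",     "role": "admin"},
]

# Constructed job-role requirements: user -> {system: role needed}. A system
# missing from a user's entry means that user needs no access to it at all.
REQUIRED = {
    "j.doe":   {"payroll": "admin", "crm": "user"},
    "a.smith": {"payroll": "user"},
    "b.lee":   {"payroll": "user"},
    "c.wang":  {},
    "d.king":  {"crm": "admin"},
}

ROLE_RANK = {"user": 1, "admin": 2}   # higher rank = more privilege


def review_access(entitlements, required):
    """Return (user, system, action) for every entitlement beyond what the job needs."""
    actions = []
    for e in entitlements:
        needed = required.get(e["user"], {}).get(e["system"])
        if needed is None:
            actions.append((e["user"], e["system"], "revoke"))
        elif ROLE_RANK[e["role"]] > ROLE_RANK[needed]:
            actions.append((e["user"], e["system"], f"downgrade to {needed}"))
    return actions


def exposure(entitlements, system):
    """(accounts with any access, accounts with admin) for one system: the two
    numbers the step above reasons about when it counts 'routes in'."""
    users = {e["user"] for e in entitlements if e["system"] == system}
    admins = {e["user"] for e in entitlements if e["system"] == system and e["role"] == "admin"}
    return len(users), len(admins)


def apply_actions(entitlements, actions):
    """Return a new entitlement list with the review actions applied."""
    plan = {(user, system): action for user, system, action in actions}
    result = []
    for e in entitlements:
        action = plan.get((e["user"], e["system"]))
        if action == "revoke":
            continue
        if action and action.startswith("downgrade to "):
            e = dict(e, role=action.split()[-1])
        result.append(e)
    return result


if __name__ == "__main__":
    actions = review_access(ENTITLEMENTS, REQUIRED)
    for user, system, action in actions:
        print(f"{user:8} {system:8} {action}")
    before = exposure(ENTITLEMENTS, "payroll")
    after = exposure(apply_actions(ENTITLEMENTS, actions), "payroll")
    print("payroll exposure (accounts, admins): before", before, "after", after)
```

The requirements table is the hard part in practice: it has to come from line managers or a role model, not from the identity system, or the review simply rubber-stamps whatever access already exists.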

9. Back up data

Even with the very strictest of security, life still happens. Loss, damage, technical malfunction, sabotage, and theft can never be fully prevented, so make sure you have a reliable system for backing up your data — both yours and that of your clients and customers.

Ideally, you’ll have back-ups of your data in multiple formats and locations. Copies of digital data should be stored on an encrypted, cloud-based server, while copies of physical data and documents should be stored in a secure off-site location.

Build regular data back-ups into your security plan. If possible, automate the process to save time and money, and of course, to eliminate the risk of forgetting.

10. Invest in training and awareness

When it comes to keeping your business safe, knowledge truly is power, so take the time to identify knowledge gaps within your team and provide training as necessary. This will fortify your business from top to bottom, teaching everything from password etiquette and best-practice software usage to threat identification and crisis management.

11. Develop an incident response plan

Despite your best efforts, the worst has happened — you’ve been hacked. What do you do?

If you don’t have an answer to that question, then now’s the time to find one! The best incident response is the one that’s planned, rehearsed, and perfected ahead of time, ready to be rolled out seamlessly if and when disaster strikes.

Work with your IT team on developing responses to all possible threats you might face. Consider what actions will be needed, who will take responsibility for them, and whether they have the skills and knowledge necessary to do so. Make sure everyone understands their role and hold regular drills to keep the procedure fresh in everybody’s minds.

12. Employ a cybersecurity framework

For organizations that deal with particularly sensitive data — think government or defense suppliers, for example — it may be wise to consider adopting a more advanced security framework. Industry-standard protocols like the NIST Framework and the CIS Benchmark offer you standards, guidelines, and best practices to manage cybersecurity risks in critical environments, protecting both your business and your clients from a threat.

And finally, the Golden Rule…

If in Doubt, Leave It to the Experts

When it comes to cybersecurity, you can’t just wing it! If you don’t have the resources or the expertise to properly manage your security in-house, then don’t take the risk — outsource it to professionals. A Managed Security Services Provider (MSSP) like CyberSheath can take all of the work and the worry out of cybersecurity. We already have the infrastructure and the experts in place, so we can quickly set up a bulletproof, fully staffed security system with minimal effort on your part.

CyberSheath’s MSSP is also one of the most cost-effective security options available to businesses like yours. We keep your costs consistent and predictable, which gives you much more control over your budget, and you benefit from the latest in security technology without having to invest in research and development.

To learn more about cyber hygiene and discuss how your business could benefit from the cost-effective, comprehensive protection of an MSSP, contact us now for a no-obligation discussion.

In the last decade, the way in which nation-states have targeted the U.S. has changed dramatically. Where warfare was once predictably physical in nature, more and more of today’s threats come via virtual and digital channels.

After more than a decade of large-scale intellectual property theft, including the theft of vast amounts of highly sensitive data from a U.S. Navy contractor’s computer systems, allegedly by Chinese hackers, the Department of Defense (DoD) has sought new guidance on how to secure its $100bn supply chain in the face of modern threats.

In the recent report Deliver Uncompromised, researchers at MITRE Corp. discuss how the Department of Defense (DoD) and intelligence agencies can adapt to meet the growing threat of cyber warfare. They identify a number of ways in which national security can be compromised remotely, including the virtual hijacking and sabotage of military equipment, the infiltration of software for espionage purposes, and the data theft to which the Navy contractor fell victim.

Beyond Compliance

Up until now, the focus has been on encouraging contractor compliance. A recent example is National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, a set of security requirements that lays out how contractors must safeguard sensitive defense information and track and report cybersecurity incidents. By December 31, 2017, contractors handling covered defense information were required to have implemented these requirements and to be able to demonstrate exactly how they had done so.

However, the Deliver Uncompromised report argues for a full cultural shift in the way the issue of cybersecurity is framed, with an emphasis on the role of the contractor. Instead of simply requesting or even mandating cooperation in support of their security objectives (a reactive role for the contractor), the report recommends that defense and intelligence agencies encourage contractors to share ownership of the problem itself and proactively develop solutions.

At present, the DoD chooses suppliers based on cost, schedule, and performance, but the report notes that this can actually encourage suppliers to cut corners on security. A supplier that prices in enhanced security measures looks less attractive to the DoD on cost, and when the alternative is to absorb that cost themselves, most businesses will simply do the bare minimum needed to achieve compliance.

In order to avoid the ‘compliance effect’ and incentivize suppliers to go above and beyond, DoD is attempting to elevate security to a key metric in the procurement process, on par with cost, schedule, and performance. In making enhanced security a competitive advantage and not just a ‘checkbox’, the DoD is essentially leveraging its position as the primary source of revenue for many of its contractors in order to shape their behavior.

That’s not to say compliance is moving down the agenda; quite the opposite, in fact. Deliver Uncompromised identifies a number of major holes in current compliance legislation, noting that they undermine any ‘softer’ attempts by the DoD to influence suppliers.

Financial Liability

First, the report says, it’s unclear what tangible consequences a contractor will face in the event that their non-compliance with DoD mandates leads to a security breach. Because there are so few financial repercussions, the very real risk is that some suppliers will fail to commit the necessary resources to implement their contractual obligations, while others will ignore them altogether.

To address this risk, Deliver Uncompromised recommends that DoD re-examines financial liability processes for suppliers that fail to take reasonable or timely assurance measures to protect the DoD from a threat. It also implores the DoD to consider seeking the legislative authority to hold suppliers liable for gross negligence in circumstances where cybersecurity obligations have not been met.

Software Practices

Software was identified as a major area of vulnerability for the DoD supply chain, especially given the widespread use of open-source software components with uncertain origins. And yet, the report says, the current practice is to absolve users, operators, and even developers from responsibility for security threats arising from software failure.

Deliver Uncompromised calls for an overhaul of this policy and suggests that the DoD demand much higher standards of security throughout the life cycle of mission-critical software. It also recommends placing much greater accountability on users, operators, and developers, which may be achieved by soliciting the help of Congress to change laws surrounding software immunity.

What Does this Mean for You as a Defense Supplier?

If a significant proportion of your revenue depends on government contracts, it’s likely you already know that compliance is becoming an increasingly important deciding factor in the awarding of contracts. However, it’s no longer enough to simply comply.

Deliver Uncompromised is a crystal-clear statement of the DoD’s intent to reward suppliers that go above and beyond in terms of security. In fact, the cultural shift is already happening, with the 2017 case of IPKeys Technologies serving as a prime example.

IPKeys protested to the U.S. Government Accountability Office (GAO) when it lost out on a defense contract to a higher-priced competitor. While both companies met the mandatory cybersecurity compliance requirements, the awardee had also demonstrated a proactive commitment to non-mandatory security frameworks. Despite its higher cost, the awardee received a higher value rating, and won the contract, as a direct result of going above and beyond compliance.

The GAO denied the protest, reinforcing the notion that minimum security compliance is no longer enough to remain competitive. Should the DoD implement the recommendations outlined in Deliver Uncompromised, which is likely given current concerns about foreign interference and cyberattacks, enhanced security will become a legal matter as well as a commercial one.

For you, that means getting ahead of the game and fortifying your cybersecurity now. While other suppliers continue to do the bare minimum in order to check off compliance boxes, your focus should be on strengthening security procedures and adding value wherever possible. Take these measures now, and when the legislative environment inevitably moves forward, you’ll be leading the way — not scrambling to keep up.

Want to Remain a Competitive Defense Supplier?

Then now is the time to start enhancing your security practices with a comprehensive, free cybersecurity evaluation from CyberSheath. Let us help you to make sense of the changing security environment and make sure your business stays one step ahead. Contact us now to arrange your free evaluation.


As cyber-attacks become more frequent and sophisticated, addressing tighter security needs has become a priority for the federal government. Enforcement of “Controlled Unclassified Information” (CUI) protection continues to intensify, and private contractors and organizations are now required to upgrade their cybersecurity systems and overall procedures to keep up with these increasing threats.

On April 24, 2018, the Department of Defense (DoD) issued draft guidance for assessing contractors’ System Security Plans (SSPs) and the implementation of the security controls in NIST Special Publication (SP) 800-171. If you’re a defense contractor, you’re required to comply with these regulations and provide “adequate security” for networks where covered defense information (CDI) is processed, stored, or transmitted.

DoD issued two draft guidance documents. The first, “Assessing the State of a Contractor’s Information System,” covers four topics: what must be in an RFP, how the source selection authority would evaluate the requirement, what resources are available for that evaluation, and the contract provisions needed to implement the requirement during performance. The second, “DoD Guidance for Reviewing System Security Plans and the NIST SP 800-171 Security Requirements Not Yet Implemented,” was developed to determine the risk that an unimplemented security control poses to an information system, and which unmet controls need to be prioritized.

What does “adequate security” mean?

At a minimum, defense contractors must implement the requirements in NIST SP 800-171. Contractors need to provide an SSP documenting the implementation of the security requirements, and also develop plans of action and milestones (POA&M) describing how any unimplemented security requirements will be met.

Unimplemented Controls Receive a Value Rating

NIST 800-171 consists of 110 security requirements spanning technical, administrative, and procedural controls. DoD has decided to assess the risk of unimplemented requirements by assigning each one a “DoD Value” ranging from 5 (highest impact on the security of the system) to 1 (lowest impact). NIST separately assigns priority codes to the NIST SP 800-53 Revision 4 security controls, which apply to federal information systems and form the basis for NIST SP 800-171.

Non-Compliance is Not an Option 

In 2018, proposed DoD guidance is already moving toward full enforcement of compliance, and the consequences of a compliance failure extend beyond the data breach itself. Failure to comply with DFARS can expose contractors to penalties imposed by the United States Government (civil, criminal, contractual, and administrative actions) or by individuals and private organizations damaged by the lack of compliance (actions for damages).

  • Bid Protests: While SSPs and POA&Ms are important for determining “adequate security,” the exact part they’ll play in bid protests and in the implementation of NIST SP 800-171 is still unclear. After reviewing implementation status during the pre-award stage, the DoD can make an acceptable or unacceptable determination and ultimately decide whether the contract should be awarded. Another option is to evaluate implementation as a “separate technical evaluation factor.” During the pre-award process, contractors may protest terms where a solicitation’s treatment of NIST SP 800-171 implementation is inconsistent with DoD’s guidance. If a contract was awarded to another contractor, disappointed offerors may consider challenging the award where the assessment of the protester’s or awardee’s implementation of NIST SP 800-171 is inconsistent with the guidance documents. If the DoD notices inconsistencies between your actual implementation of NIST SP 800-171 and your SSP and POA&M, it could award the contract to another contractor. Recent bid protest decisions have upheld awards to higher-priced bidders based in part on cybersecurity compliance and on the awardee going beyond the minimum security requirements in NIST SP 800-171.
  • Termination Risk: The accuracy of your SSP and POA&M, along with proof that you’re moving toward full compliance, is crucial. For the most accurate evaluation, the draft guidance states that solicitations and contracts must include contract data requirements lists (CDRLs) to “require delivery of System Security Plan and any Plans of action after contract award.” Once SSPs and POA&Ms are a contractual obligation, a failure to complete compliance, or an SSP that does not accurately state the implementation status of the contractor’s cybersecurity, may provide a basis for termination.
  • DCMA Audits: DoD has recently stated that, as part of its audit function, DCMA will confirm that all contractors have an SSP and POA&M. However, DCMA will not be analyzing whether the SSP fully complies with the NIST 800-171 security requirements, and it’s unknown at this point whether DCMA would leverage any of DoD’s guidance in its review.
  • False Claims Act: If a contractor is audited by DoD and found not to have implemented DFARS/NIST 800-171, it can face numerous penalties. For example, if your SSP misrepresents your actual cybersecurity status, the government can bring an action based on fraud under the False Claims Act, and may be able to show that the original SSP was key to the Department’s award decision. If that argument succeeds, your earnings under the original contract are at risk, along with the reputation of your organization.

Make Compliance a Priority Before it’s Too Late!

At CyberSheath, we know that implementing these new security controls can seem like a daunting undertaking. We’ve successfully assessed and implemented the required NIST 800-171 controls for leading organizations in the defense industrial base supply chain.

CyberArk is considered a global leader and pioneer in providing privileged access security, and for good reason.

Because CyberArk provides the most advanced Privileged Account Management (PAM) solutions in one platform, CyberSheath made the strategic decision to build out our PAM professional services with a CyberArk focus. One of the challenges for our mid-sized managed services customers was fitting CyberArk capabilities into resource-constrained budgets. CyberArk, trusted by the world’s leading businesses and more than 50% of Fortune 100 companies, was often out of reach for mid-sized businesses. We are happy to report that this has changed: CyberSheath now offers CyberArk as a flexible, multi-tenant, pay-as-you-go managed service offering!

CyberArk’s Advanced Security Solutions are Accessible and Affordable to Mid-Sized Businesses

CyberArk recently unveiled an expanded offering for Managed Security Service Providers (MSSPs) like CyberSheath, featuring a multi-tenant, pay-as-you-go option. The new multi-tenant offering allows CyberSheath to extend the reach of the CyberArk Privileged Account Security Solution to companies of all sizes. CyberSheath can now help you meet your compliance and operational PAM objectives for DFARS 252.204-7012, NIST 800-171, Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Regulation (GDPR) and more.

The multi-tenant version of the Privileged Account Security Solution offers consumption-based pricing to meet the unique needs of mid-sized businesses.

CyberArk’s flexible pay-as-you-go method enables CyberSheath to offer CyberArk’s advanced solutions without the huge up-front costs. CyberSheath delivers privileged access security as a single or multi-tenant solution, and your business only pays for what is deployed.

CyberArk’s pay-as-you-go model opens up privileged access security to businesses that previously lacked the funds or bandwidth for a large upfront investment. Mid-sized businesses will no longer be left out in the cold: CyberSheath’s award-winning PAM professional services, previously affordable only to larger organizations, are now within reach. CyberSheath can help your business reduce privilege-related security risk from malicious insiders and external attackers, leveraging the best PAM solution on the market.

CyberSheath offers a wide range of managed security services to a diverse range of customers, improving overall security and IT operations across multiple platforms. With CyberArk PAM now part of that offering for mid-sized businesses, we can accelerate onboarding and control and monitor their privileged accounts 24/7.

CyberArk’s MSSP offering enables customers to scale their privileged-access security offering over time, and, most importantly, improve overall security. CyberSheath’s privileged-access security professional and managed services, leveraging a best in class capability, reduce risk across all environments — on-premises, in hybrid-cloud environments and at the endpoint.

CyberSheath is the Most Trusted CyberArk Professional Services Provider

We’re the most trusted experts in privileged account security. That’s why more organizations choose CyberSheath for the highest quality implementation of all CyberArk professional service and managed services. We’ve been delivering CyberArk managed services for some of the largest customers in the defense, financial and utility sectors for years and now we are thrilled to offer these services to mid-market customers.

Let CyberSheath protect and monitor your privileged accounts, enable compliance with all regulatory requirements and measurably improve your operational security.

In February 2018, the U.S. Securities and Exchange Commission (SEC) issued new guidance for public companies to be more forthcoming when disclosing cybersecurity risks, expanding on previous guidance issued in 2011. In addition to warning corporate insiders not to trade shares while they hold non-public information about cybersecurity issues, the guidance advised that internal or law enforcement investigations cannot be used as an excuse for not informing the public. The unanimously approved guidance was published as “interpretive guidance,” which the SEC uses to state its views and interpret the federal securities laws and SEC regulations.

The 24-page guidance provides some clear insight and required actions for public companies to ensure compliance. The full document can be found here:

A clear takeaway from the guidance is that a company’s directors, officers, and other persons responsible for developing and overseeing disclosure controls and procedures should be informed about the company’s cybersecurity risks. While this seems like an obvious statement, ask yourself whether this information is actually flowing beyond the CIO or CISO.

Do you have a documented, repeatable process for informing company directors and officers of such risks, or is it ad hoc and on demand whenever cybersecurity is put on the board agenda as a topic of discussion? One way to be ready for these ad hoc requests, and ideally to help the company mature to something more formal, is to contract with a third party to execute a comprehensive cybersecurity risk assessment.

Assessments have earned a bad name because they often become shelf-ware that never sees the light of day outside the IT organization. Done correctly, these assessments should be the foundation for board-level briefings and should be based on a solid framework like the NIST Cybersecurity Framework. The right vendor will align the assessment with all relevant regulatory requirements or guidance in addition to the framework, and provide you with a comprehensive and quantifiable view of your cybersecurity risk.

For more information on how to leverage an assessment that can be transformative for your organization and enable you to comply with SEC guidance, read this blog post:

Getting back to the recent SEC guidance, it states that “Given the frequency, magnitude and cost of cybersecurity incidents, the Commission believes that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.”

The “risks” or “negative consequences” highlighted in the SEC guidance included:

  • Remediation costs;
  • Increased cybersecurity protection costs;
  • Lost revenues resulting from the unauthorized use of proprietary information or the failure to retain or attract customers following an attack;
  • Litigation and legal risks, including regulatory actions by state and federal governmental authorities and non-U.S. authorities;
  • Increased insurance premiums;
  • Reputational damage that adversely affects customer or investor confidence;
  • Damage to the company’s competitiveness, stock price, and long-term shareholder value.

The Commission stated that it is critical for public companies to take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack.

Given that every company should reasonably assume material risk related to cybersecurity, whether or not it has yet been the target of a cyber-attack, it’s clear that no public company escapes the guidance.

The SEC guidance encourages disclosure controls and procedures that provide a method for understanding the impact that cybersecurity risks and incidents have on the company, along with a protocol to determine the potential materiality of such risks and incidents.

The SEC describes effective disclosure controls and procedures “as best achieved when a company’s directors, officers, and other persons responsible for developing and overseeing such controls and procedures are informed about the cybersecurity risks and incidents that the company has faced or is likely to face.”

The following issues were highlighted as important when evaluating cybersecurity risk for disclosure:

  • The occurrence of prior cybersecurity incidents, including their severity and frequency;
  • The probability of the occurrence and potential magnitude of cybersecurity incidents;
  • The adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs, including, if appropriate, discussing the limits of the company’s ability to prevent or mitigate certain cybersecurity risks;
  • The aspects of the company’s business and operations that give rise to material cybersecurity risks and the potential costs and consequences of such risks, including industry-specific risks and third-party supplier and service provider risks;
  • The costs associated with maintaining cybersecurity protections, including, if applicable, insurance coverage relating to cybersecurity incidents or payments to service providers;
  • The potential for reputational harm;
  • Existing or pending laws and regulations that may affect the requirements to which companies are subject relating to cybersecurity and the associated costs to companies; and
  • Litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.

As the regulatory drumbeat continues, albeit slowly, companies have an opportunity to be proactive in educating their directors and officers about cybersecurity risk. Start with an assessment and build the foundation for a documented, repeatable way to meet your obligations.

If you need help understanding the latest SEC guidance and are interested in a cybersecurity assessment that can transform your organization, contact us.

As the mandate to achieve compliance with National Institute of Standards and Technology (NIST) SP 800-171 Rev. 1 went into effect on December 31, 2017, many DoD contractors wondered how compliance, or lack thereof, would impact their competitiveness in winning new contracts. We covered this topic in a blog post titled “Understanding NIST 800-171 Impact on Acquisition”, located here:

More recently, the U.S. Government Accountability Office (GAO) has provided an example of how compliance with both mandatory and non-mandatory cybersecurity requirements can be a discriminator in evaluation for awarding contracts.

The GAO denied a protest filed by IPKeys Technologies, LLC (IPKeys), B-414890; B-414890.2, on October 4, 2017. The awardee was given a higher score than IPKeys by the Defense Information Systems Agency (DISA) for an evaluation factor specific to cybersecurity. The GAO’s decision is a clear example of how seriously prime and subcontractors need to treat cybersecurity requirements to stay competitive.

In the IPKeys decision, the Defense Information Systems Agency (DISA) issued a Request for Proposal (RFP) for the “provision of engineering, transition, implementation, sustainment, and cybersecurity monitoring support services for DISA’s Global Video Service (GVS),” used by DoD and other government departments and agencies for unclassified and classified videoconferencing. The RFP required offerors to demonstrate their ability to provide engineering support related to cybersecurity issues with DISA’s GVS (Subfactor 2). Although the awardee’s costs were higher than the protester’s, it was awarded the contract under a best-value determination because it received a higher rating for two subfactors, one of which related to cybersecurity (Subfactor 2). The awardee proposed to utilize both the Risk Management Framework (RMF) and the NIST Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), which DISA evaluated as more valuable than meeting the requirements of the RMF alone. DISA determined that the two standards were distinct and complementary, even though the Cybersecurity Framework was not a requirement of the solicitation.

In detailing why it agreed with DISA’s evaluation, the GAO’s decision demonstrated a clear preference for a comprehensive cybersecurity solution over check-the-box compliance. “NIST SP 800-37 details the NIST RMF, which is a six-step process that provides a method of coordinating the inter-related Federal Information Security Management Act of 2002 (FISMA) standards and guidelines to ensure systems are provisioned, assessed, and managed with appropriate security.” The Cybersecurity “Framework is designed to complement existing business and cybersecurity operations.” Specifically, the “framework core” provides a set of activities to achieve cybersecurity outcomes that manage cybersecurity risk, broadly divided into five functions: identify, protect, detect, respond, and recover. The framework core, with its functions and their constituent categories and subcategories, “is not a checklist of actions to perform.” Additionally, the RMF is directed at agencies, and compliance with it is mandatory for them, whereas the Cybersecurity Framework is voluntary and targeted at the private sector. Said another way, compliance with the RMF was a requirement of the RFP; compliance with the Cybersecurity Framework was not. DISA determined that meeting both the mandatory and the non-mandatory requirements merited a higher evaluation score.

We can expect to see more contract award decisions that treat cybersecurity as a critical factor. Specific to NIST 800-171 Rev. 1, it’s not likely that simply having a System Security Plan (SSP) and Plan of Action and Milestones (POA&M) will be considered comprehensive. The controls must actually be implemented, and even that only meets the mandatory requirements. Will that be enough?

Cybersecurity has become a competitive discriminator in contract awards; decisions are already being made, in part, based on compliance with both mandatory and non-mandatory requirements.

Don’t wait any longer: act now and build a comprehensive solution to the growing list of cybersecurity compliance requirements. Contact CyberSheath for immediate assistance.

There is a common push-pull between innovation and security that traditionally plays out between application developers and security teams. Application teams are responsible for building fast and deploying quickly a functional, bug-free app stack. Meanwhile, security teams are tasked with ensuring the organization’s information and systems are secure, and that includes applications.

Securing applications in a timely manner is extremely important for the organization. If apps are left unchecked, developers will sometimes hardcode credentials or keys into their apps as a quick and easy way to bypass, and in their minds satisfy, this requirement.

Hardcoding Credentials Exposes Organizations to Massive Risks

  • Hardcoded application credentials are high-value targets for bad actors. Internal applications commonly require access to sensitive information on legacy systems that don’t support newer, more secure authentication technologies. This access is often granted by a set of credentials or keys, sometimes referred to as secrets, which are frequently over-privileged to begin with. If bad actors get their hands on those secrets, they could exfiltrate your organization’s most sensitive data.
  • Chances are your organization is a target-rich environment for attackers. The scale at which organizations use privileged application accounts is enormous.
    • For example, healthcare organizations handle patient and medical information on a massive scale. There are countless internal applications (homegrown code, scheduled tasks, services, etc.) that need to process privileged or confidential information. If a bad actor obtains a secret that grants access to this data, the result is a major security breach, with potential exposure of information protected under HIPAA and major financial consequences. The 2015 breach of health insurer Anthem led to a record-setting $115 million class-action settlement, with even greater potential losses for the firm due to lost brand equity.
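As an added example (not CyberSheath’s code) of catching the hardcoded secrets described above before they reach production, the Python below runs three detectors over constructed sample source lines: a string literal assigned to a secret-looking variable name, a username:password pair embedded in a connection URL, and a long literal with high Shannon entropy, which is the shape of an API key or token assigned to an innocuous name. The regular expressions, the entropy threshold and the "# nosecret" opt-out marker are assumptions to tune for your own codebase.

```python
"""Find credentials and keys hardcoded in source before they ship.

Added example, not CyberSheath's code. Three detectors run over constructed
sample source: an assignment of a string literal to a secret-looking name, a
user:password pair embedded in a connection URL, and a long string literal
with high Shannon entropy. The threshold and the '# nosecret' opt-out marker
are assumptions to tune per codebase.
"""
import math
import re
from dataclasses import dataclass

# A quoted literal assigned to a variable whose name suggests a secret.
SECRET_ASSIGN = re.compile(
    r"(?i)(password|passwd|pass|secret|api[_-]?key|apikey|token|private[_-]?key)"
    r"\w*\s*[:=]\s*['\"]([^'\"]{4,})['\"]"
)
# scheme://user:password@host  (credentials baked into a connection string)
URL_CRED = re.compile(r"[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@]+)@", re.I)
# Any literal of 20+ key-like characters; entropy decides whether it looks random.
LONG_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off
OPT_OUT_MARKER = "# nosecret"  # assumed allow-list marker for reviewed false positives


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    evidence: str  # redacted prefix only, so the report does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for a repeated single character)."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "***"


def scan(source: str) -> list[Finding]:
    """Return one finding per suspicious line; the first matching detector wins."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if OPT_OUT_MARKER in line:
            continue
        if (m := SECRET_ASSIGN.search(line)):
            findings.append(Finding(line_no, "credential-assignment", redact(m.group(2))))
            continue
        if (m := URL_CRED.search(line)):
            findings.append(Finding(line_no, "credential-in-url", redact(m.group(1))))
            continue
        for m in LONG_LITERAL.finditer(line):
            if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(line_no, "high-entropy-literal", redact(m.group(1))))
                break
    return findings


# Constructed sample source; none of these values are real credentials.
SAMPLE_SOURCE = """\
import os
db_password = "Summ3r2017!"
API_ENDPOINT = "https://api.example.internal/v1"
conn = "postgresql://svc_billing:Tr0ub4dor&3@db.example.internal/billing"
aws_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
hmac_seed = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
placeholder = "AAAAAAAAAAAAAAAAAAAAAAAA"
test_password = "not-a-real-password"  # nosecret
token = os.environ["SERVICE_TOKEN"]
greeting = "Welcome to the billing portal application"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.kind} ({f.evidence})")
```

Run it as a pre-commit hook or CI step. The report redacts the matched value so that the finding itself does not become one more copy of the secret. The entropy detector is what catches a key assigned to a harmless-looking name ("hmac_seed" in the sample), while the low-entropy placeholder and the line that reads the value from the environment pass clean; expect some false positives on things like base64-encoded test fixtures, which is what the opt-out marker is for.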

How an Organization Can Enable Secure App Development

Simply stated, you need to turn security into code and make it part of the development lifecycle, enabling your app teams. Your app teams need to start their coding with security in mind.

Some pointers:

  1. Determine what privileged information the app needs access to.
  2. Determine how you will secure access to that privileged information.
  3. Build the code around that access and those security requirements. Making security part of the development lifecycle means that your app is secure from release one, and validated as secure in every subsequent release.
  4. Enable your developers by providing the tools they need to do the job right. If you just tell them to do the first three steps without supporting the process, your developers will most likely default to doing things the fastest way, which often means finding ways to circumvent security.
    • Keep in mind that enabling your developers comes from a combination of tools and streamlined processes. Privileged account management tools like CyberArk’s Application Identity Manager, or DevOps-oriented tools like Conjur, give developers a secure way to authenticate their applications to other systems. It’s not enough to just have these tools; your organization needs to make implementing and using them simple for your app teams.
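The four steps above come together in the following added example, which is not CyberSheath’s code and not the CyberArk or Conjur API. It shows the application side of the pattern: the credential is never in the source, it is fetched from a secrets store when first needed, held only in memory, and re-fetched once if the target system rejects it, which is what keeps the app working through a credential rotation (the "evergreen process" developers ask about). The SecretStore interface, the in-memory store standing in for a vault, the fake database and the secret name BILLING_DB_PASSWORD are all constructed for the example.

```python
"""Keep credentials out of the code: fetch them from a secrets store at runtime.

Added example, not CyberSheath's code and not the CyberArk or Conjur API. The
SecretStore interface, the in-memory store standing in for a vault, and the
fake database are constructed for the example; the secret name
BILLING_DB_PASSWORD is an assumption.
"""
import os
from typing import Optional, Protocol


class SecretStore(Protocol):
    """Minimal broker interface the application codes against (assumed)."""
    def get(self, name: str) -> str: ...


class EnvSecretStore:
    """Reads a secret the platform injected (container env, CI secret plugin).

    Failing loudly when it is absent is deliberate: a missing secret should
    stop the app at startup, not fall back to a default baked into the code.
    """
    def get(self, name: str) -> str:
        value = os.environ.get(name)
        if not value:
            raise RuntimeError(f"secret {name!r} is not provisioned for this app")
        return value


class MemorySecretStore:
    """Stand-in for a vault or broker; values can be rotated out of band."""
    def __init__(self, initial: dict[str, str]) -> None:
        self._values = dict(initial)

    def get(self, name: str) -> str:
        return self._values[name]

    def rotate(self, name: str, new_value: str) -> None:
        self._values[name] = new_value


class AuthError(Exception):
    """Raised by the target system when the presented credential is rejected."""


class FakeDatabase:
    """Constructed target system that accepts only its current password."""
    def __init__(self, user: str, password: str) -> None:
        self.user, self.password, self.sessions = user, password, 0

    def connect(self, user: str, password: str) -> str:
        if (user, password) != (self.user, self.password):
            raise AuthError("invalid credentials")
        self.sessions += 1
        return f"session-{self.sessions}"

    def rotate_password(self, new_password: str) -> None:
        self.password = new_password


class BillingClient:
    """Application side. Instead of DB_PASSWORD = "..." in the source, the
    password is looked up from the store when first needed, held only in
    memory, and re-fetched once if the target rejects it, which covers the
    window while the credential is being rotated."""
    SECRET_NAME = "BILLING_DB_PASSWORD"  # assumed identifier in the store

    def __init__(self, store: SecretStore, db: FakeDatabase, user: str) -> None:
        self._store, self._db, self._user = store, db, user
        self._cached: Optional[str] = None

    def _password(self, refresh: bool = False) -> str:
        if self._cached is None or refresh:
            self._cached = self._store.get(self.SECRET_NAME)
        return self._cached

    def open_session(self) -> str:
        try:
            return self._db.connect(self._user, self._password())
        except AuthError:
            # The credential may have been rotated since it was cached: fetch
            # the current one and retry exactly once; a second failure propagates.
            return self._db.connect(self._user, self._password(refresh=True))


def demo_rotation() -> tuple[str, str, str]:
    """Shows the client surviving a rotation without a code change or restart."""
    store = MemorySecretStore({BillingClient.SECRET_NAME: "initial-pw-1"})
    db = FakeDatabase("svc_billing", "initial-pw-1")
    client = BillingClient(store, db, "svc_billing")
    first = client.open_session()           # uses the freshly fetched secret
    store.rotate(BillingClient.SECRET_NAME, "rotated-pw-2")
    db.rotate_password("rotated-pw-2")      # vault and target updated out of band
    second = client.open_session()          # first attempt fails, refetch succeeds
    return first, second, client._password()


if __name__ == "__main__":
    print(demo_rotation())
```

The design choice worth noting is the single retry on an authentication failure: it lets the broker rotate the credential on its schedule without coordinating a restart of every consumer, while a second failure still surfaces as an error instead of being retried forever. Swap MemorySecretStore for EnvSecretStore, or for a thin client of whatever broker you run, and the application code does not change.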

How to Answer Questions from Your App Teams

Chances are if you’re reading this, you are already imagining your app developers asking a series of questions including:

  • How does one register an app?
  • How do I write my code to use this tool?
  • Where does my secret go?
  • What’s my evergreen process?

CyberSheath develops simple, streamlined processes around these key questions to smooth the experience of securing applications. CyberSheath’s privileged access management engineers have real-world, enterprise-level experience designing and implementing secure application controls and creating the processes that enable your app teams. Whether your developers are programming in Java on Windows on-prem or loading an application into a Docker container in the cloud, CyberSheath can work with you to help secure your apps and reduce your organization’s residual risk. Contact us to learn more.

Stay tuned for part 2 of How to Enable Applications Teams to Secure Code where we will discuss features and benefits of tools you can use to secure your applications.

2017, both professionally and personally, has been a tremendously gratifying year. At CyberSheath we continued to focus on delivering cybersecurity services that materially helped customers better secure and defend their ever-expanding digital footprints. CyberSheath’s role in helping our clients implement the people, processes and technologies required for day-to-day operational cybersecurity, aligned with their specific compliance requirements, is meaningful work. Our experience in 2017 was one of forward progress against the tide of emerging threats, endless vendor technology offerings and increasing regulatory requirements related to cybersecurity.

Still, there were many challenges in 2017 that highlighted some basic cybersecurity “blocking and tackling” that still isn’t getting done. Exposure to global ransomware and other threats is often a result of not addressing fundamental cybersecurity best practices. Companies are struggling to find the time and resources to address the things that can have the greatest impact on their cybersecurity. A partial list of work that should be prioritized but often isn’t includes:

  • Asset discovery and inventory
  • Vulnerability assessment and remediation
  • Privileged account management
  • Secure configurations for hardware and software
  • Data recovery capability

If you are looking for a more complete list just search the Center for Internet Security (CIS) Critical Security Controls. Fundamentals like the Critical Security Controls get buried on the never-ending to-do list of security practitioners as the scope of what they have to secure keeps growing. Product vendors are doing their best to develop tools to address new threats, but our experience suggests that the vast majority of companies have more tools than they can effectively deploy, integrate and support. Companies selectively acquire vendor tools to address specific threats or capabilities but rarely plan for:

  • Integration with existing technology investments
  • People and process changes necessary to optimize the investment
  • Ongoing operations and maintenance

Unfortunately, this product/tool centric approach to cybersecurity has left companies struggling with:

  • Point solutions that aren’t integrated to provide maximum RoI
  • Ankle-deep skill sets spread across several vendor tools
  • Incomplete deployment of key technologies as staff rush to the next priority
  • Unplanned fire drill regulatory compliance projects
  • Tactical approach to the strategic problem that is cybersecurity

We can’t predict the year ahead but we can be certain the same issues we have seen for the past several years will continue to be a challenge and addressing that challenge presents a tremendous opportunity.

Companies, faced with regulatory compliance, vendor product offerings, new threats, and limited resources, can take control of their cybersecurity by aligning with the right service providers to ensure measurable, compliant cybersecurity. Companies should thoroughly research Managed Security Services Providers (MSSP) and determine what is best for their short and long-term cybersecurity needs and outsource the nagging list of fundamentals that never seems to get addressed.

MSSPs are increasingly being sought as a solution for companies who seek to eliminate staffing shortages and predictably deliver reliable, effective and compliant cybersecurity. For these companies, partnering with an MSSP makes it much more likely they will address the fundamentals of cybersecurity. An effective partnership with an MSSP should, at a minimum, enable:

  • Alignment of compliance with day to day operational security
  • Management of costs with predictable subscription-based pricing that delivers service you can measure
  • Automation and integration of regulatory compliance requirements with day to day operations
  • Basic fundamentals like asset discovery and inventory as well as vulnerability assessment
  • A more secure and fully compliant infrastructure

Guiding companies through their transition to an MSSP model should go well beyond simply collecting logs and providing dashboards; done correctly, it should transform and sustain them. The service offerings should be specific to your business needs and measurable. One of the intangible benefits companies should expect from an MSSP is a strengthening of the relationship with their business, leveraging the capability and expertise the MSSP brings to bear. For all its benefits, the MSSP model may not be the right fit for everyone, but CyberSheath feels privileged to assist companies who have chosen this as the best solution for their company. For our clients, the unique relationship with a highly qualified and committed MSSP is proving irreplaceable when it comes to cybersecurity operations and compliance.

Because making the transition to an MSSP should be transformational, it requires thoughtful consideration. Some companies wrestle with the decision for years, and others are forced into it for budgetary reasons. Ultimately, if you have reached a point where too little time, a growing number of threats, staffing shortages and regulatory complexity are causing you to be tactical in every decision you make, the MSSP model is one to consider.

We are looking forward to 2018 with genuine optimism, as we have a number of initiatives underway to help our clients continue their forward progress, including:

  • Introduction of additional ways to integrate cybersecurity operations with regulatory compliance and control costs
  • Supporting the people and process legs of the cybersecurity equation with quick sprint initiatives to optimize technology investments
  • Creation of business focused cybersecurity outcomes that enable corporate security teams to explain their value to the board and other stakeholders

Challenges are inevitable, but the opportunities to address cybersecurity in a measurable way have never been greater. As every security practitioner knows, even a highly capable security operation can benefit from a knowledgeable, outcome-focused partner to guide them on a complex, confusing journey. For an increasing number of companies, an MSSP will lead the way.

All of us at CyberSheath wish that your 2018 is a year of continued forward progress.

These days, it’s not easy to be in charge of your organization’s IT security. With cyberattacks increasing in frequency, severity, and reach, it’s more important than ever to develop a plan for achieving, managing, and documenting the security of all of your systems.

It’s Not Only Good Practice to Have a System Security Plan, but It’s Also a Requirement

NIST SP 800-171, Revision 1 recently added requirement 3.12.4 to the Security Assessment control family, stating that organizations must “Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.”

This one-sentence requirement is based on NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems.

Identify What Systems Need a System Security Plan

Now it’s time to figure out which systems in your organization require a System Security Plan (SSP). Each SSP should be focused on an information system, which is defined as “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.” An application, information or technology service, platform, and infrastructure are all considered systems, and their security must be formally planned according to the NIST SP 800-171 requirement for in-scope systems.

Compile your list of systems needing an SSP and start uncovering all the information you will need to write them. Each SSP will need two types of information, both of which can be a challenge to compile. These include:

  1. System details documenting how the system operates
  2. Details about how the NIST SP 800-171 Revision 1 controls requirements are met for that particular system. Note that the control statement responses are a granular system-specific response to the 110 control requirements.

Once you have your inventory of systems that store, process, or transmit Controlled Defense Information (CDI) or Controlled Unclassified Information (CUI), it’s time to start planning.

First, create a system security planning template. The appendix to NIST SP 800-18 – Guide for Developing Security Plans for Federal Information Systems has a template, which provides a great starting point for creating your organization’s SSPs.

Next, assemble your team for the planning process, making sure to include these roles:

  • System Owner – This role is critical to the system security planning process as this person has deep knowledge about the systems and understands what the system does, how it works, and how it is controlled. The system owner owns the security plan for the system and is responsible for providing diagrams and explanations that articulate where the sensitive data is stored at rest, where and how it is transmitted, and what system interfaces exist, especially those interfacing systems that transmit the sensitive (CDI and CUI) data.
  • IT/Security Support Staff – Depending on the size of your organization, your support team may provide a set of core IT services that provide control to the broader network and computing environment. Inheritable controls could include authentication services, firewalls, network segmentation, secure system baselining, access management, and change management. A system owner will work hand-in-hand with the support team to understand how and if the controls apply to his or her particular system.
  • Administrative/Business Operations Support Staff – Some controls that apply to systems may not be technical. Administrative and/or business operations staff will need to provide input into how non-technical controls, such as background screening processes, facility security mechanisms, training and awareness programs, and staff management controls, are addressed. The people who have ownership of these functional business capabilities will need to weigh in on the security planning effort so that controls are adequately defined.

Once you have the right people involved, it’s time to get to work and write the plan. It’s a laborious process, but the intent is to provide defensible information and responses as to how a system works and how security controls are applied. An auditor or contracting official will want to know how you safeguard their sensitive data, and the information you document along with control responses should provide assurance of that protection.

Create a Master SSP

Every system used for the storage, processing, and transmission of CDI/CUI should have a security plan. Think about the roles above and the functional areas they represent. If these roles exist as a core, corporate function that is applied consistently across the organization, then consider creating a master system security plan that documents a core set of controls meeting the NIST 800-171 requirements.

A Master SSP helps you define a standard across the enterprise for inheritable controls, which provides guidance to the system owners about how they may be consuming controls that are broadly applied to the organization. The effectiveness of the master system security planning concept depends on how effectively those broad controls are applied by mandate.

  • For those organizations who strictly apply their standards, the controls documented in the master system security plan would be thoroughly applied and can be relied on.
  • For those organizations looser about applying standards and mandates, a master system security plan makes a good reference, but system owners should pay close attention to whether they actually inherit the standard control offering, or if a system-specific control response is required.

Build Proactive Measures into Your SSPs

Developing your System Security Plan(s) will provide a systems-focused macro-view of how your security controls are being applied. The process also helps identify non-compliance and uncover insecure practices, alerting you and helping you create a plan to resolve issues.

Consider building your Plan of Actions & Milestones (POAM) into your SSPs, and track compliance deficiencies to resolution. This helps you be proactive in your remediation and corrective action planning and moves you closer to a mature state in managing security controls.

The CyberSheath team is experienced at helping organizations like yours create System Security Plans. Contact us to learn how we can help you.

As a contractor, you need to safeguard covered defense information that is processed or stored on your internal information system or network.

To stay in the running for work from your primes, you need to comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. You have until December 31, 2017 to implement NIST SP 800-171.

How will non-compliance with NIST SP 800-171 impact contractors’ future acquisition?

On September 21, 2017, The Director, Defense Pricing/Defense Procurement and Acquisition Policy issued guidance for acquisition personnel in anticipation of the December 31, 2017 deadline, which:

  • Outlines how contractors might implement NIST SP 800-171.
  • Addresses how a contractor may use a system security plan to document the implementation of the NIST SP 800-171 security requirements.
  • Describes how DoD organizations might choose to leverage the contractor’s system security plan (SSP), and any associated plans of action, in the contract formation, administration, and source selection processes.

To not jeopardize future opportunities, contractors should focus on developing a well-written SSP and associated Plan of Action and Milestones (POA&M) to achieve compliance.

What are the SSP and POA&M requirements?

NIST SP 800-171 was revised (Revision 1) in December 2016 to require a “system security plan” and associated “plans of action.” Specifically:

  • Security requirement 3.12.4 (System Security Plan, added by NIST SP 800-171, Revision 1), requires the contractor to develop, document, and periodically update, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Security Requirement 3.12.2 (Plans of Action), requires the contractor to develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

How do you write an SSP and POA&M?

Documenting implementation of the NIST SP 800-171 security requirements by the December 31, 2017, implementation deadline requires an SSP and associated plans of action which describe how and when you will meet unimplemented security requirements, how you will implement planned mitigations, and how and when you will correct deficiencies and reduce or eliminate vulnerabilities in the systems. System security plans and plans of action can be documented as separate or combined documents. You should choose a format that integrates with existing business processes and can be easily maintained year-over-year. Governance, Risk, and Compliance platforms can provide a technical, somewhat automated capability to meet this objective.

There is no prescribed methodology for contractors to implement the requirements of NIST SP 800-171, or even to assess your current compliance with the requirements – nor is there a prescribed format for SSPs or POA&Ms. A reasonable first step in creating an SSP and POA&M is to use company personnel or a qualified third party to execute a gap assessment of current operations against the NIST SP 800-171 requirements. The gap assessment will detail changes to policy and highlight areas where additional hardware or software are required to achieve compliance. A well-executed gap assessment will determine:

  1. Requirements that can be met using in-house IT personnel.
  2. Requirements that can be met using outside assistance.
  3. Plan of Action and Milestones for achieving compliance.

Which version of NIST 800-171 applies?

DFARS Clause 252.204-7012 requires the contractor to implement the version of the NIST SP 800-171 that is in effect at the time of the solicitation, or such other version that is authorized by the contracting officer.

How do you inform the Government of compliance with NIST SP 800-171 requirements?

You can inform the Government of your implementation of the NIST SP 800-171 requirements in a number of ways.

  • The solicitation provision DFARS 252.204-7008, “Compliance with Safeguarding Covered Defense Information Controls,” provides that by submitting the offer, the contractor is representing its compliance (and provides a procedure for the contractor to request the DoD Chief Information Officer (CIO) to authorize a variance from any of those requirements as being non-applicable, or because the contractor has a different but equally effective security measure).
  • Paragraph (c)(2)(ii)(A) of DFARS Clause 252.204-7012 requires the contractor that is performing a contract awarded prior to October 1, 2017, to notify the DoD CIO of any requirements of NIST SP 800-171 that are not implemented at the time of contract award.

Keep in mind, the solicitation may require or allow elements of the system security plan, which documents the implementation of NIST SP 800-171, to be included with your technical proposal, and may be incorporated as part of the contract (e.g., via a Section H special contract requirement).

What is the role of the SSP and POA&M in contract formulation, administration, and source selection?

Chapter 3 of NIST SP 800-171, Revision 1, states that Federal agencies may consider the contractor’s system security plan and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization, and whether or not it is advisable to pursue an agreement or contract with the nonfederal organization.

DFARS Clause 252.204-7012 is not structured to require contractor implementation of NIST SP 800-171 as a mandatory evaluation factor in the source selection process, but the requiring activity is not precluded from using a company’s SSP and associated POA&Ms to evaluate the overall risk introduced by the state of the contractor’s internal information system or network.

The Director, Defense Pricing/Defense Procurement and Acquisition Policy guidance for acquisition personnel provides the following examples of how the government may utilize the system security plan and associated plans of action:

  • Using proposal instructions and corresponding evaluation specifics (detailed in sections L and M of the solicitation as well as the Source Selection Plan) regarding how implementation of NIST SP 800-171 (and other applicable security measures) will be used by DoD to determine whether it is an acceptable or unacceptable risk to process, store, or transmit covered defense information on a system hosted by the offeror. The solicitation must notify the offeror whether and how its approach to protecting covered defense information and providing adequate security in accordance with DFARS 252.204-7012 will be evaluated in the solicitation.
  • Establishing compliance with DFARS 252.204-7012 as a separate technical evaluation factor and notifying the offeror that its approach to providing adequate security will be evaluated in the source selection process. The specifics of how the offeror’s implementation of NIST SP 800-171 will be evaluated must be detailed in Sections L and M of the solicitation as well as the Source Selection Plan.

If you are behind in implementing the required controls of NIST SP 800-171, are unsure of how to write your SSP and POA&Ms, or need expert help complying with the requirements, contact CyberSheath at for immediate assistance.

As a small- or medium-sized business, you are faced with many challenges. How do you stay focused on your company’s core mission while scaling your organization’s infrastructure to accommodate growth and investing in the right technologies and solutions?

That’s where managed services come in. Instead of investing in the headcount, you can outsource key services to IT professionals focused on critical areas. Advantages of this approach include:

  • Consistent, known, and manageable costs with a good return on investment
  • Ability to leverage innovations and stay at the front of the technology curve
  • Improved security and peace of mind knowing experts are proactively handling issues
  • Internal team members can focus on strategic projects, furthering your company’s cause

How CyberSheath Can Help

You can rely on CyberSheath for your Managed Security Services or Governance, Risk, and Compliance needs. Partnering with other managed service providers while carving out our area of expertise means that you see no additional spend for licensing costs.

You need: A DFARS-compliant security management platform that monitors your cloud, hybrid cloud, and on-premises infrastructure to provide a unified approach to threat detection and compliance management.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.3.1, 3.3.4, 3.3.5, 3.3.6, and 3.3.8

CyberSheath offers: Security Management Platform

  • Security Information and Event Management (SIEM) | Gathers and analyzes logs and event data from disparate security controls and devices across the network, and correlates them to identify related security events.
  • Vulnerability Management & Asset Discovery | Provides visibility into assets and user activity and identifies vulnerabilities across the environment.
  • Intrusion Detection System | Detects intrusions and monitors behavior to track events and establish a benchmark for normal conduct.
  • Threat Intelligence | Implements correlation rules, IDS signatures, vulnerability detection rules, and IP reputation updates to ensure the security management platform is appropriately maintained and detecting current threats.

You need: A DFARS-compliant incident response monitoring program that will continuously monitor your environment for malicious outsider threats as well as malicious and non-malicious insider threats.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.3.3, 3.6.1, 3.6.2, 3.14.3, 3.14.6, and 3.14.7

CyberSheath offers: Incident Response Monitoring Managed Service

  • Comprehensively monitors and analyzes correlated alerts derived from log feeds of selected devices feeding into the SIEM solution. Monitoring will be provided by security experts to identify and respond to security threats.
  • Provides detailed notification and recommendations for containment, eradication, and recovery from security incidents as dictated in the organizational Incident Response Plan (IRP).
  • Creates, edits, and manages all details of the incident in a tracking solution until incident closure.
  • Tracks metrics for incident occurrences, time to resolution, and other critical measurements of the IRP.
  • Provides updates and improvements to the IRP based on after-action reports and lessons learned.

You need: An identification and authentication service that complies with the DFARS security requirements for multi-factor authentication.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.5.3, 3.5.5, and 3.7.5

CyberSheath offers: Multifactor Authentication (MFA) Managed Service

  • Secures access to accounts by offering a layered approach to security for your VPN, privileged accounts, and Covered Defense Information (CDI) systems.
  • Works with stakeholders and end-users to test the validity of MFA solutions against the in-scope systems and defined use-cases.
  • Deploys the capability to the in-scope users and systems.
  • Develops and delivers training material for all in-scope users who will be required to use the MFA solution.
  • Works to resolve any system irregularities or issues with the MFA solution.

You need: A mobile device management service for mobile devices that complies with the DFARS security requirements for systems which store, process, or transmit CDI.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.1.1, 3.1.8, 3.1.10, 3.1.18, 3.1.19, 3.8.6, 3.13.11, and 3.13.16

CyberSheath offers: Mobile Device Management (MDM) Managed Service

  • Enforces security configuration and encryption for bring-your-own-device (BYOD) or company-provided mobile phones or tablets.
  • Works with stakeholders and end-users to test the capabilities of the mobile device management solution against the in-scope systems and defined use-cases.
  • Deploys the capability to the in-scope users and systems.
  • Develops and delivers training material for all in-scope users.
  • Works with the organization to administer the MDM solution as it relates to the provisioning and de-provisioning of mobile devices and users within the scoped environment.

You need: An endpoint protection solution that complies with the DFARS security requirements for the protection of endpoints (client systems and servers) and removable media which store, process, or transmit CDI.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.1.19, 3.8.6, 3.8.7, 3.13.11, 3.13.16, 3.14.2, 3.14.4, and 3.14.5

CyberSheath offers: Endpoint Protection Managed Service

  • Centralizes management of anti-virus, anti-malware, and full disk encryption for laptops, workstations, and servers.
  • Works with stakeholders and end-users to test the capabilities of the endpoint protection and encryption solutions against the in-scope systems.
  • Deploys the capability to the in-scope users and systems.
  • Develops and delivers training material for all in-scope users who will be required to use the encryption solutions.
  • Works with the organization to administer the endpoint protection suite as it relates to the configuration and troubleshooting of systems within the scoped environment.

You need: A GRC program that enables the organization to track and maintain DFARS compliance after all remediation efforts have been completed.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.2.1, 3.2.2, 3.2.3, 3.4.1, 3.6.2, 3.12.3, 3.12.1, and 3.12.3

CyberSheath offers: Governance, Risk, and Compliance (GRC) Managed Service

  • Provides and maintains a repository of assets, threats, and pre-mapped controls, and assigns controls based on role throughout the organization.
  • Manages policy based on your organization’s unique risk profile, regulatory requirements, and best practice needs.
  • Inventories, tracks, and manages all vendor and service provider assessment activities.
  • Manages training with web-based information security awareness training in line with DFARS security requirements.
  • Provides audit management with a streamlined verification process for IT security controls through defined audit workflows.
  • Identifies, tracks, and manages regulatory changes to ensure your organization maintains a state of compliance.

You can rely on CyberSheath to provide quality managed services for your IT security needs. Contact us to learn more about how we can help your organization.

As a subcontractor on a Department of Defense contract, you have likely had flow down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Many subcontractors, as they scramble to secure their infrastructure to be in compliance before the December 2017 DFARS deadline, are also asking, “When should DFARS clause 252.204-7012 flow down to our subcontractors?”

To help you answer that question, here are some basics related to DFARS clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting (effective October 21, 2016) and NIST 800-171.

The Basics of DFARS Clause 252.204-7012

This clause is required in all contracts except for those contracts solely for the acquisition of COTS items. It requires contractors and subcontractors to:

  1. Safeguard covered defense information (CDI) that is resident on or transiting through a contractor’s internal information system or network.
  2. Report cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support.
  3. Submit malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center.
  4. If requested, submit media and additional information for damage assessment.

What is Covered Defense Information (CDI)?

This term is used to identify information that requires protection under DFARS Clause 252.204-7012. Covered defense information is unclassified controlled technical information (CTI) or other information as described in the controlled unclassified information (CUI) Registry that requires safeguarding or dissemination controls*, and is either:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD, in support of the performance of the contract or
  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor, in support of the performance of the contract.

* Pursuant to and consistent with law, regulations, and Government-wide policies

Does DFARS clause 252.204-7012 flow down to subcontractors?

The clause impacts subcontractors when performance will involve operationally critical support or CDI. You should determine, in consultation with your contracting officer if necessary, whether the information required for subcontractor performance is or retains its identity as CDI, and requires safeguarding or dissemination controls. Flowdown is to be enforced by the prime contractor. If a subcontractor does not agree to comply with the clause, CDI should not be on that subcontractor’s information system.

What does DFARS Clause 252.204-7012 require?

Simply stated, this DFARS clause mandates adequate security. The contractor shall provide sufficient security on all covered contractor information systems. To provide satisfactory security for covered contractor information systems that are not part of an IT service or system operated on behalf of the Government, at a minimum, the contractor must implement NIST SP 800-171, as soon as practical, but no later than December 31, 2017.

What is NIST SP 800-171?

This standard:

  • Enables contractors to comply using systems and practices likely already in place.
  • Significantly reduces unnecessary specificity, as requirements are performance-based, and more easily applied to existing systems.
  • Provides a standardized, uniform set of requirements for all CUI security needs.
  • Allows non-federal organizations to consistently implement safeguards for the protection of CUI (i.e., one CUI solution for all customers).
  • Allows contractors to implement alternative, but equally effective, security measures to satisfy CUI security requirements.

If you are struggling with interpreting these requirements or need help implementing the security controls, CyberSheath can help you determine a path forward for achieving compliance ahead of the December deadline by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your remediation efforts.

There are less than 100 days left until the mandatory compliance deadline for implementing the DFARS required controls of NIST 800-171. Is your organization ready?

If you have been focusing on other strategic business initiatives and have not yet dedicated resources to NIST 800-171 compliance, you still have time. It will take a lot of work, but your organization can have a documented plan in place to guide your efforts and make material gains towards compliance this quarter.

Month-by-Month DFARS Compliance Guide

To remain competitive in your pursuit of new contracts with the Department of Defense, you should:

  1. Assess your current state and create an implementation plan for your needed controls.
  2. Formulate a DFARS-required System Security Plan (SSP).
  3. Achieve DFARS compliance.

Here’s how to accomplish that by the end of 2017.


  • Conduct security assessment – You might be tempted to save time and skip this step – but don’t assume that you already know what work needs to be done. Execute an internally or externally-led gap assessment against the fourteen families of controls in NIST 800-171. Document your compliance with each family of controls. Be sure to record the people, processes, technologies, and related artifacts involved and demonstrate that your security program is implementing the required controls as a part of your day-to-day operations.
  • Unsure of how to proceed? Work with a vendor – If you are struggling with the interpretation of the controls, enlist the help of a skilled outside party to execute the gap assessment.
    • Find a vendor – Look for a services provider with specific NIST 800-171 experience, both assessing compliance and implementing remediation programs to achieve compliance. Get references and make the vendor provide proof of past success in helping defense contractors achieve compliance. Query the vendor about the deliverable from the assessment and be clear that you are looking for more than best practice recommendations – you require information specific to your internal operations.
    • Leverage the third-party vendor to engage your executive team – Have your vendor work with your executives and get answers to the inevitable questions around DFARS compliance. You probably already have a talented team that has been briefing NIST 800-171 internally for some time. Often the same message from a trusted third party with past experience can jumpstart the conversation at the executive level and secure the support your team needs.

November and December

  • Create a project plan and start implementing controls – Using the results of your gap assessment, create a project plan and start implementing controls that don’t currently exist in your organization and remediating the ones that fall short of meeting the requirements.
  • Be proactive in engaging procurement – If you have to purchase tools or engage a third party to assist in remediation, make sure that your purchasing is streamlined. With less than 100 days left there is little time for delays related to procurement processing. Ideally, you will have already spent time to get executive buy-in on this effort and have created the required sense of urgency around meeting the December compliance deadline.
  • Start writing your SSP – In parallel to your remediation efforts, start writing your SSP. It’s a requirement of compliance – and it will force you to be strategic about long-term compliance and not get lost in the tactical details of getting specific controls implemented before December. Your SSP should be a true reflection of your NIST 800-171 compliance program. You should plan to review and update this document annually.

CyberSheath is skilled at performing security assessments, creating remediation plans, writing SSPs, and most importantly actually implementing the required controls. If you need assistance achieving DFARS compliance before the deadline, Contact Us today.

What do you and your security team need to successfully improve privileged access controls? The first blog in this series offered direction on making the core decisions that power your overall strategy. Next we recommended ways to engage stakeholders across your organization. Now it’s time to provide guidance on the team, techniques, and tools you’ll need to drive this initiative.

Here’s What You Need to Get It Done

  1. Realistic expectations

Make sure you go into your privileged account management (PAM) deployment with a clear view of the process and its impact on your organization. It is common to scope the initial “quick win” phases to complete in a matter of weeks, in order to gain traction and prove the value of the initiative. From there, the initiative is usually run as a phased program. Rolling out better privileged access controls across an enterprise is typically a one- to multi-year effort, but your organization can expect to see results in terms of risk reduction almost immediately after deploying improved controls around the first set of accounts.

During implementation, there will be some temporary disruption to business processes. Post-deployment, business processes are often sped up. If well-planned, improving privileged access controls can provide benefits such as increased efficiency, fewer user errors, increased uptime, and easier troubleshooting. After the initial deployment, an ongoing effort will be required to ensure that privileged access controls keep up with changes in the environment.

  2. The right people with the right skillsets

PAM solutions can be fairly complex to deploy and maintain. They typically touch multiple IT domains (Windows, Unix, databases, network devices, etc.) and require a broad set of skills, from basic troubleshooting to writing custom scripts and code. This typically calls for at least two dedicated engineering resources, a project manager, a service owner, and some engagement from professional services.

Required skillsets include:

  • Technical/design – Members of the security team must be able to handle the technical issues, questions, and objections that arise. Areas of expertise should include:
    • The infrastructure used in the organization
    • Platforms such as Microsoft Windows and Linux
    • Applications and databases
    • Application development practices with respect to permissions
    • Privileged account security controls
    • Security control design
    • Processes around technology service management
  • Security governance and risk – The team should be able to help business and IT leaders make governance and risk decisions and guide the optimization of policies and processes. This requires a thorough understanding of business operations and goals. Knowledge of identity and access management (IAM) and of account provisioning and maintenance practices is also important.
  • Project management – A large-scale privileged access security initiative requires methodical planning and has many moving parts. You will need people with strong project management skills on the team to keep all of the various stakeholder groups aligned and focused on what needs to be done and to make sure it happens.
  • Soft skills – The security team will need people with diplomatic skills and an aptitude for negotiation, politics, and communication. Members of the team need to be able to explain why new processes need to be followed and be competent at listening to stakeholders and taking their concerns into consideration.
  3. Measurable and meaningful metrics

Your PAM deployment needs to deliver results and measurable outcomes. Metrics are valuable to illustrate the need for better controls, measure improvements, and demonstrate the value of the program.
Use metrics to:

  • Test effectiveness of controls – Through penetration tests, measure the potential vulnerabilities of credentials and show how vulnerabilities have been reduced after implementing improvements. Test how long it would take for an attacker to get control of domain admin accounts.
  • Show when to make course corrections – Measure access violations before and after implementing control changes. Be prepared to rework controls if expected results are not materializing.
  • Gauge the effect of controls on efficiency – Calculate the amount of time admins are spending on tedious tasks, such as resetting passwords.
  • Measure how the controls impact system availability – Applications with embedded credentials must periodically go through scheduled downtime so credentials can be changed. Take note of the amount of downtime required. Admin errors can inadvertently bring down a system. Compare the time required to recover from an outage before and after implementing control changes.
  • Assess impact on application performance – Test application performance and functionality before and after removing embedded passwords from applications.
  4. A plan with milestones

After identifying priorities, you’ll need to further break down the identified priority areas into phases. Here is one approach to how to phase your PAM deployment.

  • Phase 0: Installation and basic configuration of the PAM solution
  • Phase 1: Built-in accounts – Identify and onboard built-in accounts and enable password rotation on the accounts.
  • Phase 2: Domain admins and individual account privilege revocation – Onboard domain admin accounts into CyberArk. Isolate and monitor sessions to Tier 0 assets. Remove or minimize local privileged accounts and any users that have been added to the local “Administrators” group on servers, with the exception of service accounts that genuinely require it. Make this an ongoing process rather than a one-time cleanup.
  • Phase 3: Databases, exchange admins and Tier 1 session isolation – Isolate and monitor Tier 1 assets. Onboard any privileged database and exchange admin accounts you may have.
  • Phase 4: Network devices, business apps, security systems, legacy systems – Identify and onboard network devices, business apps, and security appliances. Use privileged session management and the PAM solution’s MFA capability to protect privileged access to legacy systems.
  • Phase 5: Service accounts – Identify and begin addressing the management of service and App IDs.
  • Phase 6: Desktop least privileged model and whitelisting of apps (OPM/EPM) – Allow only certain users to elevate their permissions. Limit which apps and commands can be run by which users.
  • Phase 7: Corporate accounts – Protect corporate communication and external financial systems accounts and other accounts. Use privilege session management to allow users to use these accounts without revealing the password.
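Phase 2 above ends with a process for keeping the local Administrators group trimmed on an ongoing basis, and the metrics section asks you to measure access violations before and after the controls change. One way to do both is to read the Windows Security log, which records every membership change to a local group (event ID 4732) or a global group (event ID 4728), and compare each addition against the accounts you have approved and the account the PAM solution itself uses to make changes. The Python below is an added example written for this post, not code from CyberSheath or from any PAM product. The group names, the allow-lists, the PAM service account name CORP\pam-svc and the sample events are all constructed for the example, and the events are shown as flattened JSON rather than the raw XML the log produces.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Groups treated as privileged for this example; extend for your environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Allow-list of members permitted in each privileged group (constructed).
# Service accounts that genuinely need local admin rights belong here, so the
# exception is explicit and auditable rather than tribal knowledge.
APPROVED_MEMBERS = {
    "Administrators": {"CORP\\svc-backup", "CORP\\Domain Admins"},
    "Domain Admins": {"CORP\\pam-break-glass"},
}

# Accounts allowed to change privileged group membership, i.e. the PAM
# solution's own service account (assumption for this example).
PAM_ACTORS = {"CORP\\pam-svc"}

MEMBER_ADDED = {4728, 4732}   # 4728: global group, 4732: local group


@dataclass(frozen=True)
class Alert:
    host: str
    group: str
    member: str
    actor: str
    reason: str


def _account(domain: str, name: str) -> str:
    """Normalise to DOMAIN\\name so allow-list lookups are unambiguous."""
    return f"{domain}\\{name}" if domain else name


def check_event(ev: dict) -> Optional[Alert]:
    """Return an Alert for an unexpected addition to a privileged group, else None."""
    if ev.get("EventID") not in MEMBER_ADDED:
        return None                      # removals and unrelated events are ignored
    group = ev["TargetUserName"]
    if group not in PRIVILEGED_GROUPS:
        return None
    member = _account(ev.get("MemberDomainName", ""), ev["MemberName"])
    actor = _account(ev.get("SubjectDomainName", ""), ev["SubjectUserName"])
    if member not in APPROVED_MEMBERS.get(group, set()):
        return Alert(ev["Computer"], group, member, actor, "unapproved member added")
    if actor not in PAM_ACTORS:
        # Right member, wrong path: the change bypassed the ticketed PAM workflow.
        return Alert(ev["Computer"], group, member, actor,
                     "approved member added outside PAM workflow")
    return None


def scan_events(lines: List[str]) -> List[Alert]:
    """Run check_event over JSON-lines input and collect alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = check_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real log data). Field names follow the Windows
# Security log but are flattened to JSON; the member's domain is split out.
SAMPLE_EVENTS = [
    '{"EventID": 4732, "Computer": "APP01", "TargetUserName": "Administrators", "MemberDomainName": "CORP", "MemberName": "jdoe", "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"}',
    '{"EventID": 4732, "Computer": "APP01", "TargetUserName": "Administrators", "MemberDomainName": "CORP", "MemberName": "svc-backup", "SubjectDomainName": "CORP", "SubjectUserName": "pam-svc"}',
    '{"EventID": 4732, "Computer": "APP01", "TargetUserName": "Remote Desktop Users", "MemberDomainName": "CORP", "MemberName": "jdoe", "SubjectDomainName": "CORP", "SubjectUserName": "helpdesk1"}',
    '{"EventID": 4728, "Computer": "DC01", "TargetUserName": "Domain Admins", "MemberDomainName": "CORP", "MemberName": "pam-break-glass", "SubjectDomainName": "CORP", "SubjectUserName": "bsmith"}',
    '{"EventID": 4733, "Computer": "APP01", "TargetUserName": "Administrators", "MemberDomainName": "CORP", "MemberName": "jdoe", "SubjectDomainName": "CORP", "SubjectUserName": "pam-svc"}',
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"{a.host}: {a.member} added to {a.group} by {a.actor} ({a.reason})")
```

Run as a script it prints two alerts from the sample events: a user adding themselves to Administrators on APP01, and an approved break-glass account added to Domain Admins by a human rather than through the PAM service account. In practice the same logic runs over the 4728/4732 events your SIEM already collects, and the count of alerts per month is the “access violations before and after” number the metrics section asks for.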

Keep your momentum. Implementing more advanced controls across a large enterprise often requires a certain persistence and fortitude. A common reporting model is a weekly status meeting for the project team and a monthly review by an executive steering committee.

  5. The Right Tools

Start by understanding your strategic goals and formulating your approach, then find tools that will help achieve those goals. Take the time to select privileged account security and management tools that support your specific security and enterprise requirements. Adopt processes to get the most out of tools and to help you stay on track. Some technology features that are especially important include the ability to:

  • Securely store credentials in an encrypted vault
  • Create a single sign-on environment
  • Uniquely identify users and restrict their use of privileged accounts
  • Limit the length of privileged sessions for a user or application
  • Centrally monitor and record the use of privileged accounts
  • Automate password changes to run on schedule or trigger when an employee leaves the organization
  • Scale and meet performance demands in a large enterprise environment
  • Integrate with the organization’s infrastructure, applications, and other security technologies

Other key tools and technologies that can be helpful include:

  • Enhanced monitoring and alerting systems such as Security Information and Event Management systems (SIEM) and Security Analytics/Big Data Platforms
  • Technology for two-factor authentication to be used for remote access, third parties, and infrastructure administrators who have root or domain admin privileges

The theft of privileged credentials and privilege escalation are key stages in most successful cyber attacks. Today’s threat environment is prompting many enterprises to address the gaps in their security program to better protect privileged credentials. It requires a strong combination of technical and soft skills, a methodical project plan, appropriate tools, and persistence.

CyberSheath has helped implement comprehensive enterprise-wide initiatives in privileged account security. We work with over 50 organizations ranging from the largest financial, healthcare, and development firms with thousands of users to new implementations at organizations with only a handful of IT users. Contact us to get your PAM initiative started.

In less than five months your organization needs to be DFARS NIST 800-171 compliant. If you have already formulated a remediation plan to help you address your deficiencies, continue working through your prioritized roadmap to meet the compliance deadline. If you haven’t yet begun planning, get started today. Don’t jeopardize your ability to secure and execute DoD contracts by being non-compliant.

Three Areas to Focus on as You Craft Your Compliance Roadmap

After you’ve assessed your organization against the 110 security controls in NIST 800-171, you’ll need to build a plan to address your compliance gaps. An effective plan will have components that address these three areas.

  1. Multi-Factor authentication
    • What it is: Multi-factor authentication (MFA) is a security measure that requires more than one method of authentication, from independent categories of credentials, to verify a user’s identity for a login or other transaction. It is an important component of any security plan, as moving beyond a single factor greatly improves the security of your systems.
    • What you need to do: Procure an identification and authentication service that complies with the DFARS security requirements. Make sure the MFA solution is scoped and implemented to address the unique requirements of your environment. Also, work with stakeholders and end-users to conduct use-case and validity testing. Integrate with your authentication management processes to administer the user lifecycle. Make sure you have access to training, maintenance, and support of your solution.
  2. Privileged Account Management
    • What it is: Privileged account management (PAM) is managing and auditing account and data access by privileged users, who are individuals with administrative access to critical systems. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.
    • What you need to do: Ensure your PAM solution provides automated, monitored, and controlled privileged access. Elevate administrative access to avoid granting excessive access to privileged accounts. Require the verification of a ticket or an approval to ensure administrative access is only granted when it is required for a specific activity. Work with engineers who are well versed in fine-tuning the configuration of the PAM suite and who can provide technical expertise and customization for your unique project.
  3. Vulnerability Management
    • What it is: Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities in your infrastructure. Your organization must continually monitor for vulnerabilities to stay ahead of potential threats.
    • What you need to do: A DFARS compliant vulnerability management program will continuously assess your environment for vulnerabilities and patch compliance. Make sure your solution performs monthly vulnerability scans, as well as scans after any significant changes are made, of all your internal and public-facing systems. Also, ensure you receive a monthly report detailing new findings and findings from the previous month(s) which have yet to be remediated. Verify implementation of patches or workarounds for each fix with follow-up scans as needed.
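The vulnerability management item above asks for a monthly report that separates new findings from the previous months’ findings that are still open, and for follow-up scans that verify fixes. Scanners tend to stamp every finding with the date of the current scan, so the report has to carry the original first-seen date forward itself in order to age findings against a remediation window. The Python below is an added example written for this post, not part of the original or of any scanner product. The two scan exports, the host names and the remediation windows in SLA_DAYS are constructed assumptions for the example; findings are keyed on (host, check) so the same issue is matched from one month to the next.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ScanFinding:
    host: str
    check_id: str     # scanner check or CVE identifier
    severity: str     # critical / high / medium / low
    first_seen: date  # date the scanner reported it; scanners usually reset this each run


# Remediation windows in days by severity. These are an assumption for the
# example; use the timelines from your own policy or contract.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

Key = Tuple[str, str]


def _index(findings: List[ScanFinding]) -> Dict[Key, ScanFinding]:
    """Key by (host, check) so the same issue is matched month to month."""
    return {(f.host, f.check_id): f for f in findings}


def reconcile(previous: List[ScanFinding], current: List[ScanFinding], as_of: date):
    """Split the current scan against last month's report.

    `previous` is last month's register, whose first_seen dates have already
    been carried forward. Returns (new, still_open, resolved); still_open
    entries carry the original first-seen date, the age in days and whether
    the SLA window has been breached.
    """
    prev, cur = _index(previous), _index(current)
    new = [f for key, f in cur.items() if key not in prev]
    still_open = []
    for key, f in cur.items():
        if key in prev:
            first_seen = prev[key].first_seen   # keep the earliest date, not this scan's
            age = (as_of - first_seen).days
            aged = ScanFinding(f.host, f.check_id, f.severity, first_seen)
            still_open.append((aged, age, age > SLA_DAYS[f.severity]))
    # Anything in last month's register that the follow-up scan no longer reports.
    resolved = [f for key, f in prev.items() if key not in cur]
    return new, still_open, resolved


def monthly_report(previous, current, as_of) -> Dict[str, List[str]]:
    """Render the three sections the monthly report needs as plain strings."""
    new, still_open, resolved = reconcile(previous, current, as_of)
    return {
        "new": sorted(f"{f.host} {f.check_id} ({f.severity})" for f in new),
        "still_open": sorted(
            f"{f.host} {f.check_id} ({f.severity}) open {age}d" + (" OVERDUE" if overdue else "")
            for f, age, overdue in still_open),
        "resolved": sorted(f"{f.host} {f.check_id}" for f in resolved),
    }


# Constructed sample exports (hosts and dates are made up for the example).
PREVIOUS_SCAN = [
    ScanFinding("web01", "CVE-2017-5638", "critical", date(2017, 9, 1)),
    ScanFinding("web01", "MS17-010", "critical", date(2017, 8, 15)),
    ScanFinding("db01", "ssl-weak-ciphers", "medium", date(2017, 9, 30)),
]
AS_OF = date(2017, 10, 31)
CURRENT_SCAN = [
    ScanFinding("web01", "MS17-010", "critical", AS_OF),       # still unpatched
    ScanFinding("db01", "ssl-weak-ciphers", "medium", AS_OF),  # still present
    ScanFinding("app01", "CVE-2017-9798", "high", AS_OF),      # new this month
]

if __name__ == "__main__":
    for section, lines in monthly_report(PREVIOUS_SCAN, CURRENT_SCAN, AS_OF).items():
        print(section.upper())
        for line in lines:
            print("  " + line)
```

The point of carrying first_seen forward is visible in the sample: MS17-010 on web01 shows as 77 days open and overdue against a 15-day critical window, which a report built only from this month’s scan date would hide. A finding that disappears from the follow-up scan lands in the resolved section, which is the verification step the item above asks for.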

Plan, Provision, and Outsource if Needed to Meet the December 31, 2017 Deadline

Determine what you can reasonably accomplish with your internal resources and what you need to outsource to meet the December deadline. Also, as part of your roadmap, make sure you plan for a post-compliance world where you need to maintain the controls you’ve implemented.

Regardless of where you are in your DFARS compliance process, time is of the essence. Continue your efforts or get started now – five months is not much time to effect the change mandated by NIST 800-171 compliance.

If you need support, contact us for a FREE consultation.

You’ve made the three decisions necessary to start building your privileged account management (PAM) plan. The next step is to build consensus and create stakeholder buy-in by having four pivotal conversations with key members of your executive, business process, and IT teams.

Who You Should Talk to – And What You Should Say

Executive Team – Lead with, “It’s time to make privileged account management a priority.”

Getting Ready & Intel

  • Secure buy-in from the top – The initial deployment will require senior leadership to understand the risks of unsecured privileged accounts, and just as importantly they will need to specify deadlines by which all privileged accounts need to be compliant. The prioritization of a successful PAM project will be driven from the top down. In addition to establishing accord with the CIO/CTO/CISO, it’s important that you have engagement with the compliance and financial executives.
  • Garner support to obtain budget and resources – Executive leadership can rally employees to make your PAM initiative an organizational priority, impart a sense of urgency and ownership across the organization, and prevent it from being derailed by minor issues.

Talking Points

  • Analysis of high-profile breaches – Describe how privileged access controls factored into particular breaches and relate it to your company’s own risk profile.
  • Penetration testing results – Assess how long it would take for a skilled adversary to compromise your organization’s privileged accounts. Show what assets an attacker can get to.
  • Benchmarking – Reference industry practices for securing privileged access.
  • Compliance requirements – Outline the privileged access regulations applicable to your organization.
  • Proof-of-concept results – Do a proof-of-concept in which you implement increased privileged account monitoring and report on the results.

Business and IT Process Owners – Lead with, “Let’s optimize how privileged credentials are used.”
Getting Ready & Intel

  • Emphasize teamwork and the efficiency gains the initiative can bring – Privileged accounts are involved at some level in almost every critical business and IT process. For the most part, improving security around privileged accounts will not deeply affect existing processes. Work closely with the owners of these processes to understand the underlying credential usage, bring that knowledge into the design of controls, and look for opportunities to improve security, streamline tasks, and reduce errors.
  • Make business users allies – By helping leaders in business and IT to improve the security and efficiency of their processes, your security team can gain important allies. If prominent leaders in business and IT are champions of the initiative to improve privileged access controls, it can influence the privileged users within their groups.

Talking Points

  • Who needs elevated privileges and when – Review how privileges are used as an opportunity to reinforce the principle of least privilege.
  • Feasibility of restricting an account’s use of certain commands – Talk about automated privileged access technology and how granular restrictions can be enforced.
  • Risks and process change necessities – Balance the level of protection with the need to meet other business goals such as efficiency.
  • Principle of separation of duties for this process – Look for ways to redesign processes so that technology automatically enforces separation of duties.
  • Preventable error patterns – Talk about configuring controls to ensure certain steps require approval.
  • Applications in use – Uninstall applications with embedded credentials if the application is no longer used.
  • Session script requirements – Consider redesigning a script so that it requires shorter privileged sessions.

IT Admins and Other Privileged Users – Lead with, “We’re going to change privileged access procedures for the better.”

Getting Ready & Intel

  • Show empathy and challenge perceptions – Buy-in from IT Admins is essential for the success of your PAM initiative. The “default” view of IT administrators is that they could do their job better with unfettered access and freedom to choose their own tools. They may see any additional steps or restrictions as making their job harder and slowing them down.
  • Select security team spokesperson wisely – The team member you put in charge of this conversation needs to be able to articulate the threat and to have technical knowledge of the platforms and applications involved. If your security team can’t deal with objections at a detailed technical level, the process may be derailed.
  • Know that other privileged users are typically more accepting – Staff in non-IT roles who have privileged access – such as those who need to work with financial reports and bank accounts – tend to be more accepting of new controls.

Talking Points

  • Changes to workflow – Demonstrate that the PAM effort will streamline some tasks and make how they operate with credentials much more efficient.
  • Strong executive mandate – Discuss the importance of the initiative and persuade administrators to accept changes.

Developers – Lead with, “How can we better secure the use of privileged credentials in these apps?”

Getting Ready & Intel

  • Acknowledge that refactoring applications can be a challenge – Many applications, scripts, and configuration files include hardcoded privileged credentials. Older code is inherently difficult to update, and some platforms make it hard to operate with anything less than the highest possible permissions.

Talking Points

  • The right level of privilege for each application – Work together to determine the privilege rights for all your organization’s applications.
  • Understanding least and excessive privileges – Discuss the principle of least privilege. Help developers understand the consequences of excessive privileges.

Handling objections
Be prepared to manage objections that may emerge during deployment.

  • “You can’t take away those rights – I need them!” – Often you will need to convince people that the privileges they are losing are not necessary. Point out that the change protects them by reducing the risk that their accounts will be compromised.
  • “I tried it and it doesn’t work.” – As changes to controls are implemented, users may report problems. Proactively set up a process ahead of time for responding to concerns. Be responsive as people adopt new processes and technologies. Maximize usability of the control design.
  • “I don’t have time for this.” – When you encounter pushback, strong executive sponsorship of the initiative is extremely important. Focus on the value you bring to users and help them to see the benefits.
  • “This feels like Big Brother.” – Administrators can be sensitive about increased monitoring. Reassure them and address governance issues such as what reports are run when and by whom.

Technical expertise and soft skills are needed to pull off these conversations. The third and final blog will expand on the skillsets you need to be successful and will explore some of the elements of an effective PAM deployment.

And if you’d like assistance from our team on how to have these conversations with your stakeholders, contact us. We’re here to help.

With cyberattack headlines in the news each week, it’s more important than ever to do everything possible to safeguard your systems and data. One way to accomplish this is to prevent the theft of highly privileged credentials. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.

How do you improve your privileged account management?

This blog is the first in a series of three articles where we walk you through decisions you need to make to power your strategy, conversations you should have to create stakeholder buy-in, and resources you require to launch your privileged access initiative. Let’s start by discussing the core decisions your organization needs to make at the outset of the process.

  1. What should you do and when? You need to prioritize what accounts require better protection and be aware of when to make changes. A focus on privileged accounts must be done within the context of your overall security strategy and weighed against other goals. Be aware that if privileged credentials are not properly secured, other controls meant to protect the infrastructure could be rendered ineffective.
    • Conduct an initial “baseline” discovery of privileged accounts. Before beginning privileged account management (PAM) deployment, perform an initial discovery of the privileged accounts in your environment. Using a tool such as “DNA” from CyberArk can give you valuable insight into the types of accounts that exist at your organization. Having a good baseline report will help you create a phased approach to securing the privileged accounts.
    • Evaluate risks and prioritize implementation. Determining order of priority requires identifying which accounts represent the biggest risks. Focus on accounts that provide elevated access to the organization’s most critical systems and build your PAM plans from there. Engage the compliance department early, to understand the requirements behind reporting and various security controls.
    • Plan the timing and rollout of your PAM project. Once you’ve conducted a discovery, you may be in for a surprise as to just how many privileged accounts you have. Given the scope and reach of the project, it will make sense to adopt a phased approach. Deploy at least a limited proof-of-concept demo to help you identify any immediate limitation in the vendor’s platform that may require custom development for your organization. We’ll be discussing how to plan your rollout in further detail in the third blog in this series – so stay tuned for that valuable information.
  2. What’s the best mix of controls? There are many options for how to proceed. The right approach for your organization requires intelligently deploying the most effective controls for each privileged account access use case.
    • Take a layered approach. Reducing the risks around privileged accounts requires layering preventive and detective controls. Preventive controls stop unauthorized activity. Detective controls discover it when it occurs, whether malicious or accidental, before significant damage is done, and provide an audit trail and accountability.
    • Use detective controls to avoid over-limiting access. The use of detective controls can often help in achieving the balance between enabling and restricting access. Rather than putting in place preventive controls that may be overly restrictive, in some cases, a better approach would be less restrictive access that is carefully monitored for any violations. Detective controls are especially important in cases where increasing restrictions is simply not feasible.
    • Secure credentials used by applications and scripts. Credentials used by applications and scripts often need better security controls. If possible, applications should meet the following requirements:
      • The credentials for the account should be stored securely.
      • The account password or SSH key should be changed regularly.
      • The application should be designed using the principle of least privilege.
    • Use compensating controls for embedded credentials. For applications that cannot be refactored right away, compensating controls might be appropriate such as:
      • Configure the account to be non-interactive and unusable for logging on.
      • Increase monitoring on the accounts.
      • Use analytics to detect possible misuse of an application’s account.
  3. How much is enough? Controls should provide better security without encumbering business processes.
    • Make sure you select a PAM solution that will scale with your business. Pick a vendor that can scale with your organization. A PAM solution may become the cornerstone of your company’s security posture, eventually requiring all IT personnel to engage with it. A good PAM solution will offer SDKs (software development kits) and APIs (application programming interfaces) so that you can extend your investment in the platform to meet tomorrow’s more complex requirements.
    • Seek a win-win situation. Security and usability need not always be in conflict. Unlike many other types of security controls, better processes and technologies for privileged access management can offer the business improved productivity and user satisfaction.
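The developer conversation earlier in this series and the “Secure credentials used by applications and scripts” decision above both start from the same question: where are the hard-coded credentials? A discovery tool such as CyberArk DNA will inventory accounts, but a simple scan of source trees and configuration files for credential-shaped strings gives developers a concrete list to refactor or to cover with compensating controls. The Python below is an added example written for this post, not part of the original series or of any vendor’s product. The patterns and placeholder list are a starting point from general experience rather than a complete catalogue, the entropy threshold is an assumption, and the files it scans are constructed in-line so the example runs offline.

```python
import math
import re
from dataclasses import dataclass
from typing import Dict, List

# Credential-shaped patterns for source code and configuration files. These are
# a starting point drawn from general experience, not a complete catalogue.
PATTERNS = [
    ("password assignment",
     re.compile(r"""(?i)(password|passwd|pwd|secret)\s*[:=]\s*['"]?(?P<value>[^\s'";]{6,})""")),
    ("generic token or API key",
     re.compile(r"""(?i)(token|api_?key|secret_?key)\w*\s*[:=]\s*['"]?(?P<value>[A-Za-z0-9+/=_\-]{20,})""")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private key block", re.compile(r"-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Values that are references or placeholders rather than real secrets.
PLACEHOLDERS = re.compile(
    r"(?i)^(\$\{?\w+\}?|%\w+%|<[^>]+>|\{\{.*\}\}|changeme|password|x{3,}|none|null|\*+)$")

# Random-looking tokens have high Shannon entropy; the cut-off is an assumption.
MIN_TOKEN_ENTROPY = 3.5


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str   # matched value with the middle masked


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty string or one repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(value: str) -> str:
    """Keep two characters at each end so a finding can be located without copying the secret."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Return at most one finding per line, for the first pattern that matches it."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if not m:
                continue
            value = m.groupdict().get("value") or m.group(0)
            if PLACEHOLDERS.match(value):
                continue  # a variable reference or template marker, not a credential
            if kind == "generic token or API key" and shannon_entropy(value) < MIN_TOKEN_ENTROPY:
                continue  # repetitive strings are usually fixtures or padding
            findings.append(Finding(path, line_no, kind, redact(value)))
            break
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map; swap in os.walk() for a real tree."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files (not real code or credentials) so the example runs offline.
SAMPLE_FILES = {
    "deploy.sh": '#!/bin/sh\nexport DB_PASSWORD="Pr0d-Sup3r-S3cret!"\nmysqldump --all-databases > backup.sql\n',
    "app.config": '<add name="Main" connectionString="Server=db01;User Id=sa;Password=Winter2017!;" />\n',
    "settings.py": 'API_KEY = "zK8f3nQ2vL9pX4rT7wB1yH5mC0dE6sJ"\nPASSWORD = "${DB_PASSWORD}"\nTOKEN = "aaaaaaaaaaaaaaaaaaaaaaaa"\n',
    "config.yml": "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n",
    "id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(key material omitted)\n-----END RSA PRIVATE KEY-----\n",
    "README.md": "Set password: <your-password-here> before starting the service.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind}: {f.redacted}")
```

The scanner redacts the matched value before reporting it, so the report does not become another copy of the secret, and it skips obvious placeholders such as ${DB_PASSWORD} or <your-password-here>. That second behaviour matters once remediation is under way: after the real value moves into the vault, the reference left behind in the file should stop appearing in the findings.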

In our next blog, we’ll cover the four pivotal conversations you need to have with your stakeholders to help your project succeed.

If you’d like assistance launching a PAM project to help secure your enterprise, contact us. We’ve got the experience and expertise to build you a solution that meets your privileged account access needs. Contact CyberSheath today!


Major data breaches and an always evolving cybersecurity threat and fraud landscape mean that the financial sector is under constant pressure to keep customer and corporate data safe from hackers.

Last year saw the biggest data breach in UK history, with over 20,000 Tesco Bank customers losing money from their accounts. Also in 2016, attackers used hijacked privileged credentials to steal $81 million from Bangladesh Bank’s account at the Federal Reserve Bank of New York.

It’s a tough cybersecurity landscape out there – and financial institutions need to stay ahead of hackers. Cybersecurity leaders recently gathered at the SWIFT Business Forum in London to discuss the challenges faced by banks including:

  • Changes in targets and tactics – JF Legault, cybersecurity global head at JP Morgan, spoke about the changing nature of cybersecurity threats stating, “We saw the advent of malware targeting wholesale banking platforms. Criminals stopped going after simple, low-value monetary amounts and shifted to high-value payment platforms. The reason they did that was a lot more yield on the crime(s) they committed. We also saw a shift toward business email compromise… [and] a high number of breaches affecting the financial sector that led to fraudulent messages.”
  • False positives – Banks are wasting valuable time flagging activities in the anti-money laundering monitoring systems that are not actually fraudulent. These “false positives” take time away from strategic activities. Anthony Fenwick, global head of treasury and trade solutions and AML compliance at Citi Group, pointed out, “Our biggest problem in this industry is false positives…the use of electronics and AI have to go hand-in-hand with the best humans. The idea that we remove all human activity from this process misses the point of what we are trying to do.”
  • Insider threats – Regional vice-president for UK, Ireland, and Northern Europe at CyberArk, Matt Middleton-Leal, underlined that banks most fear attacks that hide behind insider privileges. “They allow cybercriminals to appear as legitimate users, giving them unprecedented freedom to work their way up to their most valuable financial assets.” Gottfried Leibbrandt, CEO at the financial messaging vendor SWIFT, chimed in that bank customers “will always be the weakest link, but at the same time the response should not be ‘let’s fix the weakest link’ but you have to take an end-to-end view.”
  • Consumer-friendly usability – According to Royce Curtin, managing director of global intelligence at Barclays, a big breach is a huge concern, but that must be balanced with providing customers with solutions that they want to use. “We work very hard and take very seriously the responsibility of building systems and trust for services that people feel comfortable using.”

How Banks Can Overcome These Issues

  • Improved communication – Better communication and intelligence sharing at financial institutions is a good first step toward building a more robust cybersecurity program.
  • Multiple-layered security – Concentrating on multiple-layered security also helps safeguard valuable bank information.
  • Actionable insights – Many banks are looking for intelligence that can be quickly turned into an effective response, especially when it comes to landscapes where breaches are more likely to occur. Create actionable intelligence inside the banks and publish it out. Take a strategic view and identify suspicious behaviors (i.e. here is a set of accounts and a volume of transactions that we should be mindful of) so that proper security alerts and timely, effective responses can be undertaken.

How CyberSheath Can Help

CyberSheath can help companies in the financial sector address many of these issues with security consulting services and expert guidance. We provide Privilege Account Management, which gives strong protection inside the perimeter; security assessments; and best-practice recommendations based on experience solving security-related problems for major financial clients. Contact us for your FREE security assessment.

Achieving compliance with NIST 800-171 before the mandatory December 2017 deadline can look like a daunting task. With only 6 months left in the year, time is running out to understand, evaluate, and implement the more than 100 DFARS controls. Where do you start – and how do you efficiently deploy resources to ensure success?

Here are 4 Simple Steps to Assess, Implement, Measure, and Maintain Compliance

  1. Conduct a gap assessment of your current security program. Using a trusted third party or internal resources, perform a binary, pass/fail assessment and make sure results are supported by artifacts and technical validation. Taking a pass or fail approach to each required control ensures an honest assessment and efficient process. Countless vendors have “proprietary” assessment methodologies that are ultimately subjective marketing documents. The NIST 800-171 controls are either implemented or they aren’t. This approach saves you time and endless debate that doesn’t move the needle on compliance.
  2. Turn your gap analysis into a remediation plan. Review your assessment results and start the process of remediating non-compliant controls. The project plan should identify the people, processes, and products required for control implementation. Your plan should be a “project management 101” kind of document that gives you a realistic view of cost, schedule, and performance. If you have budget constraints, look for opportunities to implement manual processes until you can automate with tools. Be sure to account for the documentation of your policies and processes as part of the plan.
  3. Execute your plan. Run your implementation of NIST 800-171 like a project with dedicated internal or third-party resources if the workload requires them. Track project progress weekly and keep management informed. Be sure that after a control is fully implemented you have a way to continuously measure compliance. Like any other regulatory mandate, DFARS compliance is an ongoing requirement and not a one-time effort. This monitoring can be done manually or with a GRC (Governance, Risk, and Compliance) tool like RSA Archer or TraceCSO. If you are budget-constrained, use Excel or SharePoint to get the job done.
  4. Maintain compliance across your enterprise. Implement dashboard views of near real-time compliance and a process for on-boarding new contracts with CUI/CDI (Controlled Unclassified Information/Covered Defense Information). Budget for and perform an annual assessment to validate your compliance.

The Bottom Line

NIST 800-171 is an effective cybersecurity hygiene guide for DoD contractors. Controls like multi-factor authentication and encryption are heavy lifts initially but relatively easy to maintain after implementation. The interpretation of the controls may seem intimidating, but the pragmatic approach laid out above will go a long way in helping you meet the December 2017 deadline.

Get started! It’s likely your team is already overburdened with other work and adding this to their plate with only 6 months of the year remaining won’t be easy. That’s why CyberSheath exists. We’ve helped dozens of global companies achieve compliance – and we can help your organization too. Contact CyberSheath today for a FREE consultation.

Chances are if you are involved in maintaining your organization’s cybersecurity, you’ve had more than a few sleepless nights after hearing the disastrous consequences of another entity’s breach. This story is no different.

DNS Hijack and Extremely Well-executed Spoofed Sites Fool Bank Customers

Earlier this month, the security firm Kaspersky detailed the wholesale takeover of a yet unnamed bank in Brazil. The attack itself was a quintessential DNS hijack in which the attackers took over several of the bank’s domains. For a period of five hours, customers were directed by the bank’s DNS provider (the company that manages the bank’s DNS service and, incidentally, is the domain registrar for the Brazilian top-level domain, .br) to spoofed versions of the bank’s legitimate sites. The spoofed sites were reportedly near perfect, down to having their own valid SSL certificates issued in the name of the bank.

Hackers Obtained SSL Certificate for Rogue Sites

Once they could exercise control over the domain, the attackers applied for an SSL certificate from the non-profit certificate authority Let’s Encrypt. In an interview, Josh Aas, founder of Let’s Encrypt, stated that entities are issued certificates when they can properly demonstrate control of a domain – which in this case the attackers were able to do.

Per the Let’s Encrypt website, the company only offers domain validation (DV) certificates, which are sufficient for HTTPS. Kaspersky’s ThreatPost write-up of this incident revealed that the certificates were issued the day before the spoofed sites went live, suggesting that the attackers could exercise a level of control over the bank’s domains in the days leading up to the attack.

Countless Bank Customers Duped into Providing Account Details

These days, consumers are much savvier regarding how, when, and where they share their confidential information. With the HTTPS designation and the seemingly identical spoofed sites, a large number of bank customers were tricked into providing their account details on the spoofed sites.

How to Make it More Difficult for Attackers to Infiltrate Your Organization

There are several lessons to learn from this hack. First of all, it is important for organizations to work to stay ahead of hacker tactics. Perhaps if the bank in Brazil had followed the tips listed below, the bank and its customers would have been protected from a breach.

  1. Include external accounts in your privileged access management strategy. When identifying privileged accounts in your organization, include internal accounts as well as external accounts that could pose a risk to your organization. Locking down internal root and administrator accounts is not sufficient. Privileged access management must include all accounts that provide elevated access or could impact your organization’s systems or reputation, including those for your social media presence or, in the bank’s case, the organization’s DNS service provider. If the affected bank had included that account in its privileged access management solution, it may have been able to prevent this attack.
  2. Rotate passwords frequently, both in your organization and for your personal accounts. Also, two-factor authentication should be used whenever possible. Had this bank rotated the password more frequently, it may have been able to protect itself from this attack: if the password for its account at the provider changed frequently, the attackers would have needed to compromise it each time.
  3. Get organization validation (OV) or extended validation (EV) certificates when appropriate for your organization. Certificates are not created equal. In this case Let’s Encrypt offers Domain Validation (DV) certificates, not OV or EV certificates. To the general public the nuanced difference between these is likely lost, especially when their browser simply displays a site as “secure”, but the reality is that these certificates have significant differences: OV and EV certificates offer more validation and provide more trust.
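The two signals in the incident above (the bank’s domains suddenly answering with someone else’s nameservers and addresses, and a DV-only certificate appearing where the bank’s own certificate should be) are both checkable by the domain owner. The following monitor is an added example written for this post, not CyberSheath’s code or anything from the incident write-up; the DNS and certificate lookups are injected functions so it runs offline, and every domain, address and organization name in it is constructed.

```python
"""Added example: watch your own domains' DNS answers against a known-good
baseline and check that the served certificate names the organisation you
expect rather than being a DV-only certificate. Not code from CyberSheath
or from the incident; all names, addresses and lookups are constructed.
"""
from typing import Callable, Dict, List, Set, Tuple

# Shape of ssl.SSLSocket.getpeercert()["subject"]: a tuple of RDNs, each a
# tuple of (attribute, value) pairs.
Subject = Tuple[Tuple[Tuple[str, str], ...], ...]

# Known-good baseline (constructed). In practice you record this while the
# records and certificate are known to be legitimate.
BASELINE: Dict[str, dict] = {
    "bank.example": {
        "NS": {"ns1.dns-provider.example", "ns2.dns-provider.example"},
        "A": {"203.0.113.10", "203.0.113.11"},
        "org": "Example Bank S.A.",
    },
}


def _norm(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_dns(domain: str, observed: Dict[str, Set[str]]) -> List[str]:
    """Compare observed NS and A answers with the baseline; return findings."""
    findings: List[str] = []
    expected = BASELINE[domain]
    for rtype in ("NS", "A"):
        exp = {_norm(v) for v in expected[rtype]}
        obs = {_norm(v) for v in observed.get(rtype, set())}
        unexpected = sorted(obs - exp)
        missing = sorted(exp - obs)
        if unexpected:
            findings.append(f"{domain} {rtype}: unexpected {unexpected}")
        if missing:
            findings.append(f"{domain} {rtype}: missing {missing}")
    return findings


def check_cert(domain: str, subject: Subject) -> List[str]:
    """Flag a certificate whose subject lacks the expected organisation.

    A DV certificate carries only a commonName (and SANs); OV and EV
    certificates also carry organizationName. Seeing a subject without one
    for a domain that normally serves an OV/EV certificate is a red flag.
    """
    fields = {k: v for rdn in subject for k, v in rdn}
    findings: List[str] = []
    cn = fields.get("commonName", "")
    if _norm(cn) != _norm(domain):
        findings.append(f"{domain} cert: commonName is {cn!r}")
    org = fields.get("organizationName")
    if org is None:
        findings.append(f"{domain} cert: no organizationName (DV-only certificate)")
    elif org != BASELINE[domain]["org"]:
        findings.append(f"{domain} cert: organizationName is {org!r}")
    return findings


def monitor(domain: str,
            resolve: Callable[[str], Dict[str, Set[str]]],
            get_subject: Callable[[str], Subject]) -> List[str]:
    """Run both checks using injected lookup functions; return all findings."""
    return check_dns(domain, resolve(domain)) + check_cert(domain, get_subject(domain))


# --- constructed scenarios ---------------------------------------------------
def normal_resolve(domain: str) -> Dict[str, Set[str]]:
    # Mixed case and a trailing dot are normal in real answers.
    return {"NS": {"NS1.dns-provider.example.", "ns2.dns-provider.example"},
            "A": {"203.0.113.10", "203.0.113.11"}}


def normal_subject(domain: str) -> Subject:
    return ((("countryName", "BR"),),
            (("organizationName", "Example Bank S.A."),),
            (("commonName", "bank.example"),))


def hijacked_resolve(domain: str) -> Dict[str, Set[str]]:
    # The provider account has been abused: NS and A now point elsewhere.
    return {"NS": {"ns1.attacker.example"}, "A": {"198.51.100.7"}}


def hijacked_subject(domain: str) -> Subject:
    # A DV certificate obtained once the domain was controlled: CN only.
    return ((("commonName", "bank.example"),),)


if __name__ == "__main__":
    for label, r, s in (("normal", normal_resolve, normal_subject),
                        ("hijacked", hijacked_resolve, hijacked_subject)):
        print(label, monitor("bank.example", r, s) or "no findings")
```

Run on a schedule against your real domains, the "normal" case should stay silent and any finding should page someone, since the incident above gave the bank a five-hour window in which exactly these changes were visible.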

Don’t let a hack happen to you. Contact CyberSheath to learn more about our recommendations for safeguarding your organization. Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

There’s a lot at stake right now with your company’s DFARS / NIST 800-171 compliance. What you do – or don’t do – in the next six months could impact your ability to secure and execute DoD contracts.

Is your company compliant with all 110 security controls in NIST 800-171?

As a supplier, chances are you’ve received a letter from one of your Primes asking if you are compliant with the DFARS mandate and reminding you of the compliance deadline of December 31, 2017. If your Prime uses Exostar as their sourcing and collaboration tool, as the major Defense Contractors do, you will have to fill out a DFARS questionnaire before a PO can be issued for your part of the contract.

There are three ways to handle the situation:

  • Misrepresent the truth about your organization’s infrastructure security and answer the questionnaire in a knowingly untruthful way and claim compliance in the hopes that the truth is never discovered and that your firm is never flagged for a security audit.
  • Determine where you are non-compliant and develop a plan to become compliant by year’s end.
  • Write a letter to the DoD explaining where you are not compliant, and why.

Of these options, I think we can agree that the first is ill-advised, and the third is not a way to build trust and foster confidence in your firm. That leaves the second option – becoming compliant. How do you proceed?

What exactly is the DFARS mandate, and why is it important?

NIST Special Publication 800-171 Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of Covered Defense Information (CDI). This document outlines each of the controls your firm needs to meet in order to be able to continue providing services and products to your Prime and ultimately to the DoD.

The fact is, the controls outlined in DFARS are security measures that your firm should already be implementing as part of maintaining good security hygiene. Each item on the checklist helps your firm safeguard important information and, ultimately, helps your firm protect the confidentiality of CDI.

What should you do to keep your current contracts?

Right now your firm is probably compliant with about half of the 110 controls within NIST 800-171. Chances are the areas your company is deficient in include:

  • SIEM (security information and event management)
  • Multi-factor authentication
  • Applied encryption, both at rest and in-transit
  • Policies and written authentication for your security procedures and protocol

While addressing these deficiencies may seem onerous, it’s important to remember that becoming compliant is good for your company – and good for your bottom line. Perhaps you think you don’t have the resources, budget, or buy-in needed to move forward. Keep in mind that the path to compliance is the only viable option you have. Here is a plan on how to address and achieve DFARS compliance:

  • Get a security assessment to help you interpret what is required and if your company is in compliance with each of the 110 controls.
  • Create a plan to achieve compliance on all the items identified as deficient in your security assessment. Your remediation plan should solve for operational issues as well as protect covered defense information in a manner that demonstrably shows compliance. Note that remediation typically takes about 6 months – so you need to get started now.
  • Partner with a trusted, experienced company that:
    • Has truly walked a mile in your shoes and has experience implementing the controls required for DFARS compliance.
    • Tailors the control implementations to fit your reality and achieve compliance.
    • Understands the practical realities of implementing controls like multi-factor authentication in an operational environment on a limited budget.

CyberSheath uniquely understands the DFARS security requirements and can assist you with assessing compliance with these DoD-mandated security requirements and creating a road map for how you can become compliant by December 31, 2017.

The clock is ticking. Get started on your DFARS compliance today.

Don’t scramble to do research to address your security shortcomings. Get your current security state assessed now and formulate a plan to become compliant – before your Primes come to hold you accountable to this new mandate.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

In December of 2016 the National Institute of Standards and Technology (NIST) finalized the first revision to its Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Systems and Organizations. The updated document, NIST SP 800-171 Revision 1, is the new standard with which government contractors who store, transmit, or process CUI are required to comply by the December 2017 deadline.

While many of the updates are verbiage changes to clarify the defined scope of the current controls, there are two major changes that need to be noted by those who are required to adhere to the regulation.

In the original 800-171 release, Control 3.1.19 specified the requirement to encrypt CUI on mobile devices. In the updated revision, the control is amended with the additional stipulation to include mobile computing platforms. Further, mobile devices and mobile platforms are more clearly defined to include smartphones, tablets, E-readers, and notebook computers. This additional specification is intended to remove any doubt as to the scope of the control. Encryption of mobile devices and mobile computing platforms is an instrumental step to help limit a data breach as these devices are often lost or stolen. If you are interested in additional information I have covered the importance and scope of the encryption of data at rest requirements required by the 800-171 in a previous blog post.

At the time of the original release, in June of 2015, NIST SP 800-171 was published with 14 Control Families which contained 109 security controls in total. The newly released revision publication has added just one control bringing the total number to 110. This added requirement is contained in the Security Assessment Control Family (3.12) and is defined as follows:

3.12.4 – Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

Additionally, SP 800-171 Rev 1 notes there is no prescribed format or a specified level of detail for ‘system security plans’. However, organizations must ensure the required information in Control 3.12.4 is appropriately conveyed in the plans that are developed.

Aside from the requirement being imposed to have a formally documented security plan, having such a plan is a good indicator of the maturity of your organization’s overall security program. No matter how large or small your company is, it is important to have a plan to define the security of your information assets. The plan development process will help make you think more holistically about your organization’s security and will bring the many elements of your security model to one place. This will help provide the framework for keeping your company at the desired security level required by the 800-171.

It is important to understand the new control requires the following components in a security plan:

  • Documentation of its systems and environments of operation, including boundaries
  • Description of how security measures are implemented to satisfy the controls of the regulation
  • Definition of relationships with, and/or connections to other integrated systems

While these elements meet the minimum requirements for the new control, it is imperative to recognize this is only a baseline. A security program plan is never ‘done’ per se and should be a living document. The new control further reinforces that thought by requiring organizations to ‘periodically update’ the plan. This concept is also true for the 800-171 regulation itself, shown with the release of the current revision we are discussing. The ever-changing nature of the document ensures your organization is continuously adapting to the dynamic IT environment and the associated threats that we are faced with every day.

Does your organization need assistance becoming compliant with NIST SP 800-171 before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with the specialized guidance you need and deliver industry-leading solutions. We have a specialized team of Cybersecurity Professionals with proven experience to guide and assist your business in achieving compliance.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

On Friday of last week, Europol reported that a worldwide attack using a piece of ransomware known as “WannaCry” hit more than 150 countries and infected at least 200,000 victims. Europol Director Rob Wainwright said that “the global reach [of the attack] is unprecedented.” The attack appears to be targeting businesses and large corporations in the healthcare, financial and infrastructure sectors; these sectors have highly sensitive information ripe for a hostage.

Ransomware is malicious software, a virus, that has two purposes. The first is to encrypt the contents of a machine’s hard drive, preventing the user from accessing the information without entering a unique key or password. The second purpose is to act as a worm and spread to as many machines as possible. With a large footprint of infected machines, the attacker can then hold the data for ransom, promising to provide the password or key to decrypt the data once the ransom is paid in bitcoin (untraceable digital currency).

The WannaCry ransomware appears to exploit a vulnerability in the Microsoft XP operating system that was discovered as a result of the recent NSA tool dump. It’s unclear at this time whether the ransomware was developed by the NSA or just as the result of the NSA’s day one exploit stockpiling. Microsoft president and chief legal officer Brad Smith responded to the attack stating that it “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”. Smith continued his comment stating that “this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”

While IT and Security teams have no doubt been working around the clock over the weekend to prevent the spread and manage the fallout, some key actions organizations should take in the immediate fallout are as follows:

  • Immediately backup important and sensitive data in case you are infected soon.
  • Update to the latest Microsoft security patches.
  • Update all anti-virus software and conduct immediate scans.
  • Scan all inbound and outbound emails for malicious attachments.
  • Send out a companywide awareness email warning employees about the attack and to be cautious of scams and malicious emails.

Moving forward, organizations should consider a more proactive approach to dealing with ransomware as opposed to reactive. In August of last year, CyberSheath Security Engineers wrote about the rise of ransomware and how using sandboxing techniques in daily operations can be 100% effective against malware attacks when used in combination with least-privilege. Adding to defense in depth, implementing a privileged account management solution can be used to prevent ransomware from spreading to critical servers by securing privileged accounts, and in combination with isolating critical servers with a secure jump host such as CyberArk’s PSM, can be a highly effective combination in combating malicious threats.

Let the security professionals at CyberSheath help you become proactive, not reactive. You can learn more about our approach by viewing our Privileged Access Management service area or clicking the button below to download our detailed Privileged Access Management datasheet.

Last week’s global ransomware attack on unpatched computer systems, labeled a “cyber pandemic” by the Wall Street Journal, once again pointed out that basic cybersecurity defense is still being ignored. While not all breaches are preventable, most of the ones that make news headlines are. Below we’ll discuss what Boards of Directors should be doing differently.

The current landscape of cyber defense is dominated by OEMs pushing tools onto under-resourced security teams who don’t have a battle plan for success. It’s like going to Home Depot, buying all the tools and materials to build a house, and architecting the build as you go. It’s expensive and inefficient, and the ad-hoc nature of this approach is guaranteed to disappoint.

What is the Best Cybersecurity Defense Approach?

Cybersecurity defense should be approached like every other business problem: develop a strategy that you can execute against and measure your success. Human Resources has a plan and supporting processes to manage and measure employee hiring, onboarding, retention, and engagement. Finance has a plan and supporting processes to manage and measure revenue, profits, cash, orders and a host of business-relevant metrics. Cybersecurity should steal a page from these mature business-supporting functions and develop the same. Pick a framework or control set (NIST 800-53, NIST Cybersecurity Framework, there are many to choose from, just pick one!) and identify, assess and manage your cybersecurity risk.

Why take this approach instead of following the marketing noise? For starters, organizations like the National Institute of Standards and Technology (NIST) have no profit interest in your implementation of their work. Their publications are the result of years-long collaboration between the government and private sector and are continuously being reviewed and updated. NIST accurately summarizes the benefits of the Cybersecurity Framework in saying:

“Utilizing the Framework as a cybersecurity risk management tool, an organization can determine activities that are most important to critical service delivery and prioritize expenditures to maximize the impact of the investment.”

Surely any company utilizing this framework would have identified unpatched systems as critical to service delivery and a priority in the operational execution of cybersecurity. As last week’s “cyber pandemic” proved, this isn’t the case.

Cybersecurity Added Benefits

An added benefit of managing your cybersecurity program against a defined framework or set of controls is the ability to explain to your Board or Executives your priorities and resource requirements. This demystifies cybersecurity and enables them to make informed business decisions rather than a decision to fund a specific tool. In-time decision making is transformed from tactical to strategic and allows the organization to take a proactive, rather than reactive, approach to cybersecurity.

Compliance requirements like SOC Type 1 and 2 reporting, DFARS, Sarbanes Oxley, HIPAA, and others can be integrated into your chosen framework to align and simplify management of cybersecurity compliance and operations. As practitioners well know, the scope of these compliance audits is often so narrow by design that it becomes an exercise to just ‘get through’ rather than a data point for holistic risk management.

If you are on a Board, don’t accept a compliance audit, penetration test or vulnerability scan as evidence of cybersecurity effectiveness. Push for the implementation of a framework and give the accountable teams the resources to succeed.

Contact us today for a FREE consultation and we’ll make sure you have a strong cybersecurity defense strategy!

Thanksgiving Day is almost here and with it, our focus turns to our family, friends, food, and most importantly, football. As we celebrate one of our country’s most cherished traditions, we give thanks to health, wealth, good company, and of course, turkeys. However, this holiday season, we should recognize our nation’s involvement in cybersecurity and how much we’ve grown with it! Whether it be booking your flight home online, posting a picture of your Thanksgiving feast to Instagram or Facebook, streaming the big game, or FaceTiming your relatives that can’t be there in person, being online is a huge part of this and every day. I’d like to take a moment to share with you some news within our industry that we should be thankful for this year.

Automatic Threat Analysis and Response with New Technologies such as IBM’s Watson:

  • Watson, an artificially intelligent computer system capable of answering questions posed in natural language, was developed by a research team working on IBM’s DeepQA (QA stands for question answering) project. It was named after IBM’s first CEO, Thomas J. Watson. Although it was initially designed to answer questions on the popular game show Jeopardy, its development has opened several doors for cognitive computing. Cognitive security will change the game entirely for both federal and commercial organizations. Built upon existing security intelligence, it will help accelerate responses to threats and reduce the cost and complexity of managing cybercrime. Watson will help analysts find new, more efficient ways of managing security events and building your defenses by searching for solutions in a vast, ever-growing database of software vulnerabilities, countless research articles, and blogs. Cognitive systems bring the ability to spot anomalies and flawed logic and provide evidence-based reasoning — enabling analysts to weigh alternative outcomes and improve decision making. “Analysts will call on cognitive systems to augment or even automate their understanding of a threat — at depth, and with speed and scale, like never before” (IBM). Cognitive security is a tool that will continue to develop as it learns how the human brain functions, and thus security teams will be able to get better at preemptively protecting their networks from threats with each new interaction.

Politically Driven Security:

  • It’s been a tough election season and it was frustrating for all citizens to see the country so divided over the two main candidates. One beneficial result of the media frenzy of the presidential election was the increase in visibility of issues within our nation’s cybersecurity. Members of both major political parties on Capitol Hill have emphasized the importance of building a forum for legislative change regarding cybersecurity. Senator Mark Warner (D-Va), a founder of Nextel, established the Senate Cybersecurity Caucus, which launched just this past summer. The caucus aims to educate lawmakers by introducing them to cybersecurity experts and providing a means of studying cybersecurity’s effect on not only our national security but our economy as well. Warner said that he would work with the president-elect to continue efforts on legislation that would strengthen organizations’ data breach reporting, as there is currently no federal legislation in place requiring data breach notification.

Building the Security Workforce:

  • National Science Foundation is funding programs like CyberCorps: Scholarship for Service, a “unique program designed to increase and strengthen the cadre of federal information assurance professionals that protect the government’s critical information infrastructure. This program provides scholarships that may fully fund the typical costs incurred by full-time students while attending a participating institution, including tuition and education and related fees. Additionally, participants receive stipends of $22,500 for undergraduate students and $34,000 for graduate students” (OPM). These programs are being used by over 65 large accredited universities across the United States and are helping to increase the visibility of the ever-expanding career field and build the federal workforce.
  • Technology conglomerate Cisco Systems, Inc. is also investing in cybersecurity-centered education, funding approximately $10 million for its Global Cybersecurity Scholarship program, which hopes to increase the talent pool through services like free training, mentoring, and testing designed to help students achieve certifications and degrees.

These are just a few topics that are new to our ever-evolving industry. If you’d like to hear more about some of the latest and greatest in cybersecurity, our expert consultants at CyberSheath would love to hear from you. We leverage our security product experience, cutting-edge technology knowledge, and industry best practices to guide your organization through the complexities of cybersecurity implementation.

As most of you know, October heralds a variety of festive autumn events such as the epic return of the pumpkin spice everything, Halloween, and the beautiful transition of fall foliage. October also happens to be National Cyber Security Awareness Month, which provides us an opportunity to shed light on everyday dangers that we face in our vastly connected world. In addition to things that go bump in the night and the occasional monster in our closet, we face a constant threat to our online security in both our corporate and home atmospheres. Below are some tips (not tricks, we promise!), that we hope, will help make accessing the internet a little less frightening.

Don’t Overshare Your Candy

  • Become familiar with and frequently review the privacy settings of your social networking and mobile applications. We are all guilty of quickly scrolling through the privacy terms that require acknowledgment upon app installation. Take a minute to stop and read them! You might not be aware of just how much access to your personal information you are providing to the app.
  • As tempting as it is, don’t share personal details like birthdays or full family member names, and be wary of whom you accept connections from on Facebook, Twitter, LinkedIn, and other social media platforms. Often, users make weak passwords consisting of birthdates or family names and fall victim to cyber-attack when this information is shared on public forums. Don’t let it happen to you! Make strong, individual passwords across all online accounts.
    • Add further security to your logon sequence by enabling two-factor authentication. Hackers target user passwords and when one has been compromised, it is not always immediately recognizable. You can enable a seamless and cost-effective solution using a combination of something the user knows (PIN or password), something the user owns (mobile device, token), or something the user is (fingerprint, retina).

When Trick or Treating, Turn Your GPS Off

  • Be wary of leaving your mobile GPS enabled and of sharing where you are at all times (for example, checking in on Foursquare or Facebook). By telling your friends where you are and what you’re doing every hour of the day, you risk alerting potential thieves that you’re not home, and you hand anyone who can see your posts a record of your movements.

Back-up Your Goodies

  • Perform regular, scheduled backups of your data to a safely stored drive or a cloud platform, and periodically test that you can actually restore from them.

Be Sure to Use the Best Costume Available when Transmitting Data, Encryption

  • Encryption is the process of encoding data so that it can be read only by authorized parties. Always send personal information over the internet through an encrypted connection. You can tell that your connection to a website is encrypted by looking for “https” at the start of the URL and the lock symbol in the browser’s address bar.

Don’t Open Links or Attachments from Spooky Sources

  • Just as you should never take candy from strangers, you should never click unknown links or open unknown attachments; doing so can make you a victim of phishing and ransomware. Careless clicking can lead to the automatic download and installation of malicious software, which can cost you your precious data (see “Back-up Your Goodies” above).

Enable Anti-virus/spyware Software, Stop Bogeymen in Their Tracks

  • Anti-malware software with daily scans can help detect and block active threats on your system. It can also aid safe web browsing by alerting you when you attempt to access an untrusted website.

As previously discussed on the CyberSheath blog, government contractors who process, store or transmit Covered Defense Information (CDI) are required by DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, to implement the security requirements of NIST SP 800-171, organized into 14 control families, by December 31, 2017. The companion provision, DFARS 252.204-7008, has offerors represent that they will meet those requirements. The intent is that the safeguards protecting CDI are consistent across the nonfederal information systems used for work contracted by the US government.

The regulation anticipates that adding these controls will not impose a burden by requiring new systems or additional expense in order to win government contracts. Although 800-171 is derived from FIPS 200 and NIST SP 800-53, the control set was tailored to remove the overhead of controls aimed specifically at federal agencies, and the expectation was that most contractors would only need to implement or update policies to comply. That may hold for contractors whose security baseline already includes many of the FIPS 200 or 800-53 controls, but it is not true for all. For those without such a baseline, this regulation may prove a challenging and expensive endeavor.

One of the direct requirements of 800-171 is Multi-Factor Authentication (MFA). It applies to all privileged account access, to users who access network resources where Controlled Unclassified Information (CUI), or CDI as defined by the DFARS clause, resides, and to any user who accesses the network through a remote access connection. The requirement appears in the following ‘derived security requirements’ from the ‘Identification and Authentication’ and ‘Maintenance’ control families of NIST SP 800-171:

3.5.3   Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts

3.7.5   Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete

This requirement should not come as a surprise. A common attack path begins with an attacker who has obtained a user’s password and then operates the account as that user; the damage is far greater when the account holds elevated privileges. Protecting accounts with multiple authentication factors makes that path much harder. Verizon’s 2016 Data Breach Investigations Report (DBIR) backs this up: the most recent DBIR states that ‘63% of confirmed data breaches involved weak, default or stolen passwords’.

So you may ask, what exactly is Multi-Factor Authentication?

The NIST 800-171 describes MFA as:

The requirement of two or more different factors to achieve authentication. Factors include:

(i) something you know (e.g., password/PIN);

(ii) something you have (e.g., cryptographic identification device, token); or

(iii) something you are (e.g., biometric).

In layman’s terms, Multi-Factor Authentication combines more than one method, or factor, of authentication to verify your identity. It is critical to understand that NIST SP 800-171 requires at least two different factors to satisfy the MFA controls; this is commonly referred to as Two-Factor Authentication (2FA). The factors must differ in kind, so two different passwords do not constitute multiple factors: both are ‘something you know’ and no second factor type is involved.

The most common factor, and the weakest, is ‘something you know’: the password or PIN most people associate with logging into their computer systems. Passwords are frequently weak, shared across many systems and reused, and once one has been compromised the user is usually unaware of it.

‘Something you have’ is the most commonly implemented second factor, usually in the form of a uniquely generated One-Time Passcode (OTP). OTPs can be delivered by hardware tokens or fobs, by a software application such as an authenticator app on a smartphone, or by a USB hardware device such as a YubiKey. While this factor is more secure than the first, it can still be compromised by loss or theft of the device that produces the OTP, so users must safeguard these devices to maintain system integrity.

The third factor is ‘something you are’. Many consider it the most secure, but it is also the most difficult to manage at scale. It can be satisfied by several biometric identifiers, most commonly the user’s fingerprint. While this factor is the hardest to steal outright, it is critical to ensure the hardware in use is hardened against known biometric attacks such as the ‘Gummi-Bear Hack’ (a fake fingerprint cast in gelatin).

As noted above, while adherence to 800-171 was not intended to impose a financial burden on contractors seeking government contracts, implementing an MFA solution can be costly. The major expenses are third-party software to manage the additional factor, plus hardware if a biometric factor or hardware tokens (hard tokens) are chosen. If the solution supports them, software tokens (soft tokens) that generate OTPs on users’ existing mobile devices are a less expensive option. Depending on the size of the organization and the availability of current IT staff, the rollout can be a large project, and many organizations will need third-party consultants experienced in such deployments to streamline it, adding cost beyond the initial investment in the solution.

Given the investment required, it is imperative to perform due diligence when choosing an MFA solution. Products on the market vary widely in what they offer, so consider the following to determine the best fit for your organization:

  • How easy is the solution for end-users?
  • How much additional support burden does it place on IT staff?
  • Does it offer an administrative bypass for users who have lost their hardware token or smartphone, and how is that bypass controlled and logged?
  • Is it cloud-based or hosted internally on your network? If internal, is additional hardware needed?
  • Which server and desktop operating systems are supported (Windows, Linux, Mac)?
  • What deployment options does it support for client installation?
  • Does it integrate with your current firewall or VPN solution?
  • What happens when a machine cannot contact the authentication server?
    • Can the client validate locally, or does it deny access?
    • Does it bypass MFA altogether?
  • Which authentication mechanisms are supported?
    • One-Time Passcodes
      • Hard tokens
      • Soft tokens, and on which mobile operating systems (iOS, Android, Windows)?
    • Push verification to a smartphone app
    • Biometrics
  • What is the cost of ownership?
    • One-time purchase
    • Monthly, based on user count

It soon becomes obvious that there is a lot to consider when choosing the best Multi-Factor Authentication solution for your business. It is important to understand the ‘true cost’ of implementation, which includes the cost of the system and of the resources required to implement and support it across your firm. For a deployment of this nature the saying ‘do it once and do it right’ applies, and following it can save substantial cost and effort.

Does your organization need assistance choosing and implementing the right solutions to become compliant before the December 2017 DFARS compliance deadline? CyberSheath has the expertise to provide you with leading solutions and give you the guidance you need. We have a specialized team of Cybersecurity Professionals who have proven industry experience to guide and assist your business in achieving compliance.

The common barrage of cyber attacks and breaches in the news has given the world a much-needed boost in awareness around the risks and best practices related to cybersecurity. However, an annual study commissioned by CyberArk uncovered that despite this increase in awareness, bad security habits still persist. Here are some highlights from the study and what we should learn from them.

There is a Wide Gap Between “Awareness” and “Preparedness”

Out of the 740 global IT and IT Security decision-makers surveyed in the annual study, 79% stated their organization has learned lessons from major cyber attacks and 82% of professionals believe the security industry, in general, is making progress against cyber attacks. The number of professionals that believe their company’s leadership provides sound cybersecurity direction is now up to 67% from last year’s findings of 57%.

The study uncovered the increased awareness is not leading to equally increased security. Organizations are often undermining their own efforts by failing to enforce now well-known security best practices. For example, nearly every organization surveyed (95%) has a cybersecurity emergency response plan of some kind, but only 45% communicate and regularly test their plan. Possibly most concerning, 40% of organizations still store privileged passwords in a Microsoft Word document or spreadsheet, while another 28% are using a shared server or flash drive.

Risks from Overconfidence

75% of IT decision-makers now believe they can prevent attackers from breaching their internal network, which is up from just 44% last year. Despite that confidence, 36% believe an attacker is currently on their network or has been in the last 12 months while 46% believe their organization has been the victim of a ransomware attack in the last two years.

In the most recent Data Breach Investigations Report from Verizon, the top 10 known vulnerabilities accounted for 85% of successful exploits studied. Organizations are increasingly investing in cybersecurity technology, but too often they do not follow through with best practices to mitigate known risks. Also, executives must continue to focus on making cybersecurity best practices a part of organizational culture, rather than just a project or compliance checkbox.

Future Challenges

As organizations continue to rely more on resources in the cloud, IT professionals’ concern for the security of customer information held there keeps growing. 60% of organizations that use the cloud store customer data in it, but 57% of those are not completely confident in their cloud provider’s ability to protect that data.

The most catastrophic potential threat is considered to be an attack on financial systems that could cause disruption to global markets. A very close second is a concern for attacks causing massive utility damage, and then those affecting civil services such as healthcare and hospital services.

The study also asked which specific tactics IT professionals are most concerned about for the next 12 months. In order of highest concern first, they are: distributed denial of service (DDoS) attacks, phishing, ransomware, privileged account exploitation, and perimeter breaches.

Does your organization share any of these concerns? Discuss leading solutions like the ones from CyberArk with innovative CyberSheath security professionals. Schedule a free consultation below.

Two-factor authentication is an immensely more secure option for securing your accounts than a password alone. The process has typically meant typing in a randomly generated code, delivered by an app or SMS, in addition to your password. That second factor keeps your account secure even if your password is compromised. The extra time it takes to fetch and type in the code is also why astoundingly few people take advantage of two-factor authentication.

Introducing Google Prompt

Google just released Google Prompt, a new two-factor authentication method that allows you to give two-factor authentication security to your Google account with a mere tap on your personal device. There is no more need to generate and enter extra numbers or letters. When logging into your Google account, simply enter your password as usual and then you will see a prompt on your personal device. Tap approve and you will be logged in. Simple and strong security for your account.

It is important to note that this solution requires your device to be connected to the internet, and that you should approve a prompt only for a sign-in you just initiated yourself: an unexpected prompt means someone else has entered your password. Other cloud-based identity providers, such as Okta, offer similar “mobile push authentication” options for enterprise customers.

How to Enable Google Prompt

Before enabling Google Prompt, you will need to enable Two-factor authentication for your Google account. If you already have Two-factor authentication enabled for your account, you can skip to the next step.

Enable Two-factor Authentication:

  1. Go to the 2-Step Verification page. You might have to sign in to your Google Account.
  2. In the “2-Step Verification” box on the right, select Start setup and enter your password again.
  3. Now provide your phone number you want to use for authenticating, and choose either an SMS or phone call for verification, and click on ‘Try it.’
  4. Enter the 6-digit code from the SMS or phone call and select ‘Next.’
  5. For setting up two-step verification, click ‘Turn ON.’

Enable Google Prompt:

Google Prompt is delivered by the Google Search app on iOS devices and by Google Play services on Android devices. If you have an iOS device, start by downloading the Google Search app and signing into it with your Google account, if needed. If you have an Android device, make sure Google Play services is up to date.

Once you have the latest Google Search app (for iOS) or Google Play services (for Android):

  1. On the 2-Step Verification page, select the option for ‘Google Prompt.’
  2. Select the device you’d like to enable
  3. Select ‘Try it.’ (Check out Google’s Help Center for more detailed information)

Google Prompt is now enabled, giving you simple to use and strong security for your account.

Happy authenticating.

(ISC)2 recently released a report based on the survey results of a targeted pool of executive-level government officials and contractors with the goal of reporting on the state of cybersecurity in the Federal Government. The individuals surveyed are accountable for enterprise-wide security and the key findings from the report paint a rather bleak picture for the federal workspace. While some federal entities protect their assets better than others, it’s hard not to feel like cybersecurity is still consistently put on the back burner when budgets get tight and hard decisions have to be made.

A positive aspect that (ISC)2 notes is that with all the media coverage, which isn’t enough if you ask my opinion, organizations may finally be realizing it’s not ‘if’ but ‘when’ you have a breach. I’m not completely convinced, as we’ve talked with numerous companies that ‘just don’t think they’re that important’ to be victims of cyber-attacks, but any progress is better than none. That, however, just about wraps up the positive aspects of the report, as the rest of the results are much more worrisome. Below are a few I’d like to highlight:

  • Only 67% believe their agency can appropriately respond to a cyber incident.
  • 59% believe their agency struggles to understand how cyber attackers could potentially breach their systems.
  • 40% are unaware of where their key assets are located.
  • 40% believe their incident response plan is not effective in responding to cyberattacks.

Given the 2nd, 3rd, and 4th bullets, I was actually surprised to see that 67% believed they could appropriately respond to a cyber incident. With almost two-thirds of the respondents believing they struggle to understand how their systems could be breached and 40% unaware of where their key assets are, I’m not convinced that a majority of the respondents could effectively and efficiently detect, scope, contain, and remediate an incident. Incidents are more than likely run like a fire drill, with all participants just hoping the place doesn’t burn to the ground.

While the (ISC)2 report focuses on the federal government, our work in the private sector, unfortunately, doesn’t lead me to believe they’re any better off. The heavy hitters tend to do a decent job, or at least have the budget to try, but security practices, in general, are abysmal. The latest DFARS requirements and looming December 2017 deadline have at least got these organizations discussing security, though not always in a positive light. Most of these organizations still struggle with the ‘how’ and the overall ‘why’, but the fact it has to be done is no longer up for debate.

Regardless of whether it’s the private or public sector, I think the statistics are probably pretty similar and speak for themselves. Security can’t be an afterthought.

On July 26, the Obama administration released a framework for incident handling around cyber-attacks.  The framework is part of the Presidential Policy Directive on United States Cyber Incident Coordination and action plan that was released in February of this year.  It provides a clear standard of when and how government agencies will handle cyber security incidents. Included in the directive is a new color-coded scale that assigns specific colors and response levels to the danger of a cyber-attack.

The intent of the color-coded scale and directive is to ensure that the agencies responsible for cybersecurity respond to incidents and threats with the “same level of urgency and investment.” The scale is broken into levels, each representing a severity. Level 0 (White) is an unsubstantiated or inconsequential event, while Level 5 (Black) is an emergency: an attack that poses an imminent threat to the provision of wide-scale critical infrastructure services, national government stability, or the lives of US persons. An incident ranked at Level 3 or above is considered significant and triggers coordination among the Department of Justice, the Department of Homeland Security and the Office of the Director of National Intelligence; the organizations involved in the incident also contribute to the response.

How will your organization be able to respond to a cyber-attack?  Let CyberSheath assess your capabilities so you can move your security program from a reactive to a proactive, well-defined security operation.

Cybersecurity has historically been viewed as something you HAVE to pay for, not want to. This way of thinking is outdated today. Highly successful organizations today understand that confidence in their cybersecurity is what enables them to grow boldly in today’s world. Confidence in cybersecurity as a foundation for success is still not often talked about at the executive leadership level. The following are three core values that today’s high-performing organizations understand:

Confidence in Cybersecurity Drives Business Value

Organizations with high levels of cybersecurity confidence grow, advance, and develop at a rate that outpaces the rest. Without confidence in the organization’s cybersecurity, the organization won’t have the confidence needed to take the risks associated with today’s opportunities. The safety features in a high-performance race car allow the driver to not only drive safely but to focus all of their energy on driving as quickly as possible. Confidence in the security measures in place allows people to perform at their best. When people are confident in their organization’s cybersecurity, they also are less likely to try to circumvent it and are more likely to adhere to safe security practices, minimizing risk for the organization.

A 2016 study from FireEye revealed hard data on the value of cybersecurity confidence outside the organization also:

  • 52 percent of consumers would consider paying more for the same products or services from a provider with better data security.
  • 76 percent of consumers would likely take their business elsewhere due to negligent data handling practices.
  • 72 percent of consumers will now share fewer personal details with companies.
  • 54 percent of consumers feel more negatively about organizations that have been breached.
  • 90 percent of consumers expect to be informed within 24 hours if their service provider had suffered a data breach which could have compromised their data.

The value created by cybersecurity confidence comes from both inside an organization with its own people and from outside with its customers and partners. The successful organizations of tomorrow already understand this today.

Cybersecurity is More Than Just Protection

The digital age continues to create new opportunities for growth at all levels of an organization. New technology brings greater efficiency, more innovation, and incredible possibilities not even dreamed of before. Cybersecurity is more to an organization than just protection; Cybersecurity is the foundation that makes advancing boldly and confidently in the digital age possible. Without a growth strategy with cybersecurity at its core, an organization will have trouble moving confidently and risks running off the rails.

The old way of thinking about cybersecurity as an add-on or a project to be marked as completed is a recipe for failure today. “Ninety-seven percent of Fortune 500 companies have been hacked, and likely the other 3% have too, they just don’t know it,” says Peter Singer, Director of the Center for 21st Century Security and Intelligence at the D.C. think tank Brookings Institution. High-performing organizations today do not view cybersecurity as mere protection; they understand that cybersecurity is the foundation for doing business in the modern world, and they define their vision for the future with confident cybersecurity as that foundation. Anyone building on a shaky foundation will be quickly left behind.


The  Key to an Organization’s Security is Its People

Many people are left uninspired by their organization’s attempts to provide them security training. In Cisco’s 2016 Annual Security Report, only 45% of people said they were confident in their organization’s cybersecurity defenses.  This is a huge loss for an organization. People who feel confident in an organization’s security are far more likely to pay attention to what they can do to improve it. Even more importantly, they are far more likely to trust an organization with their future.

Great people are at the center of having great security, and great security is an essential part of having great people. It’s important to share the whole story with your workforce and inspire them to join the organization’s view of security as a foundation – not as a side note to remind them to work around.


Low cybersecurity confidence costs an organization energy, innovation, and productivity. At the end of the day, it costs an organization growth and potential. For help efficiently and effectively gaining security confidence in your organization, schedule a free assessment with our experienced and innovative security professionals.

You may have heard all the buzz about Pokémon Go, the mobile phone game based on Nintendo’s Pokémon franchise and the popular animated show from the 90’s. In their haste to download and install the latest and greatest, users are also falling victim to malicious apps disguised as tutorials or alternate versions of the game. As the app was officially released only in the US, New Zealand, the UK, and Australia, users in other countries are passing around Android Package Kit (APK) files in an attempt to play the game as well. Installing such an APK requires “sideloading”, which means changing a core Android security setting to allow installation of applications from untrusted third-party sources.

Users have been cautioned against these unofficial downloads because one of the popular APK files has been modified to install a backdoor known as DroidJack. DroidJack is a Remote Access Tool (RAT) that lets third parties take remote control of the device, record private conversations, read emails, browsing history and texts, and track the user’s physical location, all without their knowledge. If DroidJack is installed on a device linked to bank accounts or to corporate or personal email, all of that information is now available to untrusted third parties.

The threat of this malicious software is very real: the security firm Proofpoint discovered the infected version of the app within 72 hours of the game’s launch in New Zealand and Australia on July 4th. To check whether the version installed on your device is the malicious one, open your Android device settings for Pokémon Go and review the list of app permissions. A legitimate copy of a game has no reason to directly call phone numbers, read or edit your SMS messages, record audio, read browser history, read or edit your contacts or call logs, or change network connectivity. If the installed version holds those permissions, wipe the device immediately; a full reset is the only guaranteed method of removal. Business leaders, especially those overseas, should caution employees about this application, as the user base is not limited to any age group.
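To make the permission check above concrete, here is an added example (not code from the original post, from Proofpoint, or from Google) that takes the output of `adb shell dumpsys package <package>` and maps any red-flag permissions to the capabilities the post lists. The dumpsys text is constructed for the example and the package name is hypothetical; the permission names are the standard Android ones.

```python
import re

# Permissions that together give the capabilities the post attributes to DroidJack:
# placing calls, reading/editing SMS, recording audio, reading browser history,
# reading/editing contacts and call logs, and changing network connectivity.
RED_FLAG_PERMISSIONS = {
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.SEND_SMS": "send/edit SMS messages",
    "android.permission.RECORD_AUDIO": "record audio",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browser history",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "edit contacts",
    "android.permission.READ_CALL_LOG": "read call log",
    "android.permission.WRITE_CALL_LOG": "edit call log",
    "android.permission.CHANGE_NETWORK_STATE": "change network connectivity",
}

# One permission name on a line by itself, as dumpsys prints them under a section header.
_PERM_LINE = re.compile(r"^\s*([\w.]+\.permission\.[A-Z0-9_]+)\s*$")


def parse_requested_permissions(dumpsys_text: str) -> set:
    """Collect the names listed under 'requested permissions:' in the output of
    `adb shell dumpsys package <package>`; other sections (install/runtime) are skipped."""
    perms, in_requested = set(), False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):  # a section header
            in_requested = stripped.startswith("requested")
            continue
        if in_requested:
            m = _PERM_LINE.match(line)
            if m:
                perms.add(m.group(1))
    return perms


def assess(dumpsys_text: str) -> dict:
    """Return the requested permissions, the red-flag ones among them with the
    capability each grants, and a verdict: a game has no business holding any of them."""
    perms = parse_requested_permissions(dumpsys_text)
    flagged = {p: RED_FLAG_PERMISSIONS[p] for p in sorted(perms) if p in RED_FLAG_PERMISSIONS}
    return {"permissions": perms, "red_flags": flagged, "suspicious": bool(flagged)}


# Constructed sample output (not captured from a real device); the package name is
# hypothetical. The clean list is what a location-based camera game plausibly needs.
CLEAN_SAMPLE = """\
Packages:
  Package [com.example.pokegame] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.VIBRATE
    install permissions:
      android.permission.INTERNET: granted=true
"""

# The same package with the DroidJack-style permissions added to the requested list.
TROJANED_SAMPLE = CLEAN_SAMPLE.replace(
    "      android.permission.VIBRATE\n",
    "      android.permission.VIBRATE\n"
    "      android.permission.CALL_PHONE\n"
    "      android.permission.READ_SMS\n"
    "      android.permission.SEND_SMS\n"
    "      android.permission.RECORD_AUDIO\n"
    "      com.android.browser.permission.READ_HISTORY_BOOKMARKS\n"
    "      android.permission.READ_CONTACTS\n"
    "      android.permission.WRITE_CONTACTS\n"
    "      android.permission.READ_CALL_LOG\n"
    "      android.permission.WRITE_CALL_LOG\n"
    "      android.permission.CHANGE_NETWORK_STATE\n",
)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("trojaned", TROJANED_SAMPLE)):
        result = assess(sample)
        print(f"{name}: suspicious={result['suspicious']}")
        for perm, capability in result["red_flags"].items():
            print(f"  {perm}: {capability}")
```

Run it against real output by piping `adb shell dumpsys package <package>` into `assess`; the verdict is deliberately strict, since any single red-flag permission on a game is reason enough to investigate, and the per-permission capability list tells the user what the app could have been doing.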

When working with CyberSheath, we will empower your organization against common threats such as these to effectively reduce risk through proper security and awareness training.

Business owners rely on internet connectivity for everything from business operations, productivity and collaboration services to maintaining customer relationships. Unfortunately, that reliance on internet connectivity and cloud services also increases exposure to the threat of cybercrime. In addition to stealing money through fraud and deception, with tools such as ransomware, cybercriminals can damage your business’s reputation and, depending on the impact and headline-worthiness of an incident, put you out of business entirely. For a small business, a cyber incident or breach can have a far greater impact on the ability to operate than it would for a large enterprise that can absorb the costs of incident response.

A business can never be completely safe from the threat of cybercrime but most cyberattacks can be mitigated with some basic security practices. Online security should be taken as seriously as locking the doors of your business and storing cash and valuables in a safe location. Clients have the expectation and right to the security of their data and it’s essential that steps are taken to prevent it from being exposed on the internet due to poor security practices. The following tips will enhance your defenses against cyber attacks:

1) Use strong passwords, credentials, and manage your access.

Strong authentication mechanisms are an essential layer of protection. All staff should understand the need for suitable passwords and the risks of writing them down or sharing them. A long password mixing letters, numbers and other characters is a well-known best practice; common words, names and consecutive numbers are easily guessed. Depending on the nature of the business and the data it handles, consider multi-factor authentication as an additional layer beyond the password. Also make sure you know every authentication service your business relies on: you may use Gmail or Active Directory as your core authenticator and manage password requirements there, but cloud or internet-based services often have their own logins that are not connected to it. Ensure all authentication services are managed and audited, meaning user access is provisioned and deprovisioned through a formal process as the employment status of your staff changes.

2) Use cybersecurity tools.

A firewall and antivirus software can mitigate many cyberattack risks and are far better than no security tools at all. Don’t cut corners on protection; connecting to the internet without it puts your business at risk. Antivirus and other signature-based tools must be updated regularly so that the latest forms of malware are identified and removed. Also consider tools that add host intrusion prevention, file integrity monitoring, and web browsing protection. On the network side, many firewalls bundle capabilities such as network intrusion prevention and malware detection.

3) Restrict personal use of company IT assets and company work on personal IT assets.

Accessing non-work email accounts and social media on company computing assets increases the likelihood of compromise. Give staff clear acceptable-use instructions covering their cybersecurity responsibilities and the dangers of visiting websites unrelated to company business; malware can hide in online games, apps, and email attachments. Staff using personal assets for work present a different risk: unmanaged devices may process sensitive work-related information that an attacker can compromise through vulnerabilities you cannot see, and an employee acting as an insider threat can walk away with your sensitive business information on a device you do not control.

4) Understand and protect your web presence.

Your website and the internet services you use are valuable resources that must be protected. Hackers may attempt to corrupt information on a website or use your computing resources for their own needs (i.e. attack pivoting, distributed denial of service campaigns, or bitcoin mining). Privileged access should be tightly controlled, as this is one of the routes cybercriminals leverage in attacks. Hackers are constantly scanning websites and web services for vulnerabilities and sensitive information. Software on your website should be updated regularly to make sure it is at the latest version, vulnerabilities should be assessed, and your security tools and configuration should be appropriately applied. For other web services, such as cloud collaboration tools like Slack or development platforms like GitHub, understand how these services are being used and the potential for data exposure, then ensure they are used in a secure way.

5) Be cautious and proactively apply security.

Cyber attacks are becoming increasingly sophisticated, with attack methods constantly evolving and evasion techniques designed to circumvent security tools. Your protection mechanisms may not protect against every strategy attackers use, so you must be prepared for the inevitability of security incidents by proactively planning to manage them. For example, cybercriminals might copy the identity of a legitimate business and use it to deceive you. Common sense and caution are as valuable as antivirus software when it comes to cybersecurity. Keep your staff aware of cybersecurity risk with regular training, move away from treating security as an afterthought, and consider security in all aspects of your business.

6) Plan for security failures.

Security standards and regulations advise that planning and preparing for an attack are critical. Does your business have the subject matter expertise and resources to manage a cybersecurity incident? If not, do you have an established relationship, or even contacts, with a firm who can assist when such a situation arises? Having a response plan and capability can make the difference between a few days’ downtime and a significant long-term impact on your ability to do business. Ensure that all incidents and incident response tests include lessons learned and corrective actions so that you are adequately prepared for the next incident.

The threat landscape is constantly changing as business becomes ever more entwined with the internet and technology. Smaller businesses are well known to cybercriminals as being less protected, and steps should be taken to reduce the likelihood of becoming a successful target. Know your threat profile, know your exposures, know your risks, know what you’re protecting, know your regulatory and contractual security obligations, and let CyberSheath help you apply a cybersecurity strategy accordingly.

This past week has been riddled with cyber attacks.  Three major industries – Healthcare, Banking, and Telecommunications – have either had customer data stolen or held hostage.   And last but not least, a historic face-off between technology and policy with Apple refusing to provide the FBI with the necessary information to access data on a known criminal’s iPhone.

So whether you are returning from a well-deserved vacation or drowning in looming project deadlines, we don’t want you to miss out on this week’s cybersecurity happenings.  To help you get caught up, we have compiled links to the top four trending cybersecurity news stories of the week.

Happy reading!

4 Trending Cybersecurity News Stories of the Week

Hospital Declares ‘Internal State of Emergency’ After Ransomware Infection

Once again a ransomware attack has infected a hospital’s computer network. Unlike Hollywood Presbyterian Medical Center, whose attack we discuss in our blog here, the target of this recent attack, Methodist Hospital in Kentucky, is currently positioning itself not to pay the ransom. The article describes the details of the attack and delves into its aftermath.

Read more here

Crooks Steal, Sell Verizon Enterprise Customer Data

Verizon Enterprise Solutions has confirmed that their network has been hacked resulting in the “theft and resale of customer data”. KrebsOnSecurity learned that Verizon recently identified a vulnerability in its site that allowed hackers to access customer information.

Read more here

Federal Grand Jury Indicts 7 Iranians for “Campaign of Cyber Attacks”

The US Justice Department announced this week that a federal grand jury has issued indictments for seven Iranians employed by two information technology companies.  The indictments allege the companies were contracted by the Iranian government to conduct cyberattacks against US banking institution websites and attempt to breach the supervisory control and data acquisition (SCADA) network of a dam near Rye, NY.

Read more here

In Apple vs. the FBI, technology wins

The showdown between Apple and the FBI has garnered a lot of media attention, with privacy advocates and policymakers all weighing in. According to a recent article published by TechCrunch, this is not surprising. The article explains why technology will almost always win over policy.

Read more here

Ars Technica recently published an article on the security of inflight Wi-Fi. Providers like Gogo and Global Eagle Entertainment offer passengers paid Wi-Fi service. Customers who think their communications and activities are secure should think again, says USA Today columnist Steve Petrow. Mr. Petrow was “hacked” while on an American Airlines flight: a man claimed to have been able to read his email communication with a source for a story. Given the overall Wi-Fi security lapses, as addressed in this post from ComputerWorld, it is easy to understand how this can happen. But what can be done about it?

First, Wi-Fi on an airplane operates much like a public Wi-Fi network. Access is granted through a “captive portal” where you have to provide login details and/or payment info and accept the terms of service. Once that is done, the user is granted access to the web. There is no password protection on the wireless connection, which means the traffic carried over the Wi-Fi network is transmitted in the clear, and anyone listening can grab the data that passes through the access point.

Second, inflight wireless networks have taken a further step that affects the privacy of the network by blocking basic network security tools such as secure HTTP and some virtual private networks. Without these basic building blocks of security, it becomes clear how Mr. Petrow was “hacked.” When you are on a public Wi-Fi network your device becomes visible to other people on the network. Unencrypted traffic is visible, and where a user’s mail client uses plain POP/SMTP, that mail traffic is also readily visible.

While blocking basic security measures appears to be an oversight, it is in fact intentional. Gogo and Global Eagle Entertainment block some commercial VPN networks, and Gogo was issuing its own certificates for secure websites such as Google. By stripping away SSL encryption, Gogo can prevent passengers from accessing sites with inappropriate content and can give law enforcement more visibility into the browsing and search habits of Gogo customers. Ars Technica reported that Gogo works closely with law enforcement and designed its inflight network with law enforcement in mind:

“In designing its existing network, Gogo worked closely with law enforcement to incorporate the functionalities and protections that would serve public safety and national security interests…”

While the jury is still out as to whether Wi-Fi networks pose a threat to airplane communications or functionality, passengers using the service should be aware of what they are signing up for. Attackers sitting on flights who wish to hack into a passenger’s device can easily set up a fake access point, rerouting legitimate traffic to their laptop with two Wi-Fi signals. While SSL would still protect passengers from having their sessions read by other users, a determined attacker can overcome this with tools like SSL Strip.

To protect your session, Ars Technica recommends using a VPN connection (if it will work) and ensuring that sharing has been disabled. Also, pay attention to certificate warnings. If Chrome or Firefox warns of a bad or unknown certificate, don’t proceed; wait until you are on the ground with a better network to connect to. Of course, the best defense is to turn off your Wi-Fi and work offline.

What does this mean for your organization? As your organization sends workers around the globe, it is important to develop good security habits. Start with security awareness training. Ensure devices are protected. An employee who travels a lot is likely to introduce something back into the network when she connects with the “mothership,” so it is imperative that devices are routinely patched and monitored for vulnerabilities.

Whether or not you send your employees on the road frequently, CyberSheath can help you build your security program to make informed and secure travelers.  

Venafi, an internet security product vendor, recently revealed results from a global survey of CIOs who believe security defenses are less effective and who expect to suffer an attack. The underlying issue, according to Venafi, is the prevalence of unprotected and unmanaged cryptographic keys and digital certificates. CIOs admitted in the survey that they are “spending millions of dollars on layered security defenses,” effectively trusting keys and certificates without being able to differentiate between trusted and compromised keys.

Even more troublesome is Gartner’s prediction that by 2017, approximately 50% of the attacks against an enterprise network will come from encrypted traffic, bypassing controls put in place to stop attacks. This prediction means that tools like IDS, behavior-anomaly detection, and next-generation firewalls will only function at about 50% capacity, letting through half of the attacks. Additionally, the Ponemon Institute recently revealed that approximately 54% of organizations said “they lack policy enforcement and remediation for keys and certificates.”

While the survey does point out worrying figures about the underlying digital trust that enterprises rely on, it is important to note that there are ways to rebuild confidence in your keys.

3 Steps to Rebuild Confidence in Your Cryptographic Keys and Certificates

1: Know and understand where your keys are located
Many CIOs in the survey admitted to not knowing where all of their keys and certificates are located.  Having a program in place to manage and monitor keys, who has access to them and most importantly, where they are located, will help build confidence in your cryptographic key management program.  Knowing that your keys are accounted for will help you reduce the risk of untrusted keys.

2: Establish policies and procedures for how certificates and keys are handled
Having policies and procedures for key management, including those that ensure formal assignment of key management responsibilities in a key custodian role, will make employees managing cryptography more accountable.  An established procedure will ensure that key management is handled the right way every time and when there is turnover, the next employee will be following the same procedure, and so on.  The main takeaway is that the policies must be, without doubt, enforceable, and the procedures must be known, aligned with policy, implemented, and followed accordingly by key management staff.

3: Log and document all key management activities
Every time key management activity is performed (updated, changed, expired), that activity needs to be logged and documented.  Metrics should be collected to get an idea of what is normal behavior and what is not.  Suspicious activity or suspected key compromise should be reported and investigated.

While these are just some of the ways to protect your keys and certificates, it goes without saying that attacks coming over SSL/TLS are a real concern (as evidenced by the Heartbleed bug). The survey, which was conducted by an independent market research company, provides some important data on the health of cryptographic key management across industries, according to the responding CIOs. Given the reliance on cryptography to protect sensitive data, protecting cryptographic keys and understanding encrypted data flows are smart first steps to combating these evolving attacks, which evade your perimeter defenses using the same techniques that protect your sensitive data.
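Two of the points above lend themselves to one check: knowing which certificates your hosts present and whether they chain to CAs you actually approve (the inventory in step 1), and spotting a certificate for a site that was minted by an intercepting network rather than the real issuer (the inflight Wi-Fi case discussed earlier, where the provider issued its own certificates for Google). The Go program below is an added example, not code from Venafi, the survey or this post; it uses only the standard library, and the CA, host names, pin and certificates are constructed in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Finding is one inventory row; empty Flags means the certificate chains to an approved
// CA, matches the pin recorded for its host (if any) and is not within 30 days of expiry.
type Finding struct {
	Host, Issuer, SPKIHash string // SPKIHash: hex SHA-256 of the SubjectPublicKeyInfo (a pin on it survives renewals that keep the key)
	NotAfter               time.Time
	Flags                  []string
}

func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Inventory evaluates collected certificates (from outbound TLS handshakes on a travelling laptop, or an endpoint scan) against the approved CAs, per-host SPKI pins and a 30-day expiry horizon.
func Inventory(certs []*x509.Certificate, approved *x509.CertPool, pins map[string]string, now time.Time) []Finding {
	var out []Finding
	for _, c := range certs {
		f := Finding{Host: c.DNSNames[0], Issuer: c.Issuer.CommonName, SPKIHash: spkiHash(c), NotAfter: c.NotAfter}
		// Chain building uses the approved pool only, so a certificate for this host minted by any
		// other CA fails here even when that CA copied the approved CA's name.
		if _, err := c.Verify(x509.VerifyOptions{Roots: approved, DNSName: f.Host, CurrentTime: now}); err != nil {
			f.Flags = append(f.Flags, "untrusted-issuer")
		}
		if pin, ok := pins[f.Host]; ok && pin != f.SPKIHash {
			f.Flags = append(f.Flags, "pin-mismatch")
		}
		if c.NotAfter.Before(now.Add(30 * 24 * time.Hour)) {
			f.Flags = append(f.Flags, "expires-within-30d")
		}
		out = append(out, f)
	}
	return out
}

// mint is a test-data helper: a fresh P-256 key and a certificate for tmpl signed by
// parent/parentKey, or self-signed when parent is nil.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template builds a CA or server-certificate template for name, valid for days from now.
func template(name string, now time.Time, ca bool, days int) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, days)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// Scenario builds constructed data: an approved CA; the genuine mail.example.com certificate, whose pin is
// recorded; a certificate for the same host from a second CA that merely copies the approved CA's name, as an
// intercepting access point would present; and a short-lived VPN certificate.
func Scenario() (certs []*x509.Certificate, approved *x509.CertPool, pins map[string]string, now time.Time) {
	now = time.Date(2016, 3, 1, 12, 0, 0, 0, time.UTC)
	goodCA, goodKey := mint(template("Corp Approved CA", now, true, 3650), nil, nil)
	rogueCA, rogueKey := mint(template("Corp Approved CA", now, true, 3650), nil, nil)
	genuine, _ := mint(template("mail.example.com", now, false, 365), goodCA, goodKey)
	forged, _ := mint(template("mail.example.com", now, false, 365), rogueCA, rogueKey)
	expiring, _ := mint(template("vpn.example.com", now, false, 10), goodCA, goodKey)
	approved = x509.NewCertPool()
	approved.AddCert(goodCA)
	pins = map[string]string{"mail.example.com": spkiHash(genuine)}
	return []*x509.Certificate{genuine, forged, expiring}, approved, pins, now
}

func main() {
	certs, approved, pins, now := Scenario()
	fmt.Printf("%+v\n", Inventory(certs, approved, pins, now))
}
```

The forged certificate carries the same issuer name as the genuine one, which is why the check relies on chain validation and the recorded key pin rather than on the name alone.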

Did You Like This Post?  

Subscribe to CyberSheath’s blog today to receive email updates as new posts become published.

Product vendors’ marketing focuses on advanced persistent threats (Stuxnet, China and all of the other fear, uncertainty, and doubt, or FUD) that are almost completely out of your control. So take a step back from the overwhelming advertisements that leave you feeling insecure and spend some time on something you can actually control: your organization’s information security policy. Exciting, right? Maybe not, but a policy represents the foundation upon which your security program can and should be built. Here are 3 reasons why a documented security policy endorsed by corporate executives materially improves security.

3 Reasons Why a Documented Security Policy Endorsed by Corporate Executives Materially Improves Security

1: Corporations Take a Policy Seriously

Corporations tend to take policy seriously, especially larger companies where policies get reviewed by all functional leaders for input, then the final version goes to the CEO for signature and publication. This executive endorsement gives security practitioners the leverage they need when enforcing a policy, requesting resources and generally executing the mission of delivering security services. When you are challenged on the “why” behind a reduction in administrative rights you now have something tangible to refer to rather than trying to educate one engineer at a time.

2: A Policy Presents an Opportunity to Lead the Security Conversation

The process of documenting, socializing and getting an executive endorsement of a security policy is an often overlooked opportunity to engage executive leadership in a conversation about security. At the top of every organization, busy executives have many number one priorities and getting security onto their already overcrowded plate is difficult, even in the age of continuous front-page data breach headlines. Creating a security policy presents an opportunity to lead the security conversation in a way that ensures the most important security agenda items are the focus of the discussion, rather than headlines about the most recent breach that may or may not be relevant to your organization.

3: A Policy Can Help Drive Resource Allocation

When endorsed and published, a policy can help drive resource allocation. Advocating for resources is often easier when the reasons for the “ask” are anchored in compliance requirements. Compliance might not be as thrilling a topic as nation-state attackers but executives understand compliance better than they ever will advanced persistent threats. You should leverage that executive understanding to secure the resources you need to accomplish your mission.
In an overworked and under-resourced security organization, I completely understand the tendency to focus on “doing things” rather than documenting things but that approach will keep you on the hamster wheel and in the long run hobble your opportunity for success.

Don’t Know Where To Start?

CyberSheath’s Strategic Security Planning service will assist you in successfully creating a policy for your business that will materially improve security. A security policy can be the first step in your journey to an optimized information security environment and the foundation necessary to promote the endorsed support of your executive leadership.

Predictably, cyber/data security continues to be a rising concern within the healthcare industry, according to Modern Healthcare’s 26th annual Survey of Executive Opinions on Key Information Technology Issues. That being said, the percentage of total IT spend devoted to security is still woefully inadequate if the survey numbers are to be believed. You simply can’t be secure at the spend levels highlighted in this survey.

I’m always skeptical of survey numbers because you can’t qualify the data or responses and there is no right answer as to how much to spend on security. However, there are best practices and industry standards that will ensure your organization is spending the money you have wisely.

4 Steps to Ensure a Wisely Spent Cybersecurity Budget

1: Make Security a Line Item in the Budget, Separate from IT

There is no right metric for security spend but you should at least be able to articulate what you are spending annually. With a defined security budget you can slice and dice any way you want, as a percentage of IT spend, cost per employee, as a percentage of revenue, etc.

2: Select a Framework

NIST, ISO, 20 CSC: just pick one! Whatever you select will give you a way to measure your current capabilities and prioritize investments; you can always change your mind later.

3: Assess Yourself

If you don’t take the time to objectively measure what you are doing today against a selected framework you will be doomed to keep doing the same things year over year. Maybe that works for some organizations, but my experience is that a comprehensive assessment against an accepted framework can serve as the burning platform for year over year improvement.

4: Roadmap the Journey

Use your assessment results to create a multi-year roadmap that ties security compliance efforts to operational efforts and tell the story to your business. Share the vision for security and articulate just how much the business is getting for its investment in security so you can have a conversation around outcomes and expectations rather than fear, uncertainty, and doubt (FUD).
Articulating the value of security and defending the budget is hard, but it’s not impossible if you use facts and figures relevant to your business and organization.

Don’t Know Where To Start?

CyberSheath’s Strategic Security Planning service offering can help you plan, build, and manage a strategic information security organization that enables your business. Our operational strategy and budgeting plans aggressively drive security organizations towards pursuing higher levels of performance.  Our Strategic Security Planning service will assist you in successfully creating a security budget that directly aligns with your business needs and goals.

Recently, Hollywood Presbyterian Medical Center paid attackers for the decryption key that held the hospital’s systems and data hostage. While this style of attack is not new, the increase in attacks has businesses on edge. Ransomware is malicious software that blocks access to a network or system until a ransom is paid. In many cases, the data is encrypted and there is no economical way to retrieve it until the decryption key is given to the victim, which usually only occurs when a ransom is paid. In Hollywood Presbyterian’s case, the hospital decided to pay the ransom of about 40 bitcoins, worth approximately $17,000.

Security consultants who have assessed healthcare practices have likely interviewed medical staff and got a strong sense (if they were not directly told) that their work was diverting attention away from patient care. This mentality is one of the reasons why the healthcare industry is facing challenges when it comes to information security. The culture of providing healthcare over all else, used as the justification for neglecting information security, has finally hit an impasse: patient health and safety were jeopardized by a cybersecurity incident. The attitude toward information security, the time it takes and the costs, has to change. It’s unfortunate, but it seems to have taken an incident like the one at Hollywood Presbyterian to highlight how information security actually aligns with the healthcare industry’s health-first ideals.

A New Precedent

The precedent has been set with this recent attack, and the people behind these ransomware campaigns, given that Hollywood Presbyterian paid the ransom, now know that attacking healthcare organizations is lucrative. Given the weeks of incident response required to strong-arm a computing environment away from attackers and recover operations, and the economic impact of such an endeavor, it’s no surprise that Hollywood Presbyterian paid. The incident exposed industry-wide neglect of information security and put a target on the backs of medical practices throughout the entire industry.

Blindly Accepting the Risk is Unacceptable

Is $17,000 a bargain compared to building an information security program and capability? Remember that these attackers will get bolder with their demands, and for an organization to accept risk based on that price is misguided. It should be expected that the demands will get higher as we see more of these incidents, especially if attackers begin to target healthcare specifically. The Hollywood Presbyterian incident should be seen for what it really was: a digital hostage situation. Preventing medical care is not much different from holding a gun to someone’s head. Once the magnitude of this comparison is realized, there will surely be more risk for the attackers by way of law enforcement, and the demands for reward will reflect that risk.

It’s time the healthcare industry took information security as seriously as something like infection control. Poor information security, just like poor hand hygiene, puts patients at risk. Patients expect sterile, safe environments in which to receive healthcare services, and in this digital age, that expectation should extend to the confidentiality, availability, and integrity of the systems, devices, and information managed by healthcare service providers.

5 Actions Necessary to Produce an Effective Information Security Program

If your organization is new to information security, or you have only a partially implemented information security capability, consider taking the following steps:

1: Identify Your Sensitive Data

Determine where your most sensitive and critical data is stored, whether that be in your data center, a server closet, a third-party service provider, or in the cloud. It is difficult to take a strategic approach to information security without knowing what you are protecting. Continuously maintain this awareness.

2: Inventory Your Critical Systems

Evaluate what systems and system components are storing, processing and transmitting your sensitive data, or are providing critical services to your operations. Understand the data flow, and know which systems present the highest risk to your operations as it relates to the confidentiality, availability, and integrity of those systems and the data they process.

3: Assess Your Risks

Assess your environment for risk. Anything from electronic records, physical media, and the availability of critical systems, services, or devices should be considered. Consider an independent assessment by a respected third party firm if internal resources and expertise are unavailable.

4: Implement Security Controls

Select, apply and manage security controls programmatically based on risk. The PC that cycles employee event information in the lobby is not as important as your electronic health record repository, where careful consideration of security controls should be taken.

5: Monitor Effectiveness

Periodically evaluate the effectiveness of your risk-based information security strategy, the security controls applied, and the proper implementation of security technologies proactively, and apply corrective actions, remediation, and lessons learned to ensure preparedness for the evolving threat landscape.

How Can CyberSheath Help?

In order to implement an effective information security program, a picture of your network must first be obtained.  Whatever your security needs are, CyberSheath can assist you along the way.  From conducting an information security assessment, to building a security program, let us help you secure your data. 

In a recent Wall Street Journal article, President Obama announced a new “Cybersecurity National Action Plan” which would increase federal cybersecurity funding to north of $19 billion. However, it is unclear whether any of this spending will actually be funded, as House Budget Committee Chairman Tom Price (R-GA) and Senate Budget Committee Chairman Mike Enzi (R-WY) have already declared that both committees will not hold a hearing to review the president’s FY 2017 Budget. Politics aside, it’s encouraging to see a dialogue happening at the highest levels of our government on such an important topic.

The Four Major Priorities that are Being Proposed

1: $3 Billion Fund to Kick-start an Overhaul of Federal Computer Systems

First, the President is proposing a $3 billion fund to kick-start an overhaul of federal computer systems and going forward, agencies will be required to increase protections for their most valued information and make it easier for them to update their networks. Additionally, he’s proposed creating a new federal position, Chief Information Security Officer, a position he notes that most major companies have already established. Of course the devil is in the details as to how the money is spent but in general the government, like most corporations, needs to invest more in cybersecurity. In our experience, the investment should prioritize people and process rather than the short-sighted rush to procure more tools supported by an already overworked staff following undocumented processes.

2: Stepping Up Efforts to Build a Corps of Cyber Professionals Across Government Agencies
Second, the President has proposed stepping up efforts to build a corps of cyber professionals across government agencies to push best practices at every level. This includes offering scholarships and forgiving student loans to recruit talent from Silicon Valley and across the private sector.  I’m sure loan forgiveness would be appreciated by many, but creatively funding internships, certifications or co-ops that would integrate classroom studies with professional work experience should also be considered to propel this effort to create cybersecurity practitioners.

3: Strengthening Partnerships with the Private Sector to Deter, Detect and Disrupt Threats

Third, the President is strengthening partnerships with the private sector to deter, detect and disrupt threats, including to the nation’s critical infrastructure. This has been an ongoing effort for several years and many of the team here at CyberSheath were a part of the initial efforts on this front in 2007 and 2008; I personally had the privilege of testifying before the House Armed Security Committee on the effectiveness of the Defense Industrial Base Cybersecurity Initiative. Ultimately those efforts matured and resulted in the most recent iteration, NIST 800-171,  which will become mandatory for tens of thousands of contractors in 2017. Having seen the potential for transformation firsthand we believe strongly in these partnerships.

4: Empower Americans to Protect themselves Online by Launching a New National Awareness Campaign

Lastly, the President wants to do more to empower Americans to protect themselves online by launching a new national awareness campaign to raise awareness of cyber threats and encourage more Americans to move beyond passwords—adding an extra layer of security like a fingerprint or codes sent to your cellphone. Done correctly this could collectively do a lot of good. Two-factor authentication technology is widely available and relatively easy to use so de-mystifying it and encouraging Americans to take advantage of the additional level of security it provides would be a welcome improvement.
Again, it’s unclear how much if any of these initiatives are tied to a proposed budget that may not even be reviewed but I am encouraged that the government continues to recognize the national security implications of cybersecurity and is doing something about it.

