there are no posts to show...

Helpful Resources


CyberSheath has attended multiple listening sessions and events with DoD leadership revealing more information regarding the DoD Cybersecurity Maturity Model Certification (CMMC).  I want to expand on our previous blog with the additional details and actionable plans on what DoD contractors need to do to prepare for the changes.

What We Understand about CMMC so Far

CMMC stands for “Cybersecurity Maturity Model Certification” and will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in Request for Proposals (RFP) sections L and M to be used as a “go / no go decision.” This means that instead of the ability to bid and win a contract and then comply post-award with cybersecurity requirements, DoD contractors will have to be certified to the CMMC level required in advance, pre-bid, to even be eligible to bid. DoD will determine the appropriate tier (i.e. not everything requires the highest level) for contracts they administer and the required CMMC level will be contained in sections L & M of the RFP making cybersecurity an “allowable cost” in DoD contracts. CMMC level requirements will begin appearing in DoD RFP’s as soon fall 2020 and Version 1.0 of the CMMC framework will be available January 2020 to support training requirements. In June 2020, the industry should begin to see the CMMC requirements as part of Requests for Information. DoD contractors are expected to begin achieving certification sometime after June 2020. That is less than 12 months away so if you have not started implementing the NIST 800-171 security requirements, you had better get moving.

How to Best Prepare for CMMC and Stay Eligible for DoD Contracts

All companies conducting business with the DoD must be certified. The level of certification required depends upon the Controlled Unclassified Information (CUI) a company handles or processes. The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes. If you have worked to implement NIST 800-171, your hard work will not go to waste. Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity and does not allow for self-certification. There will be no CMMC self-certification, instead, DoD contractors will coordinate directly with an accredited and independent third-party commercial certification organization to request and schedule your CMMC assessment.

Everything You Should Do to Effectively Prepare for Certification

All the information shared to date on CMMC maturity levels aligns with the implementation of the 110 security requirements of NIST 800-171. The DoD is building on and strengthening not abandoning NIST 800-171. While the specific maturity levels for individual contracts have not been determined it’s understood that implementing the NIST 800-171 security requirements is the best way to prepare for CMMC. Meeting your existing contractual requirements around DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting and NIST 800-171 implementation is how you prepare for CMMC.

Implementing the NIST 800-171 requirements includes writing a System Security Plan (SSP) and with 110 security requirements, you can expect to be out of compliance with some number of those individual requirements. For requirements not yet implemented you will need to also document Plans of Action & Milestones (POA&Ms). The heavy lifting is in implementing the security requirements as you prepare for CMMC and controls like Multi-Factor Authentication and Incident Response which require time to fully implement. DoD contractors, subcontractors and vendors taking a wait and see approach to CMMC are ignoring the last decade of clear warning signs that security has become the foundation of acquisition. Act now!

5 Steps to CMMC Preparation

Download our 5 Step Guide to CMMC Preparation to plan and enable certification as a documented, automated outcome of day-to-day operations. This easy to follow guide presents a plan you can follow to prepare for CMMC in a way that fits your business and budget.

5 Steps to CMMC Preparation

When shopping for a Managed Security Services Provider (MSSP), there are plenty of checklists that you can download to help funnel you right to that vendor’s particular product. This isn’t that blog post, although at some point I am sure we have published one too. While checklists are helpful in narrowing down the capabilities and tools that you want to add to your probably already too big portfolio of tools, the focus should really be on the services that you will be adding to your existing team.

Candidly, the capabilities are generally similar across MSSP’s and cover some kind of SIEM platform, monitoring, incident response (IR), vulnerability management (VM) and a number of other competencies that are bundled into a managed service offering. They are bundled in part because these are what the vast majority of business lack and need, but also because the bundling enables sales, at scale, for product vendors and MSSP’s. It’s been our experience that the material difference from one product vendor or MSSP to the next, in your favorite version of a Magic Quadrant, covers features and capabilities that don’t ultimately make your business more secure or compliant. Often, it’s a distinction without a difference, especially for a security program that is still struggling with the blocking and tackling of cybersecurity-related patching, asset management, and incident response. So, beyond checklists, “threat hunting” and “advanced intelligence platforms”, where should your business focus when trying to make a mid to long term commitment with your first or a new MSSP?

Where Should Your Business Focus When Deciding on an MSSP?

Start with service, as in the service your business specifically needs to extract value from the MSSP relationship. The service your business needs are, in fact, unique to your business. If it wasn’t, you could pick the first Google Ads result that comes up (which isn’t the best MSSP for your business, just the best MSSP at creating Google Adword campaigns on any given day). Instead of analysis that is overly focused on the most advanced capabilities and toolsets, it will pay dividends to meet with a potential MSSP and align their offering with your business requirements. Selecting an MSSP is a business decision, even if the vendor marketing is geared towards making it a technology decision. For example, if you are in a highly regulated industry like Defense Contracting, and NIST 800-171 compliance is fundamental to your ability to win business, your MSSP should have core expertise in delivering on these security requirements. The technology, SIEM, VM, IR, etc. are a given but the ability of your MSSP to enable documented, automated and auditable compliance with your customer requirements isn’t. Ultimately, the MSSP you choose in this scenario should make compliance a natural outcome of day-to-day security operations so that over time you can focus more resources on actual defense. What does this look like in practice?

Achieving Compliance as a Natural Outcome of Day-to-Day Security Operations

For most businesses, it doesn’t look like a laundry list of acronyms and industry jargon about threat intelligence and advanced threat hunting capabilities. It looks like an integrated team, your internal staff (to the extent you have one) and that of your MSSP, working together on a weekly basis to deliver measurable outcomes over time. The tools leveraged by your MSSP can produce beautiful charts and endless trends but the critical questions to answer relate to outcomes achieved. It’s nice that an MSSP can tell you the top 10 vulnerabilities in your environment, but the outcome you should be focused on is remediating those vulnerabilities. If your team is too busy to patch or otherwise remediate the “top 10 vulnerabilities”, you just end up with a pretty graphic that doesn’t make you more secure or compliant.

To drive outcomes, instead of charts and trendlines, you must have a regular cadence of meetings with your MSSP focused on the things that matter most at any given point in time to your business. Ideally, these meetings are weekly and are more aligned with the initiatives underway within IT and Security and not just focused on the tools that the MSSP brought to the party. In our experience, the MSSP relationship is a combination of managed services and staff augmentation. Staying with the same example of NIST 800-171 compliance, if you are struggling to implement all 110 security requirements then drive your MSSP to help at a minimum, but ideally lead the efforts. Eliminate redundant meetings for your already oversubscribed team by incorporating your compliance and operational project management meetings into your weekly MSSP meetings. Create an integrated project plan with specific accountabilities for your team and the MSSP. Your MSSP should be working on your agenda and not driving theirs. If implementing Multi-Factor Authentication or Privileged Account Management is an internal priority for your business, a great MSSP will make it a priority for their business.

Partnering with the Right MSSP for Your Business

None of this is easy, but nothing worth doing ever is. Contractually it’s hard to create this kind of defined yet flexible arrangement and it generally requires an acceptance that outside of the core service offerings there will be a shifting list of priorities that you are going to rely on your MSSP to tackle. Not every MSSP is going to have the staff or program management skills to partner this way. If you have had a series of successful engagements and measurable outcomes with a professional services partner that knows your people, processes, and technologies but doesn’t show up on the “Top MSSP” list of the day, weight your personal experience over the pay to play marketing that dominates our industry.

To better understand what it means to contract for Managed Security Services that matter and what that experience can look like for your business, schedule a 30-minute introductory call with CyberSheath today and start your journey by focusing on outcomes instead of checklists.


Every day, hackers and thieves are becoming more sophisticated, daring, and aggressive in their attempts to turn stolen data into substantial paydays. And with criminal entities regularly on the prowl for cyber weaknesses to exploit, it’s no wonder that the number of data breaches is growing at a record pace. Partially in response to this rise in cyber attacks, Ohio Attorney General Mike DeWine’s CyberOhio Initiative has introduced The Data Protection Act, signed into law by Governor John Kasich on August 3rd 2018.

Whereas most of the preceding cybersecurity legislation has sought to motivate businesses with punitive and disciplinary action, the DPA is a looking to take a new approach by giving companies a positive and confident push forward towards a more secure future.

The first law of its kind in the nation to provide an affirmative legal defense, the DPA is an absolute boon to any company involved the handling of sensitive data. Beneficial for all involved, it’s designed to inspire a proactive approach to cybersecurity to make the exchange of sensitive information safer and more comfortable for everyone.

The law incentivizes businesses to further protect themselves against cybersecurity risks by providing legal protection to those who deal with personal information in case of a breach, provided that they comply with a designated cybersecurity framework.

A Safe Harbor

Fairly or not, people affected by data breaches often look for a scapegoat. In many cases, they end up trying to hold the breached company liable for losses or damages they’ve incurred.

With even the smallest attack leaving a business vulnerable to serious legal consequences, this bill represents a valuable tool for those looking to limit their liability. Although it doesn’t provide immunity to your company if you comply, it does afford you a ‘safe harbor’ against tort claims that failed cybersecurity measures resulted in the data breach.

Both businesses and consumers should be set to benefit from this development as companies become more motivated to up their game and meet industry standards for cybersecurity.

How to Comply

As of November 2nd, 2018, your business can trigger the ‘safe harbor’ provided that you adopt a cybersecurity program designed to:

  • Protect the security and confidentiality of personal information;
  • Protect against any anticipated threats or hazards to the security or integrity of the personal information; and
  • Protect against unauthorized access to and acquisition of information that is likely to result in a material risk of identity theft or other fraud.

Since no two companies are alike, the law does acknowledge that the above guidelines are not meant to be a one-size-fits-all approach to cybersecurity. An effective program will have to be scaled to match:

  • The size, complexity, and nature of your business and its activities;
  • The level of sensitivity of the personal information your business possesses;
  • The cost and availability of tools to improve your security and reduce vulnerabilities; and
  • The resources your business has at its disposal to expand on cybersecurity.

Further guidance also advises businesses to ‘reasonably conform’ to one of the following industry-recognized frameworks:

  • The National Institute of Standards and Technology’s (NIST) Cybersecurity Frameworks;
  • NIST Special Publication 800-171, or Publications 800-53 and 800-53a;
  • The Federal Risk and Authorization Management Program (FedRAMP) Security Assessment Framework;
  • The International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards;
  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense;
  • The Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) for healthcare industry businesses subject to HIPAA oversight;
  • The Federal Information Security Modernization Act of 2014 (P.L. 113-283); and
  • The Safeguards Rule of the Gramm-Leach-Bliley Act, for certain financial institutions.

If you accept card payments, you’ll also have to comply with the Payment Card Industry’s Data Security Standards (PCI-DSS).

Challenges Ahead

Although guidelines have been provided, demonstrating full compliance may prove challenging since many of the specified frameworks lack standard certification processes.

Also, since some data security laws have more flexible requirements than others, questions remain over how to demonstrate complete conformity, or which aspects to comply with to ensure the best legal defense. For this reason, when attempting to implement frameworks, it’s a wise move to consult with cybersecurity experts like CyberSheath.

Our Managed Services enables compliance with the Ohio DPA to ensure comprehensive, framework based compliance. We’ll guide you through the process from assessment through remediation, integrating your existing people, processes, and technologies with your chosen frameworks.

A Win-win for Your Business and Your Customers

Not only will CyberSheath’s managed services help you to achieve full compliance and reduce your legal liability, but you’ll also see a demonstrable improvement to your day-to-day operational security — a true win-win for your business and your customers.


Cybersecurity at small and mid-sized businesses are often under-resourced with an “Army of One” approach to compliance and risk management. Compliance with regulatory requirements like DFARs 252.204-7012, HIPAA, PCI DSS, NERC CIP, Sarbanes Oxley (SOX) and more compete with actual cyber defense efforts to monitor, detect and respond to threats. Doing what you have always done, buying more products and surviving audits, isn’t effective and doesn’t scale. There is a better way and its effectiveness can be measured with contractual Service Level Agreements (SLA’s) that enable cybersecurity to be a force multiplier for your business.

Instead of hiring FTE’s and deploying one-off, point solution products that don’t integrate with existing investments, consider Managed Security Services that deliver:

  • Cloud-based security monitoring platform in one unified solution
  • Integrated security information and event management (SIEM) and log management
  • Asset discovery
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • Threat intelligence
  • Privileged account management
  • Automated and simplified regulatory compliance management

Just think about your infrastructure today. How many tools and products do you have spread across too few engineers without enough time to deploy, monitor and manage them? Do you feel like a SIEM solution is a luxury that a business your size can’t afford? Small and mid-sized businesses often have to make tough choices between resource allocation, and a SIEM solution rarely makes the cut because of cost and complexity. The irony is that a SIEM solution is a foundational investment that improves your ability to allocate resources, meet compliance requirements and defend your infrastructure. Coupled with Managed Security Services, the return on investment (ROI) for your business is measurable in a variety of ways.

Our partner, AlienVault, commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study that detailed the potential ROI organizations can realize by deploying the AlienVault Unified Security Management ® (USM) platform. The results aligned with our experience delivering managed services in the defense, financial, healthcare, technology and manufacturing industries. Here is what Forrester Consulting found:

Simplified compliance reporting for companies, resulting in nearly 6,000 hours of time-savings each year. Prior to adopting AlienVault USM Anywhere, key pieces of information had to be pulled from many different systems and consolidated into reports for the auditor. This process took nearly four months, but with AlienVault, onsite audits could be completed in one week as the compliance information and reports were readily available in real-time. This resulted in approximately 2,000 hours of time savings per audit and, on average, three audits were being held each year.

AlienVault USM Anywhere reduces the cost of incidents by improving threat detection and incident response time by 80%. Based on a 2017 study conducted by the Ponemon Institute, the probability that an organization will experience a breach greater than 1,000 records is 14%. However, with the deployment of USM Anywhere, the time to detect incidents was dramatically reduced, helping organizations identify and respond to attacks much faster. With 80% faster detection and response time, the impact and probability of a breach could be reduced.

An 80% security operations staff productivity improvement. Prior to adopting AlienVault solutions, organizations didn’t dedicate much time to daily monitoring tasks. On average, two to three investigations arose each week, which took the combined effort of two dedicated resources. After the deployment of AlienVault’s USM Anywhere platform, the security operations team was able to monitor and detect issues in real-time. This reduced the manual effort involved in investigative activities by 80% and allowed the resources to focus their time on more value-added tasks. “We are still responsible for monitoring alerts and logging, but it’s gone from hours per day to minutes. It allows us to focus on things like serving our customers, writing new code, and ultimately bringing more business in the door.”

Threat intelligence saves time and money. With AlienVault Labs threat intelligence, organizations no longer have to dedicate resources to sifting through multiple sources of information and bulletins to keep up with the latest intelligence. Now they can rely on the AlienVault Labs Security Research Team for continuous updates to threat correlation rules and directives. With the added benefit of not having to pay for an alternative threat intelligence subscription, the overall annual cost savings for the composite organization resulted in more than $40,000 per year.

The data from the study was clear, managed services save time and money by enabling more effective regulatory compliance and risk management. You’re probably already intuitively know that managed security services will be a game-changer for your organization and the data from the study only further strengthened your opinion. That said there are often at least two challenges to moving forward that businesses struggle with:

  1. Senior management doesn’t want to spend the money, I don’t care what your fancy study says.
  2. Managed Security Services Providers are like gas stations, there’s one on every corner and they all sell the same thing.

Getting past these barriers to realizing the benefits of managed services requires the same solution, selecting a Managed Security Services Provider that can push past them before you have spent any money. You will know when you have selected the right partner when they invest the time upfront to specifically show you how their services benefit your business. Candidly, management is right. Nobody cares what a vendor study says might happen at your business based on possibility. Your potential MSSP should be spending time documenting and demonstrating how their services will reduce risk and simplify compliance at your business. You will quickly be able to differentiate MSSP’s offering canned reporting and push-button threat detection from those with teams that span CISO through operations analyst level experience. You are buying a service and that service should have real people that can document and articulate the MSSP value specific to your business before you spend any money. Regardless of whether that takes two weeks or six months, you will know you have the right MSSP when they invest the time pre-sales to detail the value to your business.

Managed security services are the answer to your small and mid-sized business cybersecurity needs and selecting the right partner will be a force multiplier for your business.

Contact us today to learn how to save time and money with CyberSheath Managed Security Services.

Thanks to the increasingly sophisticated and aggressive cybersecurity threats facing the U.S., there has been much focus recently on reinforcing the nation’s cybersecurity. Much of this effort has revolved around strengthening the Department of Defense (DoD) supply chain.

The Defense Federal Acquisition Regulation Supplement, or DFARS, has been working to encourage DoD contractors to proactively comply with certain frameworks in order to achieve this goal. Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is the latest mandatory addition.

Under the Clause, all contractors must comply with the National Institute of Standards and Technology’s Special Publication 800-171 (NIST SP 800-171), a framework that lays out how contractors must protect sensitive defense information and report cybersecurity incidents.

The NIST framework requires you, as a defense contractor, to document how you have met the following requirements in particular:

• Security requirement 3.12.4 requires the contractor to develop, document, and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Security Requirement 3.12.2 requires the contractor to develop and implement Plans of Action designed to correct deficiencies and reduce or eliminate vulnerabilities in their systems.

Read more about implementing SSPs and POAs.

Under the Clause, DoD contractors are obliged to submit evidence of their compliance with NIST SP 800-171 to the U.S. Government. However, the Clause goes beyond NIST compliance and sets out additional rules for the protection of Covered Defense Information (CDI).

Supply Chain Management

DFARS Clause 252.204-7012 aims to encourage you, as a contractor, to take a proactive role in the protection of CDI. Not only are you required to demonstrate compliance within your own business, but in order to strengthen the entire supply chain, you must take steps to ensure that your subcontractors comply, too.

It is the responsibility of your subcontractors to inform you if their practices deviate in any way from the DFARS and NIST 800-171 guidelines, and it is your responsibility to demonstrate that an equally secure alternative practice is in place before you share CDI with that subcontractor.

Reporting Cybersecurity Incidents

A cybersecurity incident is defined as a breach of security protocols that negatively impacts, compromises, or endangers CDI held on your systems or networks, or those of your subcontractors.

In the event of a cybersecurity incident, your responsibility under DFARS Clause 252.204-7012 is to report the incident to the DoD within 72 hours. You must present the affected data and all related data covering the 90 days prior to the date of the report, along with any infected software. You must also conduct a thorough systems review and identify ways in which you will prevent future breaches.

In the event that a subcontractor experiences a cybersecurity incident, they must report it to you, or to the next highest tier of subcontractor, and present the evidence as required. As the prime contractor, you’re then required to report the incident to the DoD and submit the evidence, as detailed above.

Cloud Service Provision

If you offer your own cloud services as part of your DoD contract, then DFARS states that you must enact the safeguards set forth in the Cloud Computing Security Requirements Guide (SRG), unless waived by the Chief Information Officer of the DoD. If you use a third-party cloud service, then you’re required to ensure that your cloud service provider follows the security provisions therein.

Don’t Know Where to Start?

A quick look at documents like the above and it’s clear to see why some contractors are still struggling with compliance long after the December 31st, 2017 deadline has passed. It truly is a daunting task bringing your business into line with these extensive regulations, especially when the stakes are so high.

That’s where a Managed Services expert like CyberSheath comes in. We’ve helped defense contractors large and small to achieve comprehensive DFARS and NIST compliance.

Put Your Cybersecurity Compliance in Expert Hands

We’ll take the stress and the guesswork out of compliance by handling every step of the journey, from assessment and gap identification to the development of robust System Security Plans and Plans of Action. And because we’re always monitoring the evolution of DoD frameworks, we’ll continue to update your plans in line with regulatory changes to guarantee ongoing compliance.

Let CyberSheath help you to protect your valuable DoD contracts and remain competitive in the defense supply chain. Contact us now for a no-obligation discussion to find out how.


5 Steps to DFARS Compliance

Good hygiene habits are drilled into us from a young age, and for good reason! Neglect to wash your hands, take a shower, use deodorant, or brush your teeth, and you could find yourself friendless, dateless, and quite possibly sick.

While they probably won’t stop you getting a date, bad cyber hygiene habits can be just as harmful to your company’s health. They leave you, your clients, and your customers vulnerable to a host of threats, including hackers, viruses, data theft, and data loss. Ultimately, they can damage your reputation beyond repair and even land you in serious financial and legal trouble.

What is Good Cyber Hygiene?

You’ve presumably mastered the art of personal hygiene by now! But what does good cyber hygiene look like? First, let’s look at exactly why it’s necessary. There are two key reasons: performance and security.

Just like brushing and flossing every day keeps your teeth in optimum condition, good cyber hygiene keeps your IT systems working at peak performance. When your systems are functioning at their best, you’ll save valuable resources and deliver a great customer/client experience to boot. And more importantly, regular maintenance will help you to spot and close security gaps before they can be exploited.

Security threats like hacking, viruses, malware, spyware, and data theft are becoming more sophisticated by the day, and they have the potential to bring your business to its knees. Just as you can ward off illness and stay healthy with good personal hygiene, you can stay ahead of threats and minimize their impact on your business with solid cyber hygiene routines.

Now let’s talk about what these cyber hygiene routines look like in practice…

The 12-Step Program

At CyberSheath, we recommend a thorough 12-step routine for impeccable cyber hygiene. To be truly effective, this routine should be:

• Part of an official company security policy.
• Built into your organizational culture.
• Universally adopted across your business.

Why is this necessary? Well, you’re only as strong as your weakest link. It only takes one careless employee to leave your entire business vulnerable to malfunction or attack. By formalizing your routine, promoting a ‘security first’ culture, and encouraging widespread compliance, you’re sending a clear message that lapses are not an option.

The program begins with a fundamental step…

1. Take an inventory

In order to properly protect your assets, you first need to document them. The most efficient way to do this is to group them into three categories:

Hardware, such as computers, printers, scanners, smartphones, and tablets.
Software programs installed on your devices, such as web browsers or messaging systems.
Remotely hosted applications like cloud-based storage drives or smartphone apps.

Next, create an inventory of your assets under each of these categories and make a record of details like installation date, license expiry date, version number, date last used, and authorized users. This information will help you to identify security vulnerabilities, such as outdated software or unrestricted equipment usage.

2. Implement secure password practices

Password security is one of the easiest ways to practice cyber hygiene, but it’s also one of the most neglected. You’d be amazed just how much sensitive data is ‘protected’ with weak passwords such as… well, ‘password’!

Today’s computers, smartphones, and tablets come with security options ranging from simple text passwords to bio-recognition (think fingerprint and iris scanners), so there’s simply no excuse not to have your devices protected. The same applies to software and online applications, particularly those that are mission-critical or contain highly sensitive data.

The best text passwords are a complex mix of numbers, letters, and symbols, with no link to identifiable information like names, birthdays, or employee numbers. It’s important that they’re memorized, rather than written down, and they should never be shared. In fact, it’s good practice to incorporate a ‘no-sharing’ rule into your company’s formal code of conduct.

A final note on password security: encourage your team to log out of software, apps, and devices when not in use, especially if they’re leaving their desks.

3. Use multi-factor authentication

For particularly sensitive devices, programs, or applications, such as email accounts or mission-critical hardware, multi-factor (AKA two-step) authentication adds an extra layer of security.

After the user has entered their password, they’re typically required to enter another passcode, answer a question, or submit biometric information like a fingerprint in order to gain access. That means that, even if somebody does manage to obtain the user’s password, they still can’t access their accounts.

If you’re using a passcode, it’s good practice not to request the full code. Instead, ask for specific characters from the code at random. This reduces the risk of a malicious party obtaining the full code and gaining unauthorized access to your systems.

4. Keep up with software updates

We’re all guilty of ignoring those software update notifications when we’re in the middle of an important task. However, it’s essential to pay attention to these updates for several reasons.

Not only do updates increase the performance, functionality, and efficiency of your software, they usually include ‘fixes’ for security issues that have been identified after launch. If you fail to keep your software updated, you might find yourself missing out on great new features at best, and exposing yourself to serious security breaches at worst.

Another problem is that software developers often phase out support for previous versions of their software. In the same way that Apple will no longer help you with an iPhone 5, you may find that your developer will no longer be able to fix issues in software that’s five versions behind the most current one. If your essential software packs up and the developer can’t help you, where does that leave your business?

For peace of mind, resist the urge to snooze your software notifications, or even set them to automatic. Note that some malware can disable your automatic updates, so check back periodically just in case.

5. Patch up security holes regularly

Security vulnerabilities are often picked up by software developers between versions. Rather than leave their users exposed until the next update, developers will release ‘patches’ to protect them in the meantime.

Like software updates, patches are often neglected, but they’re one of the biggest security risks for your business. Think about it — if you know there’s a security hole, so do hackers. They then actively look for unpatched software that they can exploit.

Patching can be a tedious process, especially in larger organizations, but it really is worth taking the time to keep your software protected. That applies to the software on connected devices like printers, too.

6. Replace outdated hardware

Just like software, hardware is continually being updated and improved. And like software, falling behind on your hardware updates will leave you vulnerable to poor performance and avoidable security threats.

If you’ve identified outdated hardware in your inventory, update it now to maintain peak performance and full security compliance. If the hardware is no longer being used, disconnect it from your network and properly remove any sensitive data within it.

7. Control installations

Software downloads can be used as a vehicle to implant viruses, malware, and spyware on your systems. For that reason, it’s essential that users are not given free rein to install software on their company devices.

Develop a policy that governs which employees can install which software on which devices. You might decide that only certain groups of users are allowed to install software, or you might allow installations from trusted sources, or you might require that all installations are approved first. Whatever your specific policy looks like, it should be controlled centrally by you or your IT team, and not on an individual basis.

8. Limit users

In order to minimize the potential damage from a hacking or malware attack, it’s important to carefully control the level of access your employees have to devices and programs.

For example, if 200 of your employees can access a system, that’s 200 routes by which a hacker can enter that system. If only 100 of them actually need to use that system, you can cut your risk in half by restricting access to an ‘as-required’ basis.

If all 100 of those users have admin rights, that’s 100 opportunities for a hacker to inflict damage on your system. If you restrict admin rights to the 10 employees that need it, you’ve cut your risk again by 90%. You get the idea!

For each item in your inventory — hardware, software, and applications — evaluate which of your employees needs access, and what privileges they need within the system to in order to do their job. Everybody else should be restricted accordingly.

9. Back up data

Even with the very strictest of security, life still happens. Loss, damage, technical malfunction, sabotage, and theft can never be fully prevented, so make sure you have a reliable system for backing up your data — both yours and that of your clients and customers.

Ideally, you’ll have back-ups of your data in multiple formats and locations. Copies of digital data should be stored on an encrypted, cloud-based server, while copies of physical data and documents should be stored in a secure off-site location.

Build regular data back-ups into your security plan. If possible, automate the process to save time and money, and of course, to eliminate the risk of forgetting.

10. Invest in training and awareness

When it comes to keeping your business safe, knowledge truly is power, so take the time to identify knowledge gaps within your team and provide training as necessary. This will fortify your business from top to bottom, teaching everything from password etiquette and best-practice software usage to threat identification and crisis management.

11. Develop an incident response plan

Despite your best efforts, the worst has happened — you’ve been hacked. What do you do?

If you don’t have an answer to that question, then now’s the time to find one! The best incident response is the one that’s planned, rehearsed, and perfected ahead of time, ready to be rolled out seamlessly if and when disaster strikes.

Work with your IT team on developing responses to all possible threats you might face. Consider what actions will be needed, who will take responsibility for them, and whether they have the skills and knowledge necessary to do so. Make sure everyone understands their role and hold regular drills to keep the procedure fresh in everybody’s minds.

12. Employ a cybersecurity framework

For organizations that deal with particularly sensitive data — think government or defense suppliers, for example — it may be wise to consider adopting a more advanced security framework. Industry-standard protocols like the NIST Framework and the CIS Benchmark offer you standards, guidelines, and best practices to manage cybersecurity risks in critical environments, protecting both your business and your clients from a threat.

And finally, the Golden Rule…

If in Doubt, Leave It to the Experts

When it comes to cybersecurity, you can’t just wing it! If you don’t have the resources or the expertise to properly manage your security in-house, then don’t take the risk — outsource it to professionals.  A Managed Security Services Provider (MSSP) like CyberSheath can take all of the work and the worry out of cybersecurity. We already have the infrastructure and the experts in place, so we can quickly set up a bulletproof, fully staffed security system with minimal effort on your part.

CyberSheath’s MSSP is also one of the most cost-effective security options available to businesses like yours. We keep your costs consistent and predictable, which gives you much more control over your budget, and you benefit from the latest in security technology without having to invest in research and development.

To learn more about cyber hygiene and discuss how your business could benefit from the cost-effective, comprehensive protection of an MSSP, contact us now for a no-obligation discussion.

The December 31, 2017 deadline for achieving compliance with NIST 800-171 has come and gone. If you’re still not compliant, you’re at risk for penalties, and chances of winning future contracts and bids are at great risk. The good news is it’s not too late!

It’s understandable if you haven’t yet actually implemented the required NIST 800-171 security requirements. In the past, the DOD permitted businesses to choose a future date for implementing required security controls through the Plan of Actions & Milestones (POA&M) policy. As a result, businesses and organizations used POA&M merely as a simple checkbox system, which led to weak System Security Plans and stalled control implementations. Today, the DOD has upped their game by insisting on stronger cybersecurity practices among its business partners. They’ve moved to an enforcement phase for cybersecurity compliance and requirements with recently released DoD Guidance.

On April 24th, 2018 the U.S. Department of Defense released its draft “Guidance for Reviewing System Security Plans and the NIST SP-800-171 Security Requirements Not Yet Implemented.” The extensive document contains more stringent guidelines on exactly how the DOD will enforce and assess the implementation of security controls for awarding contracts and evaluating proposals. It also provides detailed recommendations for properly assessing System Security Plans (SSPs) and Plans of Action and Milestones (POA&M).

The DoD Guidance provides additional information on how they might penalize business partners who fail to adhere to new security rules, including penalties and not being awarded new contracts.

Failure to Implement the Required NIST 800-171 Controls will Lead to Lost Bids, Vendors and Revenue

For the best chances of new contract awards and superior contract performance in the competitive cybersecurity market, you need to implement the Security Controls and heightened information security requirements as outlined in NIST SP 800-171.

NIST has a set of 110 security requirements that stem from the NIST SP 800-53, which governs the cybersecurity standards for government systems. The new guidance was also designed to help businesses assess and prioritize the most effective ways for them to begin implementing these crucial 110 security controls specified in NIST SP 800-171.

The DOD has a new tactic for reviewing SSPs and security requirements not yet implemented, which is to assign risk scores to controls. For example, security controls that are considered high risk and haven’t been implemented pose an extremely high risk to the data being protected and your ability to win DoD contracts.

Security controls that haven’t been implemented are given a DOD Risk Value for each security requirement that ranges from the highest, which is 5 (highest risk and priority for implementation) to 1 (lowest risk and priority for implementation).

If you don’t meet the 110 security requirements, it will likely lead to losing potential contracts through poorly written SSPs and high-risk scores resulting from a failure to implement the required controls.

Relax. We’ve Got This!

At CyberSheath, we know that successfully implementing these new security controls can be a daunting undertaking for your organization. We’ve successfully assessed and implemented the required NIST 800-171 controls for organizations large and small in the defense industrial base supply chain. We’ll ensure your System Security Plan (SSP) and associated Plans of Action & Milestones (POA&M) are documented and fully implemented. Our cybersecurity experts will take care of all identified gaps in your information systems, schedule implementation of any outstanding items and ensure your organization is compliant with all of the latest requirements. We follow all DOD guidance to ensure review of SSPs and POA&Ms and “assist in prioritizing the implementation of security requirements not yet implemented.” After we have delivered a fully compliant solution we offer managed services to maintain your compliance and incorporate any updates from the DoD.

Contact CyberSheath today for a no-obligation phone consultation, and learn how we can ensure compliance with NIST SP 800-171 in five steps.

Managed Security Services are an extension of your security operations enabling 24×7 security operations center support and regulatory compliance. These services integrate your existing people, processes and technology to make security a force multiplier without the tremendous investment required to build the capability internally.

Instead of investing in the headcount, you can outsource key services to an Managed Security Services Provider (MSSP) as an extension of your existing operations. Advantages of managed security services include:

  • Consistent, known, and manageable costs with excellent return on investment
  • Ability to leverage innovations and stay at the front of the technology curve
  • Improved security and peace of mind knowing experts are proactively handling issues
  • Internal team members can focus on strategic projects

Businesses have endless options available as MSSP partners and the array of choices, industry jargon, and configurable service options can cause analysis paralysis. Without a team of security experts to vet vendor service offerings, the MSSP selection process is daunting. For tips on selecting an MSSP check out this blog post:

If you want someone to solve this problem for you using best-of-breed technology and professional services that have you up and running quickly, consider CyberSheath Managed Services leveraging AlienVault technology and shared intelligence.  AlienVault® Unified Security Management® (USM) delivered by CyberSheath is quickly becoming the go-to solution for businesses of all shapes and sizes.

Like our customers, CyberSheath had an endless set of choices when selecting a technology to deliver our managed security services, and we chose Alien Vault. In addition to being a SANS Premier Affiliate Member, AlienVault technologies have been recognized globally ( and we chose AlienVault as a way to enable less expensive, faster and more effective managed security services.

CyberSheath Managed Security Services leverage the AlienVault unified approach to security which includes:

Unified Security Management® (USM)

Simple and affordable centralized threat detection & incident response which integrates with your existing IT workflow for 24/7 security coverage.

Integrated Threat Intelligence

Actionable threat intelligence updates from AlienVault Labs delivered continuously to the USM platform ensuring you always get the latest threat intelligence.

Security Orchestration & Automation with AlienApps™

Easily extend threat detection & incident response to third-party products like Office 365, Service Now, and Cisco Umbrella.

CyberSheath tailored implementation of AlienVault technologies deliver five essential security capabilities in one platform:

The comprehensive solution provides complete cloud and on-premises monitoring. USM Anywhere cloud sensors natively monitor Amazon Web Services and Microsoft Azure Cloud and On-premises, virtual sensors run on VMware and Microsoft Hyper-V to monitor your physical and virtual IT infrastructure.

The “secret sauce” of leveraging AlienVault to deliver Asset Discovery, Vulnerability Assessment, Intrusion Detection, Behavioral Monitoring and SIEM and Log Management is partnering with an MSSP that has the flexibility to deliver what you need. CyberSheath delivers, monitors and manages AlienVault technologies, but we also monitor the many third-party products and widely-used technologies you’re already running so there’s no need to rip and replace.

Operational security enables compliance and CyberSheath tailors our MSSP services to enable immediate, tangible operational security improvements that facilitate regulatory compliance. Customized Alien Vault technology solutions mapped to your requirements make your business both secure and compliant. Chances are you don’t have the time or resources to manage compliance as a separate activity from securing your business, so we document the alignment between the two and deliver the services required to survive both an attack and an audit.

Delivering on the “service” part of being an MSSP is what differentiates CyberSheath from the dozens of other MSSP’s you can choose from. Of course, SLA’s are a part of every contract we write but there is an undocumented level of service that you get with CyberSheath that can’t be captured in an SLA. Unlike other providers, CyberSheath gives you access to a technical account executive who helps you solve new business challenges as they arise. When you are in the midst of an audit, deploying a new technology or just want to run something by an expert before briefing your boss, CyberSheath’s technical account executives answer your questions within the context of your existing business. We do it because we want to earn your business every day, not sell you more tools. Contact us today to learn more.

As an owner of a small or mid-sized business, you have endless options available as you partner with a Managed Security Services Provider (MSSP) to better secure your business. The array of choices, industry jargon, and configurable service options can leave you wondering if you left something on the table that you will later regret. Without a team of security experts to vet vendor service offerings, the selection process is even more daunting.

How can you simplify the process and ensure that you are getting everything you need to be secure and compliant?

Maximize Your Chance of Success When Selecting an MSSP

  1. Document your requirements
    • Increase your likelihood of getting what you need by taking the time to compile this list. It will make you a smarter buyer and tremendously help you find the right resource for your needs.
    • Note that this doesn’t have to be a detailed spreadsheet of operational capabilities and Service Level Agreements (SLAs). You may opt to start with compliance issues as most businesses have specific regulatory requirements that they must satisfy including DFARS NIST 800-171, Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), General Data Protection Regulation (GDPR), and many others.
    • Ask potential MSSP vendors how they can help your business to measure, satisfy, or simplify compliance with any of the above compliance requirements. MSSPs should possess in-depth knowledge of the requirements, use cases from existing customers, and references.
  2. Be ready to answer questions
    • Have a technical person and someone who understands your business available to answer questions around current security tools in place including how they are used, which users need what level of access, and existing business processes. A good MSSP will want to understand your business both in terms of your existing on-premise and cloud-based infrastructure and your actual business.
    • Trust your instincts and steer clear of sales pitches that focus on technology rather than your business requirements. Know that MSSPs who don’t ask the right questions and who push technology won’t be good long-term partners. There isn’t a tool on the planet that can make you secure. Ideally, your conversations will be with the MSSP operational staff rather than salespeople as operational folks will have the experience that can be applied to your business requirements.
  3. Make sure your MSSP enables security and compliance
    • Remember that operational security enables compliance. Drive your MSSP to explain how their proposed solution to your requirements can make your business both secure and compliant. Chances are you don’t have the time or resources to manage compliance as a separate activity from securing the company. Whatever you contract for should enable both operational security and compliance and the alignment between the two should be documented.
      • Example: If an MSSP is offering a Security Incident Event Management (SIEM) and log management capability, there should be a documented alignment of the capability delivered and your specific compliance requirements. You intuitively understand why you need a firewall and anti-virus protection, but make the MSSP demonstrate how that operational need maps to your compliance requirements to become a force multiplier.
    • Keep in mind that other examples of operational technologies that your MSSP should easily be able to map to your compliance requirements include:
      • Asset Discovery and Inventory
      • Vulnerability Assessment
      • Intrusion Detection
      • Behavioral Monitoring
      • SIEM and Log Management
  4. Vet your MSSP to ensure service delivery
    • Spend time examining your MSSP to be sure that you are they are going to deliver on the “service” part of being an MSSP. SLAs should be a part of your contract but there is an undocumented level of service that you should be getting from your MSSP that can’t be captured in an SLA.
    • Consider these things:
      • Are you comfortable with their technical expertise?
      • When you call, do you know if you’ll get a knowledgeable expert who goes the extra mile to solve your problems or a tier-one analyst who just opens a ticket?
      • When compliance questions relating to a business issue arise, will you find your MSSP to be a partner working with you to solve to problems?
      • Does the MSSP have clear value-added services that go beyond “management dashboards” that only demonstrate tools are being deployed?
    • Narrow your selection to responsive, service-oriented vendors during your procurement process. Many customers has been sold MSSP “services” that do little more than collect logs and monitor.
  5. Be diligent in checking references
    • Ask for references and take the time to call these contacts. Inquire about the reference’s experience during onboarding and delivery of services months after the sale was made. Is the MSSP still engaged and delivering value or do they only surface at contract renewal time?
    • See if your chosen MSSP has delivered any remediation or implementation projects as they are indicators of hands-on experience that will benefit your business. Ideally, references will be in the same business or industry as yours, but if everything else checks out this isn’t a necessity.

Partnering with an MSSP is a great way to secure your business infrastructure. To find out how quickly CyberSheath can enable 24/7 operational security and compliance reporting for your business, contact us at


As a small- or medium-sized business, you are faced with many challenges. How do you stay focused on your company’s core mission while scaling your organization’s infrastructure to accommodate growth and investing in the right technologies and solutions?

That’s where managed services come in. Instead of investing in the headcount, you can outsource key services to IT professionals focused on critical areas. Advantages of this approach include:

  • Consistent, known, and manageable costs with a good return on investment
  • Ability to leverage innovations and stay at the front of the technology curve
  • Improved security and peace of mind knowing experts are proactively handling issues
  • Internal team members can focus on strategic projects, furthering your company’s cause

How CyberSheath Can Help

You can rely on CyberSheath for your Managed Security Services or Governance, Risk, and Compliance needs. Partnering with other managed service providers while carving out our area of expertise means that you see no additional spend for licensing costs.

You need:CyberSheath offers:
A DFARS-compliant security management platform that monitors your cloud, hybrid cloud, and on-premises infrastructure to provide a unified approach to threat detection and compliance management

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.3.1, 3.3.4, 3.3.5, 3.3.6, and 3.3.8

Security Management Platform

  • Security Information and Event Management (SIEM) | Gathers and analyzes logs and event data from disparate security controls and devices across the network, and correlates them to identify related security events.
  • Vulnerability Management & Asset Discovery | Provides visibility into assets and user activity and identifies vulnerabilities across the environment.
  • Intrusion Detection System | Detects intrusions and monitors behavior to track events and establish a benchmark for normal conduct.
  • Threat Intelligence | Implements correlation rules, IDS signatures, vulnerability detection rules, and IP reputation updates to ensure the security management platform is appropriately maintained and detecting current threats.
A DFARS compliant incident response monitoring program that will continuously monitor your environment for malicious outsider threats as well as malicious and non-malicious insider threats.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.3.3, 3.6.1, 3.6.2, 3.14.3, 3.14.6, and 3.14.7

Incident Response Monitoring Managed Service

  • Comprehensively monitors and analyzes correlated alerts derived from log feeds of selected devices feeding into the SIEM solution. Monitoring will be provided by security experts to identify and respond to security threats.
  • Provides detailed notification and recommendation for containment, eradication, and recovery from security incidents as dictated in the organizational Incident Response Plan (IRP).
  • Creates, edits, and manages all details of the incident in a tracking solution until incident closure.
  • Tracks metrics for incident occurrences, time to resolution, and other critical measurements of the IRP.
  • Provides updates and improvements to the IRP based on after-action reports and lessons learned.
An identification and authentication service that complies with the DFARS security requirements for multi-factor authentication

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.5.3, 3.5.5, and 3.7.5

Multifactor Authentication (MFA) Managed Service

  • Secures access to accounts by offering a layered approach to security for your VPN, privileged accounts, and Covered Defense Information (CDI) systems.
  • Work with stakeholders and end-users to test the validity of MFA solutions against the in-scope systems and defined use-cases.
  • Deployment of the capability to the in-scope users and systems.
  • Develop and deliver training material for all in-scope users who will be required to use the MFA solution.
  • Work to resolve any system irregularities or issues with the MFA solution.
A mobile device management service for mobile devices that complies with the DFARS security requirements for systems which store, process, or transmit CDI.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.1.1, 3.1.8, 3.1.10, 3.1.18, 3.1.19, 3.8.6, 3.13.11, and 3.13.16

Mobile Device Management (MDM) Managed Service

  • Enforces security configuration and encryption for bring-your-own-device (BYOD) or company-provided mobile phones or tablets.
  • Work with stakeholders and end-users to test the capabilities of the mobile device management solution against the in-scope systems and defined use-cases.
  • Deployment of the capability to the in-scope users and systems.
  • Develop and deliver training material for all in-scope users.
  • Work with the organizations to administer the MDM solution as it relates to the provisioning and de-provisioning of mobile devices and users within the scoped environment.
An endpoint protection solution that complies with the DFARS security requirements for the protection of endpoints (client systems and servers) and removable media which store, process, or transmit CDI.

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.1.19, 3.8.6, 3.8.7, 3.13.11, 3.13.16, 3.14.2, 3.14.4, 3.14.5

Endpoint Protection Managed Service

  • Centralize management of anti-virus, anti-malware, and full disk encryption of the laptops, work stations, and servers.
  • Work with stakeholders and end-users to test the capabilities of the endpoint protection and encryption solutions against the in-scope systems.
  • Deployment of the capability to the in-scope users and systems.
  • Develop and deliver training material for all in-scope users who will be required to use the encryption solutions.
  • Work with the organization to administer the endpoint protection suite as it relates to the configuration and troubleshooting of systems within the scope environment.
A GRC program that enables the organization to track and maintain DFARS compliance after all remediation efforts have been completed

Needs to satisfy: NIST 800-171 Rev. 1 Requirements defined in sections 3.2.1, 3.2.2, 3.2.3, 3.4.1, 3.6.2, 3.12.3, 3.12.1, 3.12.3

Governance, Risk, and Compliance (GRC) Managed Service

  • Provides and maintains a repository of assets, threats, and pre-mapped controls, and assigns controls based on role throughout the organization.
  • Manages policy based on your organization’s unique risk profile, regulatory requirements, and best practice needs.
  • Inventories, tracks and manages of all vendor and service provider assessment activities.
  • Manages training with web-based information security awareness training in-line with DFARS security requirements.
  • Provides audit management with a streamlined verification process of IT security controls through defined audit workflows.
  • Identifies, tracks, and manages regulatory changes to ensure your organization maintains a state of compliance.

You can rely on CyberSheath to provide quality managed services for your IT security needs. Contact us to learn more about how we can help your organization.


Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Trace Security