Eric Noonan, Author at CyberSheath

A man sitting in a control room in front of computer monitors with maps and code on the screens

Managed Security Services That Matter

July 10, 2019 / 5 minutes of reading

When shopping for a Managed Security Services Provider (MSSP), there are plenty of checklists that you can download to help funnel you right to that vendor’s particular product. This isn’t that blog post, although at some point I am sure we have published one too. While checklists are helpful in narrowing down the capabilities and tools that you want to add to your probably already too big portfolio of tools, the focus should really be on the services that you will be adding to your existing team.

Managed Security Services That Matter Read More »

What 10 Years of Cybersecurity Across 8 Federal Agencies Means to You

July 1, 2019 / 6 minutes of reading

A recently released 10-month review consisting of 10 years’ worth of inspector general’s (IG) reports across eight federal agencies by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee found that “Agencies currently fail to comply with basic cybersecurity standards.” The full report can be found here and the major themes identified in the report highlighted yet again the fundamental work that isn’t being done to comply with basic cybersecurity standards. So why isn’t the work being done? Is it a lack of money, tools, people, all the above? Buried on page 46 of the report then-DHS CIO Richard Staropoli is quoted in a 2017 interview with the Subcommittee, on the state of the OCIO saying, “You can write this down and quote me, the problem is piss-poor management.”

That blunt assessment, it’s a management problem, is worth considering. Better outcomes can be achieved, across the Federal government and industry, with a disciplined, framework-based approach to cybersecurity. This approach and the guaranteed better outcomes that will follow require a recognition that many of the management disciplines inherent in other business supporting functions like finance and engineering are missing in cybersecurity. The problems in cybersecurity are different but the principles required to improve them are not.

What 10 Years of Cybersecurity Across 8 Federal Agencies Means to You Read More »

Complying with DOD Cybersecurity Requirements: What do NIST 800-171 Revision 2 and 800-171B Drafts Mean for Your Business?

June 24, 2019 / 3 minutes of reading

NIST 800-171 Revision 2 and 800-171B drafts were released for comment last week, and as expected there have been no major changes proposed to the controls in NIST 800-171 Revision 2. For DOD contractors waiting to implement the required security requirements of NIST 800-171 Revision 1 pending the latest updates, the proposed updates won’t buy you any time. The fact is enforcement is underway and compliance with DOD cybersecurity requirements is a go/no go decision if you are serious about being eligible to do business with the DOD.

Complying with DOD Cybersecurity Requirements: What do NIST 800-171 Revision 2 and 800-171B Drafts Mean for Your Business? Read More »

Beyond SSP’s and POA&Ms; Successfully Implementing the NIST 800-171 Security Requirements

June 18, 2019 / 3 minutes of reading

The recently announced Cybersecurity Maturity Model Certification (CMMC) scheduled for completion by January 2020 has many DOD contractors scrambling to anticipate how to prepare. While there are many unknowns regarding what the CMMC will ultimately look like, DOD contractors should focus on what is already known and currently mandatory with DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSP’s) and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is NIST 800-171 control implementation, is the best way to prepare for the CMMC.

Beyond SSP’s and POA&Ms; Successfully Implementing the NIST 800-171 Security Requirements Read More »

An aerial view of the pentagon with a computer code overlay

Recent News: Act Now to Achieve NIST 800-171 Compliance or Risk Your Ability to Contract with the DOD

June 14, 2019 / 3 minutes of reading

The window of opportunity for achieving compliance with DFARS 252.204-7012, which requires the implementation of NIST 800-171 across the DOD supply chain, continues to get smaller as the ability to self-certify is set to expire.

CyberSheath attended the Professional Service Council’s 2019 Federal Acquisition Conference where Special Assistant to DOD’s Assistant Secretary of Defense Acquisition for Cyber Katie Arrington stated clearly that “…cost, schedule, and performance cannot be traded for security.” Security is the foundation of defense acquisition.

Recent News: Act Now to Achieve NIST 800-171 Compliance or Risk Your Ability to Contract with the DOD Read More »

3 Reasons Why You Need a Privileged Access Risk Assessment

June 4, 2019 / 3 minutes of reading

Improve security posture and meet regulatory compliance by ensuring your privileged accounts are secure.

3 Reasons Why You Need a Privileged Access Risk Assessment Read More »

What is DFARS 252.204-7012 and NIST SP 800-171?

May 20, 2019 / 4 minutes of reading

With the Department of Defense (DOD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.

What is DFARS 252.204-7012 and NIST SP 800-171? Read More »

A man touching the screen with words security audit, an unlocked lock, and several lock icons.

Breaking News: Audits of DFARS clause 252.204-7012 are underway, Are You Ready?

February 15, 2019 / 4 minutes of reading

DOD has issued two additional guidance memoranda in the last 60 days further solidifying the DOD intent to enforce compliance. Contractors should be actively be addressing NIST 800-171 compliance.

Breaking News: Audits of DFARS clause 252.204-7012 are underway, Are You Ready? Read More »

A blue transparent gavel and block graphic overlaid with code

Compliance with DFARS 252.204-7012 & NIST 800-171; Expect 2019 to be the year of audit and enforcement

November 29, 2018 / 3 minutes of reading

In 2019 Prime and Subcontractors can expect to be audited against actual implementation the DFARS 252.204-7012 & NIST 800-171 security requirements. For those taking a wait and see approach to the impact of your ability to do business with the DOD without implementing NIST 800-171; you just got your answer, 2019 will be a year of reckoning for non-compliant Prime and subcontractors. With the ability to request a contractor’s plan to track flow down of Covered Defense Information (CDI) and request the contractor’s plan to assess the compliance of their own suppliers, Prime contractors are expected to document and demonstrate enforcement of their own supply chain’s compliance. If you have delayed documenting your SSP, POA&Ms or actually implementing the NIST 800-171 requirements, CyberSheath can lead your efforts to achieve compliance by conducting a gap assessment of your compliance with NIST 800-171, writing the required System Security Plan (SSP) and leading your implementation efforts.

Compliance with DFARS 252.204-7012 & NIST 800-171; Expect 2019 to be the year of audit and enforcement Read More »

Learn the Basics of Safeguarding Covered Defense Information and Cyber Incident Reporting

November 15, 2018 / 3 minutes of reading

As a subcontractor on a Department of Defense contract, you have likely had flow down requirements from your primes related to DFARS clause 252.204-7012, commonly referred to as NIST 800-171. Learn more about these two requirements and achieve compliance before the December 2017 mandate.

Learn the Basics of Safeguarding Covered Defense Information and Cyber Incident Reporting Read More »