Cybersecurity

A header image for DFARS Deadline with a person touching a screen

Recent DOD Audit on Controlled Unclassified Information Finds Contractors Not Secure

/ 5 minutes of reading

Have contractors implemented the NIST 800-171 controls? DOD Inspector General (IG) audit suggests not, recommends third-party audits. Are you ready?

A recent audit conducted in response to a request from the Secretary of Defense determined that DOD contractors did not consistently implement DOD‑mandated system security controls for safeguarding Defense information. Specifically, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors that maintain Controlled Unclassified Information (CUI) to implement security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, which lists security requirements for safeguarding sensitive information on non-Federal information systems. The requirements include controls for user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.

Recent DOD Audit on Controlled Unclassified Information Finds Contractors Not Secure Read More »

A blue hourglass icon with code behind it.

Everything You Should Do to Effectively Prepare for Cybersecurity Maturity Model Certification (CMMC)

/ 4 minutes of reading

CyberSheath has attended multiple listening sessions and events with DOD leadership revealing more information regarding the DOD Cybersecurity Maturity Model Certification (CMMC).  I want to expand on our previous blog with the additional details and actionable plans on what DOD contractors need to do to prepare for the changes.

What We Understand about CMMC so Far

CMMC stands for “Cybersecurity Maturity Model Certification” and will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in Request for Proposals (RFP) sections L and M to be used as a “go / no go decision.” This means that instead of the ability to bid and win a contract and then comply post-award with cybersecurity requirements, DOD contractors will have to be certified to the CMMC level required in advance, pre-bid, to even be eligible to bid.

Everything You Should Do to Effectively Prepare for Cybersecurity Maturity Model Certification (CMMC) Read More »

A man sitting in a control room in front of computer monitors with maps and code on the screens

Managed Security Services That Matter

/ 5 minutes of reading

When shopping for a Managed Security Services Provider (MSSP), there are plenty of checklists that you can download to help funnel you right to that vendor’s particular product. This isn’t that blog post, although at some point I am sure we have published one too. While checklists are helpful in narrowing down the capabilities and tools that you want to add to your probably already too big portfolio of tools, the focus should really be on the services that you will be adding to your existing team.

Managed Security Services That Matter Read More »

Cybersecurity

What 10 Years of Cybersecurity Across 8 Federal Agencies Means to You

/ 6 minutes of reading

A recently released 10-month review consisting of 10 years’ worth of inspector general’s (IG) reports across eight federal agencies by the Permanent Subcommittee on Investigations of the Senate Homeland Security Committee found that “Agencies currently fail to comply with basic cybersecurity standards.” The full report can be found here and the major themes identified in the report highlighted yet again the fundamental work that isn’t being done to comply with basic cybersecurity standards. So why isn’t the work being done? Is it a lack of money, tools, people, all the above? Buried on page 46 of the report then-DHS CIO Richard Staropoli is quoted in a 2017 interview with the Subcommittee, on the state of the OCIO saying, “You can write this down and quote me, the problem is piss-poor management.”

That blunt assessment, it’s a management problem, is worth considering. Better outcomes can be achieved, across the Federal government and industry, with a disciplined, framework-based approach to cybersecurity. This approach and the guaranteed better outcomes that will follow require a recognition that many of the management disciplines inherent in other business supporting functions like finance and engineering are missing in cybersecurity. The problems in cybersecurity are different but the principles required to improve them are not.

What 10 Years of Cybersecurity Across 8 Federal Agencies Means to You Read More »

Complying with DOD Cybersecurity Requirements: What do NIST 800-171 Revision 2 and 800-171B Drafts Mean for Your Business?

/ 3 minutes of reading

NIST 800-171 Revision 2 and 800-171B drafts were released for comment last week, and as expected there have been no major changes proposed to the controls in NIST 800-171 Revision 2. For DOD contractors waiting to implement the required security requirements of NIST 800-171 Revision 1 pending the latest updates, the proposed updates won’t buy you any time. The fact is enforcement is underway and compliance with DOD cybersecurity requirements is a go/no go decision if you are serious about being eligible to do business with the DOD.

Complying with DOD Cybersecurity Requirements: What do NIST 800-171 Revision 2 and 800-171B Drafts Mean for Your Business? Read More »

Checklists

Beyond SSP’s and POA&Ms; Successfully Implementing the NIST 800-171 Security Requirements

/ 3 minutes of reading

The recently announced Cybersecurity Maturity Model Certification (CMMC) scheduled for completion by January 2020 has many DOD contractors scrambling to anticipate how to prepare. While there are many unknowns regarding what the CMMC will ultimately look like, DOD contractors should focus on what is already known and currently mandatory with DFARS 252.204-7012, which requires the implementation of NIST 800-171. Stop trying to read the tea leaves and doing the bare minimum by writing System Security Plans (SSP’s) and start implementing the 110 security requirements of NIST 800-171. Demonstrable action, that is NIST 800-171 control implementation, is the best way to prepare for the CMMC.

Beyond SSP’s and POA&Ms; Successfully Implementing the NIST 800-171 Security Requirements Read More »

An aerial view of the pentagon with a computer code overlay

Recent News: Act Now to Achieve NIST 800-171 Compliance or Risk Your Ability to Contract with the DOD

/ 3 minutes of reading

The window of opportunity for achieving compliance with DFARS 252.204-7012, which requires the implementation of NIST 800-171 across the DOD supply chain, continues to get smaller as the ability to self-certify is set to expire.

CyberSheath attended the Professional Service Council’s 2019 Federal Acquisition Conference where Special Assistant to DOD’s Assistant Secretary of Defense Acquisition for Cyber Katie Arrington stated clearly that “…cost, schedule, and performance cannot be traded for security.” Security is the foundation of defense acquisition.

Recent News: Act Now to Achieve NIST 800-171 Compliance or Risk Your Ability to Contract with the DOD Read More »

An open envelope with three fish hooks falling out on top of another envelope with the '@' symbol

4 Steps to Protect Your Business from Spear Phishing

/ 5 minutes of reading

You may have heard of phishing, which is the practice of sending fraudulent texts or emails that appear to come from a legitimate source, with the intention of encouraging the recipient to provide personal information.

Businesses have been struggling to protect their networks from phishing, and with attacks up 65% in the past year, it seems the fight is far from over. To make matters worse, a more sophisticated and destructive offshoot of phishing has recently emerged — spear phishing.

4 Steps to Protect Your Business from Spear Phishing Read More »