Understanding DoD Frameworks
The Department of Defense (DoD) provides the United States military with the forces needed to deter war and ensure the nation’s security. To accomplish this mission, the DoD partners with the Defense Industrial Base sector, which involves over 100,000 Defense Industrial Base companies and their subcontractors that provide essential materials and services to the DoD. This includes research and development, as well as designing, producing, delivering, and maintaining military weapons systems and their components or parts. Within the last decade, the DoD has worked continuously with the Defense Industrial Base sector to enhance the protection of Controlled Unclassified Information (CUI) on the unclassified networks of organizations within the sector.

What exactly is CUI and why does it need to be protected? The DoD defines CUI as: “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” To adequately safeguard CUI, the DoD has implemented several frameworks and contractual requirements that organizations within the Defense Industrial Base that handle CUI must implement and comply with. There are three main frameworks or contractual clauses that are currently being used, or are in the process of being implemented, to safeguard CUI:

The Defense Federal Acquisition Regulation Supplement, also known as DFARS, is the DoD’s supplement to the Federal Acquisition Regulation (FAR) and was published in December 2015. The primary objective of the DoD’s acquisition is to acquire quality supplies and services that satisfy users’ needs, with measurable improvements and operational support at a fair and reasonable price.
Within DFARS there is a set of cybersecurity requirements that DoD contractors must adhere to in order to obtain or maintain a DoD contract. This requirement is in section 252.204-7012 of DFARS and is titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The objective of this clause is to protect CUI and the flow of CUI on the contract holder’s information systems and networks. Under this clause, contractors within the Defense Industrial Base are required to provide adequate security on all covered contractor information systems.

The DoD requires that the contractor’s information systems and networks implement the security requirements of NIST SP 800-171, titled “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” This NIST publication is guidance for protecting the confidentiality of CUI when it resides on and flows through nonfederal organizations’ information systems. NIST SP 800-171 contains 110 security controls spread across 14 control families or domains, ranging from Access Control to System and Information Integrity. Implementation of the NIST SP 800-171 controls is recognized as adequate security against the loss, misuse, and unauthorized access to or modification of CUI.

On top of the NIST SP 800-171 controls, organizations also need to comply with additional requirements specific to DFARS section 252.204-7012. The main one is the Cyber Incident Reporting requirement: when a contractor discovers a cyber-related incident, the organization must conduct an investigation to determine the scope, impact, and results of the incident, and then submit a report of its findings to the DoD.
To comply with DFARS, all it takes is for an organization to self-attest that it complies, or will comply, with the security controls and requirements within DFARS. There is no certification process for NIST SP 800-171 or DFARS; it is all based on the honor system. It therefore did not take the DoD long to realize that, without a certification process, many organizations were performing self-assessments and claiming to be DFARS compliant without fully understanding the security controls or how to safeguard CUI within their information systems. This led to the creation of the CMMC.

The CMMC was released on January 31, 2020, and its intent is to incorporate a certification process into DFARS and use it as a requirement for contract award with the DoD. Much like DFARS, the purpose of the CMMC is to enhance the protection of CUI within the Defense Industrial Base. CMMC measures cybersecurity maturity with 5 levels, each consisting of a set of processes and security practices. There are a total of 171 security practices or controls across 17 control families, and 5 processes, within the CMMC model. Organizations within the Defense Industrial Base that handle CUI will be required to be at least CMMC level 3, which consists of all 110 controls from NIST SP 800-171 plus 20 other security practices specific to CMMC. Additionally, organizations will be required to implement 3 processes designed to mature the cybersecurity program.

A major difference between CMMC and DFARS is that CMMC requires assessments to be performed by third-party assessors only. Organizations are still responsible for implementing all of the cybersecurity requirements associated with the CMMC, but there are no more self-assessments as there were with DFARS.
All assessments must be performed by a CMMC Accreditation Body (CMMC-AB) approved assessor, and the assessment results are then sent to the CMMC-AB for review before a CMMC certification is awarded to the organization seeking certification.

Does your company have the right cybersecurity plan in place? Contact us for more information on how our customizable services may help protect your business.

Posted by Brendan Kenney
Cybersecurity: Where to Start (or Restart)
Every business, no matter the type or size, needs to take a proactive approach to cybersecurity. You do not want to find yourself questioning your business’s cybersecurity capabilities in the middle of a cyber incident or data breach. With a strong cybersecurity program in place, you will not only be able to respond to a cyber incident quickly and effectively should one occur, but also mitigate the risk of becoming a target for a cyber-attack in the first place. To develop an effective cybersecurity program for your company without requiring a lot of resources, here are some easy but effective initial steps you can take to protect your business’s sensitive data and core assets right now:

1. Harden Core Assets

System hardening is the process of securing a system by reducing the number of potential attack vectors, and with them the security risk. Some ways to secure your systems are limiting access to the system, regularly updating the system and its software, closing unused ports, removing unnecessary software, and collecting and reviewing audit logs. The Center for Internet Security (CIS) has published numerous benchmarks for different operating systems, software, network devices, mobile devices, and cloud providers; it is highly recommended that you start there for your system hardening needs.

2. Conduct Vulnerability Scans

Vulnerability scanning is the process of using automated tools to search for known vulnerabilities and provide details on what can occur if a vulnerability is exploited and, most importantly, how you can remediate it. There are two types of vulnerability scanning:

Internal vulnerability scanning deploys a scanning device on your internal network to search for vulnerabilities on other devices on the network.

External vulnerability scanning uses a scanner located outside your network to check your public-facing devices and websites for vulnerabilities.
It is highly recommended that an organization perform internal vulnerability scans at least quarterly, and external vulnerability scans at least once annually. Once vulnerabilities are discovered, technical teams should follow the guidance in the scan results to remediate them on your organization’s systems and network. (Nessus, OpenVAS, Qualys, and Nikto are just a few examples of free or cost-effective vulnerability scanning tools.)

3. Establish Proactive Security Defenses

Taking a proactive approach to cybersecurity has many advantages and is not as difficult as you may think. Here are some things you can do right now:

4. Adhere to a Cybersecurity Framework & Create Security Policy Documentation

Your organization should have security policy documentation that details the organization’s security requirements. A good security policy will:

The first step to creating effective security policy documentation is to identify and choose a cybersecurity framework that your organization wants to adhere to. There are many cybersecurity frameworks your organization can adopt to provide guidance for protecting your sensitive data and core assets. We recommend NIST Special Publication 800-171 r2 (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf). The publication also provides guidance on how to implement these best practices, so you can protect your information and organization.
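To make the hardening item above concrete, here is an added example (not DataSure24’s code, and not part of the original post) that checks two of the things the list names: services listening on network-reachable addresses outside an allow-list, and a few sshd_config settings. The `ss -tlnp` output and the sshd_config text are constructed samples embedded in the script; the expected SSH settings (PermitRootLogin no, PasswordAuthentication no, MaxAuthTries of 4 or fewer) are illustrative choices in the spirit of CIS-style SSH hardening rather than a quotation of any CIS benchmark, and the allow-list of ports 22 and 443 is an assumption about the sample host.

```python
"""Added example: a small hardening check over constructed sample data.

It flags (1) services listening on non-loopback addresses outside an
allow-list and (2) sshd_config directives that differ from a few
CIS-style expectations. Nothing here is DataSure24's code.
"""
import re
from dataclasses import dataclass

# Constructed sample of what `ss -tlnp` prints on a small server (not a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=990,fd=6))
LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("telnetd",pid=1201,fd=4))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1050,fd=20))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
"""

# Constructed sample sshd_config containing a couple of weak settings.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""

ALLOWED_PORTS = {22, 443}  # assumption: the only services this sample host should expose

# Illustrative expectations in the spirit of CIS-style SSH hardening; not a quote of any benchmark.
SSHD_EXPECTATIONS = {
    "PermitRootLogin": ("no", lambda v: v.lower() == "no"),
    "PasswordAuthentication": ("no", lambda v: v.lower() == "no"),
    "MaxAuthTries": ("4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
}


@dataclass(frozen=True)
class Finding:
    check: str   # "open-port" or "sshd-config"
    detail: str  # human-readable description for the remediation ticket


# Matches one LISTEN row of `ss -tlnp`: local address, port and the owning process name.
SS_ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"')


def unexpected_listeners(ss_output, allowed_ports):
    """Return a Finding for every network-reachable listener whose port is not allow-listed."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_ROW.match(line)
        if not m:
            continue  # header line or a row without process info
        addr, port, proc = m.group("addr"), int(m.group("port")), m.group("proc")
        if addr.startswith("127.") or addr in ("[::1]", "::1"):
            continue  # loopback-only services are not exposed to the network
        if port not in allowed_ports:
            findings.append(Finding("open-port", f"{proc} listens on {addr}:{port}, which is not allow-listed"))
    return findings


def sshd_config_findings(config_text, expectations):
    """Compare the effective sshd_config (first occurrence of a keyword wins, as in sshd) with expectations."""
    effective = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            effective.setdefault(parts[0], parts[1].strip())
    findings = []
    for key, (wanted, is_ok) in expectations.items():
        value = effective.get(key)
        if value is None:
            findings.append(Finding("sshd-config", f"{key} is not set explicitly (expected {wanted})"))
        elif not is_ok(value):
            findings.append(Finding("sshd-config", f"{key} is '{value}' (expected {wanted})"))
    return findings


def run_checks(ss_output=SAMPLE_SS_OUTPUT, config_text=SAMPLE_SSHD_CONFIG):
    """Run both checks and return the combined list of findings."""
    return unexpected_listeners(ss_output, ALLOWED_PORTS) + sshd_config_findings(config_text, SSHD_EXPECTATIONS)


if __name__ == "__main__":
    for f in run_checks():
        print(f"[{f.check}] {f.detail}")
```

On a real host, replace the constructed samples with the output of `ss -tlnp` and the contents of /etc/ssh/sshd_config, and extend the allow-list and expectations to match the CIS benchmark for your platform. Unexpected listeners map directly onto the “closing unused ports” and “removing unnecessary software” items above (the telnetd row in the sample is the kind of thing that should not be there), and each finding should be remediated and then rechecked as part of the regular review the post recommends.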
CMMC 2.0
In 2020, the manufacturing industry saw a 300% increase in cyberattacks and moved from the 8th most targeted industry by cybercriminals to the 2nd, behind only finance and insurance. That is not surprising, as manufacturing businesses harbor a wealth of information that hackers can use to extort millions. With more than 250,000 Defense Industrial Base (DIB) companies and subcontractors involved in work related to the U.S. Government, a data breach presents a significant threat to sensitive federal and unclassified information, as well as to national security.

Government agencies responded to the cyber threats by proposing stricter regulations for companies that protect sensitive data. In early 2020, the Cybersecurity Maturity Model Certification and the IoT Cybersecurity Act were both introduced to ensure minimum cybersecurity regulations for companies that work with government agencies. The CMMC defines the levels of cybersecurity required for DoD contractors to bid on and complete projects for the DoD. This certification ensures that all companies and subcontractors who supply the DoD establish a specific cybersecurity framework to protect the data the DoD entrusts to them.

Not surprisingly, there have been changes to the program since CMMC 1.0’s introduction in 2020. CMMC 2.0 includes five key changes to the program:

1. The CMMC now defines 3 levels of cybersecurity required for DoD contractors to bid on and complete projects for the DoD. (The new CMMC 2.0 levels are based on the type of information DIB companies handle.)

2. While CMMC 1.0 included 130 practices, CMMC 2.0, introduced in November 2021, is a 1:1 reflection of NIST SP 800-171, with 110 practices. The 20 practices added by the DoD have been removed.

3. CMMC 1.0 only let contractors and subcontractors pass with a perfect assessment score; there was no flexibility to remediate. CMMC 2.0 allows contractors and subcontractors to sign DoD contracts using a Plan of Action and Milestones (POAM).
Organizations that have not yet fully implemented NIST SP 800-171 can submit a solid plan for achieving full compliance, with specific dates and a timeline. This POAM is submitted before work begins and enables organizations to begin working for federal agencies while they work towards full implementation of 800-171.

4. Maturity level is no longer based on processes and policies, but on the practices used.

5. The maturity model was restructured from 5 levels to 3, to better reflect how mature and reliable a company’s cybersecurity infrastructure actually is.

As threats grow, and companies address the cybersecurity regulations enforced by NIST and outlined by recently introduced legislation, companies that fail to address cybersecurity will fall behind. Even worse, these unprepared organizations may become easy targets for cybercriminals. If you have any questions related to CMMC compliance, contact DataSure24 at info@datasure24.com.
The Safeguards Rule and its Impact on Financial Institutions
The Standards for Safeguarding Customer Information (Safeguards Rule) require covered financial companies to develop, implement, and maintain an information security program with administrative, technical, and physical safeguards designed to protect customer information. Additional requirements, related to Section 314.4, are slated to go into effect June 9, 2023.

Not all industries, or even all institutions within an industry, are subject to regulatory compliance. That doesn’t mean, however, that cybersecurity should not be a business priority. More importantly, business leaders must not confuse regulatory compliance with security. While non-compliance by financial institutions can result in fines, the stakes for a proper security program are much higher: unprepared organizations will become easy targets for cyberattacks. As mentioned in October’s Brainbytes, earlier this year the debt-collection company Professional Finance Company, Inc. reported a data breach which impacted 657 healthcare providers across the U.S. and 1.9 million patient records. Numerous high-profile data breaches and ransomware attacks have cost American businesses millions of dollars and affected the data of millions of customers.

What is PII?

In just the past 20 years, national and international data breaches have affected hundreds of millions of individuals. In fact, according to UpGuard, 10 of the most impactful data breaches in the United States’ financial services history together compromised the Personally Identifiable Information (PII) of more than 485 million people and almost 800,000 businesses. The breached data varied by attack, but together included almost a dozen different types. Armed with this information, a wide range of cybercrime is possible, including identity theft, ransomware attacks and malware injection. This makes it crucial to put an appropriate cybersecurity program in place for your business.
Again, when developing a program, it’s important not to confuse regulatory compliance with security. In addition to regulatory frameworks, organizations must implement additional cybersecurity systems that specifically address the vulnerabilities facilitating data breaches.

The Proper Way to Build a Cybersecurity Program

Ensure all of these steps are taken, and then checked and rechecked. Think of this as the rinse-and-repeat steps in program development and implementation. The goals of your plan:

Company decision makers, especially those with an in-house IT department, will likely look to do this internally, and it’s certainly possible. However, compliance is essential, so companies that don’t have dedicated IT personnel, or whose IT department lacks the experience, training, or manpower to oversee this program, need an alternative solution. Staff could do vulnerability scans and a qualified individual (i.e. lower-tier cybersecurity personnel) could serve as the CISO. But it’s difficult for internal security teams to be vigilant for insider threats when they are already exceeding their bandwidth with risk management tasks. Is it worth the risk for staff to take on program oversight as well?

Learn from the Mistakes of Others

Not sure what to include in your plan? Besides implementing a data protection solution specific to financial services, one of the best methods of mitigating data breaches is learning from the mistakes of others. In addition to security, software, and hardware updates, other important lessons to note are:

In general, good practices for better security should always include, but are not limited to, the following:

Posted by Katie Cassens
Incident Response Plans: A Tool in Your Arsenal Against Cyberattacks
Malware. Ransomware. Phishing. DDoS. Insider threat. Zero-day exploit. The number of cybersecurity attack incidents continues to increase exponentially. During the third quarter of 2022, internet users worldwide saw approximately 15 million data breaches, up 167% compared to the previous quarter. Small to medium-sized businesses were the likely targets, as these companies are three times more likely to be attacked by cybercriminals than large businesses and corporations. These attacks have the potential for costly disruptions to operations and the loss of critical information and data.

A former executive at a U.S.-based manufacturing company hit by a ransomware attack equated it to being “punched in the stomach and losing all the air in your diaphragm, and about four weeks later, learning how to breathe again.” The repercussions of an attack on a business can be strong, long-lasting and expensive. A quick and clean resolution is often unrealistic. Authorities discourage businesses from paying a ransom, as it can encourage further hacks and enrich cybercriminals. But some companies opt to pay off their attackers to stay in business. In recent cases:

Which Response is the Correct Response?

The answer lies in the company’s Incident Response Plan. According to DataSure24’s Chief Technology Officer Mark Musone, there is a huge gap in the knowledge of what to do when an intrusion occurs. That’s why it’s important for companies to work with cybersecurity professionals like DataSure24 when developing and implementing an Incident Response Plan. These companies can help ensure you have “all your ducks in a row.”
According to the National Institute of Standards and Technology, regarding an Incident Response Plan: “Incident response methodologies typically emphasize preparation—not only establishing an incident response capability so that the organization is ready to respond to incidents, but also preventing incidents by ensuring that systems, networks, and applications are sufficiently secure. Although the incident response team is not typically responsible for incident prevention, it is fundamental to the success of incident response programs.”

An Incident Response Plan should address ALL possible scenarios in response to a successful cyberattack. For example:

While it’s impossible to remove all security issues, an effective Incident Response Plan can mitigate the largest cybersecurity threats. Despite another record year of breaches (15 million data breaches between July and September 2022 alone, including SolarWinds, Colonial Pipeline and others), half of U.S. businesses still have not put a cybersecurity risk plan in place. Cybersecurity should always be a business priority. Unprepared organizations will become easy targets for cyberattacks. Now is the time to learn the potential cybersecurity risks for your business and build a complete cybersecurity plan.

Posted by Katie Cassens
(The More Things Change), the More They Stay the Same
Over the past two years, companies shifted their business models from survival mode back toward pre-pandemic operations. With the world in constant flux, however, it’s difficult to know exactly what will happen in 2023. We believe, however, that cybersecurity will become a priority in business operations. After high-profile data breaches at Google, Twitter, Uber, LinkedIn, and Rockstar Games, among others, it seems no company is immune to cybersecurity attacks. Cyberthieves are getting more sophisticated and cyberthreats are becoming more aggressive every day. Desperate for cash and resources, cyberthieves will continue to target small businesses, which often don’t have sufficient cybersecurity systems in place. Don’t be lulled into false confidence, however: high-profile businesses with insufficient cybersecurity systems, or lapses in them, are also vulnerable.

Going into 2023, businesses must take steps to develop security programming, or evaluate their existing programming and make the necessary changes. So, as you conduct year-end analyses, make sure you factor in the state of your business’s cybersecurity programming. If it isn’t already, cyber protection should become a “must-have,” not a “nice-to-have,” component of your business plan. As technology evolves, so does cybersecurity’s ability to protect a business from attacks and threats.

Company Leadership is Key

In order to build a cybersecurity program, there must be a shift by business leaders, and in some cases members of the Board of Directors, toward ownership of or buy-in to the program. Decision makers must view cybersecurity as central to business operations and build and evolve current and future business models to reflect this. This is vital for a successful program.
If members of leadership don’t support cybersecurity practices, there is little to no chance that employees will. Business leaders cannot protect their organization if they don’t know where the security gaps are and what is needed. It’s normal to compare your business operations with a competitor of similar size, location and assets. When it comes to cybersecurity, however, it’s important to develop and implement a plan based on the company’s individual security needs. Every organization is different, and will have different strengths, weaknesses, gaps, and areas in its cybersecurity programming that need help.

Think of cybersecurity as building a house: you must have a secure foundation in place before you build on top of it. Security should use multiple layers of prevention measures to safeguard assets. This includes defining policies and procedures, continuously testing them, educating staff, and measuring effectiveness for improved security operations. Building the correct foundation may mean going back to the basics. Questions to ask yourself:

Note: Do NOT confuse regulatory compliance with security. In addition to regulatory frameworks, organizations must implement additional cybersecurity systems that specifically address the vulnerabilities facilitating data breaches.

Along with a solid foundation, good policies and procedures help ensure that security programming is not only up-to-date, using the latest technologies where needed, but effective in safeguarding data and minimizing cyberthreats. Make sure those policies and procedures include, among other practices:

These regular practices, when built on top of a solid foundation, will make for a strong security program. It all comes back to cybersecurity. The more things change, the more they stay the same.

Posted by Katie Cassens
FTC Safeguards Rule
The deadline for complying with the FTC’s Safeguards Rule is June 9. That’s only 4 months away! Get all of your compliance ducks in a row ahead of the deadline: perform a risk assessment now, so you can prioritize the remediation and other requirements well before June 9. DataSure24 provides a variety of FTC compliance services, including: Call us at 716.600.3724 or email info@datasure24.com with any questions and/or to schedule a date and time to talk more about how DataSure24 can help your business comply with the FTC Safeguards Rule. For more on the FTC’s Safeguards Rule, go to DataSure24’s Compliance Page.
NCUA Letter to CUs
Stricter Regulations Impact Cybersecurity Audits
Last week, the Biden Administration released the National Cybersecurity Strategy to better accelerate efforts by the Federal Bureau of Investigation and the Department of Defense (DoD) to disrupt the activities of hackers and ransomware groups around the world. According to the New York Times, for years the government has pressed companies to voluntarily report intrusions in their systems and regularly patch their programs to fix newly discovered vulnerabilities. But the new National Cybersecurity Strategy concludes that such good-faith efforts are helpful but insufficient in a world of constant attempts by sophisticated hackers. The National Cybersecurity Strategy, along with increased accountability from regulatory bodies including the DoD, the National Credit Union Association (NCUA), and the Federal Trade Commission (FTC), would force companies to implement minimum cybersecurity measures for critical infrastructure.

The NCUA, for example, is already conducting stricter audits to ensure that covered entities meet regulatory standards. Effective February 1, 2023, NCUA examiners are auditing credit unions using its new Information Security Examination (ISE) procedures to identify and address information and cybersecurity risks. Requirements are based on credit union size, risk, and level of assets. Those found out of compliance may be penalized and fined.

What is a Cybersecurity Audit?

There are thousands of questions you could ask your internal team or your vendors about security. Identifying the most important ones will help you use your resources more efficiently and determine when it’s necessary to perform a cybersecurity audit or a cybersecurity assessment.
What is the difference between a Cybersecurity Audit and a Cybersecurity Assessment?

A cybersecurity audit and a cybersecurity assessment are both formal processes, but there are some key distinctions between the two:

What are the benefits of a cybersecurity audit?

A cybersecurity audit is used to find the presence of cybersecurity controls, such as firewalls and intrusion detection services, as well as physical security controls, and to validate that they are working correctly and that compliance requirements are met. Because an audit is conducted by an independent company, it provides customers and business partners with a level of assurance about an organization’s security posture.

How are Cybersecurity Audits like Vehicle Inspections?

Overall maintenance of a business’s cybersecurity program equates to maintenance of a motor vehicle. In this sense, regular cybersecurity assessments can be equated to regular service check-ups, and regular cybersecurity audits to regular vehicle inspections. Just as a vehicle inspection may help prevent the check engine light from coming on and your car breaking down, a cybersecurity audit will help ensure you have the protections in place if, and when, your systems have a breakdown. And if the NYS DMV, for example, implemented new or stricter regulations for state inspections, drivers would ensure compliance with them in order to pass inspection, correct? As mentioned in March’s BrainBytes, before you navigate the open road (the internet) with your company, have your vehicle (cybersecurity program) inspected. Think of it as being a safe driver and not causing undue harm to those around you (customers, vendors). Identify problems before they occur, and stay safe and secure out there.
Brainbytes
March 2023

The words annual check-up or vehicle inspection likely don’t elicit happy feelings. However, most of us recognize it’s just something we have to do. The same can be said for businesses facing regular regulatory audits.

March Brainbytes: Cybersecurity Audits and Vehicle Inspections (PDF)
