William (Tony) Cole

With an increase in consumer banking done online post-pandemic, and the current geopolitical situation, it’s important for the Public and Private sectors to share threat intelligence to stop bad actors and Secure the Internet.

5

No mention of defense contractors or CMMC in this new DoD playbook on cybersecurity reciprocity. This is written for the government's internal use. However, I'm happy to see evidence that DoD CIO is actively thinking about reciprocity. Reciprocity is different from inheritance. Inheritance is evaluated at a granular level - control by control, requirement by requirement. In general, it is much easier to evaluate inheritance than to evaluate reciprocity. Example of cybersecurity inheritance: Assessor: "Are you performing vulnerability scans to protect your CUI?" Defense contractor: I'm not, but my managed service provider is." Assessor: "Do you have proof that they are actually doing it?" Defense contractor: "They got assessed by an independent audit firm that confirmed they perform vulnerability scans of all their customers. Here is the audit report that shows it." Assessor: "I see that a reputable company did the assessment, they verified the same criteria that I want to see for vulnerability scans, the assessment was performed a few months ago, and that the assessment scope included the department that manages your systems. Looks good. You're "MET" for vulnerability scans." In comparison to inheritance, reciprocity is evaluated as a whole. For the CMMC program, the DoD decides which frameworks are "good enough" for reciprocity. An example of reciprocity: Assessor: "Is your cloud performing all the requirements in CMMC Level 2?" Defense contractor: "No, but it was certified against this other standard, which is pretty stringent too." Assessor: "Hey DoD, do you think that standard is good enough?" DoD: "Yup, we feel it meets or exceeds CMMC Level 2." Assessor: "OK, no further questions about your cloud." No mention of SOC-2 or ISO 27001 in this playbook. This confirms to me that it is very unlikely these will count for anything from a DoD reciprocity standpoint. FedRAMP is the only real candidate I see for CMMC Level 2 reciprocity, though even that isn't official at this point. Shameless plug: Want a double-check on your CMMC preps? Contact Kieri Solutions - Authorized C3PAO to get a Gap Analysis by a Lead Assessor with real world CMMC, 800-171, and Joint Surveillance experience. Nice find, ⚡️Jil Wright! #CMMC

51

6 Comments

GSA announced last week that, "Starting June 8, 2024, GSA will begin collecting Common [#SSDF Attestation] Forms for new contracts (including micro-purchases) and the exercise of contract options, that include the use of software, regardless of whether or not the software is considered critical." This is a major update because it means all vendors dealing with GSA or a GSA contracts must comply in June and NOT in September, like originally thought. #ZeroTrust, #CyberSecurity, #SoftwareDevelopment, #DepartmentOfDefense, #InfoSec, #NationalSecurity, #DefenseTech, #CyberDefense, #SecureSoftware, #MilitaryTechnology, #DevSecOps, #InformationSecurity, #CyberAwareness, #GovernmentTech, #CyberThreats, #TechInnovation, #DigitalTransformation, #CloudSecurity, #DataProtection, #NetworkSecurity, #SecurityArchitecture, #CyberResilience, #IdentityManagement, #Encryption, #Compliance, #SecureCoding, #CyberRiskManagement, #AIInCybersecurity, #ThreatIntelligence, #CriticalInfrastructure, #CyberLaw, #CyberEthics, #TechnologyLeadership, #PublicSectorInnovation, #TechGovernance, #SecureByDesign, #PrivacyByDesign, #MilitaryInnovation, #DefenseStrategies, #CyberWarfare, #CyberDiplomacy, #GovernmentContracting, #DefenseContractors, #MilitaryTec, #TechPolicy, #SecureInfrastructure, #NationalCybersecurity, #TechForDefense, #SecureDevelopment, #GovernmentIT 

16

2 Comments

Update on the #CMMC timeline!  During the April The Cyber AB Town hall, Matthew Travis pointed out that CFR 48, the procurement side of the rule, was returned to the DoD and not accepted for release for public comment. The rule was originally expected out for public comment in March 2024; however since it was returned to the DoD on Apr 8 the timeline is unclear. Matt speculated that it could be a simple clerical error that could be quickly addressed enabling the rule to be released for public comment in May 2024. Public comments for CFR 32, the CMMC Program rule, are being adjudicated by the DoD. CFR 32 is still expected to be released in fall of 2024. This rule establishes the CMMC Program and authorizes assessments to begin. Therefore, it is likely that assessments can begin prior to being mandated in contracts. This will give the DoD additional fuel for including CMMC in more contracts once CFR 48 is finalized since organization will have plenty of time to get ready. Will your organization be ready for an CMMC assessment in time to beat the rush to ensure you can bid on contracts when CFR 48 is finalized?

31

3 Comments

Expert analysis by Drew Schmitt, Practice Lead, GRIT at GuidePoint Security, on the evolution of #RaaS. With #ransomware groups adapting recruitment tactics, the cyber threat dynamic changes. Schmitt's investigation uncovers new affiliate strategies after #OperationCronos. Learn more in his interview with Help Net Security. https://okt.to/K0ecpO #CyberCrime

4

This is technically the right approach but converging software factories on to a single DevSecOps platform for programs that are in mature development and fielding is going to be a lot of retrofitting that is not trivial. An open standards and open architecture approach for interoperability is probably the best bet, but standardize on a common platform all new programs moving forward. Great to see CYBERCOM starting to take their acquisition authorities to the next phase. Our adversaries are not constrained by their acquisition bureaucracies.

34

If you are following along on the CUI program home game, you know that the CUI program was created to apply a consistent set of requirements across the entire Executive Branch of the federal government which define what is sensitive, unclassified information and how that information should be safeguarded and disseminated. These requirements are defined in 32 CFR 2002, which was published in 2016. When the United States Department of Defense first created DoDI 5200.48 back in 2016 (DoDI 5200.48 defines DoD's implementation of the CUI program), 32 CFR 2002 was pretty new and, understandably, the early version of 5200.48 had some inconsistencies. DoD released an updated version of DoDI 5200.48 about a year and a half ago, and it addressed some of those inconsistencies. DoD recently released an updated policy memo which makes some additional changes to 5200.48. https://lnkd.in/gmsySBBq Those changes have, unfortunately, created a bit of added confusion about when CUI can be disseminated to authorized holders, and especially when: a) the disseminator is a government contractor; and b) the authorized holders are not US persons. The CMMC Information Institute put together the flowchart, below, to try to help walk government contractors through when CUI can be disseminated to someone who is not a US person (or, really, anytime). Hopefully it is helpful!

56

14 Comments

In this video, we dive into the complexities of implementing NIST special publication 800-53 in a government organization. The redundancy of federal government entities struggle with reciprocity. We delve into the challenges of implementing NIST Special Publication 800-53 within a single organization and the complexities of replicating this process across different department How Compliance Scorecard dealt with redundancy when working across different government entities and leveraged our Governance as a Service SaaS platform can help. As MSP/IT professionals, we need to understand how these frameworks create operations across various government departments and entities. Heather Noggle and I have some words of wisdom #GovernmentOperations #NIST853 #FedRAMP #EfficiencyMatters #StreamliningProcesses #GovernmentCompliance #ITSecurity #Cybersecurity #DigitalTransformation #GovernmentWorkflow

22

1 Comment

DISA Expands Thunderdome Zero Trust Program Deployment; Brian Hermann, Quoted. ExecutiveGov discusses the Defense Information Systems Agency's (DISA) expansion of the Thunderdome zero trust program. In 2023, the program was deployed to 15 sites and plans are underway to extend it to 60 more sites in 2024. The program involves four key components: 🔐 Customer security stacks 🔗 Software-defined wide area networking 📴 Secure access service edge capability, and 💯 Application security stacks. Brian Hermann, DISA's director of the cybersecurity and analytics directorate, emphasized the program's role in advancing zero trust architecture, which is crucial for organizational security. DISA has also finalized the contracting process to support the U.S. Coast Guard’s network security improvement efforts through Thunderdome. Versa Networks is at the forefront of enhancing cybersecurity with their pivotal role in DISA's Thunderdome project. Their cutting-edge solutions are setting new standards in securing our nation's digital infrastructure. For more details, you can read the full article here:-https://lnkd.in/dNvErjXS #DISA #Thunderdome #ZeroTrust #Cybersecurity #versanetworks #channelpartners

2

1 Comment

Join us on Wednesday, May 29th at 8:30 AM to discover how CERT Ukraine and CISA work together to combat cyber threats! Limited tickets available - act fast! Link in bio for more details and to get tickets. #CERTUkraine #CISA #CyberDefense #Collaboration #CyberSecurity.

7

The base requirements of the CMMC are largely based on the security control families defined in the Federal Information Processing Standard Publication 200 (FIPS 200) and used in the National Institute for Standards and Technology Special Publication 800-53 (NIST SP 800-53) , the NIST Special Publication 800-171 (NIST SP 800-171) and the NIST Special Publication 800-171 (NIST SP 800-172). Within NIST S800-53, NIST SP 800-171, and NIST SP 800-172 security controls are grouped into families of a general security topic such as access control, or awareness & training. Control families are labeled by their full name and a unique two-character identifier to make the listing of controls within the family less tedious. For example, the access control family is referred to as “AC.” CMMC uses these same control families and two-character identifiers as the NIST documents. The complete set of CMMC domains currently contains 14 groups of controls, each with a unique two-letter identifier. See Figure 2.2: CMMC Cybersecurity Domains. From the CMMC Assessment Handbook - get your on Amazon: https://buff.ly/3X0VWns

6

SUMMARY: The NSA's Cybersecurity Collaboration Center offers free, proactive cybersecurity support to businesses and federal partners to combat advanced cyber threats. MAIN POINTS: - The CCC provides free threat intelligence and cybersecurity services to private companies with DOD contracts. - Services include threat analysis, mitigation guidance, and direct incident response assistance from NSA experts. - Small and medium-sized businesses can access high-level cybersecurity resources typically reserved for national security. TAKEAWAYS: - CCC aims to bolster public-private cybersecurity cooperation. - Over 1,000 industry partners have enrolled in CCC services. - CCC processes 70 million DNS queries daily, blocking billions of malicious activities. Bailey Bickley #ccc #nsa #dibservices #dib

146

8 Comments

Automated Continuous Assessments are the only way forward if we want to keep pace. Point in time assessments can’t provide the necessary assurance and significantly delay mission access to leading tech. It’s the same issue in Commercial and Jeff Buss makes a great point.

62

6 Comments

Thought provoking and wide-ranging panel on corporate security modernization that I had the honor to moderate. Armando Leon, CPP, PSP Michael A. Clancy Steven Meincke Barry Hopkins brought diverse insights from the public and private sectors, discussing AI and GANS, insider threat, relationships, biometrics, policy, and more. Thanks, Phelim Rowe!

58

8 Comments

Check out this article in Federal News Network, where SkillStorm Advisory Board Chair Suzette Kent discusses the critical need for cyber & cloud skills within the federal government. It is clear that a skills-based hiring approach (vs. rigid four-year degree requirements) is necessary to help close the tech skills gap while enabling the government and contractors to close the tech skills gap and keep the US on the cutting edge of technology. https://lnkd.in/g6pU95uR

20