Amira Armond’s Post

It will be interesting to see how this impacts #CMMC, especially internationally. Haven't had a chance to read it yet, but I'm looking forward to it! #cyber #cybersecurity #reciprocity #informationsecurity #infosec #DoD #NIST #NIST800171 #CMMC2

Announcement: DoD Cybersecurity Reciprocity Playbook Released The Department of Defense CIO has announced the public release of the DoD Cybersecurity Reciprocity Playbook. This essential document provides comprehensive guidance on employing cybersecurity reciprocity within DoD systems. The playbook includes: 🔍 A precise definition of cybersecurity reciprocity ⚖️ An analysis of its benefits and risks 📚 Practical use cases to demonstrate its application This playbook is a valuable resource for cybersecurity professionals engaged with DoD systems. Explore the full playbook here! #Cybersecurity #DoD #Reciprocity #InformationSecurity #DoDCIO

Interesting publication by Office of DoD CIO. Well worth reading even if you do not do business with US Government. The principles are general.

Here is the long awaited DOD Reciprocity Playbook!

DoD CIO announces the public release of the DoD Cybersecurity Reciprocity Playbook. This playbook, referenced in the DSD's Reciprocity Memo, provides guidance for employing cybersecurity reciprocity in DoD systems. It defines reciprocity as it relates to cybersecurity, discusses the benefits and risks, and includes example possible use cases. For more information read the playbook here: https://lnkd.in/e4K3d8DQ

The DoD Chief Information Officer released the DoD Cybersecurity Reciprocity Playbook today. It's a highly readable document but probably takes more time to read than LinkedIn's estimate of 39 minutes... Even though the DoD has been working on reciprocity for years (DoD CIO issued a memo in Oct 2016 emphasizing that reciprocity is the default for assessment and authorization of a system already deployed), its great that the concept is being reemphasized. One key point: It's all about context. This is underscored in Section 3: "Reciprocity is not a passive acceptance of security assessments, certifications, or authorizations from other entities without careful consideration, and comprehensive review of the context, risk factors, sensitivity of the data, and relevance to the specific systems or networks within its purview. Instead, reciprocity involves a thoughtful, risk-based assessment process and a careful examination of the BoE (body of evidence) to determine their applicability and suitability within a specific security landscape. In essence, reciprocity emphasizes the importance of maintaining a strong security posture while maximizing efficiency through the re-use of the BoE. Thus reciprocity demands a discerning approach that safeguards the integrity of its systems, while leveraging the insights and efforts of trusted partners to enhance its cybersecurity resilience." The document goes on to say "Reciprocity is designed to expedite authorization through the re-use of assessments and artifacts, which leads to cost reduction. Executed appropriately, reciprocity reduces redundant testing, assessment, and documentation, and the associated costs in time and resources." Reciprocity is not a panacea or a one-size-fits-all solution; reciprocity is simply another tool in the toolbox for cybersecurity professionals to employ. #cybersecurity #rmf #innovativeAF

We all know reciprocity is good. However, we also know the devils in the details. This is a very interesting document.

would like to see a little bit more stick, but its a start (still a slow process) Receiving AOs have the right to refuse participating in reciprocity with another organization due to insufficient content demonstrating an informed understanding of the security posture, risk assessment of the system, and the rationale for the risk determination as defined on the RMF KS, or due to excessive risk to the enclave or site, as determined by the site AO. However, the Receiving AO must document and report this refusal to the Granting organization’s AO within 10 business days. If a refusal does occur, both organizations will continue to work, and re-work, the ATO package to reach an agreement, if at all possible. When AOs cannot reach an agreement to leverage re-use and reciprocity, both parties must use the following resolution process to gain assistance in resolving the impasse: 1. If a conflict arises, due to reciprocity refusal there should be an attempt to resolve it at the AO level. This could include, but not limited to, the Granting AO conducting new assessments. 2. If the conflict cannot be resolved at the AO level, the RMF TAG Secretariat will be notified and the RMF TAG Chair will attempt to mediate the dispute as appropriate. 3. If the RMF TAG Chair cannot reach a resolution, the issue will be taken to the AO Council, chaired by the DoD CISO, who will serve as a mediator for the dispute. 

"Failing to leverage reciprocity to the greatest extent possible can lead to redundant and resource-intensive efforts. Without recognizing the assessments conducted by other entities, the organization might be compelled to undertake its own comprehensive evaluations of systems and networks, even when similar assessments have already been performed by trusted partners. This results in a wasteful allocation of time, manpower, and financial resources, hindering the organization’s ability to efficiently manage and enhance its cybersecurity posture." Haven't read the whole playbook yet, but jumping straight to the above quote, I am excited to see the emphasis on reciprocity being pushed from the highest levels. This will make us better as a DoD, and hopefully will help some future action officers to not have as many late nights trying to de-mystify the ATO.

After reviewing more than a year’s worth of community feedback, NIST has released a Draft of The NIST Cybersecurity Framework (CSF) 2.0 for public comment! This draft represents a major update to the CSF—a resource first released in 2014 to help organizations reduce cybersecurity risk. The draft update reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice for all organizations. The CSF 2.0 draft reflects several major changes, including an expanded scope, the addition of a sixth function, Govern, and improved and expanded guidance on implementing the CSF—especially for creating profiles.