Integrating ISO 27001 with other ISO Standards: Preparing for Long-Term Security and Compliance

We are big believers in packaging your compliance needs into a single, effective program within your organization. It doesn’t make any sense to double up on work, and streamlining compliance across multiple standards makes your efforts better and faster. In light of that, we’re discussing how you can streamline some of your existing ISO compliance…

The Common Criteria in Well-Known Security Frameworks

In today’s digital age, cybersecurity is not just a technical necessity but a critical compliance requirement. Organizations worldwide face rigorous regulations to safeguard sensitive data and maintain public trust. Among these regulatory frameworks, Common Criteria (CC) certification is a pivotal standard for cybersecurity compliance. This article will discuss how CC plays a role in other,…

The Digital Supply Chain and Security Flaws in the R Programming Language

We use the term “the digital supply chain” regularly because enterprise and government organizations rely heavily on it. The relationships between vendors, cloud providers, software, and customers are so deeply intertwined that it’s impossible to avoid the big picture: security is a complex activity that can span dozens of entities. A recently discovered flaw in the R…

NVLAP Accreditation for Cybersecurity Labs

We’ve previously written about the importance of NVLAP Common Criteria accreditation for labs that test and validate products for use in high-risk industries, so it’s probably unsurprising that we are particularly interested in the requirements placed on cybersecurity labs. Here, we’re discussing NVLAP Common Criteria accreditation for cybersecurity labs: what it is, how it is unique for assessed labs, and some…

An In-Depth Guide to SOC 2 Security Common Criteria

While SOC 2 is a voluntary attestation rather than a regulatory mandate, it is a reliable security compliance model that any organization can follow. This can be seen in its security assessments, which are organized around a robust list of “Common Criteria,” broad areas of focus that any secure organization should address. The recent revision of these criteria in 2023…

What Is NIST 800-172 and Advanced Security Structures

The ongoing rise of state-sponsored Advanced Persistent Threats (APTs) has increased scrutiny of the security of federal and state IT systems. The latest version of CMMC includes a high-maturity level specifically designed to address these threats, which relies primarily on the enhanced security requirements listed in NIST Special Publication 800-172.

Leveraging Managed Security Service Providers for NIST 800-171 and CMMC Compliance in the Defense Supply Chain

The complex relationships between government agencies, third-party vendors, and managed service providers form a challenging web of connections that makes up the DoD digital supply chain. Both NIST 800-171 and CMMC address these relationships at various points, expecting providers to adhere to complex security requirements. These requirements can become so complex that contractors may turn to Managed…

Third-Party Vendor Security and PCI DSS 

We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of the digital economy, it’s up to client businesses to ensure that the vendors they work with meet their needs. Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re…

What Are Security Control Assessor-Validator (SCA-V) Services?

Security Control Assessor-Validator (SCA-V) services are a core part of many compliance frameworks, and any firm offering these services should provide a common set of expertise, certifications, and knowledge to support its customers. Here, we’re covering the basics of SCA-V services and what you should look for when signing on with a…

What Is the European Cybersecurity Certification Scheme for Cloud Services (EUCS)?

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is an initiative to establish a unified certification process for cloud services across the EU. Cloud services and associated managed services are critical to most government and business functions, and the EU follows the example of other jurisdictions in focusing explicitly on this area of cybersecurity…

Understanding API Security

One of the fastest-growing attack surfaces is the Application Programming Interface (API). APIs allow programmers to tap into distributed services like data retrieval or social media broadcasting, vastly expanding the interoperability of different software tools. Because API access often means connecting to or handling sensitive data, APIs present significant security risks. We’re…

Security, Integrity, and SaaS Solutions

Software-as-a-Service (SaaS) is, for better or worse, the model of modern software distribution and use. There are many benefits to this arrangement, but there are also significant security issues. Unfortunately, these security issues are ever-evolving and target almost every managed service provider on the market. This article touches on some foundational realities, challenges, and considerations…

StateRAMP, System Security Plans, and the Operational Control Matrix

StateRAMP is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents in both StateRAMP and FedRAMP is the System Security Plan (SSP), which documents the provider’s security controls, compliance perimeter (the authorization boundary), and capabilities. In Revision 5,…

Shadow IT and the Foundational Threat to Cybersecurity

Companies can only monitor some of the software their employees use. It’s inevitable, then, that those employees will start to kludge together their own solutions from personal software or freeware downloaded from the Internet. This is such a problem that Splunk recently rated shadow IT as one of the top 50 threats to cybersecurity…

What Is the Open Security Controls Assessment Language (OSCAL)?

There’s recently been a push within FedRAMP to modernize the framework to meet modern security challenges and better align federal security standards across agencies and technologies. Part of this push is standardizing how security controls are measured and assessed, and the most recent blog post from FedRAMP mentions a machine-readable standard for doing so: OSCAL. Here, we will discuss OSCAL,…

Non-Human Access Vulnerabilities and Modern Cybersecurity

The advent of non-human identities–encompassing service accounts, application IDs, machine identities, and more–has reshaped the cybersecurity landscape, introducing a new dimension of vulnerabilities and attack vectors. While useful, these digital entities are an increasingly vulnerable spot on which attackers focus their resources. This article will cover this relatively new attack vector, how attackers leverage new technology to…

Logging Requirements for Federal Agencies and the Importance of Logging for Cybersecurity

A new report shines a light on some unfortunate news in the world of federal cybersecurity. According to the U.S. Government Accountability Office (GAO), only three of 23 federal agencies have met the logging requirements established under Executive Order 14028. In this article, we’re talking about this executive order and what it calls…

Promoting a Culture of Cybersecurity Awareness in Your Organization

The cybersecurity landscape isn’t getting any easier for any business, large or small. With high-profile cyber attacks making headlines, from ransomware attacks crippling global infrastructure to data breaches compromising millions of users’ personal information, the stakes for major corporations have never been higher. While offering unprecedented opportunities, the digital realm also presents a minefield of…

Security Operations Centers, MSSPs, and Outsourced Security

The Security Operations Center (SOC) is central to any modern defense strategy: a dedicated hub for monitoring, detecting, and responding to security incidents. But as businesses grapple with whether to establish an in-house SOC or outsource to a specialized Managed Security Service Provider (MSSP), many considerations come into play. In this article, we discuss the complexities of these…

What Role Is AI Playing in Cybersecurity in 2023?

The development of AI has been a game-changer for nearly everyone, and the world of cybersecurity is no exception. New AI-powered threats are reshaping traditional attack vectors such as social engineering, as well as defensive domains such as cryptography and prevention. In this article, we’re discussing how, in the so-called AI Boom of 2023, cybersecurity is being shaped…