An In-Depth Guide to SOC 2 Security Common Criteria

While typically not mandatory outside financial sectors, SOC 2 is a reliable security compliance model that any organization can follow. This can be seen in its security assessments, which include a robust list of “Common Criteria,” or broad areas of focus that any secure organization should follow. The recent revision of these criteria in 2023… Read More

What Is NIST 800-172 and Advanced Security Structures

The ongoing rise of state-sponsored Advanced Persistent Threats (APTs) has increased scrutiny of federal and state IT systems security systems. The latest version of CMMC includes a high-maturity level specifically designed to address these threats, which relies primarily on advanced security controls listed in NIST Special Publication 800-172.   

Leveraging Managed Security Service Providers for NIST 800-171 and CMMC Compliance in the Defense Supply Chain

The complex relationships between government agencies, third-party vendors, and managed service providers form a challenging web of connections that comprise the DoD digital supply chain. Both NIST 800-171 and CMMC address these at various points, expecting providers to adhere to complex security requirements. These requirements can become so complex that they may turn to Managed… Read More

CMMC, NIST 800-172, and Advanced Persistent Threats

As organizations move up the CMMC maturity model, they do so for one reason: to prepare themselves better to protect against Advanced Persistent Threats (APTs). These threats are a significant problem in the defense supply chain, and as such, CMMC leans heavily on NIST 800-171 and 800-172 to address them.  This article introduces how these… Read More

Third-Party Vendor Security and PCI DSS 

We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of digital economies, it’s up to the client businesses to ensure they work with vendors that meet their needs.  Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re… Read More

What Is Post-Quantum Cryptography and Apple’s PQ3?

The existence of quantum computers on the horizon has shaken the cryptography world, and researchers and scientists have received a massive response to build feasible Post-Quantum Cryptography (PCQ). Recently, Apple has taken an enormous step forward by announcing their own PCQ systems, PQ3, in Apple devices.  Learn more about PCQ and Apple’s announcement and the… Read More

Incident Response and the Responsibility of Your Organization for Protecting Data

As the recent Ivanti security breaches indicate, the existence of a strong and effective incident response isn’t an option but a necessity. An incident response plan (IRP) is essential to prepare an organization to respond to any security incident effectively and on time. This plan spells out processes that an organization should undergo in case… Read More

What Is A Data Privacy Impact Assessment (DPIA)?

New data security regulations include, or foreground, the role of data privacy in compliance. Many of these, like GDPR and CCPA, make data privacy a primary concern and expect businesses to meet stringent requirements about protecting the integrity of consumers’ Personally Identifiable Data (PII). One practice stemming from GDPR requirements is the Data Privacy Impact… Read More

What Is FTC Safeguards Rule Compliance?

The protection of consumer information is one of the major concerns of the businesses involved in nearly any sector of the economy, particularly financial institutions. The Federal Trade Commission (FTC) Safeguards Rule is a critical requirement for these organizations. It provides specific requirements for certain financial institutions, including a plan for ensuring compliance with the… Read More

What Are Security Control Assessor-Validator (SCA-V) Services?

Security Control Assessor-Validator (SCA-V) services are a core part of many compliance frameworks, and any agency proposing to offer these services will often provide a common set of expertise, certifications, and knowledge to support their customers.  Here, we’re covering the basics of SCA services and what you should look for when signing on with a… Read More

What Is the European Cybersecurity Certification Scheme for Cloud Services (EUCS)

The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is an initiative to establish a unified certification process for cloud services across the EU. Cloud services and associated managed services are critical to most government and business functions, and the EU follows the example of other jurisdictions in focusing explicitly on this area of cybersecurity… Read More

Understanding API Security

One of the fastest-growing security attack surfaces is the Application Programming Interface (API). These functions allow programmers to tap into distributed services like data retrieval or social media broadcasting, vastly expanding the interoperability of different software tools. Accordingly, because API access often requires connecting to or using sensitive data, this presents significant security risks.  We’re… Read More

Security, Integrity, and SaaS Solutions

Software-as-a-Service (SaaS) is, for better or worse, the model of modern software distribution and use. There are many benefits to this arrangement, but there are also significant security issues. Unfortunately, these security issues are ever-evolving and target almost every managed service provider on the market.  This article touches on some foundational realities, challenges, and considerations… Read More

Rhysida and the Growth of Ransomware in 2023

Ransomware isn’t going anywhere… in fact, it’s only growing. As several studies show, the threat of ransomware associated with attacks like phishing and APTs is only increasing, and hacking groups are leveraging ransoms to generate significant revenue while also threatening proprietary data.  The latest threat, the Rhysida malware, is just the latest of these threats… Read More

Understanding GDPR in the Financial Sector

When considering security and finance, we typically consider regulations like PCI DSS, SOX, or FINRA. But if you’re a company doing business in Europe, there’s another framework you need to consider–GDPR. This set of regulations not only governs the exchange of consumer data but also has a massive impact on how financial organizations navigate commerce… Read More

StateRAMP, System Security Plans, and the Operational Control Matrix

StateRAMP is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and FedRAMP is the System Security Plan (SSP), which represents the provider’s security controls, compliance perimeter, and capabilities.  In Revision 5,… Read More

What Is Isolated Identity Management, and Do You Need It For Federal Compliance?

Identity management is one of the more essential aspects of cybersecurity. Attackers will regularly target Identity and Access Management (IAM) systems to find ways to secure them, and security experts must implement new countermeasures to protect against these incursions. One of these is isolated identity management. In this article, we’ll cover the practice of isolated… Read More

What Are Core Documents for StateRAMP Authorization?

StateRAMP, much like FedRAMP, includes a series of documents that the cloud provider and their 3PAO must complete before they are fully authorized. These documents align with several stages of the assessment process and provide regulating authorities with the proof they need to see that the cloud offering meets requirements.  Here, we summarize the documents… Read More

Shadow IT and the Foundational Threat to Cybersecurity

Companies can only monitor some of the pieces of software that their employees use. It’s inevitable, then, that those employees will start to kludge together their solutions through personal software or freeware from the Internet.  This is such a problem that Splunk recently rated shadow IT as one of the top 50 threats to cybersecurity… Read More