When we discuss cybersecurity, it’s most often done in the context of audits, assessments, or certifications. However, specific systems and components require more stringent testing standards, ensuring that the technology functions correctly and securely after construction or during ongoing operational use. To support the testing and assurance of these components, the National Institutes of Standards… Read More
Providers looking into StateRAMP authentication standards may find themselves staring into a stack of requirements documents across multiple security frameworks and government contexts. Not only is this unhelpful for these providers, but it also makes the process sound much more intimidating than it needs to be. In this article, we’ll take a high-level view of… Read More
Penetration tests sometimes seem like an extreme measure that ultra-secure companies take to fend off the most formidable threats. However, any company wanting to get serious about cybersecurity and compliance will sometimes run against the practice. This is similar to when working with the federal government. Here, we’ll discuss FedRAMP and penetration testing requirements.
FedRAMP Authorization is a complicated undertaking due in no small part to the layers of requirements that cloud offerings must meet throughout the process. As part of the government’s turn to more comprehensive security, FedRAMP requirements include significant risk management standards that all providers must meet.
Regarding cybersecurity and compliance, there is a massive benefit in having a deep field of providers and offerings that can serve large federal customers alongside smaller offerings that can serve the state, local, and municipal customers. It’s essential, however, to ensure that maintaining a competitive marketplace doesn’t compromise security. This means helping small or young… Read More
There are two clear paths through FedRAMP Authorization–the agency path and the much less-common Joint Authorization Board (JAB) path. While much more rigorous, this second course opens up several critical doors for cloud offerings that provide real and significant value to various federal agencies. However, the JAB path is exclusive and requires that cloud service… Read More
When it comes to managing FedRAMP-compliant systems, it helps to understand the entirety of the system that will fall under this jurisdiction. Unfortunately, with the complexity of cloud systems being what they are, mapping out IT systems with the right granularity can provide a challenge. This is why FedRAMP guides determining an organization’s authorization boundary.
Last week, we discussed the process for Agency Authorization under FedRAMP guidelines. This route is, by far, the most common form of Authorization and one that most cloud providers will engage with. However, there are several use cases where a provider may seek more rigorous assessment to better open doors to serve with agencies across… Read More
Cloud computing and modern service models of software or infrastructure distribution present a problem to providers and customers alike–namely, how to properly assess and certify components in a way that considers the relationship between different modules, platforms, and apps. FedRAMP requirements define how assessors and Authorization approach different cloud offering service models to mitigate the… Read More
As cloud service providers pursue their FedRAMP authorization process, they face a significant choice stemming from their ultimate goals in the federal space. This decision is based on how they are pursuing their working relationships with federal agencies and how well the provider is prepared for the rigorous FedRAMP assessment process. When a provider enters… Read More
When we talk about scans, tests, and authorization in the context of StateRAMP assessment, we tend to think that the process (and all its moving parts) are relatively stable and predictable. And, for the most part, this thinking is correct. However, it’s normal, and in some ways expected, to run into issues where scans and… Read More
Plagiarism isn’t new, and the proliferation of shady websites and questionable decisions from search engine giant Google has led to sinister and sometimes silly evolutions in what fraudsters can do with the theft of someone’s intellectual property. According to Plagiarism Daily, we’re seeing a new outgrowth of plagiarism creep up on us. Gone are the… Read More
Ongoing maintenance and upkeep are a cornerstone of all cybersecurity regulations and frameworks. And for a good reason. The rapidly changing threat landscape that businesses and government agencies face daily necessitates an ever-vigilant approach to cybersecurity. Vulnerability scanning is an important part of compliance and security across almost every data-driven industry. Here, we’re discussing what StateRAMP… Read More
We’ve covered several areas regarding data privacy and security. These discussions have covered private security frameworks, government-enforced regulations, and guidelines shoring up IT security for federal and national defense agencies and contractors. Another area of security and data privacy is law enforcement. Unsurprisingly, law enforcement and other national security agencies would handle private information, and… Read More
Words like cybersecurity and compliance are often interchangeable without much care taken with how they differ. But make no mistake: while they are related practices, both are different approaches to a common problem of cybersecurity threats. Here we break down the differences and, more importantly, why these differences are important for when you have to… Read More
As Cloud Service Providers (CSPs) work with State agencies, many of them are undergoing StateRAMP certification. Fortunately, StateRAMP is much like FedRAMP in that it follows several of the same guidelines, requirements, and process structures. Here, we’ll break down one of the basic aspects of StateRAMP Impact Levels. The StateRAMP Impact level directly relates to… Read More
Coronavirus-related Phishing Scams and Attacks on the rise Cybercriminals have been taking advantage of the coronavirus outbreak to target people with phishing scams and malware in the guise of information relevant to the disease. These attacks typically take the form of malicious apps, phishing emails, and phony websites. In addition, the US government has been… Read More
The Evolving Need for PCI DSS Compliance. The current COVID-19 pandemic has dramatically accelerated a trend that was already on the rise — a move toward many new forms of electronic payment that involve capturing and transmitting credit card data. Businesses have moved online-only transactions during this crisis, and many consumers don’t want to handle… Read More
Dark data doesn’t just cost organizations money; it also damages their cybersecurity and compliance postures Server rooms filled with digital files may look neater than the paper file rooms of old, but they’re not necessarily more organized, and “dark data” lurks around every corner. Sixty percent of respondents to a survey by big data software… Read More
A new Ponemon report on SMB cyber security reveals the top challenges and threats facing global small and medium-sized businesses If you think your company is too small to be hacked, think again. According to a new report on SMB cyber security by the Ponemon Institute and Keeper Security, 66% of small and medium-sized businesses… Read More
NIST proposes a Secure Software Development Framework to address software supply chain attacks Applying software updates and patches as soon as possible is a cyber security best practice, but what if an update contains malicious code inserted by a hacker? Software supply chain attacks are a serious and growing problem for both private-sector organizations and… Read More
Formjacking allows hackers to steal payment card data and other information submitted through online forms As individuals become more savvy about avoiding phishing emails, and enterprises get better at filtering them out before they ever reach employees’ inboxes, it’s become more difficult for hackers to infect enterprise systems with ransomware and cryptojacking malware. Companies are… Read More
Hackers Can Use DICOM Bug to Hide Malware in Medical Images DICOM bug enables hackers to insert fully functioning executable code into medical images A newly discovered design flaw in DICOM, a three-decade-old medical imaging standard, could be used to deliver malware inside what appears to be an innocuous image file, a researcher from Cylera… Read More
Dragonblood flaws in WPA3 impact the very technology that was supposed to make it safer than WPA2. Last year, the Wi-Fi Alliance announced the launch of the WPA3 WiFi security standard, which was developed to eliminate a number of security problems with WPA2. One of the major defense measures in WPA3 is the Simultaneous Authentication… Read More