CMMC for Small Businesses: Getting Ready for Compliance

Starting in Q1 2025, software providers in the DoD supply chain must align their security with CMMC 2.0 standards. While many enterprise customers have been spending that past year getting ready, the reality is that most businesses don’t share this level of preparedness–specifically, small businesses.  Meeting the challenges of a complex framework like CMMC can… Read More

Automapping Cybersecurity Controls to CMMC

CMMC is a crucial framework developed by the Department of Defense to enhance the cybersecurity posture of contractors within the Defense Industrial Base. The CMMC model is crucial for organizations dealing with Controlled Unclassified Information (CUI) because it ensures that these entities meet specific cybersecurity requirements to protect sensitive information.  More likely than not, however,… Read More

Risk Assessment Requirements for GDPR Compliance

Cybersecurity trends are moving from checklist compliance to comprehensive, risk-driven security. This is just as true in the European Union, where data subject privacy and security requirements are strict.  Fortunately, GDPR provides significant guidance on general risk management and specific risk assessment requirements. We’ll cover those requirements here.   

Integrating ISO 27001 with other ISO Standards: Preparing for Long-Term Security and Compliance

We are big believers in packaging your compliance needs into a single, effective standard within your organization. It doesn’t make any sense to double up on work, and streamlining compliance across multiple standards makes your efforts better and faster.  In light of that, we’re discussing how you can streamline some of your existing ISO compliance… Read More

The Common Criteria in Well-Known Security Frameworks

In today’s digital age, cybersecurity is not just a technical necessity but a critical compliance requirement. Organizations worldwide face rigorous regulations to safeguard sensitive data and maintain public trust.  The Common Criteria certification is a pivotal standard in cybersecurity compliance among these regulatory frameworks.  This article will discuss how CC plays a role in other,… Read More

The Digital Supply Chain and Security Flaws in the R Programming Language

We use “the digital supply chain” regularly because enterprise and government businesses rely heavily on it. The relationships between vendors, cloud providers, software, and customers are so deeply intertwined that it’s impossible to avoid the big picture–that security is a complex activity that can span dozens of entities.  A recently discovered flaw in the R… Read More

NVLAP Accreditation for Cybersecurity Labs

We’ve previously written about the importance of NVLAP Common Criteria accreditation for lab testing and validating products for use in high-risk industries. It’s probably unsurprising that we are markedly interested in cybersecurity labs’ requirements.  Here, we’re discussing NVLAP Common Criteria accreditation for cybersecurity labs–what it is, how it is unique for assessed labs, and some… Read More

The Kaiser Data Breach and the Importance of HIPAA for Vendor Relationships

Unfortunately, HIPAA data breaches are increasingly common. Kaiser Permanente, one of the largest healthcare insurance providers in the U.S., recently reported a massive exposure of millions of patient records (Protected Health Information, or PHI).  This unfortunate event also serves as a learning moment for companies who may not understand how to avoid such unintended consequences.… Read More

Understanding NVLAP Common Criteria Testing

Government agencies (and their vendors and partners) are increasingly entrusted with sensitive data. Accordingly, protecting critical infrastructure and cybersecurity are both top priorities. The tools they use must come from time-tested and verified protocols to ensure they are secure and not tampered with. In turn, this means that these tools must come from labs that… Read More

Controlled Unclassified Information: A Basic Introduction to CUI

We’ve written extensively about CMMC and NIST Special Publication 800-171, which cover the handling and protection of Controlled Unclassified Information (CUI). But what is CUI? How is it created, and why is it so important to protect? Here, we’re digging into CUI and why it’s integral to significant cybersecurity frameworks in the federal marketplace.   

CMMC and Level 2 Assessment Guidelines

Our previous articles on CMMC Level 1 certification focused on what organizations need to know when conducting self-assessments. These documents relied primarily on the fact that the contractor would do their assessments and reporting.  With Level 2 certification, the game changes. Not only are nearly all assessments performed by C3PAOs, but their requirements expand nearly… Read More

Performing Level 1 Self-Assessments Under CMMC Requirements

Our previous article discussed what it meant to scope your self-assessment while pursuing Level 1 Maturity under CMMC. This approach included identifying the boundaries of FCI-holding systems and comprehensively cataloging technology, people, and processes that play a part in that system.  Here, we take the next step and cover CIO guidelines for performing your self-assessment. … Read More

CAVP, FIPS, and Securing Cryptography Systems

Most security standards, including government standards, require cryptography. We are generally familiar with implementing a cryptographic algorithm that meets these requirements and calling it a day. However, to ensure security, NIST also publishes standards for validating encryption modules to ensure they serve their purpose under federal standards.  Here, we’re discussing the Cryptographic Algorithm Validation Program… Read More

CMMC and Scoping Level 1 Self-Assessments

One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance.  Here, we’re covering the CIO’s guidance… Read More

NIAP and Protection Profiles

IT security in the federal market is layered and multifaceted. Specific requirements exist for different types of data platforms and technologies. At a more granular level, standards have been developed for individual IT products: NIAP Protection Profiles. This article will cover why these profiles are essential for federal security, how to find them, and what… Read More

CVE-2024-3094 Utils and Vulnerabilities in Federal Linux Systems

Over the past week, a new vulnerability in the Linux operating system and the XZ compression utility has led to a new security alert and an immediate call to roll back some new updates. While this threat is a massive problem for federal IT systems relying on specific Linux distributions, it also highlights how poorly… Read More

The New Roadmap for FedRAMP

Recently, FedRAMP announced that, per stakeholder feedback, the federal market’s needs for cloud SaaS products are not being met. A significant part of this is the program’s bottleneck.  To address this issue, the Office of Management and Budget (OMB) has released a draft memo offering significant program changes, including updates to infrastructure, leadership, and authorization. … Read More

FedRAMP and Penetration Testing Guidance Updates in 2024

Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance standards target organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements. The new guidance addresses new attack vectors targeting subsystems in IT infrastructure.  Here, we’ll cover his newest… Read More

When Should You Work with a CMMC RPO vs. a C3PAO?

CMMC is a complex undertaking. Depending on where you are in your certification journey, you could require consulting, assessment, or both. Fortunately, the CMMC program includes training and authorization for two distinct types of organizations: Registered Provider Organizations (RPOs) and Certified Third-Party Assessment Organizations (C3PAOs), each offering different services.  We’re discussing these organizations and which… Read More