Most security standards, including government standards, require cryptography. We are generally familiar with implementing a cryptographic algorithm that meets these requirements and calling it a day. However, to ensure security, NIST also publishes standards for validating encryption modules to ensure they serve their purpose under federal standards. Here, we’re discussing the Cryptographic Algorithm Validation Program… Read More
CMMC and Scoping Level 1 Self-Assessments
One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance. Here, we’re covering the CIO’s guidance… Read More
NIAP and Protection Profiles
IT security in the federal market is layered and multifaceted. Specific requirements exist for different types of data platforms and technologies. At a more granular level, standards have been developed for individual IT products: NIAP Protection Profiles. This article will cover why these profiles are essential for federal security, how to find them, and what… Read More
CVE-2024-3094 Utils and Vulnerabilities in Federal Linux Systems
Over the past week, a new vulnerability in the Linux operating system and the XZ compression utility has led to a new security alert and an immediate call to roll back some new updates. While this threat is a massive problem for federal IT systems relying on specific Linux distributions, it also highlights how poorly… Read More
The New Roadmap for FedRAMP
Recently, FedRAMP announced that, per stakeholder feedback, the federal market’s needs for cloud SaaS products are not being met. A significant part of this is the program’s bottleneck. To address this issue, the Office of Management and Budget (OMB) has released a draft memo offering significant program changes, including updates to infrastructure, leadership, and authorization. … Read More
FedRAMP and Penetration Testing Guidance Updates in 2024
Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance standards target organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements. The new guidance addresses new attack vectors targeting subsystems in IT infrastructure. Here, we’ll cover his newest… Read More
When Should You Work with a CMMC RPO vs. a C3PAO?
CMMC is a complex undertaking. Depending on where you are in your certification journey, you could require consulting, assessment, or both. Fortunately, the CMMC program includes training and authorization for two distinct types of organizations: Registered Provider Organizations (RPOs) and Certified Third-Party Assessment Organizations (C3PAOs), each offering different services. We’re discussing these organizations and which… Read More
CP-CSC, CMMC, and North American Cybersecurity
International collaboration between countries in cybersecurity isn’t unheard of, but it involves several miles of red tape and regulations. That’s why many countries seek parity in their security frameworks. One such parity that Canadian officials are seeking is between their own CP-CSC and the CMMC model for handling CUI.
The OCR HIPAA Report and Proper Breach Requirements
HIPAA is a core cybersecurity framework for patients and healthcare providers in the U.S. Unfortunately, a new report from the OCR shows an increase in significant events and a lack of resources to follow up on critical compliance issues. We’re covering some of this report and the underlying HIPAA requirements reflected in it.
The 2023 Revisions to SOC 2 Compliance
In 2023, the American Institute of CPAs (AICPA) launched a revision of its SOC 2 standard. This revision focused specifically on security issues and emphasized “points of focus” to boost SOC 2 audits’ ability to address modern security threats.
An In-Depth Guide to SOC 2 Security Common Criteria
While typically not mandatory outside financial sectors, SOC 2 is a reliable security compliance model that any organization can follow. This can be seen in its security assessments, which include a robust list of “Common Criteria,” or broad areas of focus that any secure organization should follow. The recent revision of these criteria in 2023… Read More
The CMMC Proposed Rule and Expectations in 2024
In December 2023, the Department of Defense announced its new Proposed Rules for CMMC. This release comes two years after their initial proposal for CMMC 2.0 as a framework. Many of CMMC’s expected requirements are coming to pass, and the DoD is looking to finalize and aggressively roll out the program over the next three… Read More
What Is NIST 800-172 and Advanced Security Structures
The ongoing rise of state-sponsored Advanced Persistent Threats (APTs) has increased scrutiny of federal and state IT systems security systems. The latest version of CMMC includes a high-maturity level specifically designed to address these threats, which relies primarily on advanced security controls listed in NIST Special Publication 800-172.
Leveraging Managed Security Service Providers for NIST 800-171 and CMMC Compliance in the Defense Supply Chain
The complex relationships between government agencies, third-party vendors, and managed service providers form a challenging web of connections that comprise the DoD digital supply chain. Both NIST 800-171 and CMMC address these at various points, expecting providers to adhere to complex security requirements. These requirements can become so complex that they may turn to Managed… Read More
CMMC, NIST 800-172, and Advanced Persistent Threats
As organizations move up the CMMC maturity model, they do so for one reason: to prepare themselves better to protect against Advanced Persistent Threats (APTs). These threats are a significant problem in the defense supply chain, and as such, CMMC leans heavily on NIST 800-171 and 800-172 to address them. This article introduces how these… Read More
Third-Party Vendor Security and PCI DSS
We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of digital economies, it’s up to the client businesses to ensure they work with vendors that meet their needs. Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re… Read More
What Is Post-Quantum Cryptography and Apple’s PQ3?
The existence of quantum computers on the horizon has shaken the cryptography world, and researchers and scientists have received a massive response to build feasible Post-Quantum Cryptography (PCQ). Recently, Apple has taken an enormous step forward by announcing their own PCQ systems, PQ3, in Apple devices. Learn more about PCQ and Apple’s announcement and the… Read More
What Are the Ivanti Vulnerabilities, and How Do They Impact You?
An emergency vulnerability has emerged in Ivanti products and appliances, and it has sent many service providers, especially those in the federal space, in a rush to close their gaps and respond as best they can. This article covers the incident, the government’s response, and what it means for service providers.
Incident Response and the Responsibility of Your Organization for Protecting Data
As the recent Ivanti security breaches indicate, the existence of a strong and effective incident response isn’t an option but a necessity. An incident response plan (IRP) is essential to prepare an organization to respond to any security incident effectively and on time. This plan spells out processes that an organization should undergo in case… Read More
What Is A Data Privacy Impact Assessment (DPIA)?
New data security regulations include, or foreground, the role of data privacy in compliance. Many of these, like GDPR and CCPA, make data privacy a primary concern and expect businesses to meet stringent requirements about protecting the integrity of consumers’ Personally Identifiable Data (PII). One practice stemming from GDPR requirements is the Data Privacy Impact… Read More
What Is FTC Safeguards Rule Compliance?
The protection of consumer information is one of the major concerns of the businesses involved in nearly any sector of the economy, particularly financial institutions. The Federal Trade Commission (FTC) Safeguards Rule is a critical requirement for these organizations. It provides specific requirements for certain financial institutions, including a plan for ensuring compliance with the… Read More
What Are Security Control Assessor-Validator (SCA-V) Services?
Security Control Assessor-Validator (SCA-V) services are a core part of many compliance frameworks, and any agency proposing to offer these services will often provide a common set of expertise, certifications, and knowledge to support their customers. Here, we’re covering the basics of SCA services and what you should look for when signing on with a… Read More
What Is the European Cybersecurity Certification Scheme for Cloud Services (EUCS)
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is an initiative to establish a unified certification process for cloud services across the EU. Cloud services and associated managed services are critical to most government and business functions, and the EU follows the example of other jurisdictions in focusing explicitly on this area of cybersecurity… Read More
Endpoint Security and Modern Compliance
With all the focus on network security, SaaS compliance, and big data protection, it’s sometimes very easy to forget that the most vulnerable parts of any given system are often those tied to the user. These devices (endpoints) are where these users do most of their work and where a lack of security best practices… Read More