StateRAMP, System Security Plans, and the Operational Control Matrix

StateRAMP is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and FedRAMP is the System Security Plan (SSP), which represents the provider’s security controls, compliance perimeter, and capabilities.  In Revision 5,… Read More

What Is Isolated Identity Management, and Do You Need It For Federal Compliance?

Identity management is one of the more essential aspects of cybersecurity. Attackers will regularly target Identity and Access Management (IAM) systems to find ways to secure them, and security experts must implement new countermeasures to protect against these incursions. One of these is isolated identity management. In this article, we’ll cover the practice of isolated… Read More

What Are Core Documents for StateRAMP Authorization?

StateRAMP, much like FedRAMP, includes a series of documents that the cloud provider and their 3PAO must complete before they are fully authorized. These documents align with several stages of the assessment process and provide regulating authorities with the proof they need to see that the cloud offering meets requirements.  Here, we summarize the documents… Read More

Shadow IT and the Foundational Threat to Cybersecurity

Companies can only monitor some of the pieces of software that their employees use. It’s inevitable, then, that those employees will start to kludge together their solutions through personal software or freeware from the Internet.  This is such a problem that Splunk recently rated shadow IT as one of the top 50 threats to cybersecurity… Read More

What Is the Open Security Controls Assessment Language (OSCAL)?

There’s recently been a push within FedRAMP towards modernizing the framework to meet modern security challenges and better align federal security standards across agencies and technologies.  Part of this push is standardizing how security controls are measured and assessed, and the most recent blog from FedRAMP mentions a new standard–OSCAL.  Here, we will discuss OSCAL,… Read More

Non-Human Access Vulnerabilities and Modern Cybersecurity

The advent of non-human identities–encompassing service accounts, application IDs, machine identities, and more–has reshaped the cybersecurity landscape, introducing a new dimension of vulnerabilities and attack vectors. While helpful, these digital entities are an increasingly vulnerable spot where attackers focus resources.  This article will cover this relatively new attack vector, how hackers leverage new technology to… Read More

Logging Requirements for Federal Agencies and the Importance of Logging for Cybersecurity

A new report shines a light on some unfortunate news in the world of federal cybersecurity. According to the U.S. Government Accountability Office (GAO), only three of 23 federal agencies have reached their expected logging requirements as dictated by Executive Order 14028. In this article, we’re talking about this executive order and what it calls… Read More

Identity Governance and Compliance

Identity, authorization, and authentication are some of the hottest topics in cybersecurity right now, with 80% of attacks involving some form of compromised identity. The proliferation of cloud-based and managed infrastructure and primarily data-driven organizations has made identity and security a top priority for organizations and regulatory bodies.  Here, we’ll talk about identity governance–what it… Read More

Biometric Encryption and Protecting Personal Data

With traditional passwords becoming increasingly vulnerable to breaches, the focus has shifted towards more secure and unique identifiers – our biometric data. Biometric encryption stands at the forefront of this evolution, merging individual biological traits’ uniqueness with cryptographic techniques’ robustness.  This article will discuss how biometric encryption works, its applications, and challenges in the rapidly… Read More

Introduction to Targeted Risk Analysis (TRA) in PCI DSS 4.0

The Payment Card Industry Security Standards Council (PCI SSC) recently released a new document guiding targeted risk analysis. This approach to security is a cornerstone of the PCI DSS 4.0 update, and yet, for many businesses, this is something new that they may need help understanding.  This article will discuss Targeted Risk Analysis, its role… Read More

What Is NVLAP and How Do I Seek Accreditation?

We’ve often focused on security and maintenance from the perspective of technology itself–specifically, how it is deployed and used by individuals in the real world. But, the truth is that assessments of security technologies don’t start when an enterprise deploys them. Rather, in cases of tech like cryptography modules and biometrics, it begins in the… Read More

Europrivacy and GDPR Assessments

One of the ongoing challenges of GDPR is its (until recently) fragmented compliance and assessment approach. The requirements of GDPR are relatively open–they focus on standards and expectations, not implementation. Therefore, many assessment tools and frameworks have emerged to address the situation. Recently, Europrivacy has risen as a potential centralization of assessments under a common… Read More

The Role of IT Decision Makers in StateRAMP Compliance

The journey towards StateRAMP compliance is complex, with IT decision-makers at the strategic forefront. ITDMs are responsible for an organization’s infrastructure, including security and regulations, guiding their organizations through the nuances of the compliance process.  While working with a framework like StateRAMP, these decision-makers will inevitably have to take leading roles in guiding company culture… Read More

Evaluating Vendors for SOC 2 Compliance

Modern enterprise relies increasingly on a complex network of vendors and service providers to handle their infrastructure. From security and cloud computing to applications and logistics, these providers will often take the most important data that the enterprise generates or processes.  That’s why organizations must look at their vendors with more scrutiny. For example, getting… Read More

Revising FedRAMP Continuous Monitoring with the New OMB Memo

The draft memo released by the OMB signals many potential changes for the FedRAMP program, especially for the continuous monitoring process. Continuous monitoring is a crucial part of FedRAMP that ensures that CSPs maintain compliance.  However, this process can also prove complicated and costly for cloud providers, especially small or unique companies offering innovative solutions.… Read More

Authorization Paths in the New FedRAMP OMB Memorandum

In the ever-expanding cosmos of cloud computing, the Federal Risk and Authorization Management Program (FedRAMP) is the primary standard for cloud service providers working with federal agencies. Recognizing this, the Office of Management and Budget (OMB) has released a draft memorandum to revitalize FedRAMP, signaling a pivotal transformation to enhance the program’s efficiency, agility, and… Read More

The California Delete Act and CCPA Privacy Law

Companies and data brokers, armed with sophisticated data collection techniques, amass vast amounts of personal data, often without the explicit consent or awareness of the individuals concerned. The urgency of the matter has propelled jurisdictions worldwide to enact stringent data protection laws.  This article explores a new development in privacy law: the Data Delete Act.… Read More

Implementing SOC 2 Requirements for Cloud Environments

SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers… Read More

CMMC 2.0 and Level 2 Maturity

CMMC 2.0, while retaining the foundational principles of its predecessor, introduces refined maturity levels, each delineating a progressive enhancement in cybersecurity practices and protocols. Transitioning from Maturity Level 1 to Level 2 is not just about adding additional requirements to an organization. It’s about committing to security strategies to protect critical Controlled Unclassified Information (CUI). … Read More

Advanced Threat Techniques: Living off the Land

In an era where cybersecurity threats continuously evolve, organizations face many challenges to secure digital assets. Among these threats, a sophisticated and stealthy approach known as Living Off the Land (LotL) attacks has emerged, leaving a minimal footprint and often evading traditional security measures.  This article discusses Living Off the Land attacks, highlighting real-world case… Read More

Secure Data Sharing and Compliance Frameworks

Several prominent security frameworks and regulations have been established to guide organizations through this intricate landscape. These range from international standards like ISO/IEC 27001 to more sector-specific regulations such as HIPAA for healthcare and PCI DSS for payment data.  This article delves into these pivotal frameworks and how they speak to secure data sharing between… Read More