Executive Order 14028 and the Software Supply Chain

With Executive Order 14028’s requirements coming into effect, government agencies and their software partners are looking for ways to meet these stringent requirements. These include managing system security across all potential attack vectors, including those introduced during the development cycle. Here, we discuss how the Secure Software Development Framework is a good baseline for approaching…

What Is the Secure Software Development Framework (SSDF)?

The Secure Software Development Framework, outlined in NIST Special Publication 800-218, provides guidelines and best practices to enhance the security and integrity of software development processes. NIST developed it to help organizations implement secure software development practices and mitigate risks associated with software vulnerabilities. 

What Is ISASecure?

Modern industry relies heavily on automation and control systems to maintain efficiency, productivity, and safety. With the increasing integration of these systems into broader networks, the risk of cyberattacks has significantly grown. ISASecure, a globally recognized cybersecurity certification program, is a critical certification body providing standards and assessments to protect these integral systems against modern…

An Introduction to IRS 4812: What You Need to Know

Like any other agency, the IRS works with a network of technology providers and third parties to support its mission of managing sensitive financial data. These relationships present unavoidable security risks. IRS 4812 helps address these security challenges by outlining security requirements and best practices for contractors working with the IRS to handle specific forms of…

The Role of Business Decision-Makers in CMMC Compliance

We’ve talked quite a bit about the technical compliance requirements in this space, and IT and security support are the most critical parts of your CMMC strategy. However, business leadership is the backbone of ongoing compliance strategies (and their success). Business leaders set the tone for compliance strategies, prioritizing organizations’ resources and attention to ensure…

CMMC for Small Businesses: Getting Ready for Compliance

Starting in Q1 2025, software providers in the DoD supply chain must align their security with CMMC 2.0 standards. While many enterprise customers have spent the past year getting ready, the reality is that most businesses don’t share this level of preparedness–specifically, small businesses. Meeting the challenges of a complex framework like CMMC can…

NVLAP Accreditation for Cybersecurity Labs

We’ve previously written about the importance of NVLAP Common Criteria accreditation for lab testing and validating products for use in high-risk industries. It’s probably unsurprising that we are markedly interested in cybersecurity labs’ requirements. Here, we’re discussing NVLAP Common Criteria accreditation for cybersecurity labs–what it is, how it is unique for assessed labs, and some…

Understanding NVLAP Common Criteria Testing

Government agencies (and their vendors and partners) are increasingly entrusted with sensitive data. Accordingly, protecting critical infrastructure and cybersecurity are both top priorities. The tools they use must come from time-tested and verified protocols to ensure they are secure and not tampered with. In turn, this means that these tools must come from labs that…

Controlled Unclassified Information: A Basic Introduction to CUI

We’ve written extensively about CMMC and NIST Special Publication 800-171, which cover the handling and protection of Controlled Unclassified Information (CUI). But what is CUI? How is it created, and why is it so important to protect? Here, we’re digging into CUI and why it’s integral to significant cybersecurity frameworks in the federal marketplace.

CAVP, FIPS, and Securing Cryptography Systems

Most security standards, including government standards, require cryptography. We are generally familiar with implementing a cryptographic algorithm that meets these requirements and calling it a day. However, to ensure security, NIST also publishes standards for validating encryption modules to ensure they serve their purpose under federal standards. Here, we’re discussing the Cryptographic Algorithm Validation Program…

NIAP and Protection Profiles

IT security in the federal market is layered and multifaceted. Specific requirements exist for different types of data platforms and technologies. At a more granular level, standards have been developed for individual IT products: NIAP Protection Profiles. This article will cover why these profiles are essential for federal security, how to find them, and what…

FedRAMP and Penetration Testing Guidance Updates in 2024

Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance targets organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements, and it addresses new attack vectors targeting subsystems in IT infrastructure. Here, we’ll cover this newest…

Leveraging Managed Security Service Providers for NIST 800-171 and CMMC Compliance in the Defense Supply Chain

The complex relationships between government agencies, third-party vendors, and managed service providers form a challenging web of connections that comprise the DoD digital supply chain. Both NIST 800-171 and CMMC address these at various points, expecting providers to adhere to complex security requirements. These requirements can become so complex that providers may turn to Managed…

Third-Party Vendor Security and PCI DSS

We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of digital economies, it’s up to the client businesses to ensure they work with vendors that meet their needs. Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re…

What Is FTC Safeguards Rule Compliance?

The protection of consumer information is one of the major concerns of businesses in nearly any sector of the economy, particularly financial institutions. The Federal Trade Commission (FTC) Safeguards Rule is a critical requirement for these organizations. It provides specific requirements for certain financial institutions, including a plan for ensuring compliance with the…

Understanding GDPR in the Financial Sector

When considering security and finance, we typically consider regulations like PCI DSS, SOX, or FINRA. But if you’re a company doing business in Europe, there’s another framework you need to consider–GDPR. This set of regulations not only governs the exchange of consumer data but also has a massive impact on how financial organizations navigate commerce…

Introduction to Targeted Risk Analysis (TRA) in PCI DSS 4.0

The Payment Card Industry Security Standards Council (PCI SSC) recently released a new document guiding targeted risk analysis. This approach to security is a cornerstone of the PCI DSS 4.0 update, and yet, for many businesses, this is something new that they may need help understanding. This article will discuss Targeted Risk Analysis, its role…

What Is NVLAP and How Do I Seek Accreditation?

We’ve often focused on security and maintenance from the perspective of technology itself–specifically, how it is deployed and used by individuals in the real world. But the truth is that assessments of security technologies don’t start when an enterprise deploys them. Rather, in cases of tech like cryptography modules and biometrics, it begins in the…

What Is Proactive Cybersecurity? Preparing for Threats Before They Strike

Modern cybersecurity is about more than just reacting to threats as they emerge. Adopting proactive cybersecurity measures is not just a strategic advantage; it’s an operational necessity that can spell the difference between business as usual and breaches that erode customer trust and shareholder value. Whether you’re a cybersecurity veteran or new to the domain,…

An Introduction to PCI DSS’s Secure Software Life Cycle

Digital payments are, for the most part, the norm for commerce in the modern world. Whether by swiping credit cards, tapping phones, or entering credit card information in digital storefronts, a lot of payment information is moving through digital networks… and potentially insecure technologies. This is why credit card networks created the PCI DSS standard to…