FedRAMP and Penetration Testing Guidance Updates in 2024

Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance standards target organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements. The new guidance addresses new attack vectors targeting subsystems in IT infrastructure.  Here, we’ll cover his newest… Read More

Leveraging Managed Security Service Providers for NIST 800-171 and CMMC Compliance in the Defense Supply Chain

The complex relationships between government agencies, third-party vendors, and managed service providers form a challenging web of connections that comprise the DoD digital supply chain. Both NIST 800-171 and CMMC address these at various points, expecting providers to adhere to complex security requirements. These requirements can become so complex that they may turn to Managed… Read More

Third-Party Vendor Security and PCI DSS 

We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of digital economies, it’s up to the client businesses to ensure they work with vendors that meet their needs.  Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re… Read More

What Is FTC Safeguards Rule Compliance?

The protection of consumer information is one of the major concerns of the businesses involved in nearly any sector of the economy, particularly financial institutions. The Federal Trade Commission (FTC) Safeguards Rule is a critical requirement for these organizations. It provides specific requirements for certain financial institutions, including a plan for ensuring compliance with the… Read More

Understanding GDPR in the Financial Sector

When considering security and finance, we typically consider regulations like PCI DSS, SOX, or FINRA. But if you’re a company doing business in Europe, there’s another framework you need to consider–GDPR. This set of regulations not only governs the exchange of consumer data but also has a massive impact on how financial organizations navigate commerce… Read More

What Is NVLAP and How Do I Seek Accreditation?

We’ve often focused on security and maintenance from the perspective of technology itself–specifically, how it is deployed and used by individuals in the real world. But, the truth is that assessments of security technologies don’t start when an enterprise deploys them. Rather, in cases of tech like cryptography modules and biometrics, it begins in the… Read More

What Is Proactive Cybersecurity? Preparing for Threats Before They Strike

Modern cybersecurity is about more than just reacting to threats as they emerge. Adopting proactive cybersecurity measures is not just a strategic advantage; it’s an operational necessity that can spell the difference between business as usual and breaches that erode customer trust and shareholder value. Whether you’re a cybersecurity veteran or new to the domain,… Read More

An Introduction to PCI DSS’s Secure Software Life Cycle

Digital payments are, for the most part, the norm for commerce in the modern world. From swiping credit cards, tapping phones, or using credit card information in digital storefronts, a lot of payment information is moving through digital networks… and potentially insecure technologies. This is why credit card networks created the PCI DSS standard to… Read More

HIPAA and the Use of Online Tracking for Marketing Purposes

Due to some recent actions against online medical providers like BetterHealth and GoodRX, the Department of Health and Human Services has released a new warning for covered entities regarding the tracking methods they use on their websites.  While web tracking has become a typical technology for most businesses, it’s not a cut-and-dry proposition for healthcare… Read More

The Impact of Executive Order 14028 on FedRAMP

Government responses to evolving security threats have, to more or less a degree, started to incorporate advanced mitigation postures that reflect a world of networked systems and complex digital supply chains.  To address this changing landscape, the president issued Executive Order 14028, “Executive Order on Improving the Nation’s Cybersecurity.” This 2021 order introduced a zero-trust… Read More

The New FedRAMP Marketplace

On February 20th, the FedRAMP PMO announced the release of the newest design for the FedRAMP Marketplace. While this news doesn’t necessarily shake the foundations of government compliance, the Marketplace it is an essential resource for agencies looking for a trustworthy source of information regarding cloud providers. In this article, we’ll break down what kind… Read More

Are Man-in-the-Middle Attacks Still a Threat?

Man-in-the-Middle attacks, where a malicious actor secretly intercepts and possibly alters the communication between two unsuspecting parties, have significantly escalated with digital connectivity and remote work surge. While the attack method is not new, its implications have grown in magnitude in the era of widespread digital transformation. Modern businesses, from multinational corporations to small and… Read More

Common Criteria and NIST Evaluation

The Common Criteria, recognized worldwide, provides a standardized framework for evaluating the security attributes of IT products and systems. From defining security requirements to testing and verifying products against these requirements, the Common Criteria assure that the evaluation process is rigorous, repeatable, and thorough. To ensure the success of the program on a national basis,… Read More

FedRAMP High Impact Level and Unique NIST Controls

In the era of digitization, the security of cloud services, particularly those engaged with federal agencies, is paramount. The government uses the Federal Risk and Authorization Management Program (FedRAMP)–to ensure cloud services meet stringent security standards to protect federal data.  This article will dig into the intricacies of the FedRAMP High Impact Level and its… Read More

HIPAA, Security Incidents, and Reportable Events

In the interconnected world of digital health information, safeguarding Protected Health Information is paramount. Healthcare providers must legally follow the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy and maintain trust, and this compliance includes understanding what it means to identify and deal with security incidents. Among these, the concepts of security… Read More

What Are the Proposed Rule Changes to HIPAA Coming in 2023?

In response to changes in the medical industry due to COVID-19, the Department of Health and Human Services (HHS) and Substance Abuse and Mental Health Services Administration (SAMHSA) have put forth a Notice of Proposed Rulemaking to streamline how doctors can access mental health information.  This article will discuss this rule change and why it… Read More

What Is ISO 27017 and How Does it Inform Cloud Security?

As cloud computing continues gaining popularity, organizations increasingly turn to cloud services to store and process their data. However, with this increased reliance on cloud services comes a heightened risk of data breaches and cyber attacks, making cloud security a critical concern for businesses of all sizes. To address these concerns, the International Organization for… Read More

What Is NIST Special Publication 800-115 and What Does it Say About Penetration Testing?

As technology advances, the need for effective cybersecurity measures becomes increasingly important. The necessity for regular testing, including penetration testing, has raised awareness of best practices and standards for such assessments. The National Institute of Standards and Technology (NIST) has developed comprehensive guidelines and standards to help organizations safeguard their information systems from cyber threats.… Read More

ISO 31010 and Implementing Risk Assessment Techniques

We’ve previously discussed the role of risk assessment as defined by the International Organization of Standardization (ISO) 31000, and generally speaking, we’ve found that risk management is a key practice to supporting security and compliance. To better support organizations approaching risk assessment, ISO published the supplementary document, ISO/IEC 31010, “Risk assessment technique.” In this article,… Read More

What are ISO 30141 and the General Characteristics of Internet of Things (IoT) Systems?

The Internet of Things (IoT) was seen as the next big thing for the consumer market. While the impact of IoT technology is still unfolding, there is no doubt that IoT devices have made a much bigger impact in the commercial space. IoT networks are changing how we handle major industrial processes, from healthcare to… Read More

ISO 27701 and Conformance with Privacy Information Management (Part 4)

As previously discussed, ISO/IEC 27701 is a comprehensive international standard that provides specific privacy guidelines for organizations attempting to meet additional standards for handling PII in line with jurisdictions like GDPR. This document aligns ISO-compliant organizations with PII-focused standards by implementing Privacy Information Management Systems (PIMS). So far, we’ve covered how ISO 27701 refines ISO… Read More