Streamline Compliance and Documentation with Continuum GRC AI Automate reporting with machine learning and AI. The Necessity of Accurate Reporting in Compliance Documentation and reports are the end product and backbone of your compliance efforts. They are how your organization demonstrates compliance with relevant regulatory and governing bodies.
Controlled Unclassified Information: A Basic Introduction to CUI
We’ve written extensively about CMMC and NIST Special Publication 800-171, which cover the handling and protection of Controlled Unclassified Information (CUI). But what is CUI? How is it created, and why is it so important to protect? Here, we’re digging into CUI and why it’s integral to significant cybersecurity frameworks in the federal marketplace.
CMMC and Level 2 Assessment Guidelines
Our previous articles on CMMC Level 1 certification focused on what organizations need to know when conducting self-assessments. These documents relied primarily on the fact that the contractor would do their assessments and reporting. With Level 2 certification, the game changes. Not only are nearly all assessments performed by C3PAOs, but their requirements expand nearly… Read More
Performing Level 1 Self-Assessments Under CMMC Requirements
Our previous article discussed what it meant to scope your self-assessment while pursuing Level 1 Maturity under CMMC. This approach included identifying the boundaries of FCI-holding systems and comprehensively cataloging technology, people, and processes that play a part in that system. Here, we take the next step and cover CIO guidelines for performing your self-assessment. … Read More
CAVP, FIPS, and Securing Cryptography Systems
Most security standards, including government standards, require cryptography. We are generally familiar with implementing a cryptographic algorithm that meets these requirements and calling it a day. However, to ensure security, NIST also publishes standards for validating encryption modules to ensure they serve their purpose under federal standards. Here, we’re discussing the Cryptographic Algorithm Validation Program… Read More
CMMC and Scoping Level 1 Self-Assessments
One of the more significant changes in the new CMMC 2.0 guidelines was the move from third-party to self-assessment at Level 1 maturity. At Level 1, contractors can perform a self-assessment rather than engage with a C3PAO, significantly reshaping their obligations and the associated costs and effort for compliance. Here, we’re covering the CIO’s guidance… Read More
NIAP and Protection Profiles
IT security in the federal market is layered and multifaceted. Specific requirements exist for different types of data platforms and technologies. At a more granular level, standards have been developed for individual IT products: NIAP Protection Profiles. This article will cover why these profiles are essential for federal security, how to find them, and what… Read More
CVE-2024-3094 Utils and Vulnerabilities in Federal Linux Systems
Over the past week, a new vulnerability in the Linux operating system and the XZ compression utility has led to a new security alert and an immediate call to roll back some new updates. While this threat is a massive problem for federal IT systems relying on specific Linux distributions, it also highlights how poorly… Read More
The New Roadmap for FedRAMP
Recently, FedRAMP announced that, per stakeholder feedback, the federal market’s needs for cloud SaaS products are not being met. A significant part of this is the program’s bottleneck. To address this issue, the Office of Management and Budget (OMB) has released a draft memo offering significant program changes, including updates to infrastructure, leadership, and authorization. … Read More
FedRAMP and Penetration Testing Guidance Updates in 2024
Recently, the FedRAMP program (via the OMB) released a request for feedback on new guidance documentation for penetration testing under the program. The new guidance standards target organizations and 3PAOs undergoing or performing penetration tests under FedRAMP requirements. The new guidance addresses new attack vectors targeting subsystems in IT infrastructure. Here, we’ll cover his newest… Read More
When Should You Work with a CMMC RPO vs. a C3PAO?
CMMC is a complex undertaking. Depending on where you are in your certification journey, you could require consulting, assessment, or both. Fortunately, the CMMC program includes training and authorization for two distinct types of organizations: Registered Provider Organizations (RPOs) and Certified Third-Party Assessment Organizations (C3PAOs), each offering different services. We’re discussing these organizations and which… Read More
CP-CSC, CMMC, and North American Cybersecurity
International collaboration between countries in cybersecurity isn’t unheard of, but it involves several miles of red tape and regulations. That’s why many countries seek parity in their security frameworks. One such parity that Canadian officials are seeking is between their own CP-CSC and the CMMC model for handling CUI.
The OCR HIPAA Report and Proper Breach Requirements
HIPAA is a core cybersecurity framework for patients and healthcare providers in the U.S. Unfortunately, a new report from the OCR shows an increase in significant events and a lack of resources to follow up on critical compliance issues. We’re covering some of this report and the underlying HIPAA requirements reflected in it.
The 2023 Revisions to SOC 2 Compliance
In 2023, the American Institute of CPAs (AICPA) launched a revision of its SOC 2 standard. This revision focused specifically on security issues and emphasized “points of focus” to boost SOC 2 audits’ ability to address modern security threats.
An In-Depth Guide to SOC 2 Security Common Criteria
While typically not mandatory outside financial sectors, SOC 2 is a reliable security compliance model that any organization can follow. This can be seen in its security assessments, which include a robust list of “Common Criteria,” or broad areas of focus that any secure organization should follow. The recent revision of these criteria in 2023… Read More
The CMMC Proposed Rule and Expectations in 2024
In December 2023, the Department of Defense announced its new Proposed Rules for CMMC. This release comes two years after their initial proposal for CMMC 2.0 as a framework. Many of CMMC’s expected requirements are coming to pass, and the DoD is looking to finalize and aggressively roll out the program over the next three… Read More
Third-Party Vendor Security and PCI DSS
We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of digital economies, it’s up to the client businesses to ensure they work with vendors that meet their needs. Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re… Read More
What Is Post-Quantum Cryptography and Apple’s PQ3?
The existence of quantum computers on the horizon has shaken the cryptography world, and researchers and scientists have received a massive response to build feasible Post-Quantum Cryptography (PCQ). Recently, Apple has taken an enormous step forward by announcing their own PCQ systems, PQ3, in Apple devices. Learn more about PCQ and Apple’s announcement and the… Read More
What Are the Ivanti Vulnerabilities, and How Do They Impact You?
An emergency vulnerability has emerged in Ivanti products and appliances, and it has sent many service providers, especially those in the federal space, in a rush to close their gaps and respond as best they can. This article covers the incident, the government’s response, and what it means for service providers.
Incident Response and the Responsibility of Your Organization for Protecting Data
As the recent Ivanti security breaches indicate, the existence of a strong and effective incident response isn’t an option but a necessity. An incident response plan (IRP) is essential to prepare an organization to respond to any security incident effectively and on time. This plan spells out processes that an organization should undergo in case… Read More
What Is A Data Privacy Impact Assessment (DPIA)?
New data security regulations include, or foreground, the role of data privacy in compliance. Many of these, like GDPR and CCPA, make data privacy a primary concern and expect businesses to meet stringent requirements about protecting the integrity of consumers’ Personally Identifiable Data (PII). One practice stemming from GDPR requirements is the Data Privacy Impact… Read More
What Are Security Control Assessor-Validator (SCA-V) Services?
Security Control Assessor-Validator (SCA-V) services are a core part of many compliance frameworks, and any agency proposing to offer these services will often provide a common set of expertise, certifications, and knowledge to support their customers. Here, we’re covering the basics of SCA services and what you should look for when signing on with a… Read More
What Is the European Cybersecurity Certification Scheme for Cloud Services (EUCS)
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is an initiative to establish a unified certification process for cloud services across the EU. Cloud services and associated managed services are critical to most government and business functions, and the EU follows the example of other jurisdictions in focusing explicitly on this area of cybersecurity… Read More
Understanding API Security
One of the fastest-growing security attack surfaces is the Application Programming Interface (API). These functions allow programmers to tap into distributed services like data retrieval or social media broadcasting, vastly expanding the interoperability of different software tools. Accordingly, because API access often requires connecting to or using sensitive data, this presents significant security risks. We’re… Read More