As the recent Ivanti security breaches indicate, the existence of a strong and effective incident response isn’t an option but a necessity. An incident response plan (IRP) is essential to prepare an organization to respond to any security incident effectively and on time. This plan spells out processes that an organization should undergo in case…
What Is A Data Privacy Impact Assessment (DPIA)?
New data security regulations include, or foreground, the role of data privacy in compliance. Many of these, like GDPR and CCPA, make data privacy a primary concern and expect businesses to meet stringent requirements about protecting the integrity of consumers’ Personally Identifiable Information (PII). One practice stemming from GDPR requirements is the Data Privacy Impact…
What Are Security Control Assessor-Validator (SCA-V) Services?
Security Control Assessor-Validator (SCA-V) services are a core part of many compliance frameworks, and any agency proposing to offer these services will often provide a common set of expertise, certifications, and knowledge to support their customers. Here, we’re covering the basics of SCA services and what you should look for when signing on with a…
What Is the European Cybersecurity Certification Scheme for Cloud Services (EUCS)?
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is an initiative to establish a unified certification process for cloud services across the EU. Cloud services and associated managed services are critical to most government and business functions, and the EU follows the example of other jurisdictions in focusing explicitly on this area of cybersecurity…
Endpoint Security and Modern Compliance
With all the focus on network security, SaaS compliance, and big data protection, it’s sometimes very easy to forget that the most vulnerable parts of any given system are often those tied to the user. These devices (endpoints) are where these users do most of their work and where a lack of security best practices…
Understanding API Security
One of the fastest-growing security attack surfaces is the Application Programming Interface (API). These functions allow programmers to tap into distributed services like data retrieval or social media broadcasting, vastly expanding the interoperability of different software tools. However, because API access often requires connecting to or using sensitive data, it also presents significant security risks. We’re…
Security, Integrity, and SaaS Solutions
Software-as-a-Service (SaaS) is, for better or worse, the model of modern software distribution and use. There are many benefits to this arrangement, but there are also significant security issues. Unfortunately, these security issues are ever-evolving and target almost every managed service provider on the market. This article touches on some foundational realities, challenges, and considerations…
Rhysida and the Growth of Ransomware in 2023
Ransomware isn’t going anywhere… in fact, it’s only growing. As several studies show, the threat of ransomware associated with attacks like phishing and APTs is only increasing, and hacking groups are leveraging ransoms to generate significant revenue while also threatening proprietary data. The Rhysida malware is just the latest of these threats…
Security, Compliance, and the Decline of Third-Party Cookies
Cookies and user tracking have long been a contentious issue, but the importance of these marketing and development tools has kept them a vital part of our web experiences. However, Google announced that its popular Chrome browser would no longer support third-party cookies, and in January 2024, it began rolling out anti-cookie technology. …
StateRAMP, System Security Plans, and the Operational Control Matrix
StateRAMP is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and FedRAMP is the System Security Plan (SSP), which represents the provider’s security controls, compliance perimeter, and capabilities. In Revision 5,…
What Are Core Documents for StateRAMP Authorization?
StateRAMP, much like FedRAMP, includes a series of documents that the cloud provider and their 3PAO must complete before they are fully authorized. These documents align with several stages of the assessment process and provide regulating authorities with the proof they need to see that the cloud offering meets requirements. Here, we summarize the documents…
What Is the Open Security Controls Assessment Language (OSCAL)?
There’s recently been a push within FedRAMP towards modernizing the framework to meet modern security challenges and better align federal security standards across agencies and technologies. Part of this push is standardizing how security controls are measured and assessed, and the most recent blog from FedRAMP mentions a new standard–OSCAL. Here, we will discuss OSCAL,…
What Is IRS 4812?
Understanding IRS Publication 4812 is not just about compliance; it’s about upholding a standard of trust and integrity crucial to the IRS’s operations and the taxpayers’ confidence. This relatively new standard addresses how contractors in the federal supply chain handle data specific to the Internal Revenue Service (IRS) and its mission of maintaining the privacy…
Logging Requirements for Federal Agencies and the Importance of Logging for Cybersecurity
A new report shines a light on some unfortunate news in the world of federal cybersecurity. According to the U.S. Government Accountability Office (GAO), only three of 23 federal agencies have reached their expected logging requirements as dictated by Executive Order 14028. In this article, we’re talking about this executive order and what it calls…
Identity Governance and Compliance
Identity, authorization, and authentication are some of the hottest topics in cybersecurity right now, with 80% of attacks involving some form of compromised identity. The proliferation of cloud-based and managed infrastructure and primarily data-driven organizations has made identity and security a top priority for organizations and regulatory bodies. Here, we’ll talk about identity governance–what it…
Biometric Encryption and Protecting Personal Data
With traditional passwords becoming increasingly vulnerable to breaches, the focus has shifted towards more secure and unique identifiers – our biometric data. Biometric encryption stands at the forefront of this evolution, merging the uniqueness of individual biological traits with the robustness of cryptographic techniques. This article will discuss how biometric encryption works, its applications, and its challenges in the rapidly…
Europrivacy and GDPR Assessments
One of the ongoing challenges of GDPR is its (until recently) fragmented compliance and assessment approach. The requirements of GDPR are relatively open–they focus on standards and expectations, not implementation. Therefore, many assessment tools and frameworks have emerged to address the situation. Recently, Europrivacy has risen as a potential centralization of assessments under a common…
The Role of IT Decision Makers in StateRAMP Compliance
The journey towards StateRAMP compliance is complex, with IT decision-makers (ITDMs) at the strategic forefront. ITDMs are responsible for an organization’s infrastructure, including security and regulations, guiding their organizations through the nuances of the compliance process. While working with a framework like StateRAMP, these decision-makers will inevitably have to take leading roles in guiding company culture…
Revising FedRAMP Continuous Monitoring with the New OMB Memo
The draft memo released by the OMB signals many potential changes for the FedRAMP program, especially for the continuous monitoring process. Continuous monitoring is a crucial part of FedRAMP that ensures that CSPs maintain compliance. However, this process can also prove complicated and costly for cloud providers, especially small or unique companies offering innovative solutions.…
Compliance Automation in the New FedRAMP Memo Draft
The latest FedRAMP draft memo from the OMB shakes up quite a bit about the program. While nothing is set in stone, much ink is spilled on what it will mean for the program and participating cloud service providers. In this article, we will discuss what this new memo says about automation–specifically, how the program…
FedRAMP and Evolving Requirements for MSPs and SaaS Providers
The FedRAMP OMB has recently released a memorandum on modernizing the standard to address new realities in digital technology. This shift reflects the increasing reliance on Software-as-a-Service (SaaS) and the strategic roles of Managed Service Providers (MSPs) in the federal sector, as well as the impact of new technologies like artificial intelligence. This article aims to…
Implementing SOC 2 Requirements for Cloud Environments
SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers…
CMMC 2.0 and Level 2 Maturity
CMMC 2.0, while retaining the foundational principles of its predecessor, introduces refined maturity levels, each delineating a progressive enhancement in cybersecurity practices and protocols. Transitioning from Maturity Level 1 to Level 2 is not just about adding additional requirements to an organization. It’s about committing to security strategies to protect critical Controlled Unclassified Information (CUI). …
Secure Data Sharing and Compliance Frameworks
Several prominent security frameworks and regulations have been established to guide organizations through this intricate landscape. These range from international standards like ISO/IEC 27001 to more sector-specific regulations such as HIPAA for healthcare and PCI DSS for payment data. This article delves into these pivotal frameworks and how they speak to secure data sharing between…