International collaboration between countries in cybersecurity isn’t unheard of, but it involves several miles of red tape and regulations. That’s why many countries seek parity in their security frameworks. One such parity that Canadian officials are seeking is between their own CP-CSC and the CMMC model for handling CUI.
While typically not mandatory outside financial sectors, SOC 2 is a reliable security compliance model that any organization can follow. This can be seen in its security assessments, which include a robust list of “Common Criteria,” or broad areas of focus that any secure organization should follow. The recent revision of these criteria in 2023… Read More
The ongoing rise of state-sponsored Advanced Persistent Threats (APTs) has increased scrutiny of federal and state IT systems security systems. The latest version of CMMC includes a high-maturity level specifically designed to address these threats, which relies primarily on advanced security controls listed in NIST Special Publication 800-172.
The complex relationships between government agencies, third-party vendors, and managed service providers form a challenging web of connections that comprise the DoD digital supply chain. Both NIST 800-171 and CMMC address these at various points, expecting providers to adhere to complex security requirements. These requirements can become so complex that they may turn to Managed… Read More
We’ve regularly written about maintaining security and compliance with third-party vendors. While vendors and managed service providers are a crucial part of digital economies, it’s up to the client businesses to ensure they work with vendors that meet their needs. Following previous discussions of third-party vendor security under standards like SOC 2 and HIPAA, we’re… Read More
Security Control Assessor-Validator (SCA-V) services are a core part of many compliance frameworks, and any agency proposing to offer these services will often provide a common set of expertise, certifications, and knowledge to support their customers. Here, we’re covering the basics of SCA services and what you should look for when signing on with a… Read More
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is an initiative to establish a unified certification process for cloud services across the EU. Cloud services and associated managed services are critical to most government and business functions, and the EU follows the example of other jurisdictions in focusing explicitly on this area of cybersecurity… Read More
With all the focus on network security, SaaS compliance, and big data protection, it’s sometimes very easy to forget that the most vulnerable parts of any given system are often those tied to the user. These devices (endpoints) are where these users do most of their work and where a lack of security best practices… Read More
One of the fastest-growing security attack surfaces is the Application Programming Interface (API). These functions allow programmers to tap into distributed services like data retrieval or social media broadcasting, vastly expanding the interoperability of different software tools. Accordingly, because API access often requires connecting to or using sensitive data, this presents significant security risks. We’re… Read More
Software-as-a-Service (SaaS) is, for better or worse, the model of modern software distribution and use. There are many benefits to this arrangement, but there are also significant security issues. Unfortunately, these security issues are ever-evolving and target almost every managed service provider on the market. This article touches on some foundational realities, challenges, and considerations… Read More
The issue of cookies and user tracking has long been an issue, but the importance of these marketing and development tools has kept them a vital part of our web experiences. However, Google announced that its popular Chrome browser would no longer support third-party cookies, and in January 2024, they began rolling out anti-cookie technology. … Read More
StateRAMP is based on the FedRAMP standard, which means that it uses a similar set of documents and requirements to assess and authorize cloud service providers. One of the key documents of both StateRAMP and FedRAMP is the System Security Plan (SSP), which represents the provider’s security controls, compliance perimeter, and capabilities. In Revision 5,… Read More
Companies can only monitor some of the pieces of software that their employees use. It’s inevitable, then, that those employees will start to kludge together their solutions through personal software or freeware from the Internet. This is such a problem that Splunk recently rated shadow IT as one of the top 50 threats to cybersecurity… Read More
It’s a fact of contemporary professional life that data, people, and secure systems are all remote, interconnected, and vulnerable to evolving security threats. The challenge is that it isn’t enough to lock everything down in areas like federal security, healthcare IT infrastructure, or other sensitive areas. The solution for the past few decades has been… Read More
There’s recently been a push within FedRAMP towards modernizing the framework to meet modern security challenges and better align federal security standards across agencies and technologies. Part of this push is standardizing how security controls are measured and assessed, and the most recent blog from FedRAMP mentions a new standard–OSCAL. Here, we will discuss OSCAL,… Read More
The advent of non-human identities–encompassing service accounts, application IDs, machine identities, and more–has reshaped the cybersecurity landscape, introducing a new dimension of vulnerabilities and attack vectors. While helpful, these digital entities are an increasingly vulnerable spot where attackers focus resources. This article will cover this relatively new attack vector, how hackers leverage new technology to… Read More
A new report shines a light on some unfortunate news in the world of federal cybersecurity. According to the U.S. Government Accountability Office (GAO), only three of 23 federal agencies have reached their expected logging requirements as dictated by Executive Order 14028. In this article, we’re talking about this executive order and what it calls… Read More
The cybersecurity landscape isn’t getting any easier for any business, large or small. With high-profile cyber attacks making headlines, from ransomware attacks crippling global infrastructure to data breaches compromising millions of users’ personal information, the stakes for major corporations have never been higher. While offering unprecedented opportunities, the digital realm also presents a minefield of… Read More
The Security Operations Center (SOC) is central to this defense strategy – a dedicated hub for monitoring, detecting, and responding to security incidents. But as businesses grapple with establishing their in-house SOCs or outsourcing to specialized Managed Security Service Providers (MSSPs), many considerations come into play. In this article, we discuss the complexities of these… Read More
The development of AI has been a game-changer for nearly everyone, and that fact is no different in the world of cybersecurity. New threats powered by AI are reshaping traditional attack vectors, including cryptography, prevention, and social engineering. In this article, we’re discussing how, in the so-called AI Boom of 2023, cybersecurity is being shaped… Read More
Modern cybersecurity is about more than just reacting to threats as they emerge. Adopting proactive cybersecurity measures is not just a strategic advantage; it’s an operational necessity that can spell the difference between business as usual and breaches that erode customer trust and shareholder value. Whether you’re a cybersecurity veteran or new to the domain,… Read More
The Federal Information Processing Standard (FIPS) 199 provides organizations and individuals with the necessary guidance to determine a cybersecurity threat’s impact level accurately. These impact levels define the level of security a system should have to protect the data contained therein adequately. This article will take you through an overview of FIPS 199 and how… Read More
The U.S. Department of Defense launched the Cybersecurity Maturity Model Certification (CMMC) in response to the escalating cyber threats. This initiative underscores the increasing emphasis on the maturity of cybersecurity programs as a benchmark for assessment and standardization within the Defense Industrial Base and its extensive supply chain. Yet, a surprising revelation from Infosecurity Magazine… Read More
According to a recent report by IT Governance, there were over 70 data breaches in June 2023 alone–accounting for compromising over 14 million data records. Once these records are out in the open, they are often sold on the dark web. Following that, it’s just a matter of time before hackers can use this data… Read More