The Imprimis "CyberDeck" Blog

Cybersecurity Tips & Techniques and Best Practices from the "Assessment & Remediation Trenches"...

  


CMMC Review Part 1 of 3:

A Green Paper: Analysis of The DoD Cybersecurity Maturity Model Certification (CMMC) Soliciting Input and Comments

Overview

This month, during National Cyber Security Awareness Month, and in response to recent developments in the DoD's cybersecurity assessment and certification processes for government organizations and the commercial companies that do business with them, I am providing an in-depth review of the recently announced DoD initiative to update and expand its cybersecurity frameworks and standards, known as the Cybersecurity Maturity Model Certification (CMMC). I am also inviting readers, customers, members and alliance partners of Imprimis and the National Cyber Exchange to review our Green Paper and provide feedback and comments, so that we can produce a finalized White Paper within the next 30 to 60 days, submit it to the DoD, and contribute to the national discussion that will frame and shape the process going forward.

Why the Green Paper?

In the Green Paper, Steve Lines of the DIB-ISAC and I explore the motivation behind developing the CMMC for defense contractors and why it will have a major impact on the current cybersecurity assessment, remediation and certification process. The number and complexity of compliance items has grown significantly as the DoD and its consultative participants have proposed multiple overlapping cybersecurity frameworks and standards. We therefore provide both a top-down and a bottom-up review to quantify and describe the proposed changes, and we recommend modifications intended to streamline and simplify what looks to be a daunting and complex process.

The potential threat to small businesses has been made clear. That is why we put forward a call to action for small and medium businesses: the DoD needs substantive feedback so that the final design balances the competing demands of good security and an affordable, achievable implementation of the core competencies of information security.

Review and Comments:

To review the Green Paper online (if your browser supports in-line opening of PDF documents), click the thumbnail image of the Green Paper at the right. To download a copy for review, right-click the thumbnail and save the PDF file locally. If you are a small or medium sized business, a larger commercial enterprise that does business with the Federal Government, or a subcontractor to a prime contractor on a government contract, this will affect you, and we encourage you to provide your input and feedback on the process.

You can use the online feedback form that we have set up on the National Cyber Exchange's website to submit your comments on both the Green Paper and the proposed CMMC framework. We will combine all inputs and suggestions into a single comprehensive submission to the DoD for its review and consideration. Let us know what you think.

Submit comments at https://nationalcyber.org/CMMC; the DIB ISAC and the NCX will make sure all comments reach the CMMC team.

Steve and I thank you in advance for your participation.

Michael G. Semmens
President & CEO, Imprimis Inc.
Chairman, National Cyber Exchange

 


Steve Lines
President DIB ISAC Inc.

 


 

 

 


Cyber Risk Part 2: Growing Cyber Regulations

As discussed previously, the risks associated with cyber come in many different forms. This post looks at the growth of cyber regulations (#cyberregulations).

FEDERAL REGULATIONS AND STANDARDS FOR CYBERSECURITY

Bills are moving through both state legislatures and Congress and becoming law, and these laws and regulations are updated and modified frequently. Take for example the cyber DFARS (Defense Federal Acquisition Regulation Supplement) and FAR (Federal Acquisition Regulation) requirements. They started in earnest with the passage of the Federal Information Security Management Act (FISMA) in 2002, which tasked NIST with developing the Federal Information Processing Standards (FIPS) that implement it. That security work was confined to the federal government itself. In 2010, however, Executive Order 13556 directed the protection of sensitive but unclassified information both inside and outside the government. Within DoD contracting this information is referred to as Covered Defense Information (CDI); elsewhere it is Controlled Unclassified Information (CUI), the term recognized across all government organizations.

Including the EO, there were three significant laws or standards published from 2002 through 2010. As the list below shows, twelve more have been published in the eight-plus years since. The cyber race is on.

  • Dec. 2002: Federal Information Security Management Act (FISMA)
  • Dec. 2002: FIPS (Federal Information Processing Standards) mandated by FISMA
  • Nov. 2010: EO 13556, Controlled Unclassified Information
  • Nov. 2013: First cyber DFARS clause published (51 controls drawn from NIST SP 800-53)
  • Jun. 2015: NIST SP 800-171 published
  • Aug. 2015: DFARS interim rule adopts NIST SP 800-171; cloud computing requirements clarified
  • Sept. & Dec. 2015: DFARS modified and implementation deadline postponed two years, to December 31, 2017
  • Jun. 2016: FAR 4.19 / 52.204-21 (basic safeguarding of contractor information systems)
  • Dec. 2016: NIST SP 800-171 Rev. 1 published
  • Nov. 2017: NIST Handbook 162 published
  • Jun. 2018: NIST SP 800-171 Rev. 1 updated (errata)
  • Jun. 2018: NIST SP 800-171A published
  • Jun. 2019: NIST SP 800-171B draft
  • Jun. 2019: NIST SP 800-171 Rev. 2 draft
  • Jan. 2020: DoD CMMC (Cybersecurity Maturity Model Certification)

Federal cybersecurity-related regulations or standards published between:

  2000 and 2010:   3
  2011 and 2020:  12

 

The risk presented by federal regulations and standards is that an organization that does not meet them becomes ineligible to compete for and win government contracts. Working as a subcontractor is not a workaround: the same clauses in the prime contractor's contract must be flowed down to every subcontractor that handles sensitive data or CUI. To remain eligible, contractors should comply with NIST SP 800-171 Rev. 1, or at a minimum have a credible System Security Plan (SSP) and Plan of Action & Milestones (POA&M) that can be provided to procurement personnel on request.

Of particular note, DoD has announced that it will require third-party certification of contractors starting in 2020. The new requirement, the CMMC (Cybersecurity Maturity Model Certification), will retain all NIST SP 800-171 requirements and add controls drawn from NIST SP 800-53 and NAS9933. The maturity model will have five levels, and reaching the first level may not be enough: the AIA (Aerospace Industries Association) states that the minimum acceptable maturity level within NAS9933 is level 3.

The growth and change of the DFARS give credence to the statement that cybersecurity is a journey, a never-ending process. Contractors that have not already started should do so now.

PRIVACY REGULATIONS: US STATES AND ABROAD

The same trend can be observed in other areas of the economy. Privacy has become a central concern of governments at all levels. The most consequential privacy regulation to date was established in Europe and is known as the General Data Protection Regulation (GDPR). It applies to any organization, wherever it is located, that records, stores or otherwise processes the personal data of individuals in the EU. The principal tenets of GDPR are listed below.

  • May 2018 GDPR (General Data Protection Regulation) Principles
    • Lawfulness, fairness and transparency
    • Purpose limitation
    • Data minimization
    • Accuracy
    • Storage limitation
    • Integrity and confidentiality
    • Accountability and compliance
    • Rights:
      • Right to be informed
      • Right to rectification
      • Right to erasure
      • Right to restrict processing
      • Right to data portability
      • Right to Object
      • Rights related to automated decision making (incl. profiling)

Many businesses have taken the position that they will decline federal business rather than meet the cyber FAR and DFARS requirements. Fewer are prepared to walk away from both federal and international work, because doing so shrinks their market dramatically. But even a decision to avoid both the federal and the international market will not solve their cyber problem. There is more coming!

States are now very active in passing privacy bills. According to a Hogan Lovells analysis published by the IAPP:

"At least 31 states have already established laws regulating the secure destruction or disposal of personal information. And at least 12 states—Arkansas, California, Connecticut, Florida, Indiana, Maryland, Massachusetts, Nevada, Oregon, Rhode Island, Texas and Utah—have imposed broader data security requirements."

The analysis goes on to describe legislation under consideration in the New York State Assembly, specifically A.10190, that would, if passed, prescribe cybersecurity requirements including:

  1. Secure user authentication protocols
  2. Secure access control
  3. Encryption of personal information in transit
  4. Monitoring systems to identify unauthorized access attempts
  5. Encryption of data on portable devices
  6. Implementing appropriate firewall protections
  7. Patching of operating systems
  8. Security software with regular updates
  9. Security education and training

State laws apply to all businesses, period. They focus on protecting consumer rights and defining business obligations, summarized below:

CONSUMER RIGHTS

  1. The right to access personal information collected
  2. The right of access to personal information shared with a third party
  3. The right to correct or rectify incorrect or outdated personal data
  4. The right for a consumer to delete personal information
  5. The right to restrict processing of personal data
  6. The right to data portability
  7. The right to Opt-Out of the sale of personal data
  8. The right against automated decision making
  9. The right of consumer legal action for recovery of damages

BUSINESS OBLIGATIONS

  1. A strict opt-in for the sale of personal information
  2. Notice / transparency requirements
  3. Data breach notification
  4. Mandated risk assessment
  5. Prohibition on discrimination against consumers exercising rights
  6. Purpose limitation
  7. Processing limitation

The following matrix published by the International Association of Privacy Professionals (IAPP) shows current legislative activity in a number of states. It is a lot of activity, and it raises another concern: if many or all states write their own privacy laws, the result will be a patchwork of varying requirements that is difficult to follow. In response, the US Senate Committee on Commerce, Science and Transportation has held hearings to investigate national privacy regulation, which would at least provide a single standard to follow. Ironically, if the federal government defines privacy regulations, it will most likely return to the NIST standards. Full circle!

[IAPP matrix of state privacy legislation]

APPROACH

All the regulations discussed above, in aggregate, represent a tsunami heading straight for businesses. So what is the right approach? Start, and have a plan.

As previously stated, cybersecurity is a process that will be with your company for all of its days. The important thing is to start with a basic program that covers the major defensive issues. At Imprimis we refer to this as the Cyber Start Package. It includes both technical and non-technical elements. The minimum technical elements are: a next generation firewall, properly configured, with an intrusion detection system (IDS); strong and capable endpoint protection (EPP); strong access control, preferably using multi-factor authentication (MFA); data encryption; vulnerability management and patching; and an effective, redundant backup system, with at least one copy kept offline and restores tested regularly so that it actually works when ransomware strikes.

The non-technical elements include policies and procedures (or at least a start on them), a defined management organization for the network and its configuration management, and training for everyone.

You will still be doing these things when you become an advanced, mature cybersecurity operation, so we are talking in degrees.  Start with the basics and add to them.  One thing that will be important for risk management is cybersecurity insurance.  It is a must from the beginning.

And as always … It is time for everyone to #CyberUpAmerica.  We all need to access the benefits of the cyber domain but to do so we all need to learn how to #CyberDeny the bad guys.

 


Cyber Risk Part 1: The Explosion of Cyber Crime

Risk comes in many forms. Likewise cyber risk, risk emanating from the cyber domain, has gone from zero on the Richter scale to one of the major threats faced by businesses and individuals alike. As cyber ubiquity has become a reality, so has #cybersecurity risk.

As we discussed in the last blog, there are four major categories of cyber risk:

  1. direct criminal cyber attacks designed to steal money and/or information
  2. regulations promulgated for minimum cyber defense capabilities
  3. legal liabilities
  4. competitiveness in the marketplace.

I would like to take these risks in turn and devote one or more blogs to each in my Risk Management Radar series...

So, to establish context, let's first answer the question: why are cyber attacks and #cybercrime growing so rapidly? The answer involves three elements: good tools, a safe operating environment (a sure getaway), and a way to get paid.

The Tools of Cyber Criminals:

The tools of cybercriminals are referred to as viruses, worms, botnets, exploits and payloads. For the history buffs in the audience, the first generally recognized computer virus was called Creeper and appeared in 1971. See the sidebar at right for a list of the first three.

When software was infected with a virus, it stopped working or did not work correctly. The vandals are still around, but they are hunting bigger game: they are out to do major damage, and they are much better at destroying software than they used to be. Everyone knows about computer viruses, but that is where the general public's knowledge stops, and the problem is that they think anti-virus software fixes everything. The truth is that although anti-virus is still important, it is a small fraction of what is needed to be safe on the internet.

Worms and Bots, and Payloads... Oh My !

Most people never give a thought to worms in their computers; most don't know what one is. A worm is a program that spreads itself by replication, fast replication: a well-built worm can circle the globe in about ten minutes. Worms first made the scene in 1988 and have been around ever since. The purpose of a worm is to carry and deliver a payload, another piece of software written for a specific purpose such as installing ransomware, or any of hundreds or thousands of other malicious purposes.

Roughly a decade later the botnet appeared. I tell my clients that this is when the ghost of Henry Ford joined the cyber gang. Strictly speaking, a botnet is just a large number of computers and servers networked together and controlled as a group, and some are assembled for legitimate purposes such as distributed computing. In practice, however, the term means machines compromised and controlled by the bad guys without their owners' knowledge. These malicious botnets automate cyber-attacks at industrial scale.

The number of payloads, or malicious programs, has exploded, with a vast number of #hackers in just about every country on earth developing them. These payloads usually rely on well known, publicly available exploits designed to gain access to networks. The tools of the trade have become very strong, and they are available to anyone who wants them.

The Dark Web came next. The onion routing that underpins it was begun by the U.S. Naval Research Laboratory in the mid-1990s for government purposes, and the Tor network built on it was released publicly in the early 2000s. It was soon discovered by the criminal element, who saw the value of a place from which to launch their cyber-attacks, a place where attribution is hard and law enforcement struggles to follow. Much like the old 'hole-in-the-wall' used by bandits: a safe place for bad people. So the second need, a safe operating environment, was satisfied.

Bitcoin came along in 2009. With #cryptocurrency a #hacker has a way of getting paid from anywhere in the world with no bank in the loop that could block, freeze or report the transfer. Before cryptocurrency, cashing in on cybercrime was a dicey business, the riskiest part for the cybercriminal. Bitcoin largely fixed that. Note that Bitcoin is pseudonymous rather than untraceable: every transaction sits on a public ledger, and blockchain analysis routinely follows ransom payments to the exchanges where they are cashed out. But the friction that once made getting paid the weak point of the scheme is gone. The third component went into place in 2009.

The complete cybercriminal ecosystem has now been operating for a decade as of this year. It pays very well, and #cybercrime is growing exponentially. Exploding. No organization, big or small, is safe, and neither is any individual.

It is time for everyone to #CyberUpAmerica.  We all need to access the benefits of the cyber domain but to do so we all need to learn how to #CyberDeny the bad guys.


Cybersecurity Risk - Defined, Described, Detailed...

So, let's get started with my first Risk Management Radar Blog post... 

Over the years there have been many definitions of cybersecurity and of the risks that come with not being fully cybersecurity aware, particularly for small to medium sized businesses. Here are a couple of examples:

 

From a GSA.GOV RFQ:

“Cybersecurity Risk Management” means technologies, practices, and policies that address threats or vulnerabilities in networks, computers, programs and data, flowing from or enabled by connection to digital infrastructure, information systems, or industrial control systems, including but not limited to, information security, supply chain assurance, information assurance, and hardware and software assurance.

 

From a TechTarget "Essential Guide" Description:

"Risk management" is the process of identifying, assessing and controlling threats to an organization's capital and earnings. These threats, or risks, could stem from a wide variety of sources, including financial uncertainty, legal liabilities, strategic management errors, accidents and natural disasters. IT security threats and data-related risks, and the risk management strategies to alleviate them, have become a top priority for digitized companies. As a result, a risk management plan increasingly includes companies' processes for identifying and controlling threats to its digital assets, including proprietary corporate data, a customer's personally identifiable information and intellectual property.

Do you have a Risk Management Plan for your business ?

 

CyberStart

Imprimis has developed a product line and framework that supports SMBs in doing just that. CyberStart is the initial effort; it provides the basics in cybersecurity and corporate cyber insurance. The cyber basics greatly reduce the risk of a breach and support the underwriting of insurance. CyberStart mitigates the risk from cyberattacks and legal liabilities while supporting a positive profile in the marketplace. Together, cyber basics and insurance are an effective risk management approach that is affordable for all small businesses.

Beyond the basics, companies will need to comply with industry standards. The framework established in CyberStart can be expanded to include compliance with those standards. Imprimis has developed a suite of tools and processes that support achieving compliance in the minimum time and at minimum cost, and once compliance is achieved, Imprimis provides the services required to sustain it.

If you're interested in learning more about the CyberStart solution, allow us to provide a live demonstration of the Imprimis system.


About Michael Semmens:

Michael Semmens is a former Corporate VP at BDM International, a corporation eventually acquired by Northrop Grumman Corporation. At BDM Mr. Semmens was responsible for developing and managing business divisions in energy, information technology, manufacturing, and advanced instrumentation. Major programs included designing the CAD/CAM system for the B2 bomber, the initiation of the EDGAR program for the SEC, building totally automated factories for Morton Thiokol, Caterpillar, and developing manufacturing control designs for Ford Motor Company. He also was responsible for the state and local IT outsourcing business. Mr. Semmens has also managed and arranged funding for a number of high-tech start-up companies. He was named Engineer of the Year in New Mexico, received the R&D 100 Award, and Leadership in Education from the University of Colorado at Colorado Springs.
 

Welcome to the Risk Management Radar Blog Series

Introduction:

 

The cyber domain simultaneously portends tremendous opportunity for increased capability and productivity, and a spectrum of threats and risks that threaten every business. This is especially true for small to medium sized businesses (SMB). These businesses are known for their great innovation and creativity, agility, and efficiency but not for their great reservoir of resources – especially financial resources.


Nonetheless, every small business has a fiduciary responsibility to manage the risks associated with the cyber domain. So, what are these risks? Are they losses from cyberattacks, which are now an everyday occurrence? Are they hidden liabilities? Are they regulations that, if not met, can result in fines or disqualification? Or is it the risk of falling behind the competition? The answer, of course, is all of the above.


So, what is the right approach for small businesses? Well, in a word, start. First recognize that your capability in the cyber domain must become a key competency. Define the cyber capability that you need for your business – today and in the future. Then devise and implement a plan that allows a reasonable on-ramp with a blueprint or framework that allows your cyber capability to grow with the company’s needs in the market place.

 

Need Help ? - You've come to the right place...


 

The i2 Risk Management Radar Blog Series:

In this blog series, over the next three months, I will address a wide variety of cybersecurity risk, risk management, remediation, insurance and compliance topics. Through what I am calling the "i2 Risk Management Radar", I will provide a deeper dive for the small to medium sized business manager or executive who is ultimately responsible for their company's risk management profile and status.

Through a series of technical briefings, expanded white papers, and my experience as a cybersecurity professional, I hope to deliver helpful, expanded perspectives on a number of cybersecurity technology topics, policy and procedure best practices, in-the-trenches remediation tips and techniques, and the long-term cybersecurity life-cycle and maturity models that every business will need to adopt and maintain.

So when you see my animated "i2 Risk Management Radar" banner (above) on the CyberDeck Blog page, that marks a post in this continuing cybersecurity series.

Here are some of the categories I will be covering in the weeks and months to come:

  • Cyber Risks
  • Cyber Risk Management
  • Cyber Remediation
  • Cyber Insurance
  • Cyber Compliance
  • Cybersecurity Standards
  • Cyber Compliance Tools
  • Cyber Management & Culture

 

So, look for my first i2 Risk Management Radar post this week !

 

Watching your Cybersecurity Radar !

 

Michael Semmens
President, Imprimis, Inc.
Colorado Springs, CO
 

 

Welcome to the Imprimis "CyberDeck" Blog !


Here you will find a "Direct Connection" to the talented SMEs (subject matter experts) of Imprimis, our in-house cyber security specialists operating on the front lines of cybersecurity assessment, remediation and sustainment.

On the CyberDeck we will post a weekly blog, or a series of posts spanning multiple days or weeks, covering a cybersecurity topic of interest. We will not only introduce the topic; we will do a deep dive into the details and into the weeds, because that is where the true wisdom comes from: gaining a complete understanding of all angles of a challenging cybersecurity policy or procedure.

So What is a CyberDeck ?

In keeping with the origins of the word "cyberdeck" and to pay homage to the original use of it in a literary sense...

Etymology
cyber- +‎ deck, coined by William Gibson in Neuromancer (1984).
https://en.wiktionary.org/wiki/cyberdeck

cyberdeck (plural cyberdecks)
(science fiction) A piece of equipment that can be temporarily connected to the user's brain as an interface to cyberspace.

The Imprimis "CyberDeck" Blog
A "Direct Connection" to the Imprimis Cybersecurity Team where you can frequently "jack in" to information such as engaging articles and best-practice reviews of the tips and techniques used by the Imprimis Cybersecurity Team as they continuously battle hackers and bad actors in the cyber warfare arena.

 

Stay tuned for our first series of Blog Posts in the coming weeks... !