Austin Murphy

Key quotes from the new 48CFR Rule for #CMMC. This rule is the one that goes into new and renewing contracts and requires having a CMMC certificate or self-assessment upon contract award. They tightened up the language quite a bit. On quick scan, it looks well done. The first 40 pages give a lot of information about the DoD's thought process on CMMC, including some technical clarifications like whether joint ventures need to be individually certified, and whether talking about CUI over the phone is in scope.

31

ISC2's CISSP: Is the Certification Broken? David Malachow interviews Ira Winkler on the Professional CISO Show, discussing Ira's open letter to ISC2 and its implications for CISSP certification. A must-watch for cybersecurity professionals! #ProfessionalCISO ['#ProfessionalCISO', '#Cybersecurity', '#CISSP', '#InfoSec', '#ISC2', '#CybersecurityPodcast', '#InformationSecurity', '#DataSecurity', '#ITSecurity', '#CyberRisk']

17

CMMC Level 2 Assessment Objective: Alternative Work Sites PRACTICE: Organizations must enforce safeguarding measures for containing controlled unclassified information (CUI) at alternative work sites. ASSESSMENT: Alternative work sites may include government facilities or the private residences of employees. Organizations must define and implement safeguards to account for protection of CUI beyond the enterprise perimeter. Safeguards may include physical protections, such as locked file drawers, as well as electronic protections such as encryption, audit logging, and proper access controls. Be prepared! Your assessor could ask to: 🔍 EXAMINE a list of safeguards required for alternative work sites 🗣 INTERVIEW personnel approving use of alternative work sites 📝 TEST organizational processes for security at alternative work sites (CMMC Assessment Guide: Level 2 Version 2.11, page 186) #CMMC #DoD #cybersecurity #NIST #InformationSecurity

47

It's here - CRQ Training! If you're a CISO, risk analyst or assessor interested in quantifying cyber risk don't miss this CRQ Mastery Workshop. Learn basic and advanced method. Hands-on exercises. Full toolkit and risk models. ISC2 and ISACA Chapters save and additional 20% for their members. 20 CPEs. More info and registration https://lnkd.in/ecVj8V5N #ISC2, #ISACA, #Training, CyberRiskQuantification, #CISO, #Cybersecurity

5

ECS selected #Axonius to support DHS's CDM program. Axonius will provide comprehensive #Cybersecurity asset visibility and vulnerability management, enabling efficient risk management: https://dy.si/m5nFJ

2

I often hear the question "Where/What are our biggest security exposures?" Cyentia Institute recently had the opportunity to explore this question using data from hundreds of thousands of attack path assessments conducted through the XM Cyber Continuous Exposure Management (CEM) platform. The attached figure gives a categorical breakdown of what we observed based on all entities (digital assets), total security exposures, and exposures affecting critical assets. . The left-most chart represents the attack surface based on broad categories of digital entities discovered during attack path assessments. Active Directory constitutes just over half of entities identified across all environments. On-premises IT and network devices account for another 31% of entities and cloud environments house the remaining 17%. Not all entities, however, are exposed via attack paths. If we change the scope of the attack surface to include only vetted exposures (entities susceptible to attack techniques), things look different. The middle chart captures this perspective and Active Directory exposures dominate the attack surface. But not all of those exposures affect critical assets. To be truly effective, Exposure Management must encompass all environments and account for where critical assets are most at risk. If we once again rescope the attack surface to focus on exposures to critical assets, a very different picture emerges, which is captured in the rightmost chart. Cloud environments now encompass over half of all critical asset exposures, followed by AD at 33% and IT/Network devices at 11%. Does this sync with exposures across your attack surface? Which perspective/view/chart is your primary guide for managing exposures? The full report contains tons of additional insights on exposure management. Download here: https://lnkd.in/dPfqXG7y #cybersecurity #exposuremanagement #cyberrisk

48

8 Comments

Join us for our quarterly happy hour!   Come mingle with your peers and learn about the latest topics/threats in Cybersecurity.    When: Tuesday, September 10, 2024, from 4:00pm   Where:  Draft & Vessel - 7479 Harwood Avenue, Wauwatosa, WI, US 53213    Topic: “AI in Cybersecurity”   Panelists: Pete White, Senior Security Architect at Exabeam Roman Eng, AI Researcher at Clarkson University Andrei Ionescu, Sr. Solutions Architect at Bitdefender  Qualys CyberArk Bitdefender #cybersecurity #AI #happyhour Link to register in the comments!

26

1 Comment

CMMC Level 2 Assessment Objective: Flaw Remediation for Controlled Unclassified Information (CUI) Data PRACTICE: Organizations must identify, report, and correct system flaws in a timely manner. ASSESSMENT: All software and firmware have potential flaws. Organizations must identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated personnel with information security responsibilities. Security-relevant updates include patches, service packs, hot fixes, and antivirus signatures. Be prepared! Your assessor could ask to 🔍 EXAMINE system and information integrity policy. 🗣 INTERVIEW system or network administrators. 📝 TEST organizational processes for identifying, reporting, and correcting system flaws. (CMMC Assessment Guide: Level 2 Version 2.11, page 241) #CMMC #DoD #cybersecurity #NIST #InformationSecurity

55

Koren Wise - so true and so important. There are many qualified organizations offering CMMC Advisory Services from CUI studies and boundary determination to gap analysis and remediation. BUT NOT EVERYONE WHO REPRESENTS THEMSELVES OR THEIR COMPANY AS CAPABLE AND QUALIFIED ACTUALLY IS. The consequences for a company that is legitimately trying to satisfy 800-171 requirements and then pass a CMMC certification assessment in anticipation of receiving an award can be catastrophic. They could lose the opportunity to receive the award they expected and will need to spend additional time and money to conform with the standard and pass a certification assessment. And not every company will have the resources or the willingness to try again. It is a matter of caveat emptor - buyer beware. Ask smart questions to protect yourself against false claims. References are important, especially from clients that have passed JVSAs or DIBCAC Highs. This begs the question: should there be a certification available for companies and individuals providing advisory services? An RPO designation is not at all meaningful, but could be misleading to the uninformed. Just a thought.

20

1 Comment

Check out this podcast interview with me just after my TribalNet keynote in Vegas recently. I was asked a random question at the end about the first concert I attended that you might find interesting (and it's not just what's listed in the podcast description). #infosec #CISO #CIO #businessleaders #cybersecurity #podcast #keynotespeaker #backtobasics #rockconcerts #ISAC

5

By the end of 2024, the MVP Enclave and 800-171 Compliance Program will have undergone four intense Joint Surveillance Voluntary Assessments within a 12-month period by four distinct DIBCAC teams with four separate small businesses. Building enclaves and 800-171 Compliance Programs correctly is a challenging task. Who is guiding your company towards early assessment and beyond? You deserve to move forward with confidence. You deserve to win in 2025. #DIB #InformationSecurity #CMMC #CCA #CCP #ENCLAVE #JSVA #GOVCON #HAMPTONROADSDIB

67

8 Comments

Cyber Threat Investigation 🕵 Quickly understand scope and uncover root cause with targeted forensic-level evidence collection and analysis, delivering prioritized insights across hundreds of assets. Gain clarity fast to inform precise response, remediation, and confident recovery with Binalyze - Automated Investigation and Response (AIR) ==

6

1 Comment

New study finds uptick in cybersecurity disclosers due to new SEC requirements. Still, few detail the material impact of these events. More work and clarity are needed. https://lnkd.in/gQ2paXVs #cybersecurity #infosec #SEC #disclosure

7

This could be the source of your "aha" moment with CMMC. Trust me when I say that there's a lot of FUD and myths in the marketplace, and there's a lot of sleight of hand being performed by people who really are not the experts they pretend to be in the CMMC echo system. Here's a few quick screening questions to ask. 1. Is CUI classified information? 2. Did DoD develop the requirements for protecting my sensitive information? 3. If I don't meet a particular control, I can always get an extension of up to a year to do so, correct? 4. Do I just have to meet 80% of the assessment objectives in each control to be certified? 5. Do I pass the assessment and receive a CMMC Level 2 certification if I meet 75% of the requirements? If you encounter hesitation on any of these questions by any company you're asking to help you comply with CMMC, I would suggest you keep looking. Better yet, go the NCMBC web site and pay the admission. It's $130 per person, and you get food, entertainment and fellowship with other managers and subject matter experts as you plot your journey through the CMMC echo system. Hope to see you there. It's an in person event at McKimmon Center of North Carolina State University. (https://lnkd.in/eitYSGUf, McKimmon Conference and Training Center at NC State University, 1101 Gorman St, Raleigh, NC 27606 (919) 515-2277). Registration link is in Laura's post.

1

Are you a contractor that uses an external cloud service provider (CSP) to store, process, or transmit sensitive defense information? DFARS clause 252.204-7012 details several requirements you must “require and ensure” meet security requirements (Are they on FedRamp.gov Marketplace?) or provide evidence that they are 100% equivalent to the FedRAMP moderate baseline. They must comply with all DFARS 252.204-7012 requirements for: Cyber incident reporting Malicious software Media preservation and protection Access to additional information and equipment necessary for forensic analysis Cyber incident damage assessment You can read the requirements yourself here: https://lnkd.in/gb7qEeaq. Or give us a call at MNS Group. We’re an Authorized C3PAO that can help provide guidance. #DoD #compliance #contractors #cybersecurity #assessment

43

1 Comment

As CMMC takes effect, many FSOs are discovering that their workload is growing rapidly. In our ever-connected, digital, and internet-of-things world, the lines between physical security, digital security, cybersecurity, and information security are blurring. Protecting sensitive information now means guarding against both physical and digital threats. FSOs might find themselves needing to understand not just how to secure a door, but also how to safeguard access controls with strong passwords. The modern FSO is becoming a key figure in overall compliance, taking charge of overseeing, developing, maintaining, and enhancing all aspects of security, not just the physical side. Ultimately, it's all about ensuring that national security information, classified data, CUI, and any other sensitive material are truly protected.

1

Useful tips for CUI scope management for CMMC.

4