The Cyber Defense eMagazine February Edition for 2024

More documents

Recommendations

Info

History of CMMC Defense contractors are required to implement security controls to safeguard sensitive unclassified information. For example, in cases where the government issues solicitations or contracts involving the processing, storage, or transmission of FCI, contractors are required to implement the fundamental safeguarding requirements outlined in the Federal Acquisition Regulation (FAR) clause 52.204-21. Similarly, for defense contracts where CUI will be processed, stored, or transmitted during the performance of the contract, the contractor must implement the security requirements in NIST SP 800- 171 per Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. Enforcement of these requirements is primarily achieved through self-attestation. A 2019 DoD Inspector General report found that implementation of these requirements is inconsistent, and self-attestation does not provide sufficient assurance that defense contractors are implementing adequate measures to protect sensitive unclassified information. Additionally, the report recommended the DoD take steps to more effectively validate contractor compliance with CUI protection requirements. It also recommended improvement in DoD contracting processes and enhancements to procedures related to document marketing. While unclassified, information like CUI holds significant importance to the economic and national security of the United States. In recognition of this, the FY20 National Defense Authorization Act (NDAA) charged the DoD with creating a “consistent, comprehensive framework to enhance cybersecurity for the United State defense industrial base.” This requirement led the DoD to create an initial iteration of CMMC, incorporating five scaled levels of security practices. These were based on requirements such as FAR 52.204-21 clause and NIST SP 800-171, in addition to process maturity requirements. A second iteration (CMMC 2.0) reduced the security requirements in the model to directly align with NIST SP 800-171 and FAR 52.204-21, removed the process maturity requirements, and condensed the number of levels to three. In 2020, the DoD released an interim final rule that established a new DFARS clause around CMMC and the assessment of NIST SP 800-171 security requirements. Currently, defense contractors handling CUI must perform a self-assessment of the NIST SP 800-171 security requirements and submit the results of the self-assessment to the government. 2023 Proposed Rule In 2023, the DoD released another rule that builds upon the 2020 rule. This rule is a “proposed rule,” meaning that the DoD must adjudicate and respond to public comments prior to the rule being final. While this rule clarifies many public questions regarding CMMC and introduces some new requirements on defense contractors, the security requirements for Levels 1 and 2 remain the same. For organizations that must attain CMMC Level 1 and for some that must attain CMMC Level 2, there is a requirement to perform a self-assessment and provide an annual affirmation of compliance with CMMC requirements. Additionally, for most organizations that must attain CMMC Level 2, an independent third-party must assess implementation of NIST SP 800-171. A very small subset of defense contractors that support critical DoD programs will also need to achieve CMMC Level 3 and will be assessed by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). CMMC Level 3 is the only level that will Cyber Defense eMagazine – February 2024 Edition 32 Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
equire the implementation of additional security requirements intended to reduce the risk of compromise by advanced persistent threats. Transformative Change While this proposed CMMC rule introduces additional requirements for defense contractors, it also presents an opportunity for deliberate and transformative change. Organizations that must comply with CMMC should consider stepping back and evaluating not only if security requirements are being met, but also if their cybersecurity program is poised to consistently meet these requirements over time and deliver value to the business. Organizations should consider the following to use CMMC adoption for transformative change: 1. Understand how meeting CMMC will enable the organization to meet strategic goals and ensure the cybersecurity program strategy is aligned with these goals. 2. Obtain senior leadership buy-in for the necessary resources—people, funding, and tools—to meet and maintain compliance with CMMC. 3. Evaluate if CMMC security requirements also provide benefit to proprietary information that is not used in the performance of defense contracts. 4. Ensure that improvements to security controls are adequately documented in policies and procedures. Dedicating proper time and attention to documenting cybersecurity processes will improve the acculturation of the processes so that they are retained even in times of organizational stress. 5. Schedule and plan continuous risk assessments to proactively manage cybersecurity and identify gaps ahead of CMMC assessment or affirmation obligations. Another important factor for organizations to consider when building or improving a cybersecurity program is the incorporation of performance management into operational processes. A CMMC assessment validates the implementation of security requirements at a point in time and does not provide organizational leadership continued assurance that cybersecurity measures are durable over time and aligned to strategic objectives. A more powerful approach includes the development of metrics to validate performance of these requirements over time to ensure they continue to provide a security posture commensurate with organizational needs as threat environments evolve. Organizations should regularly communicate the achievement of key metrics to ensure the effectiveness of security controls over time and to provide rationale for key decisions. System of Record Cybersecurity leaders, such as Chief Information security Officers (CISOs), have increased motivation to ensure that due care is used in the implementation and validation of cybersecurity controls. Recent rules adopted by the Securities and Exchange Commission (SEC) put pressure on public companies to Cyber Defense eMagazine – February 2024 Edition 33 Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
Page 1 and 2: How One Industry Exemplifies the Im
Page 3 and 4: Data Breach Search Engines --------
Page 5 and 6: @MILIEFSKY From the Publisher… De
Page 7 and 8: Welcome to CDM’s February 2024 Is
Page 9 and 10: Cyber Defense eMagazine - February
Page 15 and 16: 2001 2024 Cyber Defense eMagazine -
Page 19 and 20: How One Industry Exemplifies the Im
Page 21 and 22: That is where things stand in my in
Page 23 and 24: current on the mission and values o
Page 25 and 26: So, monitoring and managing vendor
Page 27 and 28: About the Author Caroline McCaffery
Page 29 and 30: How so? Businesses can make things
Page 31: Using Cmmc 2.0 To Transform Your Cy
Page 35 and 36: for the Department of Energy’s Cy
Page 37 and 38: • IT no longer controls where and
Page 39 and 40: For example, the Cloudbrink service
Page 41 and 42: 5 Cybersecurity Resolutions for The
Page 43 and 44: The Importance of Cyber Hygiene for
Page 45 and 46: The key steps to improve your cyber
Page 47 and 48: Connecting Tech to Black America By
Page 49 and 50: Establish partnerships with HBCUs E
Page 51 and 52: Perhaps the most obvious example of
Page 53 and 54: Crafting AI’s Future: Decoding th
Page 55 and 56: The implementation of regulations c
Page 57 and 58: AI Is Revolutionizing Phishing for
Page 59 and 60: That’s why security awareness tra
Page 61 and 62: culmination of this race will revea
Page 63 and 64: Traditionally, DBSEs would only inf
Page 65 and 66: Enhancing Cybersecurity Defenses: T
Page 67 and 68: Social engineering testing In the e
Page 69 and 70: GitGuardian Researchers Find Thousa
Page 71 and 72: *Emergent trends While everything f
Page 73 and 74: There are multiple tools that will
Page 75 and 76: Good Security Is About Iteration, N
Page 77 and 78: to incorporate architectural and de
Page 79 and 80: Hacking and Cybersecurity Trends to
Page 81 and 82: detect attacks as they are occurrin
Page 83 and 84:
Legacy solutions hinder an organiza
Page 85 and 86:
About the Author Thomas Müller-Mar
Page 87 and 88:
Having worked closely with financia
Page 89 and 90:
device is emitting its signal the t
Page 91 and 92:
Navigating the API Security Landsca
Page 93 and 94:
that entities (users, services, or
Page 95 and 96:
examine financial transactions, net
Page 97 and 98:
Offensive Awakening: The 2024 Shift
Page 99 and 100:
Not only are legislators pushing fo
Page 101 and 102:
Let’s dive into how security lead
Page 103 and 104:
Overcoming Common Data Security Cha
Page 105 and 106:
The Risks of Over-Privilege Alongsi
Page 107 and 108:
Quishing Campaign Exploits Microsof
Page 109 and 110:
After inserting their email address
Page 111 and 112:
more expensive and time consuming.
Page 113 and 114:
Cotton Sandstorm or Static Kitten h
Page 115 and 116:
Spike in Layoffs Pose Serious Cyber
Page 117 and 118:
About the Author Adam Gavish is the
Page 119 and 120:
The Crucial Role of Data Categoriza
Page 121 and 122:
The Next Generation of Endpoint Sec
Page 123 and 124:
Next-Generation Endpoint Security:
Page 125 and 126:
As I reflect back on the past few m
Page 127 and 128:
Why Is Hardware More Secure than So
Page 129 and 130:
can achieve throughput levels of up
Page 131 and 132:
ecome more secure. By the end of 20
Page 133 and 134:
Zero Trust Matures, Insider Threat
Page 135 and 136:
of the risk of insider threats and
Page 137 and 138:
Zero Trust: Navigating the Labyrint
Page 139 and 140:
• Enhanced Security: Zero trust b
Page 141 and 142:
Cyber Defense eMagazine - February
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
CyberDefense.TV now has 200 hotseat
Page 151 and 152:
Books by our Publisher: Amazon.com:
Page 153 and 154:
Page 155:
i https://www.whitehouse.gov/briefi
show all

The Cyber Defense eMagazine February Edition for 2024

Create successful ePaper yourself

Delete template?

Save as template?