May 2022

DCMA Enforcing NIST SP 800-171 Documentation

DCMA Enforcing NIST SP 800-171 Documentation – Surprise Assessments are in effect! – Are You Ready?

Though the DoD has delayed CMMC certification, the Defense Contract Management Agency (DCMA) is now enforcing that contractors have all NIST SP 800-171 documentation in place by performing surprise audits. DCMA created the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to examine companies that have self-assessed compliance with NIST requirements at all CMMC levels. If subject to a surprise assessment, the DIBCAC will initiate contact with the contractor on a Monday and will require them to submit their gap analysis, plan of action and milestones (POA&M), and system security plan (SSP) by that Friday.[1] To prepare for any unannounced audit, companies must complete these documents and confirm their accuracy immediately.

NIST SP 800-171 Gap Analysis

First, your organization needs a compliance gap analysis detailing the compliance-related activities associated with each of the 110 NIST SP 800-171 cybersecurity requirements. You must assess each control requirement as “fully compliant,” “partially compliant,” “not compliant” or “not assessed.” The result of a NIST SP 800-171 gap analysis is a compliance score, derived from the number of controls a company assesses as “fully compliant.” In September 2020, the DoD published the DFARS Interim Rule requiring contractors to report their NIST SP 800-171 compliance score through the Supplier Performance Risk System (SPRS) no later than November 30, 2020. Over a year later, many organizations still have not reported their compliance score, and some have been denied contract modifications or new contract awards because they have not done so. The CMMC Registered Practitioners at GjB and Associates have a thorough understanding of each CMMC requirement.

Plan of Action & Milestones

Second, a Plan of Action & Milestones is expected to be in place. The POA&M is a compliance remediation plan expressed in a format defined by the DoD. It is created from your assessment and details each deficiency, what will be done to remediate the compliance gap, and a timeline for when the gap will be remediated. The gap with the latest remediation date sets the “Plan of Action Date”, the date when full compliance will be achieved. GjB and Associates can help produce your POA&M.

System Security Plan (SSP)

Lastly, a System Security Plan must be completed. The SSP illustrates the detailed architecture of security controls required by NIST SP 800-171 and provides high-level compliance plans or evidence of compliance (depending on status) for all 110 requirements. GjB and Associates can also produce this document for your organization based on the results of the assessment and POA&M. GjB and Associates has also developed nearly 100 Policies and Procedures to assist you in confirming what is in your System Security Plan.

Efficient, Cost-Effective Documentation

Security plans, assessments, and policies and procedures are a critical element of any NIST SP 800-171 compliance effort. The gap analysis, POA&M, and SSP must be produced to provide a foundation for NIST SP 800-171 and CMMC compliance. The investment of time to prepare and review each document for accuracy will pay off as your organization moves closer to its CMMC assessment. If you do not have these documents in place and need efficient, cost-effective help, or you would like an external review of your current compliance efforts, email us at sales@gjbandassociates.com.

Sources

[1] https://cmmcab.org/videos/cmmc-town-hall-march-2022/


15 Common Vulnerabilities and Exposures of 2021

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021. Your IT department or MSP should have addressed these already.

CVE             Vulnerability Name  Vendor and Product                              Type
CVE-2021-44228  Log4Shell           Apache Log4j                                    Remote code execution (RCE)
CVE-2021-40539                      Zoho ManageEngine AD SelfService Plus           RCE
CVE-2021-34523  ProxyShell          Microsoft Exchange Server                       Elevation of privilege
CVE-2021-34473  ProxyShell          Microsoft Exchange Server                       RCE
CVE-2021-31207  ProxyShell          Microsoft Exchange Server                       Security feature bypass
CVE-2021-27065  ProxyLogon          Microsoft Exchange Server                       RCE
CVE-2021-26858  ProxyLogon          Microsoft Exchange Server                       RCE
CVE-2021-26857  ProxyLogon          Microsoft Exchange Server                       RCE
CVE-2021-26855  ProxyLogon          Microsoft Exchange Server                       RCE
CVE-2021-26084                      Atlassian Confluence Server and Data Center     Arbitrary code execution
CVE-2021-21972                      VMware vSphere Client                           RCE
CVE-2020-1472   ZeroLogon           Microsoft Netlogon Remote Protocol (MS-NRPC)    Elevation of privilege
CVE-2020-0688                       Microsoft Exchange Server                       RCE
CVE-2019-11510                      Pulse Secure Pulse Connect Secure               Arbitrary file reading
CVE-2018-13379                      Fortinet FortiOS and FortiProxy                 Path traversal
