Uncategorized

DCMA Enforcing NIST SP 800-171 Documentation

DCMA Enforcing NIST SP 800-171 Documentation – Surprise Assessments are in effect! – Are You Ready?

Though the DoD has delayed CMMC certification, the Defense Contract Management Agency (DCMA) is now enforcing that contractors have all NIST SP 800-171 documentation in place by performing surprise audits. DCMA created the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to examine companies that have self-assessed compliance with NIST requirements at all CMMC levels. If subject to a surprise assessment, the DIBCAC will initiate contact with the contractor on a Monday and will require them to submit their gap analysis, plan of action and milestones (POA&M), and system security plan (SSP) by that Friday [1]. In order to prepare for any spontaneous audit, companies must complete these documents and ensure their accuracy immediately.

NIST SP 800-171 Gap Analysis

First, your organization needs a compliance gap analysis detailing the compliance-related activities associated with each of the 110 NIST SP 800-171 cybersecurity requirements. You must assess each control requirement as “fully compliant,” “partially compliant,” “not compliant” or “not assessed.” The result of a NIST SP 800-171 gap analysis is a compliance score, derived from the number of controls a company assesses as “fully compliant.” In September 2020, the DoD published the DFARS Interim Rule requiring contractors to report their NIST SP 800-171 compliance score through the Supplier Performance Risk System (SPRS) no later than November 30, 2020. Over a year later, many organizations still have not reported their compliance score. Some organizations have been denied contract modifications or new contract awards because they have not done so. The CMMC Registered Practitioners at GjB and Associates have a thorough understanding of each CMMC requirement.

Plan of Action & Milestones (POA&M)

Second, a Plan of Action & Milestones is expected to be in place. The Plan of Action & Milestones is a compliance remediation plan expressed in a format defined by DoD. The POA&M is created from your assessment and details each deficiency, what will be done to remediate the compliance gap, and a timeline of when the gap will be remediated. The gap with the last remediation date is the “Plan of Action Date”, or the date when full compliance will be achieved. GjB and Associates can help produce your POA&M.

System Security Plan (SSP)

Lastly, a System Security Plan must be completed. The SSP illustrates the detailed architecture of security controls required by NIST SP 800-171 and provides high-level compliance plans or evidence of compliance (depending on status) for all 110 requirements. GjB and Associates can also produce this document for your organization based on the results from the assessment and POA&M. GjB and Associates has also developed nearly 100 policies and procedures to assist you in confirming what is in your System Security Plan.

Efficient, Cost-Effective Documentation

Security plans, assessments, and policies and procedures are a critical element of any NIST SP 800-171 compliance effort. The gap analysis, POA&M, and SSP documents must be produced to provide a foundation for NIST SP 800-171 and CMMC compliance. The investment in time to prepare and review each document for accuracy will pay off as your organization moves closer to its CMMC assessment. If you do not have these documents in place and need efficient, cost-effective help, or you would like to have an external review of your current compliance efforts, email us at sales@gjbandassociates.com.

Sources

[1] https://cmmcab.org/videos/cmmc-town-hall-march-2022/

15 Common Vulnerabilities and Exposures of 2021

CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021. Your IT department or MSP should have addressed these already.

| CVE | Vulnerability Name | Vendor and Product | Type |
|---|---|---|---|
| CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) |
| CVE-2021-40539 | | Zoho ManageEngine AD SelfService Plus | RCE |
| CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege |
| CVE-2021-34473 | ProxyShell | Microsoft Exchange Server | RCE |
| CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass |
| CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26084 | | Atlassian Confluence Server and Data Center | Arbitrary code execution |
| CVE-2021-21972 | | VMware vSphere Client | RCE |
| CVE-2020-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
| CVE-2020-0688 | | Microsoft Exchange Server | RCE |
| CVE-2019-11510 | | Pulse Secure Pulse Connect Secure | Arbitrary file reading |
| CVE-2018-13379 | | Fortinet FortiOS and FortiProxy | Path traversal |

The First NIST Control: NIST 800-171 Access Control 3.1.1

This is the first NIST control. Has your company set this up along with the corresponding evidence to confirm implementation?

3.1.1: Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

Assessment objectives:
3.1.1[a]: authorized users are identified.
3.1.1[b]: processes acting on behalf of authorized users are identified.
3.1.1[c]: devices (and other systems) authorized to connect to the system are identified.
3.1.1[d]: system access is limited to authorized users.
3.1.1[e]: system access is limited to processes acting on behalf of authorized users.
3.1.1[f]: system access is limited to authorized devices (including other systems).

Sample evidence for 3.1.1[b]: Application services that are installed on system components, along with their login IDs, are identified in the inventory spreadsheet.

Questions to answer:
Does the company use passwords?
Does the company have an authentication mechanism?
Does the company require users to log on to gain access?
Are account requests authorized before system access is granted?
Does the company maintain a list of authorized users, defining their identity and role, and keep it in sync with the system, application, and data layers?

Basic Concepts for Assessments of CUI Enhanced Security Requirements

The CUI enhanced security requirements in NIST SP 800-172 are organized into 10 families. The process to assess the CUI enhanced security requirements includes preparing for the assessment, developing assessment plans, conducting the assessment, and analyzing the results.

The CUI Enhanced Security Requirement Families are:
- Access Control
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity

In our next blog post, we will walk you through the assessment procedures.

Cyber Security Incident Reporting

If you’ve been paying attention to the recent $800 million Ukrainian relief package, you may have noticed that a long-held-up aspect of US cybersecurity was included: the bipartisan Cyber Incident Reporting Act.

What this means for you:
- More than 100,000 companies are covered by this bill, including all those in the defense industrial base.
- The new law allows CISA to subpoena companies that fail to report cybersecurity incidents or ransomware payments.
- Failures to comply can be referred to the Department of Justice for investigation and penalties.
- Whistleblowers have a direct email link.
- This is a NIST/CMMC requirement.

We have developed both an Incident Response Plan and an Incident Response Policy and Procedure as part of our NIST/CMMC offering.

National Institute of Standards Official Guidance for Contractors Release March 2022

The National Institute of Standards and Technology (NIST) has released official guidance for contractors in the DoD supply chain: NIST SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information (CUI).

The generalized assessment procedures described in this publication provide a framework and a starting point for developing specific procedures to assess the enhanced security requirements in NIST Special Publication 800-172. The assessment procedures can be used to help generate and evaluate the relevant evidence needed to determine if the security safeguards employed by organizations are implemented correctly, operating as intended, and satisfy the enhanced security requirements.

Organizations have the flexibility to tailor the assessment procedures by selecting the assessment methods and objects needed to achieve the assessment objectives. There is no expectation that every assessment method and object in an assessment procedure will be used for every assessment. In addition, there is significant flexibility in the scope of the assessment and the degree of rigor applied during the assessment process. The assessment procedures can support self-assessments, third-party assessments, or assessments conducted by sponsoring organizations (e.g., government agencies). Such approaches may be specified in contracts or agreements by participating parties.

Controlled Unclassified Information (CUI)

What is CUI?
- Government-created or Government-owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure.
- An overarching term representing many different categories, each authorized by one or more laws, regulations, or Government-wide policies.
- Information requiring specific security measures, indexed under one system across the Federal Government.

Why is CUI important?
The establishment of CUI was a watershed moment in the DoD’s information security program, formally acknowledging that certain types of UNCLASSIFIED information are extremely sensitive, valuable to the United States, sought after by strategic competitors and adversaries, and often have legal safeguarding requirements. Unlike with classified national security information, DoD personnel at all levels of responsibility and across all mission areas receive, handle, create, and disseminate CUI. CUI policy provides a uniform marking system across the Federal Government that replaces a variety of agency-specific markings, such as FOUO, LES, SBU, etc.

Where did CUI come from?
Executive Order 13556 established CUI on November 4, 2010. Part 2002 of Title 32 of the Code of Federal Regulations prescribed Government-wide implementation standards on September 14, 2016. DoD Instruction 5200.48, “Controlled Unclassified Information,” established DoD CUI policy on March 6, 2020.

Do you handle CUI? Then you must currently comply with NIST 800-171 or you may be in breach of contract. Are you prepared? We can help!

New Pilot Program to Bolster Cybersecurity Infrastructure of Emerging Small Businesses

SBA Administrator Guzman Announces New Pilot Program to Bolster Cybersecurity Infrastructure of Emerging Small Businesses

SBA will Award $3M in Grants to Help States, Entrepreneurs Combat Rise in Cyber Attacks and Threats

WASHINGTON – Today, Administrator Isabella Casillas Guzman, head of the U.S. Small Business Administration (SBA), announced $3 million in new funding for state governments to help emerging small businesses across America develop their cybersecurity infrastructure – a priority of the Biden-Harris Administration, outlined in the President’s Bipartisan Infrastructure Law (BIL). As part of the Cybersecurity for Small Business Pilot Program, through the Office of Entrepreneurial Development, state governments are eligible to compete for grants that will help deliver cybersecurity assistance to nascent and start-up business owners. Applications will be accepted from January 26, 2022, through March 3, 2022.

“Throughout the COVID-19 pandemic, small businesses have adopted technology at high rates to survive, operate, and grow their businesses. As a result, cybersecurity has become increasingly important as now, more than ever before, small business owners face cyber risks and challenges that could disrupt their operations and competitive advantages. As we seek to build a stronger and more inclusive entrepreneurial ecosystem, we must innovate and provide resources to meet the evolving needs of the growing number of small businesses. With this new funding opportunity, the SBA intends on leveraging the strengths across our state governments, territories, and tribal governments to provide services to help small businesses get cyber ready and, in the process, fortify our nation’s supply chains,” said SBA Administrator Isabella Casillas Guzman.

“The bottom line is we must do more to help small businesses combat cybersecurity threats, which continue to increase, evolve and inhibit,” said SBA Associate Administrator for the Office of Entrepreneurial Development Mark Madrid. “This pilot program will empower state governments to expand existing services, innovate, adapt to current environments, develop new resources, and scale solutions to assist more small businesses. Additionally, expanding access to underserved and underrepresented small business ecosystems will be a critical marker of success.”

About the Cybersecurity for Small Business Pilot Program

Eligible applicants are comprised of state governments that seek to provide training, counseling, remediation, and other tailored cybersecurity services for emerging small firms in multiple industries. Grantees will be awarded up to $1 million to assist small businesses. Funding details and requirements are available at Grants.gov under “Cybersecurity for Small Business Pilot” (Funding Opportunity Number SB-OEDCS-22-001/CDFA 59.079) offered by the SBA. Applications must be submitted by the stated deadline on the official grant application portal as stated in the funding announcement. To learn more about SBA’s programs and services related to cybersecurity, visit www.sba.gov/cybersecurity. To find additional SBA local resources, visit www.sba.gov/local-assistance.

About the U.S. Small Business Administration

The U.S. Small Business Administration helps power the American dream of business ownership. As the only go-to resource and voice for small businesses backed by the strength of the federal government, the SBA empowers entrepreneurs and small business owners with the resources and support they need to start, grow or expand their businesses, or recover from a declared disaster. It delivers services through an extensive network of SBA field offices and partnerships with public and private organizations. To learn more, visit https://www.sba.gov.

Private Sector DoD Contractors Cannot Count on Government for our Nation's Cyber Security

With a Continuing Resolution (CR) funding fiscal year (FY) 2022 until February and deep budget disagreements remaining, the Department of Defense (DoD) faces a significant risk that it could be funded with CRs for the entirety of FY22. This would be a first for DoD and, as Secretary of Defense Lloyd Austin has stated, “an unprecedented move that would cause enormous, if not irreparable, damage to a wide range of bipartisan priorities — from defense readiness and modernization to research and development, to public health.” These impacts will extend well beyond DoD, disrupting the performance of the defense industrial base (DIB) and economic activity across the U.S.

The timing of an FY22 full-year CR could not be worse. Our country is navigating a near-perfect storm of a deteriorating strategic environment, urgent catch-up defense modernization needs, surging inflation eroding defense buying power, and a DIB contending with COVID-19, supply chain constraints, and workforce disruptions. To further quote Secretary Austin, a full-year CR “would misalign billions of dollars in resources in a manner inconsistent with evolving threats and the national security landscape, which would erode the U.S. military advantage relative to China, impede our ability to modernize, degrade readiness, and hurt our people and their families. And it would offer comfort to our enemies, disquiet to our allies, and unnecessary stress to our workforce.”

This is where the approximately 300,000 DoD contractors can ensure that they are securing their systems, and in turn the nation, against our adversaries. We cannot wait for the government to do this for us. We must take the lead. Your role in ensuring NIST 800-171 compliance and meeting future CMMC 2.0 requirements will go a long way.

Cyber Kill Chain

Cybersecurity is one of the top issues that organizations are battling every day. In fact, according to Accenture, 68% of business leaders say that their cybersecurity risks are increasing. Ignoring cybersecurity is proving to be one of the most expensive mistakes, leading to a 72% increase in the average cost of cybercrime over the past 5 years. With cybersecurity, it is not possible to eliminate risks. Hence, having defense strategies in place is the best possible approach to mitigating cybersecurity risk. Using a layered security approach, the risks can be minimized. But how do you ensure that your cybersecurity system is strong enough to withstand any attacks on your organization? This is where the cyber kill chain has a role to play.

What is a Cyber Kill Chain?

The cyber kill chain is essentially a cybersecurity model created by Lockheed Martin that traces the stages of a cyber-attack, identifies vulnerabilities, and helps security teams stop the attack at every stage of the chain. The term kill chain is adopted from the military, which uses it to describe the structure of an attack: identifying a target, dispatch, decision, order, and finally, destruction of the target.