Monthly Archives: April 2024

A New CMMC Compliance Checklist


The Cybersecurity Maturity Model Certification (CMMC) has become a critical framework for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) aiming to work with the U.S. Department of Defense (DoD) and its affiliates. With the upcoming mandate requiring CMMC compliance by October 1, 2026, it’s imperative for organizations in this sector to understand and implement the necessary steps to achieve certification. This blog will guide you through the process of achieving CMMC compliance. It breaks down the critical steps and provides a useful checklist to ensure your organization stays on track.

What is the timeline and target date for CMMC 2.0 implementation?

  • November 2019—CMMC announced.

  • September 2020—CMMC 1.0 program initiated.

  • November 2021—CMMC 2.0 announced.

  • December 26, 2023—proposed rule codifies CMMC 2.0 with adjustments.

  • February 26, 2024—60-day comment period on the proposed rule ends.

After the comment period closes, the DoD will roll out CMMC in four phases over 2.5 years. CMMC requirements are expected to begin appearing in contracts by early 2025. Companies should not wait to start their CMMC implementation plans, however: the foundational standard for CMMC, NIST 800-171, is already required today.

1. Understanding and Implementing Security Processes 

Begin with establishing robust information security processes. Developing a system security plan and conducting self-assessments against the NIST 800-171 standards are foundational steps. These assessments help identify your current cybersecurity posture and form the basis for improvements.

2. Continuous Improvement and Submission 

Improvement is a continuous journey. After assessing your security processes, create an action plan to address any gaps, aiming for a maximum score of 110. Submitting this score to the DoD’s Supplier Performance Risk System (SPRS) is crucial for moving forward in the compliance process.

3. Scope Identification 

Identify the specific scope within your organization that requires compliance. This could range from the entire enterprise to specific units or programs, depending on the nature of your DoD interactions.

4. Preliminary Gap Analysis 

Although optional, a preliminary gap assessment is advisable. It provides a clear view of where your security measures stand against CMMC requirements and helps pinpoint areas for improvement.

5. Choosing a C3PAO 

Selecting a CMMC Third Party Assessor Organization (C3PAO) is a key step. A C3PAO will conduct the formal assessment of your cybersecurity practices against CMMC standards.

6. Undergoing the CMMC Assessment 

The assessment process is thorough, covering pre-assessment planning, the assessment itself, and post-assessment activities, including quality assurance reviews and any necessary remediation to meet CMMC standards. The DoD has also published new information regarding these assessments. Findings can automate this assessment journey for you, simplifying the process.

7. Achieving Certification 

Upon successful assessment and remediation (if required), your organization will receive its CMMC certification, valid for three years, signifying compliance and eligibility to work within the DoD supply chain.

Levels of CMMC Compliance 

CMMC outlines three levels of certification, each with its own set of requirements:

  • Level 1 (Foundational): Involves basic cybersecurity controls for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

  • Level 2 (Advanced): Requires adherence to 110 controls for protecting information critical to national security.

  • Level 3 (Expert): Demands compliance with additional controls for top-tier cybersecurity resilience and is assessed via government-led reviews.

CMMC Compliance Checklist: 

A comprehensive checklist can streamline your path to compliance. It includes:

  • Determining your required CMMC level based on the data you handle.

  • Designating a compliance leader within your organization.

  • Limiting the scope of CUI to essential areas and personnel.

  • Selecting technologies that meet CMMC’s stringent security requirements.

  • Developing a detailed System Security Plan (SSP) and Plan of Action and Milestones (POA&M).

  • Performing a self-assessment against NIST 800-171A standards.

  • Addressing any identified security gaps.

  • Optionally, seeking a final review from an RPO or C3PAO before the formal assessment.

Making CMMC Compliance Manageable 

Transitioning to CMMC compliance might seem daunting, but leveraging existing frameworks and certifications that align with CMMC can simplify the process. Incorporating practices from the NIST Cybersecurity Framework (NIST CSF) and other recognized standards can facilitate a smoother certification journey.

Securing Trust

Achieving CMMC compliance is not just about fulfilling a regulatory requirement; it’s about demonstrating your commitment to cybersecurity resilience. By following these steps and utilizing the provided checklist, MSPs and MSSPs can navigate the path to compliance confidently. This effort will not only prepare your organization for the mandatory compliance deadline but also position it as a trusted partner in the defense supply chain, ready to tackle the cybersecurity challenges of today and tomorrow. For more information about CMMC, check out our blog about why CMMC will be good for your business.

New NSA Zero-Trust Guidance


The Zero Trust (ZT) model has emerged as a critical framework for safeguarding an organization’s digital environment. This approach is built on the premise that threats can originate from anywhere, and therefore, no entity within or outside the network should be automatically trusted. Among the various pillars of the Zero Trust model, the network and environment pillar plays a pivotal role in preventing unauthorized access and movement within an organization’s digital ecosystem.

Recently, the NSA shared a cybersecurity information sheet titled “Advancing Zero Trust Maturity Throughout the Network and Environment Pillar”. It provides guidance on strengthening internal network control and containing network intrusions to a segmented portion of the network using Zero Trust principles. The guide was written in response to the increasing complexity and frequency of cyber threats facing organizations today.

Below, I’ve summarized the document; these are the key points to note. Read on!

Understanding Zero Trust in Network Security

The principle of Zero Trust dictates that organizations must adopt a stance of continuous verification and minimal privilege across their networks. This approach is crucial in thwarting adversarial tactics such as lateral movement, where attackers, once inside the network, seek to access sensitive data and critical systems. Implementing Zero Trust within the network and environment pillar involves creating a robust architecture that segments and isolates the network, thereby controlling access through detailed policies and checks.

NSA’s guidance is particularly aimed at National Security Systems (NSS), the Department of Defense (DoD), and the Defense Industrial Base (DIB), but is also relevant to other entities potentially targeted by sophisticated cyber attacks. It incorporates and aligns with guidance from the DoD’s Zero Trust Strategy, Zero Trust Reference Architecture, and the Cybersecurity Reference Architecture, as well as additional standards from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).

The NSA’s guidance stresses the importance of transitioning from traditional perimeter defense strategies to a more robust defense-in-depth approach. This approach involves managing, monitoring, and limiting both internal and external traffic flows to protect sensitive data and critical systems more effectively. By enhancing their network control, organizations can more effectively contain, detect, and isolate network intrusions, thereby significantly improving their overall security posture.

Learning from Past Breaches

As mentioned in the guide, a significant breach of an American retail corporation in 2013 underscores the necessity of network segmentation. Cybercriminals exploited the network’s lack of segmentation by using credentials from a contracted HVAC company to plant malware in the retailer’s systems, resulting in massive data theft. This incident highlights the importance of not only monitoring external access but also implementing stringent internal controls to mitigate such risks.

Advancing Network Security with Zero Trust

To enhance security, organizations are encouraged to delve deeper into the network and environment pillar, moving beyond traditional perimeter defenses to more sophisticated mechanisms. Key strategies include:

  1. Data Flow Mapping – Identifying and understanding how data moves within the organization. This helps in spotting any unauthorized or risky data handling and ensures that data is encrypted during transmission.

  2. Macro Segmentation – Dividing the network into distinct zones based on different security needs. For instance, separating departments like IT and Accounting to prevent access to each other’s data and resources, thereby reducing the overall risk of lateral movement by malicious actors.

  3. Micro Segmentation – Further dividing those zones into even smaller segments to control data flow more granularly. This restricts the access even among users within the same department, limiting the spread and impact of potential breaches.

  4. Software Defined Networking (SDN) – Using advanced network management technology to dynamically and efficiently manage network flows and implement security controls. This provides centralized control over the network, enhances security through automated updates, and helps in quick adaptation to new security threats.
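As an added illustration of the first three strategies above (this is example code written for this summary, not material from the NSA information sheet), the small policy evaluator below models a data flow map as a list of observed connections, assigns hosts to zones (macro segmentation) and to segments within a zone (micro segmentation), and applies a default-deny rule set. Every host name, zone, rule and flow is constructed for the example; the vendor zone stands in for the kind of third-party access discussed in the breach section.

```python
from collections import namedtuple

Host = namedtuple("Host", "name zone segment")     # zone = macro segment, segment = micro segment
Flow = namedtuple("Flow", "src dst port encrypted")  # one observed connection from the flow map

# Explicit allow rules: (src_zone, src_segment, dst_zone, dst_segment, port).
# "*" matches any segment. Anything not listed is denied (default deny).
ALLOW_RULES = {
    ("it", "*", "it", "servers", 22),                          # any IT segment may SSH to IT servers
    ("accounting", "workstations", "accounting", "servers", 443),
    ("it", "workstations", "accounting", "servers", 443),      # documented cross-zone exception
}

def _match(rule_part, value):
    return rule_part == "*" or rule_part == value

def evaluate(flow, hosts, rules=ALLOW_RULES):
    """Return (decision, reason) for one observed flow under default deny."""
    if flow.src not in hosts or flow.dst not in hosts:
        return "deny", "host missing from data flow map"   # unmapped asset: investigate, do not allow
    src, dst = hosts[flow.src], hosts[flow.dst]
    if not flow.encrypted:
        return "deny", "unencrypted in transit"             # flow mapping should surface these
    for sz, ss, dz, ds, port in rules:
        if (src.zone == sz and _match(ss, src.segment)
                and dst.zone == dz and _match(ds, dst.segment)
                and port == flow.port):
            return "allow", "matched allow rule"
    if src.zone != dst.zone:
        return "deny", "cross-zone (macro segmentation)"
    return "deny", "intra-zone (micro segmentation)"

def audit(flows, hosts):
    """Map every observed flow to its decision, as a segmentation review would."""
    return [(f.src, f.dst, f.port, *evaluate(f, hosts)) for f in flows]

# Constructed inventory and observed flows (not real hosts or traffic).
HOSTS = {h.name: h for h in [
    Host("it-ws-1", "it", "workstations"),
    Host("it-ws-2", "it", "workstations"),
    Host("it-srv-1", "it", "servers"),
    Host("acct-ws-1", "accounting", "workstations"),
    Host("acct-srv-1", "accounting", "servers"),
    Host("hvac-vendor", "vendor", "remote"),
]}
FLOWS = [
    Flow("it-ws-1", "it-srv-1", 22, True),         # allow: intra-zone rule
    Flow("acct-ws-1", "it-srv-1", 22, True),       # deny: cross-zone, no rule
    Flow("hvac-vendor", "acct-srv-1", 443, True),  # deny: vendor zone has no rule
    Flow("acct-ws-1", "acct-srv-1", 443, False),   # deny: matches a rule but is unencrypted
    Flow("it-ws-1", "it-ws-2", 445, True),         # deny: same zone, no micro-segment rule
]

if __name__ == "__main__":
    for row in audit(FLOWS, HOSTS):
        print(row)
```

Running the audit over a real flow map would produce the list of connections that a segmentation rollout would break, which is the practical starting point for deciding which exceptions to document and which flows to remove.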

NSA’s Guidance

The NSA suggests that organizations should:

  • Continuously map and understand data flows to ensure sensitive information is properly secured and encrypted.

  • Implement both macro and micro segmentation to not only limit the scope of potential breaches but also to provide finely tuned control over who can access what within the network.

  • Utilize SDN technologies where applicable for better control and automation of network configurations and security policies.

  • Adopt a vigilant approach by continuously monitoring for threats, assessing risks, and responding promptly to detected security incidents.

The goal is to establish a resilient network environment that can resist, detect, and respond effectively to cyber threats based on the principles of Zero Trust.

The Road to Maturity

Adopting a mature Zero Trust strategy involves a gradual progression, starting with basic segmentation and encryption, and evolving towards a comprehensive, automated, and centrally managed security posture. As organizations refine their approach, they develop a more resilient defense-in-depth strategy that not only detects and isolates threats but also significantly improves the overall security landscape.

The Crucial Role of the Zero Trust Model

In conclusion, fortifying the network and environment pillar under the Zero Trust model is not just a strategic move but a necessity in today’s threat landscape. By mapping data flows, implementing rigorous segmentation, and embracing software-defined networking, organizations can build a formidable defense against cyber threats. The Zero Trust model is a journey of continuous improvement, where each step forward enhances the organization’s capability to protect its most valuable assets in an ever-changing cyber world.

March 2024 Data Breach Round Up


A few months into 2024, and data breaches are on the rise. This surge highlights the need for improved security measures and greater awareness. These instances of unauthorized access to confidential data expose vulnerabilities in our interconnected systems. A deeper look into these breaches uncovers broader cybersecurity issues that necessitate immediate, coordinated efforts for digital information protection. In a time when data breaches are becoming more advanced, traditional security measures are no longer adequate.

This is where comprehensive security assessments and compliance become invaluable. Evaluating your company’s security posture and aligning it with industry standards can help identify vulnerabilities before exploitation. Compliance isn’t just about ticking boxes—it’s about creating a robust framework that bolsters security measures and instills trust in clients.

However, the real game-changer in the fight against cyber threats is the integration of AI into your security strategies. AI can analyze vast amounts of data at an unprecedented speed, identifying potential threats and anomalies that might go unnoticed by human eyes. It can also predict potential vulnerabilities, allowing companies to fortify their defenses proactively.

Let’s jump into the data breaches that shook the industry in March 2024, a stark reminder of the ever-evolving challenge of maintaining digital security. 

AT&T

AT&T has initiated a mass reset of customer account passcodes following a leak that exposed millions of records online, including sensitive information such as names, addresses, and Social Security numbers. The leaked data, dating back to 2019 or earlier, affects about 7.6 million current and 65.4 million former AT&T account holders. Despite the leak, AT&T has stated there’s no evidence of unauthorized system access. The leak, which included encrypted passcodes that could be easily decrypted, was first identified when a security researcher shared their findings with TechCrunch. AT&T is contacting affected current and former customers to inform them about the breach and the steps being taken to secure their accounts.

Fujitsu

Fujitsu, a leading global IT services provider, recently announced a significant security breach where malware infected its systems, leading to the theft of customer data. The company, ranking as the sixth largest in its sector with a workforce of 124,000 and revenues of $23.9 billion, plays a pivotal role in technology, offering a wide array of products and services, including cloud solutions and IT consulting. The breach, affecting systems holding sensitive customer information, prompted immediate action from Fujitsu to isolate infected computers and enhance monitoring. Despite no reports of the data’s misuse, Fujitsu has notified relevant authorities and is in the process of alerting affected customers. This incident follows a 2021 security breach involving Fujitsu’s ProjectWEB tool, which compromised government agencies and led to significant data theft, underscoring ongoing cybersecurity challenges.

MarineMax

MarineMax, a leading yacht retailer, reported a cyberattack in March, revealing that hackers, identified as the Rhysida ransomware gang, compromised its systems and stole data including employee and customer personal information. Despite initial claims of not storing sensitive data on the breached systems, a subsequent investigation uncovered that the cybercrime group accessed and extracted data, which is now being offered for sale on the dark web for 15 Bitcoin (over $1 million). MarineMax, with operations spanning 130 locations globally and reporting $2.39 billion in revenue last year, has engaged external cybersecurity experts to mitigate the breach’s impact, notified law enforcement, and is in the process of notifying affected individuals and regulatory bodies. The Rhysida gang, known for its ransomware-as-a-service operations since May 2023, has targeted various organizations, including the British Library and healthcare entities, marking this incident as part of a broader pattern of cyberattacks by the group.

PandaBuy

PandaBuy, an online shopping platform facilitating purchases from Chinese e-commerce sites, experienced a data breach affecting over 1.3 million users. The breach, executed by threat actors ‘Sanggiero’ and ‘IntelBoker’ through exploiting critical API vulnerabilities, exposed comprehensive user data including names, contact details, order information, and addresses. The compromised data was offered on a forum for a nominal cryptocurrency fee, with a sample provided to validate its authenticity. Despite attempts to downplay the incident, evidenced by moderated discussions on Discord and Reddit, the breach’s reality was confirmed by data breach aggregator Have I Been Pwned (HIBP), advising impacted users to change their passwords and be cautious of potential scams. PandaBuy has yet to officially address the breach publicly, as concerns over user privacy and platform security escalate.

France Travail

France Travail, the national unemployment agency in France, has reported a significant data breach affecting approximately 43 million individuals, stemming from a cyberattack between February 6 and March 5. The agency, which aids in job placement and financial support, acknowledged that personal details of job seekers over the past two decades, including sensitive information like social security numbers and contact details, were compromised. While bank details and passwords remain unaffected, the exposed data raises serious concerns for identity theft and phishing risks. France Travail has notified the National Commission of Informatique and Liberties (CNIL) and is advising those potentially impacted to exercise caution with their communications. This incident, surpassing the scale of previous breaches including a 10-million-person breach last August and the recent Viamedis and Almerys breach, marks a record for cybersecurity incidents in France.

Prioritizing Compliance & Cybersecurity in the Wake of Rising Data Breaches:

Digital security is a complex tapestry, with challenges increasing in both frequency and severity. This complexity calls for action. We must strengthen our defenses, both as organizations and individuals. At Findings, we understand the pivotal role of security assessments, compliance, and AI in safeguarding your digital assets. Our suite of services is designed to provide a comprehensive security solution that not only helps prevent data breaches but also ensures that your company is equipped to handle any cyber threats that come its way. From detailed security assessments that highlight your strengths and weaknesses to AI-driven insights that keep you one step ahead of cybercriminals, we are your partner in establishing a resilient and compliant security posture.

As we reflect on the lessons from the top breaches in March 2024, let us use them as a stepping stone towards a more secure and trustworthy digital future. 
