Category Archives: CMMC Insights & Resources

A New CMMC Compliance Checklist

cmmc 2.0 final and proposed rules a checklist for compliance and preparations

The Cybersecurity Maturity Model Certification (CMMC) has become a critical framework for Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) aiming to work with the U.S. Department of Defense (DoD) and its affiliates. With the upcoming mandate requiring CMMC compliance by October 1, 2026, it’s imperative for organizations in this sector to understand and implement the necessary steps to achieve certification. This blog will guide you through the process of achieving CMMC compliance. It breaks down the critical steps and provides a useful checklist to ensure your organization stays on track.

What is the timeline and target date for CMMC 2.0 implementation?

  • November 2019—CMMC announced.

  • September 2020—CMMC 1.0 program initiated.

  • November 2021—CMMC 2.0 announced.

  • December 26, 2023—proposed rule codifies CMMC 2.0 with adjustments.

  • February 26, 2024—60-day comment period on the proposed rule ends.

After receiving final comments, the DoD will roll out CMMC in four phases over 2.5 years. It is expected that CMMC requirements will begin to appear in contracts by early 2025. However, companies should not wait with their CMMC implementation plans. The foundational standards for CMMC, NIST 800-171, are already required today.

1. Understanding and Implementing Security Processes 

Begin with establishing robust information security processes. Developing a system security plan and conducting self-assessments against the NIST 800-171 standards are foundational steps. These assessments help identify your current cybersecurity posture and form the basis for improvements.

2. Continuous Improvement and Submission 

Improvement is a continuous journey. After assessing your security processes, create an action plan to address any gaps, aiming for a maximum score of 110. Submitting this score to the DoD’s Supplier Performance Risk System (SPRS) is crucial for moving forward in the compliance process.

3. Scope Identification 

Identify the specific scope within your organization that requires compliance. This could range from the entire enterprise to specific units or programs, depending on the nature of your DoD interactions.

4. Preliminary Gap Analysis 

Although optional, a preliminary gap assessment is advisable. It provides a clear view of where your security measures stand against CMMC requirements and helps pinpoint areas for improvement.

5. Choosing a C3PAO 

Selecting a CMMC Third Party Assessor Organization (C3PAO) is a key step. A C3PAO will conduct the formal assessment of your cybersecurity practices against CMMC standards.

6. Undergoing the CMMC Assessment 

The assessment process is thorough, covering pre-assessment planning, the assessment itself, and post-assessment activities, including quality assurance reviews and any necessary remediation to meet CMMC standards. The DoD has also published new information regarding these assessments. Findings can automate this assessment journey for you, simplifying the process

7. Achieving Certification 

Upon successful assessment and remediation (if required), your organization will receive its CMMC certification, valid for three years, signifying compliance and eligibility to work within the DoD supply chain.

Levels of CMMC Compliance 

CMMC outlines three levels of certification, each with its own set of requirements:

  • Level 1 (Foundational): Involves basic cybersecurity controls for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).

  • Level 2 (Advanced): Requires adherence to 110 controls for protecting information critical to national security.

  • Level 3 (Expert): Demands compliance with additional controls for top-tier cybersecurity resilience and is assessed via government-led reviews.

CMMC Compliance Checklist: 

A comprehensive checklist can streamline your path to compliance. It includes:

  • Determining your required CMMC level based on the data you handle.

  • Designating a compliance leader within your organization.

  • Limiting the scope of CUI to essential areas and personnel.

  • Selecting technologies that meet CMMC’s stringent security requirements.

  • Developing a detailed System Security Plan (SSP) and Plan of Action and Milestones (POA&M).

  • Performing a self-assessment against NIST 800-171A standards.

  • Addressing any identified security gaps.

  • Optionally, seeking a final review from an RPO or C3PAO before the formal assessment.

Making CMMC Compliance Manageable 

Transitioning to CMMC compliance might seem daunting, but leveraging existing frameworks and certifications that align with CMMC can simplify the process. Incorporating practices from the NIST Cybersecurity Framework (NIST CSF) and other recognized standards can facilitate a smoother certification journey.

Securing Trust

Achieving CMMC compliance is not just about fulfilling a regulatory requirement; it’s about demonstrating your commitment to cybersecurity resilience. By following these steps and utilizing the provided checklist, MSPs and MSSPs can navigate the path to compliance confidently. This effort will not only prepare your organization for the mandatory compliance deadline but also position it as a trusted partner in the defense supply chain, ready to tackle the cybersecurity challenges of today and tomorrow. For more information about CMMC, check out our blog about why CMMC will be good for your business.

2024 Trends Unveiled: Cybersecurity as a Key Business Enabler

As 2024 unfolds, we are witnessing a revolutionary transformation in the cybersecurity landscape. No longer a mere aspect of IT, cybersecurity is now a pivotal driver in reshaping business operations on a global scale. This blog post delves into the forefront of cybersecurity, compliance, highlighting pivotal regulations such as the ASEAN Guidelines on Consumer Impact Assessment (CIA), CMMC, PCI DSS 4.0, DORA, and SEC incident disclosure regulations. These emerging trends are rapidly becoming the gold standard in global business cybersecurity practices.

 

CMMC: Evolving from Defense to a Universal Cybersecurity Benchmark

  • The Cybersecurity Maturity Model Certification (CMMC) is evolving from its U.S. defense sector roots to a worldwide cybersecurity standard. Now applicable across various industries, CMMC’s layered cybersecurity approach is garnering universal acceptance. Its comprehensive framework, focused on continuous improvement, is especially vital for entities managing sensitive or critical data, signifying a move towards standardized cybersecurity excellence.

PCI DSS 4.0: Revolutionizing Payment Security Standards

  • PCI DSS 4.0 is revolutionizing payment security standards globally in 2024. This updated version introduces an adaptive, risk-based approach, essential for any business involved in digital transactions. Its flexibility and focus on tailored security measures are vital for e-commerce, financial institutions, and others in the payment ecosystem, making PCI DSS 4.0 compliance synonymous with secure and trustworthy payment processing.

DORA: Spearheading Digital Resilience in the Financial Sector

  • The Digital Operational Resilience Act (DORA) is a groundbreaking EU regulation shaping the financial sector’s approach to digital risks in 2024. Its influence extends globally, affecting financial entities interacting with the EU market. DORA emphasizes operational resilience, highlighting the need for robust digital risk management in today’s interconnected digital finance landscape.

SEC Incident Disclosure: Championing Transparency in Corporate Cybersecurity

  • The SEC’s incident disclosure regulations are leading a worldwide movement towards transparency in corporate cybersecurity. These mandates, which require prompt and detailed disclosure of cybersecurity incidents, are becoming critical for publicly traded companies globally. This shift towards transparency and accountability in cybersecurity reflects an increasing demand from investors and consumers for trustworthiness and integrity in corporate practices.

ASEAN CIA: Redefining Cybersecurity with a Consumer-Centric Approach

  • The ASEAN Guidelines on Consumer Impact Assessment, originating from Southeast Asia, are now setting a global precedent. These guidelines shift the focus towards assessing cybersecurity’s impact on consumers, prioritizing their rights and data privacy. This consumer-centric approach, especially critical for businesses in or targeting the ASEAN market, is now a global best practice. It underscores the imperative of balancing robust security with consumer rights, a notion gaining traction across various industries.

Other Regulatory Developments Shaping the Cybersecurity Domain

Additional global regulations also predict significant cybersecurity trends:

  • GDPR: Continues to influence data privacy and protection globally, impacting businesses handling EU citizens’ data.

  • ISO/IEC 27001: Gaining traction as a comprehensive framework for managing information security, key for organizations striving for global best practices.

  • NIST Framework: Increasingly adopted worldwide, indicating a move towards unified approaches in cybersecurity risk management.

Cybersecurity Compliance: A Strategic Business Advantage

In 2024, adherence to these emerging cybersecurity regulations offers businesses a strategic advantage. It transcends legal compliance, fostering trust, enhancing brand reputation, and providing a competitive edge. The integration of AI in cybersecurity is another emerging practice, offering efficient and effective solutions for meeting these standards.

  • Increased Focus on Supply Chain Attacks: Modern supply chains are interconnected and complex, making them susceptible to cyberattacks. A breach in one part can have a cascading effect, impacting multiple businesses. This emphasizes the need for rigorous cybersecurity measures across the entire supply chain.

  • Collaborative Risk Management: The trend towards collaborative defense strategies is based on the principle that sharing threat intelligence and best practices can strengthen the security posture of all involved parties. By learning from each other’s experiences, industries can develop more effective defenses against common threats.

State-Sponsored Cyber Attacks: An Escalating Concern

  • Global Ramifications: State-sponsored cyberattacks are particularly concerning due to their scale and impact. These attacks target critical infrastructure, such as energy grids or financial systems, and can compromise national security. The global nature of these threats requires an international response and cooperation.

  • Advanced Countermeasures: To combat these sophisticated threats, organizations need to implement advanced threat detection systems that can identify and neutralize attacks quickly. A zero-trust security model, where trust is never assumed and verification is required from everyone, can be crucial in mitigating these risks. Continuous monitoring ensures that any suspicious activity is detected and addressed promptly.

AI in Cybersecurity: A Complex Role

  • Enhanced Detection and Response: AI can significantly improve threat detection by analyzing vast amounts of data to identify patterns that may indicate a cyberattack. However, this technology can also be used by attackers to create more sophisticated threats, such as deepfakes or AI-driven phishing attacks.

  • Proactive Mitigation Strategies: Organizations must not only invest in AI-based defense systems but also ensure that their workforce is trained to recognize and respond to AI-generated threats. This includes understanding the limitations of AI and being able to identify when a human response is required.

Ransomware Evolution: The Changing Landscape of Cyber Extortion

  • Sophisticated Tactics: Modern ransomware attacks are more than just data encryption; attackers are now threatening to leak sensitive data if the ransom isn’t paid, adding an extra layer of coercion. This dual-threat approach makes it even more challenging for victims to decide whether to pay the ransom or risk public exposure of their data.

  • Comprehensive Defense Strategies: To protect against these evolving ransomware threats, organizations must have robust backup systems that can restore data with minimal loss. Employee training is crucial to help staff recognize and avoid potential ransomware attacks. Additionally, a well-prepared incident response plan can ensure quick action to mitigate damage if an attack occurs.

The Metaverse and Cloud Security: New Frontiers, New Risks

  • Expanded Attack Vectors: As businesses venture into new digital domains like the metaverse and cloud platforms, they face new cybersecurity challenges. These platforms can provide attackers with novel ways to exploit security vulnerabilities.

  • Proactive Security Measures: Ensuring security in these new environments involves a comprehensive approach that includes strong encryption to protect data, robust identity management to verify users, and regular security audits to identify and address vulnerabilities.

The Human Element: Bolstering the Frontlines of Cyber Defense

  • Empowering Through Training and Awareness: Regular and comprehensive training programs are essential in equipping employees with the necessary skills to recognize and prevent security breaches. This training should cover the latest cybersecurity threats and best practices.

  • Cultivating a Security-First Mindset: Creating a culture of security within the organization is crucial. This involves fostering an environment where employees are aware of the importance of cybersecurity and are motivated to take proactive steps to protect the organization’s digital assets.

As 2024 progresses, it’s clear that these cybersecurity trends and regulations are not just shaping, but redefining business strategies. From the consumer-centric ASEAN CIA guidelines to CMMC’s comprehensive security model, and the transparency demanded by SEC disclosure regulations, these developments are crucial in enabling businesses to thrive in the digital era. By staying ahead of these trends, companies can harness cybersecurity not only as a compliance requirement but as a cornerstone for growth and success. Understanding evolving regulations, embracing innovative technologies, and reinforcing human-centric defenses remain key to ensuring business resilience and triumph in an increasingly digitized world.

A CISO’s VDP Security Roadmap, Step-by-Step

Green Bar Chart - Business Growth Concept

When it comes to cybersecurity, discovering vulnerabilities is often the easy part. What tends to be challenging is figuring out where to disclose vulnerabilities once you’ve discovered them.

If someone inside your business or supply chain discovers a vulnerability but fails to report it to the people who need to know about it, the vulnerability may as well not have been discovered at all. It’s only by disclosing and reporting vulnerabilities that stakeholders can remediate them, while also taking steps to avoid falling victim to them until their root cause is addressed.

That’s why establishing vulnerability disclosure programs and policies is critical to cybersecurity success – not to mention the overall health of your business. Setting up a VDP places you ahead of competitors who lack one. It also sends a clear message to vendors, customers, partners, employees and other stakeholders that you take cybersecurity seriously and operate with transparency when you discover vulnerabilities. And it establishes clear policies, robust communication channels and backend processes that help you resolve vulnerabilities and risks quickly.

 

 

But how do you actually create a security VDP initiative? What goes into a VDP, and how do you ensure your VDP application covers all security requirements? Keep reading for answers to those questions as we walk through the five major components of a VDP “roadmap” that can support teams and project managers when it comes to disclosing and reporting on vulnerabilities and ensuring they get back to the Cybersecurity Infrastructure and Security Agency (CISA). CISA which plays a leading role in managing vulnerabilities (and which has also, incidentally, developed a new VDP platform because it recognizes how crucial – and challenging – effective VDP security can be).

 

VDP security step 1: Outline your goals

Creating a VDP to reinforce your security strategy starts with determining exactly what you hope to get out of your VDP.

Ask questions such as:

  • What is the driving factor for your VDP? Having a clear VDP program is essential if you want to work with US officials. Do you want to promote increased security, improve coordination between teams, increase vulnerability visibility or something else? While VDP security operations can do all of these things, you may choose to prioritize one of them in particular.
  • What are your main VDP pain points? What’s currently getting in the way of vulnerability disclosure? Is it a lack of employee education or lack of communication channels, for instance?
  • What role does your VDP play in your overall business? VDPs don’t just serve security purposes. They can also help you achieve business goals by developing a unique selling proposition..

Once you know your main VDP security goals, you can build and use a VDP application tailored to them.

 

VDP security step 2: Assign responsibilities, develop policies

To start building your program, you need to map responsibilities to stakeholders, then establish policies that define who does what within the context of vulnerability disclosure. CISA offers a template that may be helpful for this purpose.

Identify, for starters, who needs to be aware of the program and who needs to participate in it. Then go deeper by defining specific responsibilities for collecting, analyzing and reporting on vulnerabilities.

Outline as well which security policies your vendors need to adhere to, and how you’ll keep those policies up-to-date. And determine whether vulnerability disclosers will be allowed to remain anonymous. An anonymous disclosure does not make the disclosure any less important. A researcher may simply not want their name on any of the disclosure notes.

Ultimately, your goal during this step should be to lay the groundwork for a community that helps itself with vulnerability disclosure and management. 

 

VDP security step 3: Integrate VDP into your processes

Vulnerability disclosure processes shouldn’t exist in a silo. Instead, they should be integrated into your routine business operations, and your VDP policies map should reflect this.

For example, your VDP should outline how software development, testing and deployment operations interface with VDP reporting requirements. It should also define exactly which tests should be run in an effort to discover vulnerabilities.

By establishing these processes, you not only gain efficiency when it comes to managing vulnerabilities. You also set clear guidelines that employees, researchers and vendors should follow to ensure that all vulnerabilities are discovered and disclosed effectively. You should give CISOs and researchers enough scope so that they can provide valuable feedback, but not so much scope that your team can’t keep up with the incoming reports. 

These policies may also help to drive VDP automation by making it possible to automate VDP discovery and reporting within the context of routine business operations. Education is key across the organization and a security culture needs to be embedded into the fabric of your business. 

 

VDP security step 4: Evaluate vendors

Once you’ve determined which VDP policies your business needs to meet, it’s time to evaluate your vendors and perform due diligence to confirm that they align with your requirements.

Rank your vendors according to their overall security postures. You can sort them into three categories: High security, medium security or low security.

From there, choose which vendors require more monitoring, and which pose such security risks that you can’t work with them. You should also highlight vendors with excellent security records, since you may want to target them for long-term partnerships.

To validate your vendor assessments, collect documentation, including the frameworks and security rules that the vendors adhere to internally. Keep these documents secure and update them periodically because they may change.

 

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

 

VDP security step 5: Continuously monitor and audit VDP compliance

After rolling out your VDP policies and vetting vendors, you need to monitor, measure and audit continuously to ensure that stakeholders continue to follow the guidelines. Your goal here is to ensure that everyone – including internal users like your employees, as well as vendors and other external parties – remain in compliance with VDP policies you establish.

To make this process efficient, you’ll want to automate it as much as possible. Automation also ensures that you can scale your business as VDP requirements grow continuously more complex, and as you integrate more vendors and other stakeholders into your operations.

 

With VDP, everyone wins (except the bad folks)

Establishing clear, transparent and actionable VDP rules is a win-win for everyone (except, of course, the threat actors who want to exploit vulnerabilities). It lays the foundation for effective collaboration while also strengthening relationships with both internal and external stakeholders. And it facilitates the fast resolution of vulnerabilities and breaches by getting vulnerability data to organizations like CISA as rapidly as possible.

Findings bakes VDP into  their platform, making VDP security an effortless operation. With Findings, you can both discover and report on vulnerabilities across your business’s supply chain. Findings bakes the “switch” for vulnerability disclosure directly into your business operations, making your VDP processes efficient, scalable and all-encompassing.

 

Learn more by signing up for a Findings demo.

Our Take on Gartner’s Latest Supply Chain Compliance Advice

Data Analysis and Insights - Magnifying Glass on Graph

Going forward, businesses need a new strategy for vetting and monitoring the compliance of their suppliers. But don’t just take our word for it. These are among the takeaways from Gartner’s latest guidance on supply chain compliance and management

 

Gartner highlights why conventional supplier onboarding methods no longer work as businesses need to onboard suppliers quickly, while also ensuring that suppliers meet their compliance requirements.

 

The global supply chain compliance crisis

You probably already know that supply chains are under stress, to put mildly. Gartner points to a couple of main reasons why:

 

  • Businesses are increasingly working with suppliers from new geographic regions, where compliance norms may be different. This complicates onboarding and requires a deeper level of compliance inspection.
  • Organizations often need to add vendors quickly in order to keep their supply chains moving. Yet, without a fast onboarding process, integrating suppliers is time-consuming, which increases the stress placed on supply chains.
  • We’d also add, that issues like global sanctions, which have become especially pronounced as a result of the ongoing Ukraine-Russia war, add even more complexity to vendor onboarding. 

 

We agree wholeheartedly that these are among the key reasons why supply chain compliance and management have become so challenging for the typical business today.

Today, you have to worry not only about whether your vendors meet standard compliance rules, but also about potential sanctions that are subject to constant change. This adds yet more unpredictability and complexity to the onboarding process.

Add to that the surge in supply chain cyber security risks, and it’s no exaggeration to say that operating efficient, compliant supply chains has never been tougher than it is at present.

 

How to streamline supply chain compliance

Gartner suggests three main strategies for addressing the supply chain compliance challenges that businesses currently face.

 

1. Create a playbook for vetting vendors

First, Gartner recommends creating a “playbook that grades each third party’s threat level to determine who gets more attention from the business and compliance.”

 

The idea here is that you can develop preset policies to analyze vendors rapidly during and after the onboarding process. Your policies should reflect information like which risks have impacted your business in the past and how closely a given vendor matches the risk profile of other vendors who have posed challenges.

 

We love this idea not only because it helps businesses to be proactive in their approach to vendor compliance, but also because it lays the groundwork for compliance automation. Playbooks make it possible to implement vendor compliance validation automatically within a security platform, which could sort vendors into high-risk, medium-risk and low-risk categories

This may be of interest to you:

 A CISO’s VDP security roadmap based on criteria defined in the playbooks

2. Automate supply chain compliance

The piece quotes Chris Audet, Senior Director of Research at Gartner, who says, “Compliance leaders must move quickly to onboard third parties and effectively monitor for risks, but many of their traditional methods won’t cut it.”

 

The way to move quickly and monitor for risks comprehensively is to automate risk detection. Automation can help you collect the information you need to make good decisions about vendor risks. It can also automatically flag risks with the help of advanced analytics, and it can help you keep up-to-date as vendor profiles change. In all of these ways, automation helps businesses to complete vendor onboarding quickly, even if they have an increasing number of vendors to vet and face increasing complexity due to new compliance mandates, new sanctions rules or diverse vendor geographies.

 

3. Streamline upfront due diligence

As another way to speed up onboarding, Gartner advises businesses to “streamline due diligence to focus on critical risks.” It suggests doing this by reducing the number of questions you ask vendors to answer manually. Focus validation around critical risk areas, Gartner suggests, rather than asking a large number of questions that may not be relevant for every vendor.

 

We agree. We’d add, though, that it’s important to leverage automation wherever possible to collect as much data as you can about supplier insurance, safety, environment and sustainability initiatives, legal and financial data and any other information that can be helpful for gaining a 360-degree view of your suppliers and sub-suppliers. With automation, it’s possible to onboard rapidly without compromising on your visibility into supply chain compliance.

 

Bonus advice: Establish a compliance-focused company culture

We think Gartner did a great job of capturing much of what it takes to achieve supply chain compliance. But we’d suggest another strategy that Gartner hasn’t mentioned: Building a compliance-centric culture.

 

A compliance-centric culture is one that maximizes collaboration and communication related to compliance. It aligns compliance with vendor expectations, and it allows all stakeholders – both internal and external ones – to share information rapidly in order to manage compliance and supply chain cyber security risks.


Findings helps you to build this culture by providing a platform that anyone can use to raise compliance flags automatically. With Findings, you get holistic compliance that protects your entire supply chain, while also benefiting from automations that allow you to onboard vendors rapidly.

 

Learn more about how Findings can help you to streamline your compliance.

 

Top 5 Reasons Why CMMC Security Will Be Good For Your Business

Top 5 Reasons why CMMC Security will be good

Keeping up to date on the changing CMMC security requirements may seem like a hassle that’s only worth undertaking if you do business with the Department of Defense. But in reality, meeting the new CMMC compliance mandates is a great way to make your business more secure and agile.

That’s why, even if you aren’t a DoD contractor, the CMMC security updates can be beneficial to your business. Keep reading for an overview of what to know about the new CMMC Framework and how to meet it in a way that benefits your business.

Read here how to meet the CMMC compliance challenge head on 

How CMMC is changing

By May 2023, the DoD expects to implement CMMC 2.0, at least in interim form.

Among other changes, CMMC 2.0 reduces the number of compliance “levels” from five to three. This is a major benefit to businesses that need to meet CMMC security mandates because it simplifies the process of choosing which compliance path to follow and adhering to its associated rules. The 3 levels are:

  • Level 1 (Foundational)

This level must match the 15 controls of FAR52.204-21 “basic” controls to protect

Federal Contract Information. Certification is required annually. It is possible for your

organization to self-assess. This is similar to the previous model in CMMC 1.0.

  • Level 2 (Advanced): 

This level is comparable to CMMC 1.0 level 3. Its requirements mirror NIST SP 800-71, which includes 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect sensitive information. The 20 requirements of CMMC 1.0 level 3 compliance have been dropped.

  • Level 3 (Expert)

Under this CMMC 2.0 assessment level, which is comparable to CMMC 1.0 level 5, businesses will require government-led assessments. The focus is on reducing Advanced Persistent Threats (APTs) that could lead to data exfiltration or compromised applications. Besides the 110 controls that are required for the new Level 2 certification, the NIST’s SP 800-172 is required for Level 3 certification.

5 great reasons to choose CMMC compliance

Some businesses will need to meet CMMC compliance requirements because they sell to the DoD, and CMMC 2.0 is a mandate. But even if that is not the case, there are great reasons to become CMMC-compliant.

1. Overall CMMC security protection

Implementing security controls using CMMC 2.0 levels is a great way to maximize your overall security posture. It will help to protect sensitive information within your organization and increase the security of your supply chain.

2. Tailor cyber hygiene to your business

CMMC uses maturity processes and cybersecurity best practices from multiple frameworks as its foundation. And, because CMMC security offers different compliance levels, it’s an excellent framework to follow if you want a cybersecurity plan tailored to your business. Not every organization faces the same level of threats or the same level of data sensitivity. With CMMC, you can establish cyber hygiene policies, such as vulnerability disclosure programs, that reflect your organization’s particular needs. 

3. Prepare for upcoming regulatory changes

As we’ve noted, there is a lot of overlap between the CMMC security requirements and other compliance standards, like those developed by NIST. Thus, by becoming CMMC-complaint, you prepare your business to meet similar compliance mandates that may be rolled out in the future.

4. Validate your cybersecurity from the outside

CMMC assessment is a great way to determine how well your business meets security mandates. This can be done not only by internal stakeholders, who are not objective observers, but by outsiders who understand how risks can flow through supply chains and what it takes to build a strong cybersecurity culture within an organization.

5. Winning additional contracts

The higher your level of cyber security, the more competitive you’ll be. Supply chain security is increasingly viewed as a necessity rather than a nice-to-have. Businesses that fail to prioritize security risk losing contracts and relationships with key enterprises.  Additionally, coordinated vulnerability disclosure programs that are apart of the CMMC security framework, help to build trust and positive cooperation across the supply chain.

Here’s Why Your CISO Wants To Implement A CMMC Framework

The future of supply chain security

As you assess what the CMMC security changes mean for your business, don’t think merely in terms of whether you are specifically required to undergo CMMC assessments. Instead, think about how increasing awareness of cybersecurity and building a stronger cyber culture within your organization will pay dividends now and in the future, regardless of your specific CMMC compliance requirements.

After all, security is always changing, and compliance frameworks like the CMMC change with it. Keeping pace with changing requirements is a good way to encourage accountability across your supply chain and enforce strong cyber hygiene standards.

Indeed, it’s a safe bet that, going forward, cyber security requirements will become tighter, not looser. Embrace the trend now by using frameworks like the CMMC to supercharge your cyber hygiene and disclosure programs, rather than waiting until a specific mandates is handed down that affects you.

Schedule a call to learn more

The 7-Step Guide To CMMC Assessment

Hassle-Free CMMC Assessment: A Step-by-Step Guide

Just when you thought you were on top of CMMC compliance, CMMC 2.0 has come along, upping the stakes for identifying and managing cybersecurity within your business. On top of that, the new National Initiative for Improving Cybersecurity in Supply Chains (NIICS) adds yet another layer of compliance complication for businesses that want to do business with the government. All of this means that having a streamlined process in place for meeting updated compliance mandates is more important than ever.

 

Fortunately, you don’t have to rebuild all of your compliance and assessment processes from the ground up to meet CMMC 2.0 and other new compliance needs. If you already have compliance procedures in place that address NIST standards or similar U.S. government mandates, there’s a good chance that you can expand upon them to address CMMC 2.0 compliance, too.

The challenge of CMMC assessment

Let’s be clear: CMMC assessments are challenging, no matter how streamlined your compliance program is or how much cybersecurity expertise you have in-house. Beyond the complex technical rules you have to meet, you have challenges such as:

 

  • Meeting deadlines: You can’t perform assessments according to timelines you create. You need to meet externally imposed deadlines.
  • Shareholder buy-in: Assessments cost time and money. You need to convince shareholders that the assessment is worth the investment.
  • Cost of certification: Becoming certified, too, comes with a cost, which makes it even harder in some respects to get buy-in.

In the long run, achieving CMMC compliance is well worth it because it allows your business to do business with the DoD. But that doesn’t mean that CMMC assessment is simple or straightforward.

 

Here’s 4 Reasons Why Your CISO Wants To Implement A CMMC Framework

Key differences between NIST and CMMC assessment

As we noted, companies that already have compliance programs designed to meet NIST cybersecurity standards are in a good position to extend upon those programs to address CMMC assessment requirements, too. Both frameworks allow for self-assessments, at least in some cases, and the assessment processes are similar.

But NIST and CMMC are not identical, of course. You must understand the differences before you devise a CMMC assessment strategy based on NIST.

 

One obvious difference is that NIST requirements are developed by the National Institute of Standards and Technology, whereas the Department of Defense oversees CMMC compliance requirements. This means that NIST and CMMC rules could evolve in different directions in the future, even though there is some overlap today.

 

On top of this, under the CMMC framework, not everyone can self-assess. Third-party assessments are required for businesses that manage data that the DoD considers critical to national defense. So, before building a CMMC 2.0 compliance strategy based on self-assessment, be sure you’re actually eligible to self-assess.

7 essential steps for CMMC assessments

If you determine that you can self-assess, then you can build a CMMC assessment process based on the assessment operations you already have in place for NIST or similar standards. Here’s how to do that, step-by-step.

Step 1: Set goals

Start by determining why you are performing a CMMC assessment. Is it because you are specifically required to do so as a contractor for the DoD? Or are you doing it voluntarily, as a means of assessing your cyber health? In the latter case, you have more control over the assessment process and its outcomes, because you won’t have to report to the DoD.

Step 2: Determine assessments you have completed

Identify which assessments your business has already performed, and compare those assessments to CMMC assessment requirements. Again, there is a lot of overlap between requirements like NIST’s and CMMC’s, so you may be able to duplicate large parts of your existing assessments.

Step 3: Perform gap analysis

Of course, there is not likely to be complete overlap between existing assessments and CMMC. You’ll need to perform a gap analysis (or hire an outside auditor for this purpose) to determine which additional data you’ll need to collect or processes you’ll have to undertake to perform CMMC assessment.

Step 4: Create or update the SSP

NIST defines the System Security Plan, or SSP, as a “formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements.” You’ll want to have an SSP in place because it serves as the basis for authorization decisions, while also providing detailed information to support processes and activities in the system development lifecycle. Thus, the SSP serves as the information foundation for your CMMC assessment operation.

Step 5: Build a plan of action and milestones

Next, form a plan of action and milestones (POA&M), which is the roadmap you plan to follow after creating your SSP. The POA&M defines a clear course of action to take and goals you plan to meet to ensure that employees and stakeholders know their roles in keeping and advancing compliance goals. Your POA&M should identify the tasks that need to be completed to secure your systems, proposed remediations for risks and which employees will perform which tasks.

Step 6: Form a remediation plan

The results of your gap analysis should form the basis for a remediation plan. The purpose of this plan is to allow you to pinpoint compliance risks to remediate, prioritize activities to fix vulnerabilities and determine the associated costs you’ll pay to become CMMC-certified. You can formulate the remediation plan yourself, or outsource it to a Managed Security Service Provider (MSSP).

Step 7: Maintain compliance and reporting

Treat CMMC assessment as an ongoing process, not a one-and-done affair. You’ll need to update your plans continuously as your risks change. Changes to your vendors or supply chains may necessitate compliance changes, too. And you’ll want to monitor for risks on an ongoing basis so that you can remediate them immediately, rather than waiting till your next assessment to discover and address problems.

Achieving a well-implemented CMMC assessment framework

When you follow the steps described above, you get a well-maintained cybersecurity program that enables CMMC certification, while also enhancing supply chain security and keeping sensitive data and intellectual property more secure. And you can do it all without having to overhaul your compliance tools or processes from scratch.

 
 

Learn more about becoming CMMC compliant

The Insider Guide To Coordinated Vulnerability Disclosure Programs

The-Insider-Guide-To-Coordinated-Vulnerability-Disclosure-Programs

When you co-ordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and 5 steps to creating one.

 

What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities to various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring that information about a known vulnerability is not just available, but also that response operations are as efficient as possible. But remember not all vulnerabilities should or must be disclosed. Deciding how to react, whether to block or avoid is also an important decision.

 

 

The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster, and  rolled out to affected applications or systems before hackers attack them. This translates to a lower risk that the vulnerability will be exploited. 

Consider CVDP as a  “neighborhood watch” for your IT assets by encouraging everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.

 

Did you know that your supply chain security can affect your stock value?

 

5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, you need to provide secure channels through which third parties can report vulnerabilities in order to benefit from them. These channels could be as simple as resources like security.txt” files that identify where and how someone can report a vulnerability to you.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.

Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provide end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.

Schedule a call to learn more

4 Reasons Why Your CISO Wants To Implement A CMMC Framework

4-Reasons-Why-Your-CISO-Wants-To-Implement-A-CMMC-Framework

“Let’s pursue a new compliance framework just because we feel like it!” is not a phrase that you tend to hear business leaders utter excitedly. After all, making the changes necessary to comply with new compliance rules is a significant undertaking. Unless a specific legal requirement is at stake, businesses tend to embrace them slowly.

However, the Cybersecurity Maturity Model Certification (CMMC) is an exception. Although CMMC is not strictly required for most businesses, implementing it should be a priority for many CISOs today. 

Indeed, a CISO’s main job is to harden cybersecurity wherever possible. Doing so requires identifying security risks, developing practices and policies to mitigate those risks, and creating regular reports that track the effectiveness of cybersecurity investments. Because the CMMC encourages these practices, pursuing CMMC compliance is an excellent way for CISOs to achieve their primary goals.

“All DoD contractors will eventually be required to obtain a CMMC certification,” as CSO Online notes, which may be another reason CISOs implement CMMC compliance. But it shouldn’t be the only one: Whether or not you need to do business with the U.S. Department of Defense, pursuing CMMC compliance is a great idea.

Four reasons to implement CMMC

You achieve several critical benefits when you invest the time and effort required to implement CMMC compliance.

1. Independent cybersecurity validation

Among the recent changes to CMMC is a new independent validation requirement for businesses with CMMC level 3 compliance. Independent validation provides a more thorough security check and vulnerability reporting than you can get from following other security guidelines, like those from NIST (which closely resembled the original version of CMMC).

Thus, CMMC is a more rigorous cybersecurity framework in many respects than anything else you can find.

2. Holistic cybersecurity best practices

CMMC is designed to encourage solid cyber hygiene for businesses of all types and industries.

It encourages a proactive cybersecurity culture (ESG benefits because it demonstrates a commitment to privacy). It facilitates education for all employees – including non-technical stakeholders – about security best practices. And it underlines the importance of managing supply chain security risks, one of the most severe categories of threats that businesses face today.

3. Increased revenue

From a purely business perspective, the additional sales opportunities that CMMC compliance opens up can lead to revenue growth.

When you achieve CMMC compliance, you can do business with U.S. government agencies that might otherwise be off-limits. This means more clients, but it often means more significant client contracts because government agencies tend to be high-value, long-term accounts.

4. Enhanced security maturity

Even in cases where clients aren’t government agencies and don’t require CMMC compliance, being CMMC compliant can nonetheless be a significant boon to business. It helps you demonstrate a commitment to cybersecurity and serves as a stamp of quality/security on the security front, which can help you close more deals and retain more clients.

The enhanced security maturity that comes with CMMC compliance can help you stay ahead of the competition, which may comply with less rigorous mandates but not with CMMC.

Here are the CMMC Compliance Requirements: Everything You Need To Know

Granted, CMMC implementation is not a simple task: It’s essential for CISOs to understand the challenges before undertaking a CMMC compliance initiative:

  • Process: You have to apply for CMMC compliance. That’s another task for CISOs to manage on their already full plates.
  • Buy-in: CISOs need to get buy-in from shareholders and management for the CMMC process. That’s important not just culturally but also because business leaders will need to play a valuable role in the CMMC application process by filing forms, tracking progress and reporting, etc.
  • Multiple steps: Applying for CMMC compliance is not a one-and-done affair. It usually involves multiple steps, with changes or additional information required as you progress through the process.
  • Maintenance: You need to keep your compliance strategy continuously updated to meet CMMC compliance requirements. That increases your time and effort even further.
  • Cost: For most businesses, CMMC compliance will require new tools and processes, which come at a cost. And depending on what level of CMMC compliance you need, an outside advisor may also be required.

None of these challenges should prevent businesses from pursuing a comprehensive CMMC framework to protect against cyberattacks compliance. But it’s essential to be aware of the potential objections and barriers before starting the process.

Even if CMMC compliance is technically optional for your business, there’s a good reason not to treat it as an option. Instead, CISOs should embrace CMMC implementation as an intelligent way to strengthen their business’s cybersecurity – and, in turn, open up new business opportunities.

Learn more by scheduling a demo.

Supply Chain Risk Monitoring as a Service
Join us today
Supply Chain Risk Monitoring as a Service
Join us today

Let's Tackle Compliance Together

Waitlist signup

Welcome to Findings

Let's go over some details to setup your tailor-made account


Please fill your details below and click "Next" to create your account:

Payment

Feature
Startup
Business
Enterprise
Price
$10 / Month
$10 / Month
$25 / Month
VDPaaS
Alerts
Assessments
Integrated Apps
API
Join today and scan ALL YOUR VENDORS for FREE*
* FREE VENDOR SCAN for all of your vendors during your first month.
Feature
Startup
Business
Enterprise
Price
$25 / Month
$200 / Month*
Contact Us
Free vendors scan for 1 month
Findings search engine
Rapid security and compliance profile
Profile/showcase engagements per year
5
40
Unlimited
Multi/unlimited showcase use cases
Showcase compliance badge for your website
Best practice self-assessment
1 Findings or 1 BYOC
Assessment response automation
Personalizable, branded security & compliance showcase page
File/evidence repository
OKTA
DKIM
Out-of-the-box TPRM
20 vendors +
20 rating scans
50 vendors +
50 rating scans
Support
Email
Priority via Phone / Email
Internal Workflows (SO/BO)
Onboarding and customization account setup
*Price for every 40 engagements
Automate assessment response and showcase your cybersecurity posture
Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!

Supply Chain Risk Monitoring as a Service
Join us today
.
.
.
.

Thank you for signing up!