fbpx

Category Archives: CMMC

Top 5 Reasons Why CMMC Security Will Be Good For Your Business

Keeping up to date on the changing CMMC security requirements may seem like a hassle that’s only worth undertaking if you do business with the Department of Defense. But in reality, meeting the new CMMC compliance mandates is a great way to make your business more secure and agile.

That’s why, even if you aren’t a DoD contractor, the CMMC security updates can be beneficial to your business. Keep reading for an overview of what to know about the new CMMC Framework and how to meet it in a way that benefits your business.

Read here how to meet the CMMC compliance challenge head on 

How CMMC is changing

By May 2023, the DoD expects to implement CMMC 2.0, at least in interim form.

Among other changes, CMMC 2.0 reduces the number of compliance “levels” from five to three. This is a major benefit to businesses that need to meet CMMC security mandates because it simplifies the process of choosing which compliance path to follow and adhering to its associated rules. The 3 levels are:

 

  • Level 1 (Foundational)

This level must match the 15 controls of FAR52.204-21 “basic” controls to protect

Federal Contract Information. Certification is required annually. It is possible for your

organization to self-assess. This is similar to the previous model in CMMC 1.0.

  • Level 2 (Advanced): 

This level is comparable to CMMC 1.0 level 3. Its requirements mirror NIST SP 800-71, which includes 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect sensitive information. The 20 requirements of CMMC 1.0 level 3 compliance have been dropped.

  • Level 3 (Expert)

Under this CMMC 2.0 assessment level, which is comparable to CMMC 1.0 level 5, businesses will require government-led assessments. The focus is on reducing Advanced Persistent Threats (APTs) that could lead to data exfiltration or compromised applications. Besides the 110 controls that are required for the new Level 2 certification, the NIST’s SP 800-172 is required for Level 3 certification.

5 great reasons to choose CMMC compliance

Some businesses will need to meet CMMC compliance requirements because they sell to the DoD, and CMMC 2.0 is a mandate. But even if that is not the case, there are great reasons to become CMMC-compliant.

1. Overall CMMC security protection

Implementing security controls using CMMC 2.0 levels is a great way to maximize your overall security posture. It will help to protect sensitive information within your organization and increase the security of your supply chain.

2. Tailor cyber hygiene to your business

CMMC uses maturity processes and cybersecurity best practices from multiple frameworks as its foundation. And, because CMMC security offers different compliance levels, it’s an excellent framework to follow if you want a cybersecurity plan tailored to your business. Not every organization faces the same level of threats or the same level of data sensitivity. With CMMC, you can establish cyber hygiene policies, such as vulnerability disclosure programs, that reflect your organization’s particular needs. 

3. Prepare for upcoming regulatory changes

As we’ve noted, there is a lot of overlap between the CMMC security requirements and other compliance standards, like those developed by NIST. Thus, by becoming CMMC-complaint, you prepare your business to meet similar compliance mandates that may be rolled out in the future.

4. Validate your cybersecurity from the outside

CMMC assessment is a great way to determine how well your business meets security mandates. This can be done not only by internal stakeholders, who are not objective observers, but by outsiders who understand how risks can flow through supply chains and what it takes to build a strong cybersecurity culture within an organization.

5. Winning additional contracts

The higher your level of cyber security, the more competitive you’ll be. Supply chain security is increasingly viewed as a necessity rather than a nice-to-have. Businesses that fail to prioritize security risk losing contracts and relationships with key enterprises.  Additionally, coordinated vulnerability disclosure programs that are apart of the CMMC security framework, help to build trust and positive cooperation across the supply chain.

The future of supply chain security

As you assess what the CMMC security changes mean for your business, don’t think merely in terms of whether you are specifically required to undergo CMMC assessments. Instead, think about how increasing awareness of cybersecurity and building a stronger cyber culture within your organization will pay dividends now and in the future, regardless of your specific CMMC compliance requirements.

After all, security is always changing, and compliance frameworks like the CMMC change with it. Keeping pace with changing requirements is a good way to encourage accountability across your supply chain and enforce strong cyber hygiene standards.

Indeed, it’s a safe bet that, going forward, cyber security requirements will become tighter, not looser. Embrace the trend now by using frameworks like the CMMC to supercharge your cyber hygiene and disclosure programs, rather than waiting until a specific mandates is handed down that affects you.

Schedule a call to learn more

The 7-Step Guide To CMMC Assessment

Just when you thought you were on top of CMMC compliance, CMMC 2.0 has come along, upping the stakes for identifying and managing cybersecurity within your business. On top of that, the new National Initiative for Improving Cybersecurity in Supply Chains (NIICS) adds yet another layer of compliance complication for businesses that want to do business with the government. All of this means that having a streamlined process in place for meeting updated compliance mandates is more important than ever.

 

Fortunately, you don’t have to rebuild all of your compliance and assessment processes from the ground up to meet CMMC 2.0 and other new compliance needs. If you already have compliance procedures in place that address NIST standards or similar U.S. government mandates, there’s a good chance that you can expand upon them to address CMMC 2.0 compliance, too.

The challenge of CMMC assessment

Let’s be clear: CMMC assessments are challenging, no matter how streamlined your compliance program is or how much cybersecurity expertise you have in-house. Beyond the complex technical rules you have to meet, you have challenges such as:

 

  • Meeting deadlines: You can’t perform assessments according to timelines you create. You need to meet externally imposed deadlines.
  • Shareholder buy-in: Assessments cost time and money. You need to convince shareholders that the assessment is worth the investment.
  • Cost of certification: Becoming certified, too, comes with a cost, which makes it even harder in some respects to get buy-in.

In the long run, achieving CMMC compliance is well worth it because it allows your business to do business with the DoD. But that doesn’t mean that CMMC assessment is simple or straightforward.

 

Here’s 4 Reasons Why Your CISO Wants To Implement A CMMC Framework

Key differences between NIST and CMMC assessment

As we noted, companies that already have compliance programs designed to meet NIST cybersecurity standards are in a good position to extend upon those programs to address CMMC assessment requirements, too. Both frameworks allow for self-assessments, at least in some cases, and the assessment processes are similar.

But NIST and CMMC are not identical, of course. You must understand the differences before you devise a CMMC assessment strategy based on NIST.

 

One obvious difference is that NIST requirements are developed by the National Institute of Standards and Technology, whereas the Department of Defense oversees CMMC compliance requirements. This means that NIST and CMMC rules could evolve in different directions in the future, even though there is some overlap today.

 

On top of this, under the CMMC framework, not everyone can self-assess. Third-party assessments are required for businesses that manage data that the DoD considers critical to national defense. So, before building a CMMC 2.0 compliance strategy based on self-assessment, be sure you’re actually eligible to self-assess.

7 essential steps for CMMC assessments

If you determine that you can self-assess, then you can build a CMMC assessment process based on the assessment operations you already have in place for NIST or similar standards. Here’s how to do that, step-by-step.

Step 1: Set goals

Start by determining why you are performing a CMMC assessment. Is it because you are specifically required to do so as a contractor for the DoD? Or are you doing it voluntarily, as a means of assessing your cyber health? In the latter case, you have more control over the assessment process and its outcomes, because you won’t have to report to the DoD.

Step 2: Determine assessments you have completed

Identify which assessments your business has already performed, and compare those assessments to CMMC assessment requirements. Again, there is a lot of overlap between requirements like NIST’s and CMMC’s, so you may be able to duplicate large parts of your existing assessments.

Step 3: Perform gap analysis

Of course, there is not likely to be complete overlap between existing assessments and CMMC. You’ll need to perform a gap analysis (or hire an outside auditor for this purpose) to determine which additional data you’ll need to collect or processes you’ll have to undertake to perform CMMC assessment.

Step 4: Create or update the SSP

NIST defines the System Security Plan, or SSP, as a “formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements.” You’ll want to have an SSP in place because it serves as the basis for authorization decisions, while also providing detailed information to support processes and activities in the system development lifecycle. Thus, the SSP serves as the information foundation for your CMMC assessment operation.

Step 5: Build a plan of action and milestones

Next, form a plan of action and milestones (POA&M), which is the roadmap you plan to follow after creating your SSP. The POA&M defines a clear course of action to take and goals you plan to meet to ensure that employees and stakeholders know their roles in keeping and advancing compliance goals. Your POA&M should identify the tasks that need to be completed to secure your systems, proposed remediations for risks and which employees will perform which tasks.

Step 6: Form a remediation plan

The results of your gap analysis should form the basis for a remediation plan. The purpose of this plan is to allow you to pinpoint compliance risks to remediate, prioritize activities to fix vulnerabilities and determine the associated costs you’ll pay to become CMMC-certified. You can formulate the remediation plan yourself, or outsource it to a Managed Security Service Provider (MSSP).

Step 7: Maintain compliance and reporting

Treat CMMC assessment as an ongoing process, not a one-and-done affair. You’ll need to update your plans continuously as your risks change. Changes to your vendors or supply chains may necessitate compliance changes, too. And you’ll want to monitor for risks on an ongoing basis so that you can remediate them immediately, rather than waiting till your next assessment to discover and address problems.

Achieving a well-implemented CMMC assessment framework

When you follow the steps described above, you get a well-maintained cybersecurity program that enables CMMC certification, while also enhancing supply chain security and keeping sensitive data and intellectual property more secure. And you can do it all without having to overhaul your compliance tools or processes from scratch.

 
 

Learn more about becoming CMMC compliant

The Insider Guide To Coordinated Vulnerability Disclosure Programs

Findings - Vulnerability Disclosure Program

When you co-ordinate a vulnerability disclosure program, you follow a systematic process for communicating about, responding to and remediating vulnerabilities. Keep reading for tips on how coordinated vulnerability disclosure programs work, why they’re important and 5 steps to creating one.

 

What Is a Coordinated Vulnerability Disclosure Program?

A coordinated vulnerability disclosure program (CVDP) is a structured, systematic strategy for sharing information about vulnerabilities to various internal and external stakeholders whenever a vulnerability occurs. It’s a way of ensuring that information about a known vulnerability is not just available, but also that response operations are as efficient as possible. But remember not all vulnerabilities should or must be disclosed. Deciding how to react, whether to block or avoid is also an important decision.

 

The Benefits of Coordinated Vulnerability Disclosure

Coordinated vulnerability disclosure programs ensure that you can react efficiently and minimize the risks that vulnerabilities create. Disclosure programs minimize risks not just for your business, but also for your suppliers, partners and customers. The benefits include:

– Reduced vulnerability impact

The overall impact of the vulnerability is likely to be smaller when stakeholders coordinate their response. Patches can be developed faster, and  rolled out to affected applications or systems before hackers attack them. This translates to a lower risk that the vulnerability will be exploited. 

Consider CVDP as a  “neighborhood watch” for your IT assets by encouraging everyone in your supply chain to report risks they discover.

– Build internal processes

Having a coordinated plan in place for vulnerability disclosure helps ensure that your employees each work efficiently to respond to vulnerabilities. A coordinated program defines what each internal stakeholder needs to do when a vulnerability appears.

– Combined stakeholder response

External stakeholders, too, can coordinate their activities much more effectively via a coordinated vulnerability disclosure program. With a program in place, each affected entity can share information efficiently and collaborate with security researchers as needed. Coordinated programs help to establish trust and positive cooperation across the supply chain with regard to vulnerabilities.

– Avoid surprises

When you have set policies in place for what to disclose and how to react to it, stakeholders from across the supply chain have the information they need to react effectively. This breeds transparency and mitigates the risk of unanticipated actions by one organization (such as a decision that a vulnerability is not severe enough to merit action) that could disrupt the responses of others.

On top of this, when you share information quickly and in a coordinated way, you avoid the risk that affected organizations will learn of a vulnerability from the media. The result is an embarrassing scenario and one that leads to slow, inefficient responses and potential damage to an organization’s reputation.

– Ethical corporate behavior

Finally, there is an ethical element to coordinated vulnerability response. Having set procedures in place, and defining how your business will interact with others during vulnerability response, sends a message that you care about transparent operations that benefit the community as a whole. It’s a sign that you’re not just tracking security risks for your own sake, but because you understand the broader impact (ESG) they can have on suppliers, partners and customers.

 

Learn more about Vulnerability Disclosure Programs – Click here

 

5 Steps for Creating a Coordinated Vulnerability Disclosure Program

Now that we know what coordinated vulnerability disclosure means and why it’s important, here’s how to implement it.

1. Create secure reporting channels

As cybersecurity analyst Keren Elazari says, “hackers can be helpful allies” in finding vulnerabilities. What she means is that good-willed third parties who are reviewing your code or systems can be a critical asset for finding security risks that you haven’t seen.

However, you need to provide secure channels through which third parties can report vulnerabilities in order to benefit from them. These channels could be as simple as resources like “security.txt” files that identify where and how someone can report a vulnerability to you.

Consider, too, integrating incentives into these reporting channels, for example, by creating a vulnerability reward program – a practice that companies like Google have used with great success.

2. Assess vulnerability severity

Every vulnerability carries a different degree of risk. What’s more, the risk can vary for different stakeholders within the supply chain.

For these reasons, your coordinated response program should include a process for assessing how severe the vulnerability is, then include that information in the disclosure report, along with technical details on how the vulnerability is exploited.

With that information, security analysts at organizations like CISA can disseminate vulnerability data that is as meaningful as possible.

3. Remediation

Determine, too, how the vulnerability should be mitigated. Does it require the creation of a patch by software vendors, for example, or can it be mitigated by changing environment configurations?

This information helps to coordinate vulnerability response because it provides actionable guidance to stakeholders on what they need to do to remediate the vulnerability across the supply chain.

4. Public awareness

In a coordinated response process, the group that identifies a vulnerability will take appropriate steps to notify users about it via all relevant channels – such as vulnerability databases, email lists and media reports.

Included in these notifications should be a timeline about which information to disclose and when to disclose it. In some instances, you may not want to include certain technical details right away; for example, if a patch is not yet available to fix a vulnerability, you may not wish to disclose how to exploit the vulnerability, in case hackers use that information to execute zero-day attacks that can’t yet be prevented.

5. Assess your response

The final step in a coordinated response program is to generate feedback about its effectiveness. Assess each disclosure by answering questions like how transparent it was and whether stakeholders had easy access to the information they needed to respond. These insights help ensure that you can continuously improve your program over time.

Coordination leads to the best outcomes

As Daniel Cuthbert, Global Head of Cyber Security Research at Santander, said in a Black Hat talk, “missing links create a vulnerability unto themselves.” In other words, the less information you have available in vulnerability disclosures, the higher your risk of damage.

Coordinated vulnerability disclosure programs minimize these risks by allowing all stakeholders to respond as effectively as possible to newly discovered vulnerabilities. They remove the blind spots in vulnerability response, while also demonstrating goodwill commitments to transparency on the part of your business.

When it comes to planning for coordinated vulnerability response, Findings can help. Findings provide end-to-end visibility into software supply chain risks, ensuring you have all the information you need to plan for effective, comprehensive vulnerability disclosure.

 

Schedule a call to learn more

Crisis Management: The Missing Link In Supply Chain Security

Findings - Supply chain security

It’s easy to treat crisis management as an afterthought within the context of supply chain security. Businesses may assume that attacks are unlikely to happen, especially if they’ve invested in risk assessment and mitigation. Just ask some of the major vendors that have been at the root of cybersecurity crisis in the recent past, despite having taken breach prevention quite seriously.

What is a cybersecurity crisis management strategy?

A crisis management strategy provides a protocol for organizations to identify, eliminate and recover from cybersecurity attacks as swiftly as possible; its purpose is to  position the organization for minimal impact of a cybersecurity incident. The protocol will unquestionably reduce the stress on your executive and IT teams in a crisis situation and everyone else involved in mitigating an attack. 

The protocol typically includes, who does what in the event of a cyber incident, who is in charge of managing the crisis, aka  Cybersecurity Crisis Response Team (“Response Team” or “CCRT”). It also covers which  systems need to be checked for impact and where the backups are located; which partners, vendors and customers need to be notified and at what stage does the Board of Directors and media need to be addressed and how. 

For many organizations, this strategy is not only  the responsible thing to do, but may also be a compliance mandate.

 

Information: The following policies can also be mandated:

Your Vulnerability Disclosure Policy Can be Easier Than You Think

 Meeting The CMMC Compliance challenge Head On

 

But where do you start? In contrast to many other security protocols – like privacy disclosure requirements, which are usually straightforward enough – there is no predefined playbook you can follow or set of boxes you can check off, to plan for crisis management. 

It is therefore up to each organization to research and create their own set of protocols. We’ve highlighted what should be in yours below.

Supply chain security: Your crisis management plan

Step 1: Risk assessment

The first step is to identify your supply chain security risks.

Do this by assessing which regulations and legal requirements your business is bound to when it comes to cybersecurity. You should also evaluate your contractual obligations. Next, identify vulnerabilities that exist within your supply chain security and risk management report. Do these vulnerabilities need to be reported to other vendors within your supply chain? Or can they be easily patched? Finally, examine how a breach may impact your business’s operations.

The easiest way to check your metal here is to take risk assessments test surveys and run some gap analysis – doing so will give you a complete score on where your current efforts stand compared to where you should be and industry standards. 

If you find any “show-stoppers,” you must stop your process and fix it before moving forward to avoid failure at a later stage.

With this insight, you can develop a plan for managing the impact.

Step 2: Formalize your security and risk management plan

Once you’ve identified the risks, document them and put them in writing, along with a plan that spells out which steps various stakeholders need to take during an incident to mitigate the risks.

Specifically, your plan should detail:

  • Whom – such as vendors, partners, customers, regulatory authorities – you need to notify about a supply chain breach. And, your head of cyber security should also be formalized.
  • Which processes various stakeholders – such as executive, IT and public relations teams will follow to do their part in handling the incident.
  • How you’ll maintain the necessary level of transparency (which should be defined within your Vulnerability Disclosure Program).
  • What information to disclose to the media, and how to disclose it. Not every part of every incident needs to be publicized, but you should think strategically ahead of time about how to engage with the media.

Step 3: Practice cyber drills

In order to ensure your crisis management plan actually works as you intend it to, you should run through cyber drills, which mean engaging stakeholders in responding to simulated incidents.

If you have the resources, you can hire a professional penetration testing team to create a mock incident, then test your business’s response. Alternatively, you may use your own teams to create a simulated supply chain attack, using a red team/green team model.

The more drills you practice, the better, but you should perform one drill annually at a minimum.

Step 4: Make crisis management a collective business responsibility

Next, work to ensure that everyone in the business – not just the IT team and security experts, but everyone from PR and customer relations to sales and marketing, to the C-suite and beyond – understands your supply chain crisis management plan and knows how to play their role within it.

Do this by publishing the process in a place where all stakeholders can view it. You can also ask stakeholders to explain their role in crisis management, based on the published plan.

Be sure, too, that the plan nominates someone to take the lead in crisis management unless your business already has an obvious person (such as a CISO) to take on this role.

Step 5: Leverage crisis management

Finally, to get even more buy-in for the plan and generate business value from it, educate your sales and marketing teams in particular about the investments you’ve made in crisis management.

This is important because sales and marketing teams can tout your crisis management investments when selling your products to other companies that require a high level of supply chain security and risk management. The more commitment you can demonstrate to managing supply chain risks effectively, the better positioned you’ll be to win customers who need strong supply chain security guarantees.

Winning such business is certainly not the only reason to invest in crisis management planning, but landing more customers this way can’t hurt.

 

Request a demo

4 Reasons Why Your CISO Wants To Implement A CMMC Framework

4 Reasons Why Your CISO Wants To Implement A CMMC Framework by Findings

“Let’s pursue a new compliance framework just because we feel like it!” is not a phrase that you tend to hear business leaders utter excitedly. After all, making the changes necessary to comply with new compliance rules is a significant undertaking. Unless a specific legal requirement is at stake, businesses tend to embrace them slowly.

However, the Cybersecurity Maturity Model Certification (CMMC) is an exception. Although CMMC is not strictly required for most businesses, implementing it should be a priority for many CISOs today. 

Indeed, a CISO’s main job is to harden cybersecurity wherever possible. Doing so requires identifying security risks, developing practices and policies to mitigate those risks, and creating regular reports that track the effectiveness of cybersecurity investments. Because the CMMC encourages these practices, pursuing CMMC compliance is an excellent way for CISOs to achieve their primary goals.

“All DoD contractors will eventually be required to obtain a CMMC certification,” as CSO Online notes, which may be another reason CISOs implement CMMC compliance. But it shouldn’t be the only one: Whether or not you need to do business with the U.S. Department of Defense, pursuing CMMC compliance is a great idea.

Four reasons to implement CMMC

You achieve several critical benefits when you invest the time and effort required to implement CMMC compliance.

1. Independent cybersecurity validation

Among the recent changes to CMMC is a new independent validation requirement for businesses with CMMC level 3 compliance. Independent validation provides a more thorough security check and vulnerability reporting than you can get from following other security guidelines, like those from NIST (which closely resembled the original version of CMMC).

Thus, CMMC is a more rigorous cybersecurity framework in many respects than anything else you can find.

2. Holistic cybersecurity best practices

CMMC is designed to encourage solid cyber hygiene for businesses of all types and industries.

It encourages a proactive cybersecurity culture (ESG benefits because it demonstrates a commitment to privacy). It facilitates education for all employees – including non-technical stakeholders – about security best practices. And it underlines the importance of managing supply chain security risks, one of the most severe categories of threats that businesses face today.

3. Increased revenue

From a purely business perspective, the additional sales opportunities that CMMC compliance opens up can lead to revenue growth.

When you achieve CMMC compliance, you can do business with U.S. government agencies that might otherwise be off-limits. This means more clients, but it often means more significant client contracts because government agencies tend to be high-value, long-term accounts.

4. Enhanced security maturity

Even in cases where clients aren’t government agencies and don’t require CMMC compliance, being CMMC compliant can nonetheless be a significant boon to business. It helps you demonstrate a commitment to cybersecurity and serves as a stamp of quality/security on the security front, which can help you close more deals and retain more clients.

The enhanced security maturity that comes with CMMC compliance can help you stay ahead of the competition, which may comply with less rigorous mandates but not with CMMC.

Here are the CMMC Compliance Requirements: Everything You Need To Know

Granted, CMMC implementation is not a simple task: It’s essential for CISOs to understand the challenges before undertaking a CMMC compliance initiative:

  • Process: You have to apply for CMMC compliance. That’s another task for CISOs to manage on their already full plates.
  • Buy-in: CISOs need to get buy-in from shareholders and management for the CMMC process. That’s important not just culturally but also because business leaders will need to play a valuable role in the CMMC application process by filing forms, tracking progress and reporting, etc.
  • Multiple steps: Applying for CMMC compliance is not a one-and-done affair. It usually involves multiple steps, with changes or additional information required as you progress through the process.
  • Maintenance: You need to keep your compliance strategy continuously updated to meet CMMC compliance requirements. That increases your time and effort even further.
  • Cost: For most businesses, CMMC compliance will require new tools and processes, which come at a cost. And depending on what level of CMMC compliance you need, an outside advisor may also be required.

None of these challenges should prevent businesses from pursuing a comprehensive CMMC framework to protect against cyberattacks compliance. But it’s essential to be aware of the potential objections and barriers before starting the process.

Even if CMMC compliance is technically optional for your business, there’s a good reason not to treat it as an option. Instead, CISOs should embrace CMMC implementation as an intelligent way to strengthen their business’s cybersecurity – and, in turn, open up new business opportunities.

Learn more by scheduling a demo.