Don Maclean

Cybersecurity Maturity Model Certification (CMMC) 2.0 is here. If your company is not prepared, the time to get ready is now, or your company may risk losing business with the Department of Defense (DoD). The CMMC program requires cyber protection standards for companies in the Defense Industrial Base (DIB) and aims to protect sensitive unclassified information that the DoD shares with contractors and subcontractors.

Implementing zero trust may seem daunting, but it is also an opportunity to integrate more secure coding practices into your software applications from the start. Zero-trust security assumes that all traffic on your internal network is potentially malicious. Consequently, it requires taking measures to:

In view of current events, the Cybersecurity Infrastructure Security Agency (CISA) has noted the increased likelihood of a cybersecurity breach. Their recommendations, listed below, speak mainly to the basics of cybersecurity:  foundational practices and technology that protect every enterprise, in both the public and private sector. Below are the key elements (full details are here Shields Up | CISA):

In a Department of Defense (DoD) Town Hall held on February 10, led by David McKeown, DoD’s Senior Information Security Officer and Deputy CISO, we heard some news about CMMC. Defense contractors holding Controlled Unclassified Information (CUI) will need a third-party assessment to obtain certification.

Are you next? Will criminals target your organization with ransomware? No one can say for sure, so prepare now. Here are four and a half critical decisions to make – and things to do – before a crisis hits.   (What’s half a decision, you ask? What’s half an action, you may wonder. Read to end if you want to find out). 1. Do: Have a plan This sounds so obvious, but I have seen major organizations in business and government scrambling to respond to a ransomware attack. Your plan should include at least these elements?

President Biden has recently issued the “Executive Order on Improving the Nation’s Cybersecurity”, which requires government agencies to present plans for implementing a Zero Trust architecture, imposes stringent standards for threat sharing on government contractors and agencies alike, requires software vendors to show a Software Bill of Materials to demonstrate the security of their products, and seeks broad modernization of the Federal government’s cybersecurity posture.

Hackers recently attacked computer systems belonging to the Colonial Pipeline company, forcing them to shut down operations and inhibiting delivery of diesel fuel, gasoline, and jet fuel throughout the East Coast of the United States. The company has responded quickly but cautiously and expects to resume normal operation very soon. In the meantime, a declaration of emergency from the White House allows extended operation of other means of petroleum transport.

The Technology Modernization Fund (TMF) recently received a much-needed influx of funds, bringing its total to $1 billion.  This money is a small part of the funding for technology upgrades in the government, and a very small part of the overall COVID relief bill of which it was a component. The bill does not indicate how the money is to be spent but for most observers modernization is almost equivalent to cloud adoption, with cybersecurity a close second. While most observers accept that the U.S.

If your business sells products or provides services to the Department of Defense (DoD), then you should know about the Cybersecurity Maturity Model Certification (CMMC) program. 

DoD has recently incorporated CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS Case 2019–D041, available here https://bit.ly/30LXAeE).  The rule change is currently open for public comment, and I urge all interested parties to read it and provide input.  

DLT Solutions recently sat down for an interview with Joyce Hunter, executive director for strategy and process at the Institute for Critical Infrastructure and Technology (ICIT), the nation’s leading cybersecurity think tank. On the table for discussion was how ICIT is cultivating a “cybersecurity renaissance” – including promoting the role of women in cybersecurity. We also talked to Hunter about how government agencies can compete more effectively for cybersecurity talent and nurture the next generation of cyber warriors. 

The old saying goes, there are only two kinds of organizations: those that have been breached and those that will be soon. Clearly, the “moat-and-castle” approach to security has not worked. Simply being “inside” a network – behind a firewall, DMZ and other traditional defenses – does not confer trustworthiness, whether it’s a device, a user, network traffic, or an application.

DHS recently published version 3.0 of the Trusted Internet Connection (TIC) architecture. A response to changing IT conditions, Executive Orders, and OMB mandates, the new architecture seeks to support IT modernization through cloud adoption while keeping security as a top priority. The comprehensive set of documents includes an overview, a catalog of security capabilities, a reference architecture, guidance for pilot programs, advice for service providers, and a very helpful set of use cases relevant to agency needs.

The Threat Risk is a function of likelihood times impact.  When it comes to zero-day exploits, particularly those that use return-oriented programming (ROP) or one of its many cousins the likelihood is high, and the impact is higher.  How do these attacks work, and what is the industry doing to stop them?  More importantly, what can you do to stop them?  Is it possible to stop a zero-day without patching or updating systems?  Let’s explore these questions. How ROP Works

The Cyberspace Solarium Commission recently released a groundbreaking report detailing 75 recommendations for improving the cybersecurity of the nation, including both the private and public sectors. The Commission, bipartisan in both name and spirit, conducted over 300 meetings with industry, academia, U.S. government, think tanks and foreign governments. I had the privilege of participating in this effort. The result is a comprehensive report that urges immediate and concrete action on its recommendations, organized into six pillars”:

Last week, my associate, Shane Rogers, shared an article on GovCybersecurityHub discussing the Cybersecurity Maturity Model Certification (CMMC) and its potential impact on small- and medium-sized government contractors.

I recently had the opportunity to visit an amazing new facility—the Cyber Range at Tech Data—and got to meet the truly exceptional people who make it happen. The facility has many purposes, stemming from the powerful sense of mission that drives the staff.

At RSA this year, Chris Krebs gave an important talk: “Cybersecurity Has a Posse” where he stressed the importance of collaboration between government and industry to fight the cybersecurity war. He started by pointing out that his agency, Cybersecurity and Infrastructure Security Agency (CISA) is an “all-source” group. He meant that CISA collects threat information from sources all over the world, including government agencies, private industry, and more. Krebs’ group consolidates that information and disseminates it – daily – to security professionals across all industries.