October 7, 2020

Last week, the Department of Defense ("DoD") published its long-awaited rule on its Cybersecurity Maturity Model Certification ("CMMC") framework. Notably, in addition to the CMMC framework, the rule also includes a second framework related to NIST SP 800-171 DoD Assessments that some defense contractors will also need to consider. This second prong of DoD's cyber regime adds another layer of complexity for defense contractors with an obligation under the Defense Federal Acquisition Regulat...

May 11, 2020

For some small businesses, securing your information systems (and your proprietary data) might seem complicated and expensive, but it doesn't have to be.  After all, cybersecurity can simply be described as implementing practices, procedures, and technologies to protect the confidentiality, integrity, and availability of data (i.e., to help prevent unauthorized access to data and cyberattacks).

A cybersecurity program can begin with, for example, creating information security...

January 31, 2020

Later today, the Department of Defense will release version 1.0 of its Cybersecurity Maturity Model Certification ("CMMC").  With the CMMC moving full steam ahead, several new pieces of information (below) have come to light regarding the timing of when the CMMC will appear in DoD solicitations and the CMMC Accreditation Body's ("CMMC-AB") efforts to train the third-party assessors who will be performing CMMC assessments.

Given that this recent news might...

January 6, 2020

Many of you have heard the news that President Trump ordered a drone strike that killed a top Iranian military commander, General Qasem Soleimani.  So, what happens next?

Well, according to news reports (e.g., here, here, here, here, and here), experts predict that Iran will likely retaliate with a series of "disruptive and destructive" cyberattacks on U.S. interests (including, business and government agencies).  Given that retaliatory cyberattacks are likely (or have already begun), a few thoug...

December 16, 2019

The Department of Defense ("DoD") recently published its Draft Cybersecurity Maturity Model Certification ("CMMC") Version 0.7 (dated December 6, 2019). DoD posted the following note with the release:

DoD is releasing this latest version (v0.7) so that the public can review the draft model and begin to prepare for the eventual CMMC roll out. This document includes CMMC Levels 1-5 as well as the associated discussion and clarification for a subset of practices and processes in Appendices B - E.


November 8, 2019

Today, the Department of Defense ("DoD") posted its Draft Cybersecurity Maturity Model Certification ("CMMC") Version 0.6 (dated November 7, 2019).  DoD posted the following note with today's release:

DoD is releasing this latest version so that the public can review the draft model and begin to prepare for the eventual CMMC roll out. This document includes CMMC Levels 1 - 3 of the latest version of the CMMC Model (Appendix A) with clarifications for CMMC Level 1 in Appendix B. The updates to CMM...

September 5, 2019

Yesterday, the Department of Defense (DoD) published its Cybersecurity Maturity Model Certification (CMMC) Draft Version 0.4 (dated August 30, 2019). [1]  

As many government contractors are aware, DoD is creating the CMMC to help shore up defense industrial base cybersecurity by way of third-party audits of contractor information systems regarding NIST SP 800-171 compliance.  Defense contractors are obligated to implement the NIST SP 800-171 controls to protect covered defense information in DoD...

June 23, 2019

The Department of Defense (DoD) will likely publish a draft Cybersecurity Maturity Model Certification (CMMC) standard sometime this summer (see here and here). While much focus has been on how the CMMC will help shore up defense industrial base (DIB) cybersecurity—i.e., as the enforcement mechanism for DFARS 7012/NIST SP 800-171 compliance via third-party audits––DoD also must address the process of how agency personnel will select the CMMC “go/no-go” threshold for set-aside procureme...

June 8, 2019

DoD to propose Cybersecurity Maturity Model Certification (CMMC)––via third-party audit––and it will add another layer to defense contractor cybersecurity compliance.

It appears that the CMMC will be comprised of five levels, ranging from basic to "State-of-the-Art." In addition, the article reports that, "DoD contracts will require specific levels — and awards will be 'go/no-go' based on the contractor’s certification status."

. . .

Article: https://sera-brynn.com/pentagon-to-unveil-new-cybersec...

May 8, 2019

The 2019 DBIR is finally here!  Some interesting items at first glance:

– 32% of breaches involved phishing

– 33% included Social attacks

– 43% of breaches involved small business victims

– 34% involved Internal actors

– Figure 21, page 14. In sanctioned phishing exercises, click rates are down to 3% (a good sign, but just one click can be devastating)

– Golf analogy on page 20

The gray box on page 14 (social engineering) is also interesting: "Research points to users being significantly mor...


About CyberJudicata

Welcome to CyberJudicata an informational blog/website focusing on cybersecurity and privacy issues, including cyber policy, data breach, incident response, data security, regulatory compliance, and cyber insurance.

CyberJudicata is published by Joshua Duvall, managing partner at Matross Edwards, a law firm providing government contracts and cybersecurity legal services to small and mid-sized businesses.


Copyright © 2020 Joshua B. Duvall. All rights reserved.

CyberJudicata™ #cyberjudicata

LegalJudicata™ #legaljudicata

GovConJudicata™ #govconjudicata