Corey Elinburg
Atlanta Metropolitan Area
3K followers
500+ connections
Other similar profiles
- Jonathan Sherman (San Diego, CA)
- Mario Villatoro, M.S., CISSP (Greater Seattle Area)
- Darrell Keeling, PhD, MBA, CHCIO, CHISL, CDH-E, CPHIMS, CISSP (Shelbyville, KY)
- John Opala, PhD (Charlotte, NC)
- Frederick Johnson (Riverside, CA)
- Mark Eggleston (Philadelphia, PA)
- Paul Stapleton (Cincinnati, OH)
- James Brady, PhD, CHCIO, CDH-E, CISM, CISRC, CISSP, QTE, NACD.DC, FCHIME, FHIMSS (San Mateo, CA)
- James Delaney (New York City Metropolitan Area)
- Hart Rossman (McLean, VA)
- Gavin Anthony Grounds (Austin, TX)
- Mark Sams (Sealy, TX)
- Bret Arsenault (Bellevue, WA)
- Michelle L. Edwards DNP, FACHE, FAANP (Greater Seattle Area)
- Rajavel Sekaran (Austin, TX)
- John Wheeler (Atlanta, GA)
- Mike Maloof (Houston, TX)
- Maarten Van Horenbeeck (San Francisco, CA)
- Cliff Thomas, Global Leader | Empowering Teams to Achieving Audacious Goals (New York City Metropolitan Area)
- Joseph Davis (United States)
Explore more posts
-
Jordan Caldwell
A little late, but here's the next #cmmc entry for level 2: https://lnkd.in/gKpkbpBp This one was a bit more difficult to decide what to write, as I did not want it to be a long boring read. There are almost 100 additional requirements above level 1, so I just tried to give some highlights by sections. Level 2 is where you start seeing more technical requirements that will be much more likely to start requiring outside assistance, but it also will likely greatly enhance most companies' security postures.
9
-
Amira Armond
Key quotes from the new 48CFR Rule for #CMMC. This rule is the one that goes into new and renewing contracts and requires having a CMMC certificate or self-assessment upon contract award. They tightened up the language quite a bit. On quick scan, it looks well done. The first 40 pages give a lot of information about the DoD's thought process on CMMC, including some technical clarifications like whether joint ventures need to be individually certified, and whether talking about CUI over the phone is in scope.
31
-
Amira Armond
Do you need to be CMMC Level 2 compliant, but are having trouble translating the cybersecurity gobbledygook into real actions that your IT team can take? We are having a live webinar on June 27, 2024 at 2pm EST to demonstrate the Kieri Compliance Documentation. This is a full-featured program for CMMC Level 2 and NIST SP 800-171 compliance which includes policies, procedures, system security plan, user agreements, record-keeping databases, account request form, self-assessment form, and other vital resources needed to be compliant. Monthly Q&As and over 50 hours of video training included. Kieri Solutions uses this program to efficiently manage our CMMC Level 2 compliance. We passed a DoD assessment for CMMC Level 2 and NIST SP 800-171 compliance with a perfect 110 score using this governance program. We have over a hundred clients using the KCD to manage their compliance and prepare for CMMC Level 2 assessment themselves. 𝐃𝐨𝐞𝐬 𝐭𝐡𝐢𝐬 𝐬𝐨𝐮𝐧𝐝 𝐥𝐢𝐤𝐞 𝐲𝐨𝐮? 🔸 You are frustrated with your policies and procedures… 🔸 You don’t know how to perform some CMMC requirements, or how to answer assessment objectives like “define non-essential functions”… 🔸 Your documentation is out of date… 🔸 You bought compliance templates elsewhere and they are too complex to get through… 🔸 You are paying a huge monthly fee to a GRC website and you’re still stuck filling in blanks… 🔸 You don’t have a record keeping system that makes it easy to gather the info you need for assessment… 🔸 Your users are asking how to mark CUI and you don’t know how to help them… If so, please join us for this webinar. We will be showing the program that we use to reach and maintain a "110" score. https://lnkd.in/eRjbVFrD Kieri Solutions - Authorized C3PAO
38
6 Comments -
Jordan Caldwell
Hey everyone, here is where we will begin really digging into the details of #CMMC levels. My full post is here: https://lnkd.in/gZKXAY3C I tried to not be too wordy and dry, but there's only so much you can do with government regulations (even with 10+ years of experience with them, I can only do so much). For a quick summary, level 1 focuses on mostly basic hygiene requirements. It does bring in physical security as part of cyber, which I was happy to see. The most technical requirements are probably the segmentation and malicious code monitoring/scanning parts. Even for companies without DoD contracts, I would probably recommend that level 1 be followed just as a general minimum level of protection. All of these requirements will be a part of levels 2 and 3 as well, and we'll see a big jump in complexity for level 2 next week.
8
1 Comment -
Melanie Ensign
I dislike using the term “crisis communications” when talking about security incidents because it gives people permission to accept chaos and panic. These are red flags that your decision-making process isn’t ready for prime time. Anyway, I’m always glad to see more security teams recognize that incident communications isn’t just what you say publicly, it’s also how you communicate internally so that you’re proud of how you show up for the people impacted.
24
-
Craig Merchant
I wonder how many SIEM vendors out there are sweating how GenAI will auto-magically translate data normalizations and field extractions, detections, reports, and dashboards between different products to make SIEM replacements far easier to do. I think they probably should be.
23
28 Comments -
Jordan M. Schroeder
Thanks to the good people at Claroty, I found services that list OT/ICS attacks! Some great material here: Newsfeed style: https://icsstrive.com/ Database: https://lnkd.in/e8KM7fJw, https://lnkd.in/eJkM9UYJ But what's interesting? None of them are complete... There was an attack on a Texas water treatment plant in January by, potentially, SANDWORM. It's not on either list. Complete databases will help us with complete information that will lead to better decision-making and a fuller intuition. So, if you know of attacks that are not on these lists, use the Report button to add them. #cybersecurity #otsecurity
7
-
Brett Osborne
Ask the CCP: CMMC REFERENCE DOCUMENTATION So, I am counting the days until October 28th: • 65 is the approximate number of work days (with weekends and holidays non-working) . . . . . . that sometime in late October CMMC version 2 will become effective. (And note that Congress is supposed to have 60 days review; goal to complete that before election has been repeated.) DoD DoD CIO LIBRARY https://lnkd.in/epBtJkKn Everything DoD DoD CMMC https://lnkd.in/ep5hHPTy HOVER on the CMMC link in blue banner menu – multiple topics Click the CMMC for the “about” page: CMMC 2.0 PROGRAM 5 STEPS TO CYBERSECURITY DoD CIO CMMC Documentation HOVER) Assessments Implementation Documentation More later . . . Resources More in the following post #CMMCv2 #ASSESSMENT #CUI #FCI
-
Bob Chaput
Does anyone believe that we know "the half of it" when it comes to the impact on patients due to Ascension's failed enterprise cyber risk management (ECRM) program? Anyone who's been a patient (that's all of us) knows how difficult it is to receive access to care, timely care, and quality care when the healthcare system is ostensibly operating at its best. In addition to patients not getting their prescriptions, having important diagnostic tests postponed, being treated without access to vitally important records, being diverted from ERs etc. etc., etc., I'm convinced there are deaths occurring. C'mon healthcare!@#! Top two root causes: 1. Risk illiteracy 2. Lack of C-suite/Board engagement #riskmanagement #enterprisecyberriskmanagement #cyberriskmanagement #cyberriskilliteracy #cyberopportunitymanagement #cybersecurityvalue #boardcyberoversight #boardofdirectors https://lnkd.in/esvF_ETP
18
3 Comments -
J. Carlos Vega, CISSP
Join Bridget Wilson, CISSP, CMMC RP, Neil K. Jones, and me TODAY for the latest #CMMC updates you don’t want to miss! Got specific questions or topics you’re curious about? Let me know, and we’ll cover them. This session has actionable insights to help you navigate this pivotal moment in compliance and cybersecurity. Don’t miss out—let’s get informed and prepared together! #Cybersecurity #CMMCUpdates #StayAhead
16
2 Comments -
Wade Baker, Ph.D.
I often hear the question "Where/What are our biggest security exposures?" Cyentia Institute recently had the opportunity to explore this question using data from hundreds of thousands of attack path assessments conducted through the XM Cyber Continuous Exposure Management (CEM) platform. The attached figure gives a categorical breakdown of what we observed based on all entities (digital assets), total security exposures, and exposures affecting critical assets. The left-most chart represents the attack surface based on broad categories of digital entities discovered during attack path assessments. Active Directory constitutes just over half of entities identified across all environments. On-premises IT and network devices account for another 31% of entities and cloud environments house the remaining 17%. Not all entities, however, are exposed via attack paths. If we change the scope of the attack surface to include only vetted exposures (entities susceptible to attack techniques), things look different. The middle chart captures this perspective and Active Directory exposures dominate the attack surface. But not all of those exposures affect critical assets. To be truly effective, Exposure Management must encompass all environments and account for where critical assets are most at risk. If we once again rescope the attack surface to focus on exposures to critical assets, a very different picture emerges, which is captured in the rightmost chart. Cloud environments now encompass over half of all critical asset exposures, followed by AD at 33% and IT/Network devices at 11%. Does this sync with exposures across your attack surface? Which perspective/view/chart is your primary guide for managing exposures? The full report contains tons of additional insights on exposure management. Download here: https://lnkd.in/dPfqXG7y #cybersecurity #exposuremanagement #cyberrisk
48
8 Comments -
Pete Burke, CISSP
All Federal Agencies are going through the process of digital transformation of their records and archives. This article by CDW FSA Kathryn (Kate) Fink outlines how CDW Government is able to create custom AI solutions to help the Federal Government expedite this process for both current and future use cases. CDW•G Google Cloud Google Cloud Security
3
-
Bob Chaput
Thrilled to have joined Strike Graph's podcast (SecureTalk) to discuss building a strong cyber risk management practice! I explored how to develop essential ECRM tools, secure organization buy-in, and transform cybersecurity from a defensive measure into a true competitive advantage. I also shared insights on creating a budget philosophy that aligns with strategic goals. For anyone interested in moving beyond defense and turning cyber risk management into a growth driver, this episode is for you! I’d love to hear your thoughts—how are you approaching cyber risk management as a strategic asset in your organization? Thank you, Justin Beals, for an enlightening conversation! #CyberRiskManagement #CompetitiveAdvantage #ECRM
4
-
TriplEye
U.S. CISA adds Ivanti Cloud Services Appliance Vulnerability to its Known Exploited Vulnerabilities catalog https://buff.ly/3XMsFNm #Cybersecurity #InternetSafety #WebProtection #OnlineSecurity #DataPrivacy #SecureBrowsing #PhishingProtection #MalwarePrevention #BrowserSecurity #FraudAlert #ThreatDetection #SafeSurfing #DigitalSecurity #PrivacyEnhancement #CyberSafe #NetGuard #WebShield #InfoSec #PrivacyFirst #ScamBlock #ThreatIntel #SurfSafely #SecureNet #FraudWatch #Tripleye
-
Lawrence F. Zorio III
🚨 You've Been Breached...Now What? 🚨 In our latest IJIS Institute Podcast, we dive deep into how to effectively respond to a cyber incident. Using the NIST Cybersecurity Framework (CSF), we cover essential controls to have in place for taking action during a cyber event. Stay tuned until the end, where Jeramy Cooper-Leavitt and I share practical tips you can implement today! Don't miss out on this crucial episode! #CyberSecurity #NISTCSF #CyberIncidentResponse #IJISPodcast #PracticalTips
7
-
Wade Baker, Ph.D.
As you've probably heard by now, Verizon's 2024 Data Breach Investigations Report (DBIR) just dropped. I'm proud to say that Cyentia Institute was a contributor again this year. I should say "one of the many, many data contributors." I know most people focus on the findings from the DBIR - and they should. But to me, this is the most remarkable and important aspect of the DBIR. I can't think of any other report/project in the #cybersecurity field that can unite all these logos in a common effort of data sharing and analysis. And do it for 15 years! Yes - I know the DBIR first published more than 15 years ago (I was there). But 2010 was the first time we included non-Verizon data from the U.S. Secret Service. That initial step took quite a bit of effort, but then they introduced us to the Dutch High Tech Crime Unit, the Australian Federal Police, London Metropolitan Police...and the dominos kept going. I clearly remember when I got a "yes" from the first private sector IR service provider that was a competitor of Verizon at the time. The execs HATED the idea of sharing the spotlight, but they eventually conceded. And their participation paved the way for all the others you see here. And though I'm no longer leading the DBIR production effort, I'm honored to be one of those logos I started adding so long ago. Also - it's not easy managing all those contributors and datasets. As you review and apply all the insights from this year's DBIR, raise a toast of appreciation to the DBIR team that is dedicated to what they do for the community. Many thanks David Hylender Suzanne Widup Philippe Langlois Alex Pinto #databreaches #cyberrisk
259
15 Comments -
Dr. Dustin Sachs DCS, CISSP, CCISO
One of the topics I have discussed most since joining CyberRisk Alliance is #securitymetrics. CISOs and senior leaders face a daily challenge of putting their security programs into a context that results in action. I have always said metrics fall into 4 categories, “what should I track”, “what can I track”, “what am I tracking”, and “what doesn’t need to be tracked.” Finding what goes in which bucket is the challenge.
18
2 Comments -
Alex Desmond
https://lnkd.in/gQ-kvMFK Maximizing Your Cybersecurity Skills with SANS Training Discover how SANS training can enhance your cybersecurity expertise in just weeks. Gain valuable knowledge from industry experts through digestible content and comprehensive resources. Don't miss out on this opportunity to upskill and obtain prestigious certifications. #CybersecurityTraining #SANSCertifications #IndustryExperts #UpskillYourself #CybersecuritySkills #ProfessionalDevelopment #ComprehensiveResources #CybersecurityExpertise #SANSInstitute #OnlineTraining
1