
Standards, Frameworks, and Compliance

  Speaking The Various Languages of Cybersecurity

CMMC v2.0 / NIST SP800-171

DoD's Cybersecurity Maturity Model Certification

CMMC has recently become a hot topic in cybersecurity compliance. In short, the Department of Defense requires its contractors that are or will be handling sensitive information (FCI, CUI) to implement the controls (practices) contained in the NIST Special Publication 800-171r2 document. Originally called out by Defense Federal Acquisition Regulation Supplement 252.204-7012 (usually referred to in shorthand as DFARS 7012), the NIST SP800-171r2 standard is transforming into the CMMC program. CMMC is currently undergoing the Federal rulemaking process and is expected to show up in contracts as a standard requirement in mid 2023. But don't wait until then to get your compliance program into shape, especially if DFARS 7012 already applies to you! Contact us - we are well-versed in CMMC and the NIST Special Publications 800 series. In fact, right now many of our current clients are working with us to become certifiable in advance of the requirement.

And coming soon, we'll have CMMC v2.0 ready-made documentation available for purchase. You can use that to supercharge your compliance efforts and save yourself potentially hundreds of hours writing and compiling the documentation yourself.

Risk Management Framework (NIST SP800-37 and -53)

The Master of All Control Sets

The founders of Foundation InfoSec Services started their cybersecurity careers in Department of Defense cybersecurity compliance, beginning with DITSCAP, through DIACAP, and eventually to the current Risk Management Framework (RMF) accreditation process. Most cybersecurity professionals consider the RMF control set, the mighty NIST Special Publication 800-53 document (now on revision 5), to be the most comprehensive official compendium of controls and practices. NIST SP800-171 and CMMC (see above) are derived from this larger control set. We know firsthand how challenging the implementation of these controls can be, especially if you don't have a team of highly skilled personnel to tackle it. If you're attempting to obtain a Department of Defense Authority to Operate (ATO) accreditation, contact us - we can help you prepare.

NIST Cybersecurity Framework (CSF)

The Gold Standard for Critical Infrastructure

As a result of Executive Order (EO) 13636 issued in 2013, NIST published the Cybersecurity Framework to give critical infrastructure businesses and agencies practical security guidance in the form of a general controls framework. While voluntary, the critical infrastructure sector has been heavily encouraged to implement the CSF. We believe the CSF is a high quality, user-friendly framework that pulls together most of the really good cybersecurity standards, practices, and guidelines from other official sources. We very often recommend the CSF for companies looking to strengthen their cybersecurity programs. If this is something you'd like to do, or you're already hard at work on it, contact us - we would be happy to assist you with your CSF efforts.

FedRAMP and Cloud Security Alliance (CSA)

Two Excellent Cloud Security Initiatives

These days everything in the computing world is moving toward the cloud. In fact there are more cloud services out there than ever before, and the numbers will only increase. The bottom line is that hosting infrastructure on-prem is expensive and requires the hiring or contracting of skilled staff. Cloud computing keeps costs down for businesses and agencies. However, cloud computing by its nature also introduces a number of cybersecurity access control and data handling challenges. The Federal Government (through GSA) established the FedRAMP program in 2012 to address these and other security issues. Its mission is to promote cloud computing and to establish an authorization program that includes Federal-grade cybersecurity requirements. It's essentially a security compliance program for Cloud Service Providers (CSPs).

The Cloud Security Alliance (CSA), meanwhile, is a partnership between various organizations and governments to promote and adopt effective cloud security practices worldwide. Is your organization looking to become FedRAMP authorized, or adopt practices promoted by the CSA? We would be happy to assist.

ISO/IEC 27000 and TISAX

The World Leader in International Standards

The International Standards Organization (ISO) develops and publishes standards of every imaginable kind. The ISO/IEC 27000 series of standards provides a comprehensive framework for establishing an Information Security Management System (ISMS). Many organizations choose ISO in order to map their security efforts fluidly to various other country-specific requirements and initiatives, and many other organizations/governments require ISO 27000 certification/validation from others looking to do business with them. TISAX, for example, is one of those initiatives. It was introduced by the ENX Association (the European automotive industry and its suppliers) to standardize security requirements (based on ISO 27000) for its partners, vendors, and service providers. We have helped organizations prepare for both ISO 27001/27002 and TISAX certifications. Let us know if we can help you.

PCI-DSS v3.2 and now v4.0

Payment Card Protections

The Payment Card Industry developed the Data Security Standard (PCI-DSS) to provide credit card merchants and other entities in the financial sector a standard compliance/assessment program specific to credit card related business and transactions. We can help you with your Self Assessment Questionnaire (SAQ), your PCI-DSS compliance strategies, assessments, and other PCI-DSS related matters regardless of your merchant/reporting level.

CIS Critical Security Controls

Formerly known as the "SANS Top 20 Critical Security Controls (CSC)," the CSC is now managed and developed by the Center for Internet Security (CIS). CIS has developed the CSC far beyond the original vision. Aside from the controls and the framework, CIS develops technical implementation guides and benchmarks for "hardening" (securing) images and configurations of various industry standard computing environments and platforms. The CIS Benchmarks in particular are a good alternative to STIGs (DISA's Security Technical Implementation Guides) for non-government organizations. We highly recommend the CIS CSC, the CIS Benchmarks, and the CIS Hardened Images for secure baselining. We would be happy to assist you with anything produced by CIS.

Others

Frameworks and Standards Galore

So what kind of cybersecurity standard, framework, or regulation are you dealing with? While those listed above are the ones we usually encounter, we're experienced with many more. Chances are good whatever you're facing is something we've worked with before. And in the end, hardly anything we've ever encountered varies significantly from the larger, more popular classics such as ISO 27000 or NIST Special Publications 800-53. If you recognize any of the logos or trademarks to the left as something you're facing or need to address, rest assured you're in good hands should you decide to work with us.

  Note: All copyrights and trademarks above are the properties of their respective owners. Foundation InfoSec Services, LLC makes no claim of ownership of (or direct affiliation with) any of these.

So, How May We Assist Your Organization?


Contact Us

Call, email, or send us a brief message using the form on the right. Be sure to include your name, email address, and a message detailing your request. If you'd like a call back, include a phone number in the message. Thank you!

  • +1-702-329-8148 (Monday-Friday 8am to 6pm Pacific)
  • info@foundationinfosec.com