Cybersecurity Framework – Simplified

Brian Berger, President of Cytellix Corporation • Jan 30, 2018

Cybersecurity Framework – Cutting Through the Complexity

Hopefully you spent the holidays with family and friends instead of reading the latest publication, “Framework for Improving Critical Infrastructure Cybersecurity” Version 1.1 Draft 2, published by the National Institute of Standards and Technology (NIST) on December 5, 2017. If you read it, like I did, kudos! I am not saying it was riveting and should be an episodic subscription series on Amazon or Netflix, but there are a few areas that should have every business paying attention.


I am a standards fanboy, as they are public and fair for all. Typically they are measurable and help keep the playing field for enforcement fair. The framework lets a business take some liberties in aligning processes and technologies to meet conformance and compliance. As industries continue to adopt the cybersecurity framework for compliance, reporting and awareness, the businesses that implement it are the beneficiaries of reduced risk. Why? If your business knows its cyber posture today, it can plan to improve using defined objectives and implement security policies and controls based upon business objectives, risks, budgets and need. The benefit to the business is both reduced cyber risk and improved employee productivity. A single breach, malware infection, ransomware event or patching lapse can cause significant business impacts, including loss of revenue, increased expenses and countless hours of productivity that can never be recovered. Using the framework model of “Identify, Protect, Detect, Respond and Recover” helps your organization build a comprehensive, unbiased cyber program. Again, as a fan, this is a vendor-neutral framework that takes no position on what technology may or will be required.


Let’s take a short journey through the framework and its applicability. 


Identify

Perform a cybersecurity assessment to understand assets, roles and responsibilities, policies, procedures, risk management monitoring, gaps and people.


Protect

Implement and manage access to assets and infrastructure. Verify that security and integrity can be measured across networks, identities, devices, data and systems based upon user profiles and permissions. Deploy training and awareness internally and externally. Align all security policies and procedures with practice, and test them.


Detect

Enable continuous monitoring and management of cyber events. This covers detection of events, third-party connections and unauthorized connections, vulnerability scanning, awareness of cyber events and ownership of them, and incident response plans and procedures.


Respond

Develop a communication and response plan for a cyber event. Understand the event's impact, and develop recovery plans by severity.


Recover

Maintain recovery implementations and improvement plans, and update them using lessons learned. Make sure all stakeholders needed in recovery efforts are in constant communication.


Within the framework, an organization will develop both the knowledge and the skills to become cyber aware, prepared for and proactive about cyber events. The tactical process of preparing for the framework includes the specific tactics outlined below.


Assessments

Assessments vary by type and provider and can be either outsourced or completed internally. The main objective of the assessment is a true, unbiased view of the actual state of cyber controls within an organization. Many of the controls cannot be assessed by subject matter expertise alone, but require tools and technology to identify vulnerabilities, cyber gaps and process concerns. The assessment should cover all aspects of physical, logical and digital security.


Gap analysis and System Security Plans

Every assessment should include both a written summary and a detailed analysis, including identification of high, medium and low priority vulnerabilities. Also included in the assessment is a network diagram of the current configuration of the organization's infrastructure. It is important to understand and isolate vulnerabilities in the infrastructure. In addition, digitally collected vulnerabilities need to be identified and classified by their importance for remediation.


Plan of Action and Milestones (POAM)

Once the assessment is completed, a task-oriented plan is needed. Each gap identified in the assessment needs a logical identifier, owner, solution and alignment with any compliance reference. In addition, adding completion dates, third-party technology and dependencies will help drive a budget and/or resource conversation. A high quality POAM will help identify internal or external resources, timeframes and project owners, making progress through the cyber framework a systematic process.
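To make the POAM fields above concrete, here is a small tracker written for this page as an added example; it is not code from the post or from Cytellix. Each gap carries the identifier, owner, solution, compliance reference, completion date, third-party technology and dependencies the paragraph calls for, and the functions derive the views a budget or resource conversation needs: entries missing required fields, overdue work ordered by priority, items blocked on other gaps, and open work per owner. All sample entries and the control references on them are constructed for illustration.

```python
"""Plan of Action and Milestones (POAM) tracker (added example, not Cytellix code)."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Fields that must be filled before a gap counts as an assignable task.
REQUIRED_FIELDS = ("gap_id", "owner", "solution", "compliance_ref", "due")
PRIORITY_RANK = {"high": 0, "medium": 1, "low": 2}
REPORT_DATE = date(2018, 3, 15)  # constructed "today" for the sample run


@dataclass
class PoamItem:
    gap_id: str                      # logical identifier for the gap
    owner: str                       # accountable person or team
    solution: str                    # planned remediation
    compliance_ref: str              # control or framework reference (illustrative labels)
    due: Optional[date]              # target completion date
    priority: str = "medium"         # high / medium / low, from the assessment
    third_party: str = ""            # vendor or technology the fix depends on
    dependencies: List[str] = field(default_factory=list)  # gap_ids that must finish first
    done: bool = False


def missing_fields(item: PoamItem) -> List[str]:
    """Required fields that are empty, so the gap is not yet an assignable task."""
    return [f for f in REQUIRED_FIELDS if not getattr(item, f)]


def overdue(items, today: date) -> List[PoamItem]:
    """Open items past their due date, highest priority and oldest date first."""
    late = [i for i in items if not i.done and i.due is not None and i.due < today]
    return sorted(late, key=lambda i: (PRIORITY_RANK.get(i.priority, 3), i.due))


def blocked(items) -> List[PoamItem]:
    """Open items that list a dependency which is not yet done."""
    done_ids = {i.gap_id for i in items if i.done}
    return [i for i in items
            if not i.done and any(d not in done_ids for d in i.dependencies)]


def open_by_owner(items) -> dict:
    """Count of open items per owner, to drive the resource conversation."""
    counts = {}
    for i in items:
        if not i.done:
            counts[i.owner] = counts.get(i.owner, 0) + 1
    return counts


# Constructed sample POAM; the "CSF ..." references are illustrative labels only.
SAMPLE_POAM = [
    PoamItem("G-001", "IT", "Enable MFA on the VPN", "CSF PR.AC",
             date(2018, 3, 31), "high", third_party="MFA vendor (placeholder)"),
    PoamItem("G-002", "IT", "Adopt monthly patch window", "CSF PR.IP",
             date(2018, 2, 28), "medium", done=True),
    PoamItem("G-003", "CISO", "Write incident response plan", "CSF RS.RP",
             date(2018, 6, 30), "high", dependencies=["G-004"]),
    PoamItem("G-004", "Ops", "Build authoritative asset inventory", "CSF ID.AM",
             date(2018, 1, 15), "high"),
    PoamItem("G-005", "", "Quarterly security awareness training", "CSF PR.AT",
             None, "low"),
]


def poam_report(items, today: date) -> dict:
    """Summarise a POAM as the lists a status meeting would walk through."""
    return {
        "incomplete": {i.gap_id: missing_fields(i) for i in items if missing_fields(i)},
        "overdue": [i.gap_id for i in overdue(items, today)],
        "blocked": [i.gap_id for i in blocked(items)],
        "open_by_owner": open_by_owner(items),
    }


if __name__ == "__main__":
    for section, value in poam_report(SAMPLE_POAM, REPORT_DATE).items():
        print(f"{section}: {value}")
```

Run as a script it prints the four lists for the sample plan; in practice the entries would be loaded from the spreadsheet or ticketing system the POAM lives in, and the report re-run at each review so that overdue and blocked items surface before the next assessment.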


Vulnerability Scanning and Continuous Monitoring

There are specialty tools used to capture and maintain a continuous improvement model for cyber preparedness. A cyber assessment and completion of the POAM, or progression through the cyber framework, is a continuing effort. Cyber is NOT a one-and-done event in terms of awareness and continuous understanding of cyber events. Vulnerability scanning should be periodic and scheduled; monthly and quarterly works well for most organizations. Cyber monitoring differs from firewall settings, network monitoring and end-point technology services. The difference is in knowledge and awareness of changes in networks, devices and connections. All digital assets, known and unknown, need to be monitored in real time, with the ability to see alerts and changes in real time so they can be acted upon before they manifest into significant cyber events.
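The monitoring described above comes down to comparing what you know about your assets against what you currently observe and alerting on every difference. The following is an added example written for this page, not code from the post or from Cytellix's tooling: it diffs a baseline asset inventory against a fresh device snapshot and a set of flow records, flagging new (unknown) devices, devices whose hardware address changed, devices that vanished, and outbound connections to third-party endpoints that were never approved. The inventory, device lines, flow lines and approved-endpoint list are all constructed; in practice they would come from a DHCP/ARP export, an endpoint agent or flow logs.

```python
"""Change detection for devices and outbound connections (added example, not Cytellix code)."""
import ipaddress

# Constructed asset inventory: ip -> (mac, hostname, owner)
BASELINE = {
    "10.0.1.10": ("aa:bb:cc:00:00:10", "fileserver-01", "IT"),
    "10.0.1.23": ("aa:bb:cc:00:00:23", "printer-01", "Facilities"),
    "10.0.1.40": ("aa:bb:cc:00:00:40", "hr-laptop-07", "HR"),
}

# Networks the organisation owns; flows that stay inside them are not third-party.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Vetted third-party endpoints (constructed placeholder address).
APPROVED_THIRD_PARTIES = {"203.0.113.5"}

# Constructed device snapshot, one "ip mac hostname" line per device seen.
OBSERVED_DEVICES = """\
10.0.1.10 AA:BB:CC:00:00:10 fileserver-01
10.0.1.23 aa:bb:cc:ff:ff:23 printer-01
10.0.1.77 de:ad:be:ef:00:77 unknown-device
"""

# Constructed flow records, one "src_ip dst_ip dst_port" line per connection.
OBSERVED_FLOWS = """\
10.0.1.23 10.0.1.10 445
10.0.1.10 203.0.113.5 443
10.0.1.23 192.0.2.44 8443
10.0.1.77 198.51.100.9 22
"""


def parse_devices(text):
    """Parse the snapshot into ip -> (mac, hostname); MACs normalised to lower case."""
    devices = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ip, mac, host = line.split()
        devices[ip] = (mac.lower(), host)
    return devices


def parse_flows(text):
    """Parse flow records into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, port = line.split()
        flows.append((src, dst, int(port)))
    return flows


def is_internal(ip):
    """True when the address belongs to one of the organisation's own networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def device_alerts(baseline, observed):
    """Differences between inventory and snapshot as (kind, ip, detail) tuples."""
    alerts = []
    for ip, (mac, host) in observed.items():
        if ip not in baseline:
            alerts.append(("NEW_DEVICE", ip, f"{host} ({mac}) is not in the inventory"))
        elif baseline[ip][0] != mac:
            alerts.append(("MAC_CHANGED", ip, f"expected {baseline[ip][0]}, saw {mac}"))
    for ip, (_mac, host, _owner) in baseline.items():
        if ip not in observed:
            alerts.append(("MISSING_DEVICE", ip, f"{host} was not seen in the snapshot"))
    return alerts


def connection_alerts(flows, baseline, approved):
    """External connections not on the approved list; unknown sources are called out."""
    alerts = []
    for src, dst, port in flows:
        if is_internal(dst) or dst in approved:
            continue
        kind = "UNAUTHORIZED_CONNECTION" if src in baseline else "UNKNOWN_SOURCE_CONNECTION"
        alerts.append((kind, src, f"to {dst}:{port}"))
    return alerts


def run_monitor():
    """One monitoring pass over the constructed data; returns all alerts in order."""
    devices = parse_devices(OBSERVED_DEVICES)
    flows = parse_flows(OBSERVED_FLOWS)
    return device_alerts(BASELINE, devices) + connection_alerts(
        flows, BASELINE, APPROVED_THIRD_PARTIES)


if __name__ == "__main__":
    for kind, ip, detail in run_monitor():
        print(f"{kind:26} {ip:12} {detail}")
```

On the sample data the pass reports the printer's changed MAC, the unknown device at 10.0.1.77, the missing HR laptop, the printer's unapproved outbound connection and the unknown device's outbound SSH. The design choice worth noting is that the baseline, not the observation, is the source of truth: anything not explicitly known is an alert, which is exactly the "known and unknown" coverage the paragraph asks for, and the approved list keeps legitimate third-party connections from drowning the real ones.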


The framework model does define the stages needed to improve an organization's cyber posture. Without awareness and a plan, including proactive knowledge of cyber events, it's a roll of the dice and my money is with the house; it's a loser roll!


www.cytellix.com
