Frequent Findings from the Most Recent Joint Surveillance Voluntary Assessments (BETA)

As a Cyber AB Registered Practitioner Organization, BSC is directly involved with the CMMC ecosystem and attends multiple Cyber AB meetings and town halls to stay current on the CMMC landscape. While no official CMMC certification assessments will be performed until rulemaking is completed, here are some of the common issues that arose during the voluntary Joint Surveillance assessments.

Organizations are having a hard time with FIPS-validated encryption.

FIPS 140-2 is the U.S. government standard for cryptographic modules, the components that actually encrypt CUI at rest and in transit. It defines four security levels: Level 1 imposes the fewest requirements and Level 4 the most stringent (largely physical tamper resistance), and most software modules are validated at Level 1. Its successor, FIPS 140-3, has been the basis for new validations since 2021. A module counts as validated only if it holds a current certificate on NIST's Cryptographic Module Validation Program (CMVP) list; a vendor describing a product as "FIPS compliant" is not the same thing, and the assessor will ask for the certificate. Most mainstream tools can meet the requirement, but you have to understand how each one is configured. BitLocker is the usual example: it only operates in FIPS mode when the Group Policy setting "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is enabled, that setting must be in place before the drive is encrypted (a drive encrypted earlier has to be decrypted and re-encrypted), and many organizations have never turned it on. You can confirm the setting on a machine by checking that the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is 1.

Many organizations don't use Multi-Factor Authentication

Multi-factor authentication (MFA) grants a user access to a system or application only after they present two or more independent pieces of evidence from different categories: something they know (a password or PIN), something they have (an authenticator app, hardware token or smart card) and something they are (a fingerprint or face). Two-factor authentication is simply MFA with exactly two factors; a password plus a security question does not qualify, because both are the same kind of evidence. NIST SP 800-171 requirement 3.5.3 calls for MFA on local and network access to privileged accounts and on network access to all other accounts, so a user ID and password alone will not pass. Many organizations still use only a password, and MFA is new to them. There are many ways to implement MFA at many different price points (SMS codes are accepted but are the weakest option; authenticator apps or hardware keys resist phishing far better), and we can help you find a cost-effective option.

Risk Assessments are too informal

A risk assessment identifies the threats and vulnerabilities that could affect your systems and the CUI they hold, estimates how likely each one is and how much harm it would cause, and records what you will do about it. Many organizations track risks, but not through a documented, repeatable process, and an assessor cannot give credit for an activity that leaves no evidence. A risk assessment is an ongoing task: NIST SP 800-171 (3.11.1) requires it periodically, and it should be revisited whenever systems, suppliers or threats change, with the method, results and decisions written down each time.

Inconsistent or no Vulnerability Scanning

Vulnerability scanning is the process of identifying security weaknesses and flaws in systems and the software running on them. It is an integral component of a vulnerability management program, whose overarching goal is to find and fix weaknesses before an attacker does, protecting the organization from breaches and the exposure of sensitive data. Along with phishing tests, it may be one of your most important tools for securing your organization. There are many scanners at different price points, and they draw on largely the same public vulnerability data (CVE entries, the National Vulnerability Database and vendor advisories), so the differences are mainly in coverage, authentication to the targets, scheduling and reporting. Two things an assessor looks for: that scans run on a regular schedule and again when new vulnerabilities are announced (3.11.2), and that the findings are actually remediated and the remediation tracked (3.11.3). Run authenticated scans where you can; an unauthenticated scan sees only what the network exposes and misses much of a host's patch state. The key is to find the most cost-effective solution for your organization.

Audit Logs are not reviewed

SIEM tools collect, aggregate and analyze logs from an organization's applications, devices, servers and users, and apply predetermined rules to raise alerts so security teams can detect and investigate attacks (blocking is usually left to firewalls, EDR and identity systems). A SIEM is expensive to buy and to run, and depending on the size of your organization it may not be cost-effective. The requirement is that logs are collected, retained and actually reviewed, and that someone acts on what the review finds; it does not name a tool. Assess the requirement against your security posture and look at other options, such as a managed service, the logging built into your cloud platform, or a much simpler tool or script run on a schedule. Whatever you use, keep a record of each review (date, who did it, what was examined, what was found), because that record is the objective evidence an assessor will ask for.
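As an added example, not BSC's tooling and not part of the original post, here is the kind of "much simpler tool" that paragraph has in mind: a short Python script that reviews a batch of logon events and flags a burst of failed logons followed by a success from the same source. The log format is a constructed, simplified rendering of Windows Security events (4625 = failed logon, 4624 = successful logon); the host name, accounts, addresses and the thresholds are all assumptions to tune for your own environment.

```python
"""Minimal audit-log review: flag password guessing followed by a success.

Added example for this post; it is not BSC's tooling. The log format is a
constructed, simplified rendering of Windows Security events (4625 = failed
logon, 4624 = successful logon). Host name, accounts and addresses are made
up, and the thresholds below are assumptions to tune for your environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one user who mistypes a password once, and one source
# that guesses jsmith's password repeatedly and finally gets in.
SAMPLE_LOG = """\
2024-05-06T08:00:01Z host=FS01 EventID=4624 TargetUser=aford SourceIP=10.0.0.21 LogonType=3
2024-05-06T08:01:10Z host=FS01 EventID=4625 TargetUser=aford SourceIP=10.0.0.21 LogonType=3
2024-05-06T08:01:40Z host=FS01 EventID=4624 TargetUser=aford SourceIP=10.0.0.21 LogonType=3
2024-05-06T08:02:00Z host=FS01 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=3
2024-05-06T08:02:05Z host=FS01 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=3
2024-05-06T08:02:09Z host=FS01 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=3
2024-05-06T08:02:14Z host=FS01 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=3
2024-05-06T08:02:20Z host=FS01 EventID=4625 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=3
2024-05-06T08:02:31Z host=FS01 EventID=4624 TargetUser=jsmith SourceIP=203.0.113.7 LogonType=3
2024-05-06T09:15:00Z host=FS01 EventID=4625 TargetUser=admin SourceIP=198.51.100.9 LogonType=3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+) LogonType=(?P<ltype>\d+)$"
)

FAIL_THRESHOLD = 5                        # assumed: failures in WINDOW that count as guessing
WINDOW = timedelta(minutes=5)             # assumed: sliding window for counting failures
SUCCESS_FOLLOWUP = timedelta(minutes=10)  # assumed: how soon after a burst a success is suspicious


def parse_log(text):
    """Turn the text log into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production reviewer should count and report these
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["eid"] = int(ev["eid"])
        events.append(ev)
    return events


def review_logons(events):
    """Return findings as (kind, user, ip, timestamp) tuples.

    'brute_force' is reported when FAIL_THRESHOLD 4625 events from one source
    against one account fall inside WINDOW; 'brute_force_success' when a 4624
    for that source and account follows within SUCCESS_FOLLOWUP of the burst.
    """
    findings = []
    recent_fail = defaultdict(deque)  # (ip, user) -> timestamps of recent failures
    burst_at = {}                     # (ip, user) -> time the burst was reported
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["ip"], ev["user"])
        if ev["eid"] == 4625:
            if key in burst_at and ev["ts"] - burst_at[key] > SUCCESS_FOLLOWUP:
                del burst_at[key]  # old burst has expired; a new one may be reported
            q = recent_fail[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()        # drop failures that fell out of the window
            if len(q) >= FAIL_THRESHOLD and key not in burst_at:
                burst_at[key] = ev["ts"]
                findings.append(("brute_force", ev["user"], ev["ip"], ev["ts"]))
        elif ev["eid"] == 4624:
            started = burst_at.get(key)
            if started is not None and ev["ts"] - started <= SUCCESS_FOLLOWUP:
                findings.append(("brute_force_success", ev["user"], ev["ip"], ev["ts"]))
                del burst_at[key]
    return findings


if __name__ == "__main__":
    for kind, user, ip, ts in review_logons(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:20}  user={user}  from={ip}")
```

On the sample it reports one brute_force finding for jsmith from 203.0.113.7 and then a brute_force_success eleven seconds later; aford's single typo and the lone failure against admin stay below the threshold. Feeding it a real export (for example, the output of Get-WinEvent converted to the same one-line format) and saving the printed findings with the date and reviewer's name gives you both the review and the evidence that it happened.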

Incident Response Tests are rarely performed

Incident response testing is critical to bolstering an organization's cyber defenses against potential threats. By testing the plan (a tabletop walk-through of a realistic scenario is enough to start), you can be better prepared to handle various types of threats, secure sensitive data and minimize disruptions to business continuity; the test usually surfaces gaps in contact lists, roles and escalation paths that never show up on paper, and for DoD contractors it should exercise the DFARS 252.204-7012 requirement to report cyber incidents to DoD within 72 hours. BSC can facilitate your initial test, which you can then repeat on your own in the future. The key is also to produce a robust test report as objective evidence so the activity can be assessed.

How can BSC Help?

BSC has a proven track record, with current CMMC references, of helping businesses of all sizes meet the CMMC requirements. As a Cyber AB Registered Practitioner Organization, we have the tools, templates and expertise to tailor them to your organization and help lay the foundation for a compliant and more secure environment. Give us a call or send us an email for a free one-hour consultation to discuss your needs. Call Philip Norton at 703-405-7131 or email pnorton@bscsys.com. Also visit our web site at www.cmmcrx.com.