MathCraft Newsletter Issue Q1 2022 – Associate Member of NCMS
Looking Ahead in 2022
2021 was a long and eventful year for facility security officers (FSOs), cybersecurity professionals and government contractors at large. While there is much to look back on, there is also much that we may look forward to.
Just as we are stepping into 2022, we are also being confronted by a brand new set of challenges and risks. At every step along the way, MathCraft is here to keep you informed, and help cleared facilities to meet the demands of a rapidly changing security landscape.
- Agencies Under New Deadlines to Address ‘log4j’ Flaws with Emergency Directive – in December, federal agencies were given an emergency directive to find and patch vulnerabilities associated with the open source Log4j API, after cybersecurity firms found evidence that the vulnerabilities were being exploited by foreign actors. Read more.
- Experts: Log4j Bug Could Be Exploited for “Years” – with billions of Internet-connected devices running Java, experts worry that the recently discovered Log4Shell exploit will wreak havoc for years to come; in response, the Cybersecurity and Infrastructure Security Agency (CISA) has created resources to help organizations address this threat. Read more.
- GAO Calls for Action to Further Improve Security Clearance Vetting Process at ODNI and DOD – while the security clearance process has improved substantially since the introduction of Trusted Workforce 2.0, the Government Accountability Office (GAO) has called for further reforms, including a revised schedule for the National Background Investigation Services (NBIS). Read more.
- US federal agencies told to patch hundreds of security bugs – in November, the White House gave federal agencies 6 months to patch security vulnerabilities from a list of 300; although some have been known for nearly a decade, all represent a “significant risk” and “frequent attack vector” for cybercriminals to this day. Read more.
- DHS establishes its own bug bounty program, offering outsiders $500 to $5K for discovering flaws – following in the DoD’s footsteps, the Department of Homeland Security (DHS) has launched a bug bounty program, offering ethical hackers up to $5,000 if they can identify severe vulnerabilities in DHS networks. Read more.
- Federal Cybersecurity Advisor Floats Executive Order on Cloud Service Providers – concerned by the way some cloud service providers upsell basic security controls, a member of the CISA advisory committee has proposed legislation that would require these features in all cloud products sold to federal agencies. Read more.
- Agencies entering ‘execution’ phase of Biden’s cyber executive order – following an executive order on cybersecurity that was issued last May, federal agencies have made progress towards implementing its sweeping reforms, which include vulnerability patching, the adoption of zero-trust security strategy and more. Read more.
- NIST Outlines Request for Information Toward a New Cybersecurity Framework – the National Institute of Standards and Technology (NIST) is preparing to update its influential Cybersecurity Framework (CSF) for the first time since 2018, with a request for information expected early in 2022. Read more.
Log4Shell: A Cyber Catastrophe
One year ago, government agencies and contractors were scrambling to address the SolarWinds attack. 2022 is kicking off with a cybersecurity threat of equal if not greater significance: early in December, researchers unveiled a zero-day exploit (Log4Shell) in the popular Java logging library Log4j which enables remote code execution.
Given that billions of Internet-connected devices and web servers depend on open-source software that includes Log4j as a dependency, Log4Shell is one of the highest-impact cybersecurity vulnerabilities we’ve seen in many years. It could also be related to a slew of ransomware incidents that occurred in the week following its disclosure.
Soon after the zero-day was uncovered, CISA issued an advisory (AA21-356A) and an emergency mandate directing agencies to patch Log4j-related vulnerabilities before Christmas. While that time has passed, CISA’s Log4j resource page is still available, and may prove indispensable to government organizations in the coming years.
Preparing for CMMC 2.0
In November, the DoD introduced CMMC 2.0, a major update to the Cybersecurity Maturity Model Certification (CMMC). In December, it went on to issue self-assessment guidelines for Levels 1 and 2 of the revised framework.
Under CMMC 2.0, the number of security levels has been reduced to three, and CMMC-unique security controls have been scrapped in favor of controls originating from NIST publications. Most significantly, fewer organizations will be required to undergo third-party assessment. To prepare for CMMC 2.0, cleared organizations should follow three steps:
- Review Self-Assessment Guidelines – available on the Office of the Under Secretary of Defense for Acquisition & Sustainment (OUSD(A&S)) website.
- Use DoD Resources – the DoD’s Project Spectrum includes free educational materials and a cyber readiness check to help contractors prepare for CMMC.
- Establish a C-Level Cybersecurity Officer – under CMMC 2.0, all organizations at Level 1 and some organizations at Level 2 will be able to forgo third-party assessment in favor of self-certification. However, they will require an executive-level officer to confirm the assessment.
The Triumph of DISS
Last year, the DCSA finally rolled out the Defense Information System for Security (DISS), fulfilling a major goal of the Trusted Workforce 2.0 initiative. DISS has risen to replace the Joint Personnel Adjudication System (JPAS) as the Defense Department’s security clearance and access database, solving many problems along the way.
- Continuous evaluation – nearly all DoD clearance holders have been transitioned to the continuous evaluation model, which has many advantages: not only will it cut down on time-consuming, periodic reinvestigations, but it will also raise security standards for cleared personnel while helping to flag potential insider threats earlier, based on warning signs.
- Reduction of clearance backlog – thanks to the cumulative efficiencies of DISS and all the time saved by continuous evaluation, the clearance backlog has been practically eliminated as of this year, ensuring that the government can process new clearances in a timely manner.
- Modernization – the implementation of DISS has driven government agencies to replace aging technologies and consolidate information systems, leading to improved security against cyberthreats. While there is still progress to be made, it’s a step in the right direction.
While the security clearance process is still being improved, DISS represents a major step in the right direction. Learn more in our blog post: The History of DISS and the Future of Clearance Reform.
Our Latest Blogs
After more than a decade of preparation, the Defense Counterintelligence and Security Agency (DCSA) finally rolled out the Defense Information System for Security (DISS) this March. Fulfilling a major goal of the Trusted Workforce 2.0 initiative, DISS has risen to replace the Joint Personnel Adjudication System (JPAS) as the Defense Department’s security clearance and access database, solving many problems along the way.
Ever since the December SolarWinds breach, supply chain security has been a top concern for cybersecurity leaders in the U.S. In our latest blog post, learn about ongoing legislation developments, and how you can insulate your organization against supply chain attacks.
It’s been nearly a year since the Cybersecurity Maturity Model Certification (CMMC) went into effect, promising greater accountability and better protection in a world of emerging threats. In this blog post, learn everything you need to know about CMMC and how to prepare for it.
MathCraft Security Technologies, Inc. is the leading provider of innovative software and technologies for Industrial Security professionals. Our tools are compliant with 32 CFR Part 117 (the NISPOM Rule) and are available on-premises or in the cloud. Contact us today to see how our products can transform your security operations!
NCMS Endorsement/Disclaimer: References to commercial products, processes, or services do not necessarily constitute an endorsement by NCMS Inc. The opinions and views expressed on this email and on any linked web sites do not necessarily reflect those of NCMS.