
MathCraft Newsletter Issue Q3 2021 – Associate Member of NCMS
New Legislation and Changing Threats
2021 has been an eventful year for cybersecurity as the U.S. comes to grips with rising ransomware and IoT attacks, supply chain vulnerabilities and more. Following May’s executive order, this quarter has seen new legislation from multiple agencies, the risk of a government shutdown and many other developments.
It’s a lot to keep up with, and MathCraft is here to give you the scoop. The role of FSOs and other security officers in America’s security preparedness has never been greater, and this drives us to keep our subscribers informed with the latest news, tips and “need-to-know” information.

- OMB tells agencies to start planning for possible government shutdown – as the federal government approaches its current debt ceiling, the Office of Management and Budget (OMB) has advised government agencies and personnel to prepare for the possibility of an imminent government shutdown beginning on Thursday, the 30th of September. Read more.
- NIST Outlines Security Measures for Software Use and Testing Under Executive Order – in response to an executive order issued earlier this year, the National Institute of Standards and Technology (NIST) has issued new guidelines aimed at mitigating software supply chain attacks. Among other things, the guidelines identify security measures for critical software and minimum testing standards for vendors. Read more.
- Biden Administration Releases Draft Zero-Trust Guidance – the OMB has unveiled a roadmap to deploy zero-trust security architectures throughout the federal government by the end of 2024. Under the Cybersecurity and Infrastructure Security Agency (CISA)’s preliminary zero-trust model, users will be required to continually validate their credentials as they move through a network. Read more.
- Attacks on IoT Devices Double Over Past Year – according to a study from Kaspersky, the number of attacks targeting Internet of Things (IoT) devices has nearly doubled since the last half of 2020. Compromised devices can be conscripted into botnets, used to launch DDoS attacks, or made to serve as an entry point for system penetration. Read more.
- US Cybercom says mass exploitation of Atlassian Confluence vulnerability ‘ongoing and expected to accelerate’ – earlier this month the U.S. Cyber Command issued a public notice warning government agencies of ongoing attacks against popular enterprise management software from Atlassian. Organizations that have not updated to the latest software patch are advised to do so as soon as possible. Read more.
- Safer Federal Workforce Task Force Issues Guidance for Federal Contractor Compliance with COVID-19 Executive Order – according to new instructions from the Safer Federal Workforce Task Force, most employees of federal contractors will be required to receive the COVID-19 vaccine by December 8th of this year. For the foreseeable future, covered employees will also be expected to practice physical distancing and wear appropriate masks in common areas. Read more.
- DoD planning to create big data platform to better understand supply chain risks – as part of its supply chain security initiative, the Defense Department is planning to build a cloud-based data platform that will perform risk analysis on nearly 100,000 organizations. Among other objectives, the project aims to identify companies with foreign ownership, control and influence (FOCI), monitor supply chain shortages, and more. Read more.

A Cyber 9/11?
MathCraft honors the memory of all Americans, first-responders and government employees who perished on 9/11.
This month, Americans paused to remember the 20th anniversary of the terrorist attacks of September 11th, 2001. Since then, no single incident has caused a greater number of casualties on U.S. soil. But the world has changed with the emergence of a global digital infrastructure, and some have worried about the possibility of a “cyber 9/11”.
Experts reassure the country that such an event is unlikely. While cyberterrorism is a present reality that FSOs confront on a daily basis, the ability to cause mass casualties through cyber activity is still beyond the capabilities of most terrorist organizations.
Even so, the possibility can’t be totally dismissed. Today, small groups can leverage malware-as-a-service to supplement their cyber capabilities, and attacks on targets like emergency communication systems could have devastating consequences. Such risks call for renewed vigilance and mutual cooperation throughout the federal government – we know that FSOs will be on the front lines of the fight.
The Future is Zero Trust
Following May’s executive order on cybersecurity, the OMB is gearing up to mandate zero-trust network policies across federal agencies and cleared organizations. CISA has issued a preliminary maturity model with comments due on October 1st; once it is finalized, the OMB will likely enforce it by the end of 2024.
Federal Chief Information Officer Clare Martorana summarizes the philosophy of zero-trust in a single statement: “never trust, always verify.” In more concrete terms, that means:
- Continually checking a user’s credentials as they move through a network
- Maintaining an inventory of every connected device across cleared organizations
- Encrypting all HTTP traffic and DNS requests
- Rigorously testing and reporting vulnerabilities for all applications, local or cloud-based
Once deployed, zero-trust architecture will likely take some getting used to. But in the face of increased ransomware and supply chain attacks, cybersecurity experts agree it is the best step forward to protect the country from developing threats.

With the release of NIST guidelines for software use and testing, cleared organizations should familiarize themselves with supply chain risk management (SCRM) practices and defend against supply chain attacks. Here are four tips based on a report from the Government Accountability Office (GAO):
- Establish executive oversight – appoint a C-level officer to oversee SCRM activities; the chief information security officer (CISO) and chief security officer (CSO) are good picks.
- Develop an agency-wide strategy – just as you have a high-level cybersecurity strategy encompassing all agencies, departments and personnel, you should have one for SCRM.
- Establish a process to conduct agency-wide assessments – from time to time, organizations should review their vendor and information and communications technology (ICT) portfolio for security concerns.
- Establish a process for review of potential vendors – before adopting a new product or service, evaluate the vendor for trustworthiness and good security practices.
For more, see the GAO’s full report: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.

Our Latest Blogs
How Cleared Organizations Should Prepare for Supply Chain Attacks
Ever since the December SolarWinds breach, supply chain security has been a top concern for cybersecurity leaders in the U.S. In our latest blog post, learn about ongoing legislation developments, and how you can insulate your organization against supply chain attacks.
How CMMC is Changing Facility Security in 2021
It’s been nearly a year since the Cybersecurity Maturity Model Certification (CMMC) went into effect, promising greater accountability and better protection in a world of emerging threats. In this blog post, learn everything you need to know about CMMC and how to prepare for it.
FSO Tip: Managing Forms with Portal Commander
Today’s FSOs have a lot on their plates: they don’t have all day to spend in front of a screen fielding emails or keeping track of individual support tickets. In this blog post, learn how you can use Portal Commander™ to automate form tracking and management for your cleared personnel.

MathCraft Security Technologies, Inc. is the leading provider of innovative software and technologies for Industrial Security professionals. Our tools are compliant with 32 CFR Part 117, NISPOM Rule and are available on-premises or in the cloud. Contact us today to see how our products can transform your security operations!
NCMS Endorsement/Disclaimer: References to commercial products, processes, or services do not necessarily constitute an endorsement by NCMS Inc. The opinions and views expressed on this email and on any linked web sites do not necessarily reflect those of NCMS.

© 2022 MathCraft Security Technologies, Inc. All Rights Reserved.
44121 Harry Byrd Highway, Suite 200, Ashburn, Virginia 20147
703-729-9022, info@mathcraft.com
MathCraft offers the most comprehensive industrial security software in the industry. Our products are compliant with 32 CFR Part 117, NISPOM Rule, and are available on-premise or in the cloud!