Category Archives: Third-Party Risk & Vendor Risk Management
Third-Party Crashers: Recent Data Breaches Targeting Vendors and Service Providers
Thank goodness we have partners, suppliers, contractors, and third-party service providers to keep our businesses operating smoothly. But let’s make sure that your security postures are aligned – your partners serve as an extension of your business and it is your duty to ensure they are secure and in compliance with your standards as well as applicable laws and regulations. (more…)
A Summary of DBIR 2020 – Where the Data Breach World is Today and How to Prepare for IT
CMMC 101: The Basics of Cybersecurity Maturity Model Certification
WHAT IS CMMC? CMMC which stands for ‘Cybersecurity Maturity Model Certification’ is the upcoming required standard for all contractors and suppliers that work with the Department of Defense (DoD).
WHY IS THIS NEEDED? The new framework is to ensure contractors and suppliers have appropriate cybersecurity frameworks in place to protect data such as Controlled Unclassified Information (CUI), Federal Contact Information (FCI), and other information. The DoD is rolling out the new framework “to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB).”
WHO MUST FOLLOW CMMC? Any DoD contractors and suppliers in the supply chain. For any organization that wants to do work for the DoD and bid on a project, they must be CMMC certified.
HOW DOES IT WORK? The CMMC categorizes organizations by five maturity levels. These maturity levels attempt to map the rigor of an organization’s cybersecurity plan to the risk they pose to the interests of national defense. Maturity Level 1 is associated with organizations who pose the least risk and require a baseline security program. Maturity Level 5 organizations pose the highest possible risk to our national defense interests and therefore require the most rigorous security program. Organizations that wish to bid on a DoD contract would need to show that the maturity of their CMMC certification supports the risk associated with the bid.
The new CMMC framework also requires third-party certification. Contractors and suppliers will need to have an independent third-party assessment organization (C3PAO) to conduct assessment and certification. Contractors and suppliers will no longer be able to self-certify as they do now with NIST 800-171.
IS THE CMMC ACTIVE NOW? The DoD is estimating the formal implementation of CMMC in the near future. Updates to the status of the initiative can be found on the official site, and we will also publish updates as we receive them.
WHAT SHOULD CONTRACTORS DO NOW? Any organization that will be required to certify to CMMC is already required to be compliant with NIST 800-171. By evaluating their compliance to NIST 800-171, and by developing a remediation plan that includes new requirements from the draft CMMC standard, DoD suppliers can ensure their compliance today, and prepare for this revenue-critical requirement in the coming months.
UPDATE: NIST SELF-ASSESSMENT REQUIREMENTS“Under the new rule, these entities will need to conduct a “Basic” self-assessment of their compliance with the NIST Requirements, and submit the results of that assessment to DoD through the Supplier Performance Risk System (“SPRS”). Contractors will need to update this self-assessment every three years or sooner if required by a contract. Starting November 30, 2020, contractors will not be eligible for new contracts (including task orders and delivery orders) or for options on existing contracts, unless the self-assessment score is posted on SPRS. DoD expects that it will take 30 days from submission to have the self-assessment score posted on SPRS, so it is important for contractors to submit their assessment at least 30 days prior to the November 30, 2020 implementation date.”
Access the CMMC presentation briefing and other supporting documents.
IMAGE SOURCE: https://www.acq.osd.mil/cmmc/docs/CMMC_ModelMain_V1.02_20200318.pdf
M&A: The Cyber Risk of Business
The impact of the COVID-19 pandemic is profound – every business has been touched, forcing many to explore how their organizations adapt to the new economy. Some industries have bigger challenges due to the nature of their business – travel and lodging, restaurants, transportation, oil and gas and more due to social distancing ordinances. (more…)
Payment Processing in a Remote Working Environment
Organizations are facing a lot of change with remote work set ups – in both physical location and operational shifts. Especially challenged are businesses that manage credit card information electronically and over the phone. These new working conditions unearth new risks for sensitive data. Social distancing can also bring about more social engineering attempts. According to the U.S. Secret Service, social engineering/phishing is a very common online attack right now.* (more…)
Taking Care with Telehealth: Health Care. Cyber Care. Duty of Care.
Social distancing and stay-at-home orders are designed to protect us from the spread of COVID-19, but what about patients that still require check-ups, post-hospitalization follow-ups, continued monitoring due to other conditions – Telehealth is a convenient solution. (more…)
4 Reasons Why Third-Party Risk Management (TPRM) Should Be Reviewed
As people “Stay at Home” and work remotely during the COVID-19 pandemic, organizations have an increased reliance on external partners, suppliers, and third party vendors to keep their businesses running. For some companies, this may be the first time their employees worked outside of their office, without the benefit of established cyber security policies for working from home. It is crucial that third-party vendors be on the same page as their clients to ensure proper safeguards and business continuity. (more…)
Covid-19 Does Not Exempt Compliance nor Security Obligations
While companies are consumed with the task of implementing remote work strategies in response to the COVID-19 crisis, it is critical to remember one thing: No matter how chaotic things get, Coronavirus does not exempt you from your industry or government compliancy obligations such as HIPAA, CCPA and PCI DSS. It also does not release you from your responsibility of employing Duty of Care when it comes to protecting third party personal data. (more…)
CAMP IT Conferences Gallery
CAMP IT produces events designed to help IT professionals understand new technologies and make the critical, strategic and tactical decisions for their enterprises. (more…)