Fathom Cyber’s CEO, Jim Goepel, is an adjunct professor of cybersecurity in both Drexel University’s Lebow College of Business and its Thomas R. Kline School of Law. Since joining Drexel, Jim Goepel has been working with Professor Paul Flanagan on an innovative approach to cybersecurity and data privacy risk management. Drexel University has asked Jim and Paul to present their research as part of Drexel’s 5th Annual International Research Showcase on May 27, 2020. Using Professor Goepel’s and Professor Flanagan’s approach, organizations can implement a holistic enterprise risk management program that creates an agile business environment while adding the structure necessary to properly manage regulatory, legal, cyber, data privacy, and other risks. Their approach includes risk definition and management techniques, carefully tailored policies and procedures, and strong compliance and audit functions. More details about Professor Flanagan’s and Professor Goepel’s approach will be included in an upcoming technology journal published by the National University of Singapore.
The Department of Defense (“DoD”) is pressing forward with its plans to create a cybersecurity maturity program that will apply to all government contractors in the Defense Industrial Base (“DIB”). As we have previously reported, draft Version 0.6 of the Cybersecurity Maturity Model Certification was released a few weeks ago. You can read our analysis of Version 0.6 here. Version 0.7, which is due in December, is slated to address maturity levels 4 and 5, and we will provide updates on that version shortly after it is released.
Although the DoD is creating the initial version of the CMMC, including the maturity scale itself as well as training and other materials, the DoD wants a nonprofit accreditation body to take over the maintenance of the CMMC. The nonprofit will also be responsible for creating a credentialing process for the C3PAOs (certified 3rd party assessment organizations) that will provide the actual CMMC certification to government contractors, as well as training materials for those C3PAOs. In a November 26 response to industry inquiries, the DoD indicated that it will not have the initial training guides (for CMMC Levels 1-3) available to the C3PAOs until at least early February, and that training for Levels 4 and 5 may not be available until March. This means that the C3PAOs will not be able to even begin the certification process until at least late February, and there will inherently be only a limited number of people at each C3PAO who are certified to conduct CMMC audits.
The DoD also indicated that it has received inquiries from several other government agencies and outside groups who are interested in CMMC and the overall process. We expect to see adoption of the CMMC expand to other industries and in other contexts, such as by insurance companies when assessing overall cybersecurity maturity and associated risk and insurance rates.
Finally, the DoD stressed that although written security plans and Plans of Action and Milestones (“POAMs” or “POA&Ms”) are acceptable under DFARS 252.204-7012, DIB contractors have not done a good job of executing their POAMs. Thus, the CMMC will not give credit for plans; instead, only the current, implemented state will count toward the contractor’s CMMC level.
We strongly encourage all organizations, and especially DIB contractors, to engage an independent consultant to conduct a maturity assessment as soon as possible. The C3PAOs will have a large backlog of organizations (over 300,000!) to go through in only a few short months to meet the DoD’s September 2020 deadline, and the C3PAOs are likely to prioritize certifying those organizations that have already taken steps to assess their maturity and to address any shortcomings.
Contact Fathom Cyber today to discuss how your organization will benefit from a maturity assessment.
Fathom Cyber is excited to announce our upcoming webinars for December and January:
- December 16, 2019 – Cybersecurity Terms for Nontechnical Managers
- January 13, 2020 – An overview of the Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”)
- January 27, 2020 – Introduction to Enterprise Risk Management
- February 10, 2020 – Creating Defensible Cybersecurity Strategies
All webinars will begin at 1 PM US Eastern. To register for one or more of the webinars, please visit our webinar registration page.
The UK’s National Cyber Security Centre has published a useful guide for people shopping online this holiday season. Here are a few highlights:
A padlock isn’t enough – That padlock in the address bar of your browser means that communications between the browser and the site you are visiting are encrypted. It says nothing about who is on the other end: the padlock does not mean the company you’re buying from is legitimate. Criminals can cheaply create shopping sites that look legitimate, even down to obtaining a certificate and enabling encryption, precisely to trick you into thinking they are safe.
Limit the information you give – Most websites don’t need your mother’s maiden name, the name of your primary school, or other such personal information so you can buy something from them. Instead, only fill in the mandatory information, such as your name and address. Don’t create an account on the site unless you are going to buy from them again frequently in the future.
Follow good device hygiene – Keep your devices up to date, use strong passwords, enable multi-factor authentication, and follow other good hygiene practices. For more information on staying safe online, see our Top 7 Tips for Improving Individual Cybersecurity.
Smaller entities like nonprofits, state and local governments, and small and medium businesses are frequently reluctant to devote already scarce resources to cybersecurity and data privacy. They often feel that they are too small to be attractive to cyber criminals or that they have nothing of value. Unfortunately, this attitude makes them targets for cyber criminals, because the criminals know that the smaller organizations are easy to attack.
For organizations looking to improve their cybersecurity and data privacy programs, employee training can bring significant returns on investment. Educating all employees about their role in keeping the organization secure is critical to ensuring the organization stays safe, and Fathom Cyber offers a variety of training options, including training for an organization’s employees, executives, and even Boards of Directors. We also recommend augmenting these traditional courses with short awareness videos, and we have partnered with Wizer, an innovative training system provider, to help our clients achieve this goal. Wizer offers an ever-increasing number of free, 1 minute long security awareness videos along with premium options including phishing simulation, gamification, training videos and more, all for a reasonable fee. Wizer’s short videos are a great way for organizations of all sizes to keep security and privacy top-of-mind for their employees.
Below is an example of one of their videos. Contact us for more information or to create your free account today!
The US Department of Defense released version 0.6 of its Cybersecurity Maturity Model Certification program on Thursday, November 7, 2019.
More Ratings Clarity
As we have previously discussed, the CMMC will use a maturity rating system to assess not only the technical controls that are in place (which the DoD refers to in the CMMC as “practices”), but also the policies and procedures that the contractor has implemented to help guide the use of that technology.
The maturity ratings will range from level 1 to level 5, and the contractor will be rated separately for the controls and the policies. This rating system is used for each of the seventeen (17) different “domains” defined within the CMMC.
The DoD recognizes that many of its contractors are likely to still be rushing to get themselves to at least an overall rating of level 3 for each domain (which the DoD appears to suggest as a “reasonable” baseline for security), and thus this version focuses on the requirements to meet levels 1-3. Requirements for levels 4 and 5 are left for a later version.
It should be noted that a contractor’s overall maturity rating in each domain will be equal to the lower of the two maturity ratings. That is, a contractor that has superior technical controls in a particular domain (i.e., controls deserving a 5 rating) but which has yet to implement any policies and procedures (i.e., a process rating of 1) will only be given an overall maturity rating of 1 for that domain.
Ratings Requirements in Government Contracts
It remains unclear how the DoD will specify the maturity level required for a given contract. For example, we know that the contractor will be rated across each of the domains, but it is not yet clear whether a contractor will have a single, aggregate rating that will be used for assessment on a particular contract, or whether contracts are expected to take a more granular view, specifying each of the ratings across all of the domains. From earlier comments by the DoD, it would appear that they are likely to use a single, aggregate rating and that it will be the lowest rating across all domains. Clarity on this issue would be beneficial because it will allow contractors to prioritize their remediation and enhancement efforts within their Plan of Action and Milestones (“POAM”).
As discussed above, the CMMC divides cybersecurity into seventeen (17) domains. These domains are:
- Access Control (AC)
- Asset Management (AM)
- Audit and Accountability (AA)
- Awareness and Training (AT)
- Configuration Management (CM)
- Identification and Authentication (IDA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PP)
- Recovery (RE)
- Risk Management (RM)
- Security Assessment (SAS)
- Situational Awareness (SA)
- Systems and Communications Protections (SCP) and
- System and Information Integrity (SII)
Much like the NIST Cybersecurity Framework’s Functions (Identify, Protect, Detect, Respond, Recover) and their corresponding controls categories, at a high level, the CMMC domains can be useful for organizations’ management, including boards and the C-Suite, as a means for organizing discussions around issues to be addressed by, or being addressed in, their organization’s cybersecurity strategy. This can allow for a more granular discussion between the security/technology teams and the contractor’s senior management without the senior management having to become experts in any particular domain. For self-assessment purposes, these domains and the corresponding maturity within them can be very useful for contractors as they assess how to invest their hard-earned IT and security budgets.
A Missing Domain
However, as is common with many cybersecurity strategies, the DoD has overlooked a key domain: legal and regulatory concerns. While it appears from the comments in Appendix B that the DoD may intend the legal and regulatory aspects to be included across all of the domains, many organizations are not aware of their legal and regulatory exposure. Forcing contractors to explicitly address this as part of their maturity assessment will be beneficial. For example, many organizations’ incident response plans focus on data privacy breach notification obligations and do not address their cybersecurity incident reporting requirements, such as those imposed by the Securities and Exchange Commission. The failure to address the full spectrum of legal and regulatory requirements in an incident response plan is a strong indicator of the overall maturity of the contractor’s approach to its cybersecurity strategy. Thus, a legal and regulatory domain should be incorporated into the CMMC’s requirements.
Capabilities and Practices
Version 0.6 adds clarity within each of the domains as to what the DoD expects of its contractors. There is now a set of 40 defined capabilities, or achievements that ensure cybersecurity objectives are met within each domain. Each capability has associated with it at least one practice that is to be implemented to demonstrate that the capability has been achieved. Different practices are assigned to different maturity levels. Each practice also has associated with it one or more external references (for example, the corresponding NIST SP 800-171 requirement). These external references are provided to help practitioners understand how the practices are to be implemented, but strict compliance with the external references is not required to achieve CMMC certification.
While the CMMC represents a significant improvement over most organizations’ approach to cybersecurity, version 0.6 of the CMMC still misses the boat. The NIST Cybersecurity Framework and the Cybersecurity & Infrastructure Security Agency’s “Cyber Essentials” for small and medium businesses both encourage businesses to conduct a thorough business assessment before making any significant technology investments. However, CMMC v0.6 encourages contractors to treat cybersecurity primarily as a technological problem. This is evidenced in part by the way the technical domains are prioritized over more business-oriented domains like risk management. For example, organizations can achieve a level 2 rating without ever considering risk management, which is a mistake: it pushes the DoD’s contractors to invest in technologies that may not be necessary and prioritizes doing something over doing the right thing. Even within the Audit and Accountability domain, a domain which by its title should be focused more on business-level issues, the prescribed practices are purely technology focused. The US Government, and especially the Executive Branch agencies entrusted with protecting our nation, should be providing consistent messaging and prioritization to everyone on this very important topic.
We believe the NIST/CISA approach is the one that will provide the best value to both the contractor and the DoD, and is also the approach that is more likely to result in better cybersecurity, because the contractor will have business-oriented reasons for maintaining and enhancing its programs rather than treating them as a compliance-type expense from which the business derives limited value. In addition, under the CMMC’s current approach, contractors are likely to spend money on practices that will only marginally improve their actual security while ignoring other controls from which they would greatly benefit. The DoD needs to bring the level 1 requirements more in line with the NIST Cybersecurity Framework and CISA’s guidance.
We also want to stress that we support the DoD’s efforts with respect to the CMMC. Requiring contractors to change the way they view and address cybersecurity is a long overdue change. However, there are some fundamental issues that need to be addressed. We hope the DoD will reassess its approach and address these issues before version 1.0 is released.
Some users of Office 365 will soon have a new tool to fight ransomware. As we noted in our recent article on corporate ransomware protection, one of the most common ways companies are infected with ransomware is through infected Microsoft Office files. These files typically have macros (small embedded programs, usually written in VBA) that kick off the ransomware infection when the document is opened and macros are allowed to run. Microsoft recently announced that users of Office 365 ProPlus will soon be able to open all documents from untrusted sources (e.g., anything sent via E-mail or downloaded from the Internet) using “Application Guard for Office,” a separate virtual environment. The virtual environment is isolated from the user’s operating system and standard programs, and is destroyed when the user logs out. This means that any infection that may be caused by the untrusted document should not be able to reach the user’s computer, and will be discarded along with the virtual environment when the user logs out. This should significantly limit the spread of ransomware, or at least force the criminals to find other approaches for infecting user computers.
We expect to see Microsoft make this available to lower-tier Office 365 users in the near future as well. If your organization uses Office 365, we encourage you to take advantage of this exciting security feature which should help significantly reduce your organization’s attack surface.
That being said, no security system is perfect. For example, a file may be opened in the virtual environment without any negative effects being detected, but it may include a “sleeper” version of the ransomware that waits days, or even months, before it launches. Other malware may detect that it is running in the virtual environment and, if so, postpone any malicious activity until it finds itself outside the virtual environment (for instance, after the user marks the document as trusted and reopens it normally). Still other malware may attempt to escape the virtual environment by exploiting vulnerabilities in it.
In the end, as we discussed previously, disabling macros can significantly reduce your attack surface. If you must enable macros, the Australian Cyber Security Centre has created this handy chart that outlines some of the risks associated with the different levels of macro restriction.
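As an added example, not from the original post and not Microsoft’s or the ACSC’s own material, the PowerShell below sets and audits the Office macro policy using the per-user Group Policy registry values that the Office 2016/2019/365 administrative templates write (the `16.0` policy tree). The value names and their meanings are Microsoft’s; the function names are ours. It assumes Office 2016 or later is installed and that no machine-wide (HKLM) policy overrides the per-user setting. The weak configuration is shown commented out beside the hardened one so the two can be compared.

```powershell
# Added example, not from the original post. Sets and audits the Office macro
# policy via the per-user Group Policy registry values written by the Office
# 2016/2019/365 ADMX templates (policy tree "16.0"). Assumption: Office 2016 or
# later is installed and no machine-wide (HKLM) policy overrides these values.

$Apps = @('Word', 'Excel', 'PowerPoint')

# VBAWarnings values (Office "Macro Settings" policy):
#   1 = enable all macros (weakest)
#   2 = disable all macros with notification (Office default when unset)
#   3 = disable all macros except digitally signed ones
#   4 = disable all macros without notification (strongest)
# BlockContentExecutionFromInternet = 1 blocks macros in files that carry the
# Mark-of-the-Web (downloaded, or received as an e-mail attachment), regardless
# of what VBAWarnings allows.

function Get-OfficeSecurityKey([string] $App) {
    "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
}

function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(1, 2, 3, 4)] [int] $VbaWarnings = 3,
        [bool] $BlockFromInternet = $true
    )
    foreach ($app in $Apps) {
        $key = Get-OfficeSecurityKey $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
        Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
            -Value ([int]$BlockFromInternet) -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $p = Get-ItemProperty -Path (Get-OfficeSecurityKey $app) -ErrorAction SilentlyContinue
        $warn  = if ($null -ne $p.VBAWarnings) { $p.VBAWarnings } else { 'not set (default 2)' }
        $block = if ($null -ne $p.BlockContentExecutionFromInternet) { $p.BlockContentExecutionFromInternet } else { 'not set' }
        # Flag the two configurations that leave the Office-file attack path open.
        $risk = switch ($true) {
            ($warn -eq 1)  { 'HIGH: all macros run'; break }
            ($block -ne 1) { 'MEDIUM: Internet-sourced macros are not blocked'; break }
            default        { 'OK' }
        }
        [pscustomobject]@{ App = $app; VBAWarnings = $warn; BlockFromInternet = $block; Risk = $risk }
    }
}

# Weak configuration (macros enabled everywhere) that the audit reports as HIGH:
#   Set-OfficeMacroPolicy -VbaWarnings 1 -BlockFromInternet $false
# Hardened configuration: only signed macros run, and nothing from the Internet runs at all.
Set-OfficeMacroPolicy -VbaWarnings 3 -BlockFromInternet $true
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Run it in the affected user’s context (logon script or a GPO preference item); in a domain, the same values belong in a Group Policy Object under User Configuration so they are enforced rather than merely set. Value 3 (signed macros only) is the level to pick if some business process genuinely depends on macros; otherwise 4 removes the attack path entirely.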
Did you know that your organization and you can be a cyber criminal’s target even if you do not have much valuable information? Imagine that it is the morning of February 3rd, 2020. Frigid temperatures extend as far south as Texas and are expected to stay in place for at least the next 6-8 days. As you are getting ready for work you hear the local fire company’s siren begin to wail. A few seconds later your whole house goes dark. You pull out your phone to turn on the flashlight app and it starts wildly chirping and buzzing. There is an alert from the Federal Emergency Management Agency (“FEMA”) advising everyone of a nearly nation-wide blackout and recommending that everyone stay off the streets and at home while emergency crews work to assess and address the situation.
Your Wi-Fi is out, so you try connecting your laptop to the Internet via your phone, but the phone has trouble keeping you online. So, you E-mail your office that you will try again in a bit when the power comes back on, then change into warmer clothes and settle in on your couch armed with a heavy blanket, a book, and the old AM/FM radio that you found buried at the back of your closet.
By noon the news begins reporting that the blackout was the result of a coordinated attack. The attackers created malicious software (malware) that overwhelmed the protective switches, called relays, which are used by power companies to keep their electrical distribution equipment from being damaged. The malware kept the relays from working properly, causing transformers and other equipment to overheat and, in some cases, to catch fire. Officials are still assessing the damage, but they are warning that although there is some inventory of spare parts and equipment, much of the equipment will need to be newly manufactured which could take months.
As the day progresses you accept the fact that the power will be out a while and that the fire-and-blanket approach is not a long-term strategy. You are about to hop in the car to buy a generator when your phone rings. It is the CEO of your company. The FBI called her moments ago and told her that they traced the problem back to an individual E-mail account at your company: your account. Foreign agents gained access to your E-mail account and used it to send infected E-mails to select customers of your company. These infected E-mails allowed the foreign agents to gain control of other systems, and to eventually work their way up to a company that has access to the electrical grid. From there, they were able to infect the grid and cause the nation-wide blackout. The FBI assured the CEO that they will not publicly name your company, but cautioned that given the scope of the damage and the number of agencies involved it may not be long before the company’s name, your name, and your collective role in the blackout are leaked. You hang up and collapse onto your couch, your head spinning at the thought that your world has forever changed.
Could This Really Happen?
While this scenario may sound far-fetched, cyber criminals target victims for a variety of reasons, and most aspects of this scenario have already occurred. For example, according to the Wall Street Journal, agents of the Russian government gained access to an excavating company’s E-mail systems in 2018 [1]. They exploited the excavating company’s trusted relationship with its customers and moved up to larger, more sophisticated companies, eventually gaining access to the US electrical grid. “They got to the point where they could have thrown switches” and disrupted power flows, said Jonathan Homer, chief of industrial-control-system analysis for DHS [2]. “Some companies were unaware they had been compromised until government investigators came calling, and others didn’t know they had been targeted until contacted by the Journal.” Thankfully, investigators from the FBI and DHS were able to stop the foreign agents before damage could be done to the US electrical grid. Otherwise, the US may have suffered the same fate as Ukraine, where attacks on its electrical grid in December 2015 and December 2016 caused power outages for hundreds of thousands of customers [3].
To help keep this from happening to you, follow our Top 7 Tips for Reducing Individual Cybersecurity Risks. Click here to download a PDF version of this article together with the Top 7 Tips.
The United States Department of Defense published Version 0.4 of the CMMC on September 4, 2019. The publication includes some new insights into the DoD’s plans for the CMMC, including:
- Reinforcement of the January 2020 target date for the release of CMMC 1.0 and the June 2020 target date for incorporation of the CMMC in all RFIs;
- A softening of the target date for incorporation of the CMMC as a mandatory requirement for all acquisitions to “Fall 2020” (this had previously been September 2020);
- A commitment to a second draft of the CMMC, which is due in November 2019;
- They are actively pushing to streamline the CMMC and are seeking public comments on how the requirements should be reprioritized and/or reassigned, as well as whether certain requirements should be removed or added;
- The DoD is aware that small and medium businesses may be more severely impacted than large government contractors and is trying to factor SMB concerns into the CMMC;
- The DoD is stressing process maturity, not merely the implementation of certain pieces of technology (which they refer to as “practices”) and asserts that such maturity can help make up for shortcomings in technical control implementations.
- As illustrated in Figure 1, below, the CMMC defines eighteen (18) different cybersecurity-related domains, from Access Control to Systems and Information Integrity. Every domain is comprised of capabilities, and each capability is comprised of both practices and processes.
- The CMMC defines two sets of maturity metrics: one for technical practices (i.e., whether certain controls have been implemented), and one for processes (i.e., how well the organization has documented not only its plans for implementing the controls, but also how it monitors its own performance in implementing them). The practice maturity levels are:
  - Basic Cyber Hygiene;
  - Intermediate Cyber Hygiene;
  - Good Cyber Hygiene;
  - Proactive; and,
- The process maturity levels are:
  - Reviewed; and,
- Each organization’s maturity will be assessed against all eighteen domains, and the assessment will look at both the practices and the processes. Organizations, especially small and medium organizations, frequently do not prioritize documentation of processes, so it can take months, or even years, for an organization to reach process maturity level 2 or beyond. We strongly encourage organizations to start documenting their processes now, before CMMC 1.0 is released. We recognize that this process can be intimidating for even sophisticated organizations. Contact Fathom Cyber today to learn more about how we can help your organization prepare for CMMC 1.0.
Subscribe to our newsletter for more details about the DoD’s Cybersecurity Maturity Model Certification and other business-oriented cybersecurity news and information. To view CMMC Version 0.4, visit https://www.acq.osd.mil/cmmc/draft.html
We attended a presentation in early August by Katie Arrington, who is spearheading the Department of Defense’s (“DoD”) efforts to increase the role cybersecurity plays in acquisitions. At that time, Ms. Arrington mentioned that Version 0.4 of the DoD’s Cybersecurity Maturity Model Certification (“CMMC”) would be released on August 30, just before the long Labor Day weekend. The DoD’s Office of the Under Secretary of Defense for Acquisition & Sustainment announced late last week that “Due to the impending holiday [the office] will release the Draft CMMC 0.4 once it clears review by DoD Public Affairs”. This is disappointing for the hundreds of thousands of Defense Industrial Base (“DIB”) contractors who are waiting for additional clarity from the DoD before kick-starting their maturity assessment and improvement processes. DoD is currently targeting a January, 2020 release date for CMMC Version 1.0, with June and September roll-outs for mandatory inclusion of the CMMC in all RFIs and acquisitions, respectively. We recommend that all contractors perform a pre-assessment now so that they have as much lead time as possible to make any necessary changes or improvements.