
Questions for Cybersecurity

Cybersecurity consists of technologies, processes and measures that are designed to protect systems, networks and data from cyber-crimes. Effective cybersecurity reduces the risk of a cyber-attack and protects entities, organizations and individuals from the deliberate exploitation of systems, networks and technologies.

Cyber resilience is the ability to defend against attacks while continuing to do “business as usual” successfully.

Cybersecurity assessment is a structured approach to examining and enhancing defense mechanisms against cyber-attacks. The strategy helps identify threats that could affect the availability and reliability of a system. Cybersecurity assessment findings are the key “inputs” to a security project plan/roadmap that will strengthen your organization’s infrastructure. A thorough cybersecurity assessment evaluates an organization’s technology, policies and employee awareness.

Cybersecurity assessment helps identify and mitigate risks through reliable security controls and measures. In response to the increasing number and sophistication of cyber threats targeting company networks, it is imperative for all businesses to conduct thorough cybersecurity assessments on a recurring basis to identify and protect network systems from attacks.

The ultimate goal of cybersecurity assessment is to identify the risk exposure of cyber assets in an enterprise. During the process, all network devices and services that could be a source of vulnerabilities are addressed. The service focuses on:

  • Network audit, including hardware, software and network components
  • Overall management of network mapping
  • Network port and service scanning
  • Vulnerability assessment on hosts
  • Risk modelling
  • Network security analysis
  • Risk mitigation analysis
  • Reporting

In cybersecurity assessments, penetration testing and network auditing should be done on a regular basis to examine the physical security of a company’s network and its security policies. The assessment should also examine the configuration of Wi-Fi access points to ensure they are secure. Other activities include evaluating firewall rules, disabling insecure protocols (such as SSLv3 and TLS v1.0), eliminating weak encryption (such as RC4 and 3DES), and validating password and login policies.
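As an added illustration of the protocol and cipher checks mentioned above (example code, not part of the original page), the following script audits a TLS server configuration fragment for the insecure protocols and weak ciphers named here. It assumes nginx-style `ssl_protocols` / `ssl_ciphers` directives and OpenSSL cipher-suite naming; both sample configs are constructed for this example.

```python
import re

# Constructed sample: a weak TLS configuration fragment (nginx-style directives)
WEAK_CONFIG = """
ssl_protocols SSLv3 TLSv1 TLSv1.2;
ssl_ciphers RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256;
"""

# Constructed sample: the same fragment after remediation
HARDENED_CONFIG = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305;
"""

# Protocol versions an assessment would flag for removal
INSECURE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Name fragments that identify RC4 or 3DES suites in OpenSSL naming
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3")


def _directive(config, name):
    """Return the whitespace-separated values of one directive, or [] if absent."""
    match = re.search(rf"^\s*{name}\s+([^;]+);", config, re.MULTILINE)
    return match.group(1).split() if match else []


def audit_tls_config(config):
    """Return a list of findings; an empty list means no weak settings were found."""
    findings = []
    for proto in _directive(config, "ssl_protocols"):
        if proto in INSECURE_PROTOCOLS:
            findings.append(f"insecure protocol enabled: {proto}")
    # ssl_ciphers is a single colon-separated list; normalise and split it
    for suite in ":".join(_directive(config, "ssl_ciphers")).split(":"):
        if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher suite allowed: {suite}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_tls_config(cfg) or "no findings")
```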

Cybersecurity assessment services generate actionable and concise reports that are presented in an understandable format for the client. The findings are interpreted and recommendations are implemented to remediate vulnerabilities within the network. A cybersecurity assessment report shows a picture of a network’s security at one point in time. However, new vulnerabilities are discovered frequently, requiring businesses to plan for recurring scans to remain proactive against attacks.

Questions for CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a new standard developed by the DoD, aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base (“DIB”), particularly as it relates to controlled unclassified information (“CUI”) within the supply chain. This new standard will provide oversight for the current Defense Federal Acquisition Regulation Supplement (DFARS) requirement that contractors handling sensitive unclassified information protect it in accordance with the 110 security controls laid out in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. It encompasses five maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive”.

DOD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.

CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.

Unlike NIST SP 800-171, the CMMC model has five levels. Each level consists of its own practices and processes in addition to those specified in the lower levels.

In addition to assessing a company’s implementation of cybersecurity practices, the CMMC will also assess the company’s institutionalization of cybersecurity processes.

No, the results of a CMMC assessment will not be made public. The only information that will be publicly available is that your company has a CMMC certification. The specific certification level will NOT be made public. The DoD, however, will have access to all DIB companies’ certification levels.

In general, a CMMC certificate will be valid for 3 years.

The CMMC requires DoD contractor information systems to be certified by a third-party auditor, beginning in the 2020 to 2021 timeframe.

Only CMMC Third Party Assessment Organizations (C3PAOs) and individual assessors that have been accredited by the CMMC AB will perform CMMC assessments.

A cybersecurity incident will not automatically cause a DIB company to lose its CMMC certification. Depending upon the circumstances of the incident, the DoD program manager may direct a re-assessment.

The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC, you may be disqualified from participating if your organization is not certified.

If a DIB company does not possess CUI but possesses Federal Contract Information (FCI), it is required to meet FAR Clause 52.204-21 and must be certified at a minimum of CMMC Level 1.

Companies that solely produce Commercial-Off-The-Shelf (COTS) products do not require a CMMC certification.

Yes, so long as your company does not solely produce COTS products, it will need to obtain a CMMC certificate. The level of the CMMC certificate is dependent upon the type and nature of information flowed down from your prime contractor.

The DoD will specify the required CMMC level in Requests for Information (RFIs) and Requests for Proposals (RFPs).

CMMC applies to only a DIB contractor’s unclassified networks that handle, process, and/or store FCI or CUI.