CMMC 2.0 Strategy Briefing: Rulemaking Ready

The Cybersecurity Maturity Model Certification (CMMC) final rulemaking process has been kicked off for architectural and engineering firms that do business with the Department of Defense. The CMMC rules have been submitted and will be published by the Office of Information and Regulatory Affairs (OIRA) within 90 days. We can expect CMMC 2.0 to be published by October 2023.

The biggest delays in the publication date are now behind us. CMMC model version 2.0 has been released; it incorporates feedback from industry stakeholders and refines the requirements and practices for each CMMC level. The important point is that the submission of the final rule to the Office of Management and Budget (OMB) is done. It's still a bureaucratic process like we've seen in the past, but it is now less prone to delay than previous phases.

Next, OIRA will decide how to publish it, and will likely make CMMC 2.0 a proposed rule, making it effective in 2025. However, OIRA may make this an interim final rule, making it effective in 2024. They rarely do this, but according to the rule book, when an agency publishes a final rule, the rule is usually effective no less than 30 days after the date of publication in the Federal Register.

If the agency wants to make the rule effective sooner, it must cite good cause in the public interest. This has happened a few times in the last several years, so be aware of this possibility. In addition, be prepared for a comment period, specified by the agency, that lasts from 30 to 60 days.

Most importantly, implement CMMC now while acquiring contracts for 2024 and 2025.

Here is what you can do:

1. Have a true chief information security officer (CISO) review the version of the CMMC rules submitted for OMB review. Do this together with your CMMC assessor.

2. Assess your business case for acquiring and retaining government contracts under CMMC 2.0. Know what your business has to gain, what you have to lose, and the timing of opportunities.

3. Assess your timeline and whether your implementer and auditor can accomplish the work in time and within the costs of your business case.

4. Stay tuned for news on the review process. It's becoming public, and we'll know more in the coming days.

If you'd like more insights like this, please join my free private group for architecture and engineering firm executives:

https://www.linkedin.com/groups/8272471/

See how you can protect millions in revenue for your firm

7 Strategies to Protect Millions in Revenue and Maintain Client Trust

The Problem:

  1. Annualized revenue of $20 million, but $3 million was dependent upon cybersecurity requirements.

  2. Starting cybersecurity maturity score: 35.

A firm’s Managing Director made a personal promise to clients that the firm would implement cybersecurity practices according to each client’s requirements in order to win the business. The reputation of the firm, as well as millions of dollars in contract value each year, was at stake.

He understood that they needed cybersecurity measures that not only met their own requirements but also fulfilled the complete set of requirements of all their customers. This meant it was more complex than just avoiding ransomware and downtime: it required oversight to ensure ongoing compliance with customer requirements.

How They Increased Cybersecurity Maturity:

The firm implemented an oversight strategy including many of these items.

  1. Assess & Oversee Policy:

    • Assess business-specific risks rather than following the generic practices of a managed service provider. 

    • Use a publicly defensible framework to build trust with customers while implementing a Written Information Security Policy (WISP). 

    • Protect revenue, reputation, and data with transparency for client trust. 

  2. Watch for Weaknesses:

    • Implement redundancy and long-term logging to detect breaches by deploying SIEM/SOC and MDR in the cloud and on-premises. 

    • Raise awareness of the most important business risks through AI-assisted risk alerting and incident response.

  3. Educate Staff:

    • Lower the risk of phishing attacks with engaging training videos. 

    • Audit and follow up on training to address current staff risks.

  4. Detect New Weaknesses:

    • Identify insecure data pathways and storage mechanisms. 

    • Use AI-powered event management to find new risks.

    • Harden the network against newly identified risks and map data flows.

  5. Manage Vendor Weaknesses:

    • Audit vendors' access to data and evaluate their maturity and ability to protect information up and down the supply chain. 

    • Lower the likelihood of a breach through vendor risk management.

  6. Test Weaknesses:

    • Test what's been done for quality oversight.

    • Conduct penetration tests.

  7. Use Qualified Oversight:

    • Select a battle-tested chief information security officer (CISO) who has protected thousands of people for many years.

    • Have the CISO report to the CEO ideally, or else to the CFO or general counsel.

The Result:

Annualized revenue protected: $3 million per year that depended on cybersecurity maturity, plus total revenues of $20 million per year protected from disruption.

Ongoing cybersecurity maturity score moved from 35 to 73, surpassing the customer requirement of 70.

Within three months of implementing slashBlue cyberSecurity Oversight, our client demonstrated the ability to meet the target cybersecurity maturity requirements for both their firm and key clients. 

  • The firm has ongoing reporting that gives confidence in meeting customer cybersecurity requirements. 

  • In the event of a cybersecurity incident or breach, the firm is fully prepared to protect customer data. 

  • By prioritizing customer protection, the firm safeguards revenue generation. 

  • The firm leaders can now sleep better at night with greater peace of mind. 

Reach out if you would like help.

Top 5 Risks of Business Disruption in 2023 (And 5 Strategies to Mitigate)

Allianz published its Risk Barometer for 2023. According to the report, cyber incidents and business interruption top the list of threats, while economic and energy risks are rising.

Cyber incidents and business interruption ranked as the foremost company concerns for the second year in a row. Macroeconomic developments such as inflation, financial market volatility and the threat of recession, the shortage of skilled workers, and natural catastrophes round out the top five for the United States. View the full global and country risk rankings.

Here are five strategies you can use:

1. Business interruption - Plan for disruption and establish alternate channels in your supply chain. Tune up your disaster recovery and business continuity policy.

2. Cyber incidents - Review your products and services to establish cybersecurity as part of your strategy for acquiring and retaining clients. Cybersecurity capability is now a possible competitive advantage for building trust in the marketplace. Of course, you also want to make sure that your cybersecurity policy is clear and tested.

3. Macroeconomic developments - Tune your value proposition to accommodate inflationary pressures on your pricing while making sure you're delivering the value that your customers need in changing market conditions.

4. Shortage of skilled workforce - Establish repeatable and scalable processes, teaching your employees how your company delivers value. Make sure they have the right technology tools and software solutions to do their job. Even more importantly, make sure that they know when to use software and when not to. All of us get too many emails and thoughtless communications. Let's simplify the technology we use.

5. Natural catastrophes - Get insurance against catastrophe. Prepare for disruption to business with a full sales pipeline so that if you have a supply chain or natural disaster disruption, you can redirect resources to other areas of revenue generation.

Whether you are the CEO, CFO, COO, President, or Managing Director, make sure to take the time to assess and plan for risks as part of your strategy for 2023 and beyond. Reach out if you would like help.

Equifax Security Breach: The Top 3 Ways to Protect Yourself

In another cybersecurity breach, 143 million U.S. consumers may have had their identity information stolen from Equifax.

The identity thieves make money selling your information to people who could potentially take out credit cards or loans in your name.

Take action to protect yourself and those you love.


Here is what we recommend for every consumer to protect themselves from this theft:

1) Check to see if your information is known to have been stolen. Check your name at Equifax on the web or call 866-447-7559.

2) Take action to protect your identity. To be the most secure, many recommend placing a “credit freeze” on your credit report with Equifax, Innovis, Experian and TransUnion.

a. See the Federal Trade Commission's Credit Freeze FAQ.

b. Check out some free services Equifax is offering to help.

3) Stay alert. Keep an eye on bank accounts for suspicious activity. The hackers got the information because Equifax was insecure. It was not something you did. While this breach was not the result of a phishing attack, phishing remains one of the top ways identity information gets stolen.

If you want to know what should be on your Cybersecurity Roadmap, schedule a free consultation now.


Password Manager Breach: How Do You Know You Are Secure, and What to Do About It? (OneLogin)

The recent OneLogin breach is very serious. When a password manager gets hacked, it's not as though you only have your user login and password to worry about. Password managers store more than just basic password information: they include login information, identity details, credit card and health information, and more. Cloud service providers use these password managers too. So, with the OneLogin breach, it's not just their passwords that are on the line; it is all of their clients' information, including yours if you have a service provider that uses them.

It seems like there is no one immune to a hack. It's just a matter of time. 

How much trust should we place in password managers to store this information?

What companies can we trust out there?

Here's what you can do to protect yourself:

  1. Use a password manager, but only one that offers two-factor authentication AND encrypts data locally (e.g. LastPass).
  2. Select cloud service providers and managed IT support with a cybersecurity plan that uses two-factor authentication AND encrypts data locally.
  3. Ensure that your IT partners have cybersecurity and data breach insurance.

Password managers are a great tool to protect yourself and your company. It is technology that protects your purpose. Remember, there is no way to be 100% secure online. If you store information online, it may become public someday.

If you need help with a Cybersecurity Technology Roadmap, find out more.
If you want to get a free month of Premium LastPass, click here.

3 Tips for the Uber-busy to Keep Improving


For the uber-busy, keeping up with personal development is difficult.

Even though we may have the best intentions to grow, personal development can often get sidelined.

Here are 3 ways you can keep improving even when you're maddeningly busy

(and my favorite mental improvement app)


1) Leverage your time - When you need a break, be intentional. Read a book that will help you develop. Listen to an audiobook when you're in the car or working out.

2) Focus on your bookends - Work to improve your greatest strength and minimize damage from your greatest weakness. This can be incredibly motivating. When you stop the bad behavior, you make greater progress. When you strengthen what you're good at, you can enjoy your work more.

3) Learn as you go - Keep in mind your greatest strength and greatest weakness as you work. Look for opportunities to learn in the flow of what you are doing. Purpose is the mother of invention after all. If you have a will, you can find a way.

There's plenty of technology that can help you as well. One of my favorite apps is Elevate. It helped me to dramatically accelerate my reading speed to 520 words per minute. Because of Elevate, I am faster at everyday math. I write with greater clarity and simplicity.

Take advantage of these tips every day and you will find yourself gaining momentum toward what is most important to you.

May the Fourth be with you - 5 Great Star Wars Technologies

When Star Wars came out in 1977, it shocked the world with amazing space battles, realistic special effects and mind-blowing sound.

The desire to create and make better movies pushed the technology forward.

The imagination and drive of George Lucas and his team created many new technologies that made the story come alive on screen.


Here are 5 of the technologies they created (according to Rotten Tomatoes):

  1. The Dykstraflex - This special camera allowed filmmakers to replicate repeated camera movements for amazing space battles.
  2. Computer animation - Star Wars gave us 3D wireframe animation.
  3. Go Motion - Better than stop-motion, go-motion used computer-controlled puppets to mimic more realistic movement.
  4. THX sound - THX sound has become an industry standard for movies.
  5. Blue screen - The blue screen provided much greater realism than fake-looking rear projection. Blue screen set the bar for special effects in the modern era.

Let your inner George Lucas out and get to your mission faster with great technology.

The technology makes the purpose possible.