Zofia Buzz

Jul 23
Defense Security Service To Verify that "4th Pillar" of Defense Contracts #CUI

There will be a push from DoD for a “4th pillar” of evaluation for contract awards - in addition to cost, performance and schedule – “Security” will become a strong factor of evaluation. The goal is to reward companies that have established and effective security and risk management programs. https://www.zofiaconsulting.com/blog/post/defense-security-service-to-tackle-dod-cui-program #CUI #ISMS #RMF #DFARS #CDI #7012


Jul 18
NY CREDIT REPORTING AGENCIES (CRA) MUST COMPLY WITH NEW #CYBER MANDATE

By November 1, covered CRAs must have a CHIEF INFORMATION SECURITY OFFICER (#CISO) & a written CYBERSECURITY PROGRAM designed to safeguard the confidentiality, integrity and availability of the organization’s info systems. https://www.zofiaconsulting.com/blog/post/new-yorks-credit-reporting-agencies-cra-must-comply-with-new-cyber-mandate


Jul 11
Defense Security Service To Verify that "4th Pillar" of Defense Contracts #CUI

There will be a push from DoD for a “4th pillar” of evaluation for contract awards - in addition to cost, performance and schedule – “Security” will become a strong factor of evaluation. The goal is to reward companies that have established and effective security and risk management programs. https://www.zofiaconsulting.com/blog/post/defense-security-service-to-tackle-dod-cui-program #CUI #ISMS #RMF #DFARS #CDI #7012


Jul 10
NY CREDIT REPORTING AGENCIES (CRA) MUST COMPLY WITH NEW #CYBER MANDATE

By November 1, covered CRAs must have a CHIEF INFORMATION SECURITY OFFICER (#CISO) & a written CYBERSECURITY PROGRAM designed to safeguard the confidentiality, integrity and availability of the organization’s info systems. https://www.zofiaconsulting.com/blog/post/new-yorks-credit-reporting-agencies-cra-must-comply-with-new-cyber-mandate


Jul 06
New York's Credit Reporting Agencies (CRA) Must Comply with New Cyber Mandate


As of June 25, 2018, any credit reporting agency (CRA) with “significant operations” in New York must register with the New York Department of Financial Services (NYDFS) and comply with the NYDFS cyber regulations under Part 500. CRAs must register by September 15, 2018. In addition to registering, CRAs must begin complying with New York’s cyber regulations as early as November 1, 2018. There are multiple deadlines over the next year for CRA compliance.

Here are some highlights:

  • By November 1, covered CRAs must have appointed a chief information security officer (CISO) and have implemented a written cybersecurity program, including an incident response plan, that are designed to safeguard the confidentiality, integrity and availability of the organization’s information systems.

  • A CRA must base its cybersecurity program on a completed risk assessment, and the program must be designed to enable the CRA to identify, detect, respond to and recover from a reportable “cybersecurity event.”

  • CRAs have a maximum of 72 hours to report a “cybersecurity event” to the NYDFS, making the reporting requirements more consistent with Federal guidelines for government agencies.

  • A member of the board of directors, or a senior officer, of each CRA must certify annually to the NYDFS the agency’s compliance with the regulations. The first certification is due on February 15, 2019.

  • Under this regulation, NYDFS has the authority to deny, suspend, or revoke a CRA’s license and ability to conduct business in New York if the agency fails to comply with the NYDFS’s cyber regulations, including a failure to certify annually its compliance.

Zofia Consultants are experts in full-time CISO activities and Enterprise Security Risk Management.

Not every organization has the need or resources for full-time, all the time, cybersecurity support. Having “Virtual CISO” ™ expertise available part-time and virtually on-demand is a service more and more of our clients are asking for, particularly those needing to demonstrate compliance with State and Federal laws.

Zofia Consulting assists our clients through the complex cybersecurity maze and provides the necessary leadership and learning opportunities for ongoing protection, compliance, and mission success.

Learn more here: https://www.zofiaconsulting.com/virtual-ciso


Jul 03
Defense Security Service to Tackle DOD CUI Program

In a recent public government meeting, the Defense Security Service (DSS) confirmed that it will not only be taking over the majority of government background investigations, it will also be taking over the DoD CUI program. Public details are scarce for now, but we presume the audit process will get started over the next year and will be similar to DSS’s existing audit and risk management review process. The overall goal is to ensure that all products and services delivered to the USG are “uncompromised.”

The Director of DSS also stated that there will be a push from DoD for a “4th pillar” of evaluation for contract awards. This means that in addition to cost, performance and schedule – “Security” will become a strong factor of evaluation. The goal is to reward companies that have established and effective security and risk management programs. The Director also stated that heavier penalties will be exacted for contractor failures to maintain security compliance and oversight of their systems during the contract periods.

An initial self-assessment for CUI compliance is the first of many steps in a thorough risk management program that we presume DSS will audit, and it is only one component of the overall information security picture. Any assessment should be complemented by a robust information security program within the organization. A single report cannot reveal all types of security weaknesses and should not be the sole means of determining an organization’s security posture.

An initial assessment may not provide a detailed architectural analysis of the network or a detailed review of network hardware and software configuration. An initial self-assessment is not a substitute for in-depth analysis of control system vulnerabilities performed by trained professionals.

Periodic onsite reviews and inspections must still be conducted using a holistic approach, including facility walk-downs, interviews, and observation and examination of facility practices. Consideration should also be given to additional steps such as scanning, penetration testing, and exercises on surrogate, training, or non-production systems, or on systems where failures, unexpected faults, or other unexpected results will not compromise production or safety.

Dangers of DIY: http://www.dodig.mil/reports.html/Article/1481961/logical-and-physical-access-controls-at-missile-defense-agency-contractor-locat/


Apr 11
COMPLYING WITH DFARS 252.204-7012 & CONTROLLED UNCLASSIFIED INFORMATION (CUI) MANDATES


The DoD isn’t conducting full CUI audits as of this date, but that doesn’t mean that government contractors are free to ignore the mandate. Currently, DoD government contractors attest to their compliance with DFARS 252.204-7012 and NIST SP 800-171 Rev. 1 when bidding for a DoD Government contract. In lieu of a full audit, the Defense Contract Management Agency (DCMA) does have a significant role in providing oversight of government contractor attestations. According to DoD:


Apr 06
WHAT IS A VIRTUAL CISO?

WHAT IS A ZOFIA CONSULTING VIRTUAL CISO?


Dec 21
DFARS CUI / CDI COMPLIANCE: YOU ARE OUT OF TIME BUT NOT OUT OF OPTIONS.

DEADLINE IS HERE
If you are a Department of Defense (DoD) Government Contractor or a sub-contractor to a Government Contractor and are required to comply with the NIST SP 800-171 regulations supporting DoD Controlled Unclassified Information (CUI) (or Covered Defense Information (CDI [1])), the deadline for compliance is December 31, 2017. (The full set of NIST SP 800-171 security controls is imposed on Department of Defense contractors in Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012.)

The new statutory changes have been in the works for several years and should not come as a surprise. However, the new requirements and deadline have caught many government contractors and academic institutions unaware, leaving many to ...


Dec 12
CYBERSECURITY IS RISK MANAGEMENT



Cybersecurity is NOT just a technology problem. The majority of cyber incidents are caused by human action or inaction, and the result is a risk to business operations and perhaps a risk to the survival of the business. Affected parties include the shareholders, stakeholders, customers, executives, and employees of the business.