Defending your CUI/CDI infrastructure with an improved Security Operations Capability

Authored by: Gary Daemer
DFARS/NIST compliance is hard. We are hearing more and more from our customers every day that they are being required to attest to their DFARS compliance status, and all indicators are that these requirements will continue to expand to civilian agencies as well. The most common NIST SP 800-171 security control requirement gap we find with our…

Draft DoD Guidance for reviewing NIST SP 800-171 SSP and POA&M -- Do you want to compete in the Federal Market Space?

Authored by: Gary Daemer
On April 24, 2018, the Department of Defense (DoD) issued a Notice and Request for Comment on draft guidance for procurements that require contractors to meet the security requirements outlined in NIST SP 800-171*. The proposed guidance provides an approach to assessing contractors’ System Security Plans (SSPs) and Plans of Action and Milestones…

Demystifying FedRAMP - Part 4 - Who is allowed to work on the system or access SSP documentation? What about non-US Persons / non-US Citizens?

Authored by: Jason Shropshire
Note: This is part 4 of a multi-part series. See the links below for other topics in the series. Today we will address questions around handling and security of the FedRAMP System Security Plan (SSP) and related documentation, as well as who is allowed access to components within the system boundary. This includes that ever-pervasive question, “…

Demystifying FedRAMP - Part 3 - Is system documentation included in the system boundary? What classification should be placed on our system security plan (SSP)?

Authored by: Jason Shropshire
Note: This is part 3 of a multi-part series. See the links below for other topics in the series. Today we will address questions around handling and classification of the FedRAMP System Security Plan (SSP) and other documents that are included in the FedRAMP Package. This will be closely related to the next topic regarding the protection of this…

Demystifying FedRAMP - Part 2 – If I follow FedRAMP requirements and get a P-ATO, my cloud service will be well designed and attractive to Federal Agencies, right?

Authored by: Jason Shropshire
In part 1 of this series, we addressed the question “Is an NDA with FedRAMP needed to protect my company’s trade secrets?” In today’s topic we address the question “If I follow FedRAMP requirements and get a P-ATO, my cloud service will be well designed and attractive to Federal Agencies, right?” The short answer is no… But the key to…

Demystifying FedRAMP - Part 1 - Is an NDA with FedRAMP needed to protect my company’s trade secrets?

Authored by: Jason Shropshire
While providing FedRAMP consulting for our customers, we’ve had to address a variety of questions, ranging from the strategic to specific questions on how a Cloud Service Provider (CSP) should treat the information in its System Security Plan (SSP). In addressing these questions, we have sometimes floated questions to the…

The Mecklenburg County Ransomware Attack -- Four Key Takeaways for Your Breach Readiness Program

Authored by: Rob Seate
The scope of ransomware victims continues to expand rapidly beyond individual consumers into business and Government organizations. This was recently evidenced in early December 2017, when the Mecklenburg County (NC) local Government was the victim of a ransomware attack. The impact of this malicious software attack resulted in…

Is your organization ready for a data breach?

Authored by: Gary Daemer
We talk with many organizations every day, and the most common issue we see in cyber security today is culture, even though we see the threats everywhere: in the news, on TV, in print and all over the internet. Despite all of this media coverage, organizations are still struggling to get past one of the first questions we are consistently asked…