Stephen Cicirelli

A little late, but here's the next #cmmc entry for level 2: https://lnkd.in/gKpkbpBp This one was a bit more difficult to decide what to write, as I did not want it to be a long boring read. There are almost 100 additional requirements above level 1, so I just tried to give some highlights by sections. Level 2 is where you start seeing more technical requirements that will be much more likely to start requiring outside assistance, but it also will likely greatly enhance most company's security postures.

9

CISA has been releasing advisories on Industrial Control System security issues, vulnerabilities, and exploits for years, but the volume of advisories has sharply increased in the last two years. Three years ago a typical CISA advisory on Industrial Control Systems had one to five advisories. Today, I see a lot more bulletins with advisories numbering 20, 25, or even as high as 30+. This is a signal that the ICS/OT community is doing more. OEMs, software providers, integrators, services companies, and critical infrastructure operators are all doing more to protect the critical systems that support our modern way of life and identifying more of these vulnerabilities. Your electrical grid, water system, connected transportation networks, telecommunications infrastructure, and more, are all connected and carry risk just like any network. CISA plays a vital role in distributing these advisories. Sign up and subscribe to their updates at the link below and keep up the great work team. https://lnkd.in/gSMNnVRB

32

Fellow #CISSP holders, I need you to weigh in. I was recently having a discussion with a colleague where the conversation led to an important consideration. Having a CISSP comes with a hefty burden of upholding a code of ethics that can, in nearly every case, risk a cert holders livelihood. Given that ISC² has no jurisdiction or ability to offer protections for CISSP holders who uphold these ethical standards, how do you navigate scenarios where you witness unethical, illegal, or risky behaviors that could put an enterprise and the public at risk? There are some serious considerations I think every #CyberSecurity #Practioner needs to consider before they align to ANY certification body. 1. Ethical Dilemma: CISSP's are expected to uphold high ethical standards, including reporting security issues, but may face personal consequences for doing so. 2. Enforcement Limitations: ISC²'s ability to enforce ethics is largely limited to the certification itself, not extending to workplace protections. 3. Credibility Issue: This situation could potentially undermine the integrity of the certification if holders feel they can't act on their ethical obligations without risking their livelihoods. 4. Practical Challenges: Providing actionable protections across various global jurisdictions and employment situations is extremely complex. So, with that being said, how do you navigate the conflicts of interest that exist with these certifications? Let me know in the comments. I want to hear your thoughts! #CleverGirl ♛ Gina King ♛ Derrick Knox, Jr. WellSecured IT The Ovation Point LLC Diverse IT ISC2

21

33 Comments

Check out this podcast interview with me just after my TribalNet keynote in Vegas recently. I was asked a random question at the end about the first concert I attended that you might find interesting (and it's not just what's listed in the podcast description). #infosec #CISO #CIO #businessleaders #cybersecurity #podcast #keynotespeaker #backtobasics #rockconcerts #ISAC

5

It's September 25, 2024. Do you know where your organizations vulnerabilities are? Don't wait for a cyberattack to happen! Vulnerability assessments and remediation allow you to take a proactive approach to security, finding and patching vulnerabilities before they become problems. Contact HaltSec Security Services. We can help!!!

1

While I am reposting this is that many of my connections have to adhere to 23 NYCRR 500 and it will be useful to them, publishing a template like this is also horrible to get it followed. I was talking with Deborah Nitka at dinner today, and she mentioned how she would examine compliance related documents, and it is clear that they basically just did a universal Cut and Paste on company name. Sharing a template like this can result not in people actually implementing a compliant program, but in creating a document that looks like they are. That is a major difference.

40

3 Comments

Our #massdatagov recently commented on the Cybersecurity and Infrastructure Security Agency #CIRCIA #cybersecurity reporting requirements NPRM including suggestions around zero-day vulnerability requirements #security #MHDCregulatory Read our comment here: https://ow.ly/JRRW50SiqLG

1

Jill Martucci, CISA, SSCP, Director of GRC, Advisory Services for Avalon Cyber dives into the "Govern" function in the National Institute of Standards and Technology (NIST) Version 2.0 of the Cybersecurity Framework. "While there are multiple enhancements in CSF 2.0, the “Govern” function is the change that may have the largest impact, as this function should help organizations and compliance teams map and meet various laws and regulations while managing their cyber programs." Learn more in Jill's latest blog post: https://hubs.li/Q02Ll22z0 #TeamAvalon #AvalonCyber #NIST2.0 #compliance #cybersecurity #riskmanagement #cyber #governance

14

CISA (Cybersecurity and Infrastructure Security Agency) has proposed new reporting requirements for significant cyber events across critical infrastructure sectors, including healthcare. These requirements aim to enhance cybersecurity measures but have raised concerns within the medical community. MGMA (Medical Group Management Association) has suggested that instead of adding duplicative reporting requirements, CISA should collaborate closely with HHS (Department of Health and Human Services) to streamline existing regulations under HIPAA. They also expressed concerns about the proposed size-based threshold, which could impose reporting obligations on smaller physician offices with revenues as low as $9 million annually. Do you agree that collaboration between CISA and HHS could streamline regulatory burdens? #HealthcareSecurity #CISA #CybersecurityReporting

5

I hope everyone is having a good Friday. Time for some Sa(a)S. We're continuing the CMMC series with a more detailed breakdown of the 3 levels. The full post can be seen here: https://lnkd.in/g-DCGGi2 For a quick summary, all 3 levels are from NIST SP 800 171 (and 172 for level 3), so it's at least not completely new standards. And why the standards are still in the rule-making process, we have a good idea what the final requirements will be. Level 1 will have 17 requirements and is intended for the least sensitive DoD contracts. This certification will be based off of a self assessment. Level 2 has a big jump to 110 total requirements as more national security implications are expected with the associated contracts. This is expected to be the most common level, and in most cases will require a 3rd party assessment every 3 years with an annual self assessment. Level 3 is for the most sensitive contracts that don't involve classified (or greater) designations and will add up to an additional 35 requirements above level two. For this, companies will need to have Federal officials perform the assessment every three years. Please reach out with any questions and have a great weekend! #cmmc #cybersecurity #securityawareness

8

Brief article on #CISA's proposed rule to require certain entities in the 16 critical infrastructure sectors to timely report specific cybersecurity incidents and ransomware payments. #govcon #cyber #criticalinfrastructure

4

1 Comment

Enhanced Visibility & Hardening Guidance for Communications Infrastructure CISA has released actionable guidance to help organizations bolster the security and resilience of critical communications infrastructure. * Enhanced Network Visibility: Tools and strategies to monitor and detect potential vulnerabilities. * Hardening Measures: Practical steps to fortify systems against evolving threats. * Proactive Defense: Best practices for mitigating risks to critical infrastructure. Secure your communications systems today and stay ahead of potential threats. Explore the full guidance here: https://lnkd.in/gADKtUPf #Cybersecurity #InfrastructureSecurity #CISA #Resilience

24

In a recent conversation a cyber assessor asked me how they could get leadership buy-in to using risk quantification. Here are 3 ways I'd suggest doing this. Let me know what you think in the comments. 1. Use Industry Profiles for Context : Show how your organization compares to others in your industry in terms of risk exposure by using industry data. This helps highlight where your organization stands and can spark interest in exploring risk quantification further. 2. Highlight a Recent Attack : Use a recent cyber attack that affected your industry as an example. Show the potential financial impact and likelihood of such an attack on your organization. This makes the concept of risk quantification more real and urgent, helping leaders understand its importance. 3. Clarify Risk Levels : When discussing risk, push for clear definitions of what “high,” “moderate,” or “low” risk means by advocating for a quantified approach. This can help uncover inconsistencies in how risk is evaluated and emphasize the need for a standardized risk assessment method. Have you had success getting leadership buy-in to using risk quantification?

1

2 Comments

Incident reporting is really important at all levels. End user self reporting is crucial and often overlooked. https://lnkd.in/dgVj5hZa

5

Just in - CISA publishes Encrypted DNS Implementation Guidance for Federal Agencies to enhance cybersecurity and protect sensitive data. Stay ahead of the curve with this important resource: https://lnkd.in/eMeN-uxt #cybersecurity #CISA #encryptedDNS

2

The National Institute of Standards and Technology (NIST) has released the latest draft of its #password #guidelines, simplifying password management and eliminating complexity rules that previously required a mix of character types. The new guidelines, outlined in the draft version of SP 800-63-4, focus on making passwords longer and easier to manage while no longer mandating regular password changes unless there is evidence of a #breach. NIST’s updated guidelines represent a shift from promoting complex password requirements to recommending #passwordlength as a more effective strategy for protecting credentials. The guidelines suggest that passwords should be at least eight characters long, with a recommendation for passwords of up to 15 characters. The draft also encourages password flexibility, allowing users to include ASCII and Unicode characters, and does not impose any #restrictions on character composition. The move away from complexity stems from evidence that users often create predictable or weak passwords, leading to risky practices such as writing passwords down #stickies or reusing them across multiple personal and work accounts. Instead, #NIST emphasizes longer passwords that are harder to crack through #bruteforce attacks and easier for users to remember without sacrificing security. I personally love #passphrases that are long and personal and do not need a #passwordmanager that have a tendency of being #hacked in the past. The draft also advises against requiring regular password resets unless there is a clear security concern. #Jury is out on that one! Public comments on the draft are being accepted until October 7, 2024. Source: https://lnkd.in/gra8T7W2

35

1 Comment