🚨 NEW BLOG ALERT 🚨 🏆 Supporting CMMC Compliance: The Role of a Cloud Service Provider

Do you have DoD contracts or subcontracts? Is your business ready for CMMC? Do you leverage SaaS providers to handle protected federal data?

📊 In this latest CMMC blog, I seek to help explain how Cloud Service Providers (CSPs) play a critical role in supporting government contractors with cybersecurity compliance requirements and what to watch for as the Cybersecurity Maturity Model Certification (CMMC) program becomes reality for DoD contractors.

🔑 Key Blog Topics Discussed:
📍 What is CMMC and When Is It Coming?
📍 What Role Does a CSP Play in CMMC?
📍 How Does FedRAMP Factor Into CMMC?
📍 What Are the Consequences of Picking the Wrong CSP?
📍 Best Practices To Approach Cybersecurity Compliance

This is essential reading for any company that has DoD contracts and will be subject to CMMC requirements. Don’t risk leaving your business uninformed and vulnerable—check out this blog today! 🖥️ https://lnkd.in/dvXxyVzX

#Deltek #CMMC #Cybersecurity #Compliance #GovernmentContracts #CyberResilience #DataProtection #CloudServiceProvider
Michael Greenman’s Post
More Relevant Posts
-
NEW BLOG of Interest... How Can Deltek Help? With DoD’s CMMC enforcement rule racing toward the finish line and assessments beginning very soon, defense contractors face imminent risk to their funding source and need a secure solution from a trusted provider to meet their compliance needs. Deltek has supported compliance requirements for government contractors for decades and is prepared to support CMMC requirements as a Cloud Service Provider (CSP) with our Costpoint GCCM offering, which has achieved FedRAMP Moderate Ready status and is listed on the FedRAMP Marketplace. DoD contractors need to be aware that CSPs cannot inherit FedRAMP Authorization from third-party providers such as Amazon GovCloud or Microsoft GCC High. Deltek’s product security roadmap demonstrates that we treat security of your data seriously and that we will continue to invest in secure solutions that deliver value and peace of mind for government contractors to achieve compliance standards and win more contracts.
Supporting CMMC Compliance - The Role of a CSP
deltek.com
-
Understanding Changes to ESP Certification Requirements? 🛡️ CMMC 2.0 is here, and it’s reshaping the landscape for certification. Key changes streamline the process but also bring new compliance hurdles. Why does it matter? Adapting to these updates is critical to maintain your compliance and protect your business's future. 🔍 Get informed today — find out what these changes mean for your organization. Read more here: [https://ow.ly/YKCo50TSpxB] #CyberSecurity #CMMC #Compliance #Certification #ESP #InformationSecurity #DataProtection #RiskManagement #BusinessSecurity
Changes to ESP Certification Requirements in CMMC 2.0: What You Must Know
usgovcert.com
-
Seeking SOC2 Certification? is a key first step in assessing your business’s password security. Let’s dive deeper into what it entails, its password requirements, and how a password manager can help. https://bit.ly/43JLS3p #SOC2
Seeking SOC2 Certification? Get a Password Manager - The LastPass Blog
blog.lastpass.com
-
The Trust Center tools offered by compliance vendors are pretty slick. They describe the organization's compliance program, what certifications and attestations they have, what controls they have in place, who their subprocessors are. In many respects, these are good tools that organizations should deploy. I have looked at a number of trust sites and have found a few themes.

1) The request for access to SOC 2 attestation report or similar documentation is not necessarily followed up on. While the company set up the site, they did not work on the process for when requests were made. I used the tool for one of our vendors (who doesn't have a great program) and they failed to respond. Since I am an actual customer I assume that I should be approved but they have not. I would bet that this behavior is not unique.

2) The controls listed on the website are very generic. I get that you are picking from a menu of controls. Someone in marketing is not crafting the specific language that is appropriate for your organization and site. Good trust centers should have language that is 100% applicable to the organization and not "The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH key." The sentence above does not give a good sense of the control or even if it is really being performed.

3) Speaking of not getting a good sense of things. Many of these pages do not give you good context for the cybersecurity program. I would like to see something like "Our cybersecurity team is led by Jane Smith, CISSP. We focus on x, y, and z." Maybe some statistics about the program. Most of these pages just give you raw information about the program.

What do you think of Trust Center pages? Do they make things better or worse? Let us know in the comments below. #fciso
-
Rob makes some great points on trust centers! What would you expect a Trust Center to have?!? Having reviewed many myself I’ve come to a similar conclusion… many popular trust centers can’t be trusted! Many are just a simple yes/no ✅ checkbox exercise put out by the marketing department. They don’t actually show real time data that is in alignment to a security program. They often lack real time data that shows ongoing security measures and compliance conformity. At Compliance Scorecard we believe in actual trust, with real time data to back up the security program and help approve, ongoing, continuous, compliance monitoring. Our friend Brian talks about “do what’s right” versus “do what’s popular” and that’s a similar mantra I have…
I help business leaders manage cybersecurity risk to enable sales. 🔷 Virtual CISO to SaaS companies, building cyber programs. 🔷 vCISO 🔷 Fractional CISO 🔷 SOC 2 🔷 TX-RAMP 🔷 LinkedIn™ Top Voice
-
🚀 Kaseya Kicks Off Cybersecurity Month: First MSP Vendor Committed to FedRAMP! 🚀 We're kicking off Cybersecurity Month with a major milestone! Kaseya is proud to announce that we’ve embarked on the journey to achieve FedRAMP. As one of the first MSP-centric platform vendors to make this commitment, we’re demonstrating our dedication to the highest standards of cybersecurity and compliance. 💪 Why this matters: With cybersecurity regulations tightening and the Cybersecurity Maturity Model Certification (CMMC) requirements on the rise, over 80,000 organizations will soon need to achieve CMMC Level 2 certification. Our commitment to FedRAMP will not only position Kaseya to support government and DoD contractors, but it also opens up new revenue opportunities for MSPs by enabling them to serve these high-compliance sectors. 🔒 Cybersecurity is our top priority and achieving FedRAMP underscores our multimillion-dollar investment in keeping our MSPs and their customers ahead of the curve. By partnering with the third-party assessor organization (3PAO) SERA-BRYNN, we’re making it easier for our partners to comply with CMMC and other federal standards – all while continuing to grow and thrive in a rapidly evolving compliance landscape. #CyberSecurityMonth #FedRAMP #Compliance #CMMC #Kaseya #MSPs #Cybersecurity #ITComplete #ITManagement
Kaseya Launches FedRAMP Authorization Process
kaseya.com
-
Today the NIS2 (Network and Information Security Directive) takes effect. It is the new European cybersecurity directive that will require organizations to establish a baseline of security measures to mitigate the risk of cyber-attacks and to improve the overall level of cybersecurity in the EU (or those doing business with the EU). Find out more about how Microsoft Security solutions can help your organisation be prepared: https://lnkd.in/e-tzDXAR
Navigating NIS2 requirements with Microsoft Security solutions | Microsoft Security Blog
https://www.microsoft.com/en-us/security/blog
-
The Network and Information Security Directive 2 (NIS2) is a continuation and expansion of the previous European Union (EU) cybersecurity directive introduced back in 2016. The purpose of establishing a baseline of security measures for digital service providers and operators of essential services is to mitigate the risk of cyberthreats and improve the overall level of cybersecurity in the EU. Organizations have until October 17, 2024, to improve their security posture before they’ll be legally obligated to live up to the requirements of NIS2. #Security #Microsoft #Cybersecurity
Navigating NIS2 requirements with Microsoft Security solutions | Microsoft Security Blog
https://www.microsoft.com/en-us/security/blog
-
Good summary of a complex issue
Are you overwhelmed by everything CMMC entails? NetCov's Bridget Wilson, CISSP, CMMC RP has put together an easy-to-understand roadmap to help you reach CMMC compliance going forward. https://hubs.li/Q02R8wV10 #CMMC #compliance #cybersecurity
Your Roadmap to CMMC Compliance - Network Coverage - Managed IT Service Provider
https://www.netcov.com
-
This Kiteworks article is a good read for companies who need to be warned against the misconception of "FedRAMP Equivalency" and its potential risks to CMMC (Cybersecurity Maturity Model Certification) compliance. It emphasizes that claiming such equivalency without proper assessment and validation can jeopardize an organization's compliance efforts. Don’t Be Fooled: Why Empty Claims of “FedRAMP Equivalency” Put CMMC Compliance at Risk https://lnkd.in/eQQfXVNz #cybersecurity #compliance #CMMC #FedRAMP #Kiteworks
Don’t Be Fooled: Why Empty Claims of “FedRAMP Equivalency” Put CMMC Compliance at Risk
kiteworks.com