December 16, 2021 By SME, Inc.

CMMC 2.0: What You Need to Know

As a DoD contractor, you already know the road to CMMC compliance is full of twists and turns. Now, amid concerns about the costs and complexities of the process, the DoD has overhauled the Cybersecurity Maturity Model Certification once again, launching CMMC 2.0 in November.

CMMC 2.0 is the DoD’s effort to streamline and improve the earlier CMMC compliance requirements, specifically by revamping the five maturity levels into three. CMMC 2.0 maintains the program’s original mission of protecting sensitive information but offers several other advantages for some government contractors:

  • Simplifies the standards.
  • Minimizes barriers to compliance.
  • Sets priorities for protecting DoD information.
  • Provides additional clarity on regulatory, policy, and contracting requirements.
  • Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.
  • Increases department oversight.
Collapse and Streamline of Levels

CMMC 2.0 still has Levels 1, 2, and 3, but they are very different from the levels of CMMC 1.0. Levels 2 and 4 have been eliminated. Here’s a brief overview of what the new levels look like.

Level 1 mostly stays the same, with 17 practice requirements, but third-party assessments are no longer required. Instead, an annual self-assessment will be required to certify compliance.

Level 2 (formerly level 3 in CMMC 1.0) will be aligned with the full 17 NIST 800-171 practices but eliminates all CMMC unique practices and processes. Assessments for Level 2 will be triennial third-party assessments for critical national security information and annual self-assessments for select programs.

Level 3 (formerly level 5 in CMMC 1.0) will use a subset of 100+ NIST 800-172 practices. Level 3 will require triennial government-led assessments.

The Interim Rule Is Still In Effect!

The Interim Rule is still in effect! The NIST 800-171 Self-Assessment, SSP, POA&M, and SPRS score still stand. However, the timeline for contracts to include the CMMC level may change from 2025 to 2023.

Confused yet? With the introduction of CMMC 2.0, it’s time to take a look at where you are now, what the new changes mean for your company, and where you need to go. SME can help you better understand 2.0 and how you can competitively position your organization by developing a plan on how to get there.


November 18, 2021 By SME, Inc.

DOJ and the New Cyber Fraud Initiative for False Claims

Cybersecurity is no joke. And that’s just the message that the Department of Justice (DOJ) is sending with its creation of the Civil Cyber Fraud Initiative. This initiative allows the DOJ to use civil enforcement of the False Claims Act (FCA) against government contractors and grant recipients who fail to follow required cybersecurity standards, jeopardizing U.S. information and infrastructure.

All government contractors should take this initiative very seriously. Failure to adopt and maintain cybersecurity best practices can mean reimbursing the government and taxpayers for losses incurred if your company fails to satisfy your cybersecurity obligations. In fact, for the fiscal year ending September 30, 2020, the DOJ collected more than $2.2 billion in settlements and judgments from civil cases involving fraud and false claims against the government.

SME can help you avoid DOJ scrutiny and potential FCA claims with our trusted cybersecurity tools that meet federal standards and regulatory obligations. We can help you implement a cybersecurity hygiene strategy so you can avoid FCA enforcement.

Give us a call at 703-378-4110 if you’re ready to learn more about how SME can help.


October 20, 2021 By SME, Inc.

CMMC Lessons Learned from a C3PAO

By now, DoD contractors already mired in the complexities of Cybersecurity Maturity Model Certification (CMMC) know one thing for certain: the process takes time—anywhere from six to 12 months, depending on the maturity of your company’s security level, policies, and procedures. If you want to continue to win government contracts, and you haven’t started the CMMC process yet, it’s crunch time, and a last-minute cram session won’t cut it in this case. 

There is a LOT that goes into the CMMC certification process. While not every DoD contractor’s compliance journey will be the same, those who are ahead of the game have valuable insights that every organization can apply. To help ensure you start your CMMC efforts off on the right foot, here are some lessons learned by Certified Third-Party Assessor Organizations (C3PAOs).

Don’t Skimp on Standard Operating Procedures (SOP)

At CMMC Level 2, organizations are required to document a system security plan, practices, and policies that allow staff to perform processes in a repeatable and consistent way. Best practice shows that having robust, detailed, step-by-step procedures, including a well-defined purpose, scope, and roles and responsibilities for each activity, is important for a successful CMMC assessment.

Make an Incident Response Plan a Priority

Also high on the list of lessons learned is establishing a formal, proactive Incident Response (IR) plan and regularly testing it to increase your organization’s ability to respond to security incidents.

Know Your Network Inside and Out

Get to know your network—and the people who use it—intimately! Start by performing an audit: inventory every device connected to your network and approve each one, along with the applications and software it runs (including your email system), and record the results in a list. Also know what data is stored on your network. CMMC focuses mainly on protecting controlled unclassified information (CUI), which can include software executable code, source code, technical reports, studies, analyses, intellectual property, engineering drawings, and tax-related information, to name a few.

Get a Grip on Daily Cybersecurity Hygiene

Checking in on your organization’s cybersecurity measures every day isn’t just a suggestion, it’s a must. And it’s much more than protecting passwords and telling employees not to click on phishing links. There are 5 levels of CMMC cybersecurity hygiene, each with its own requirements. One way to get a handle on daily cybersecurity hygiene—and show your due diligence—is through a dashboard-driven tool like SME’s state-of-the-art Compliance Management Platform, which gives you the visibility you need to know the real-time status of all your programs.

Need CMMC Assistance?

If you bid on DoD contracts, don’t wait any longer to start your CMMC certification process. SME will work with you to prepare and navigate CMMC and help you maintain your maturity levels. Give us a call at 703-378-4110 or email info@smeinc.net.


September 16, 2021 By SME, Inc.

IoT Security: Tips to Securing Your IoT Devices

Internet of Things (IoT) devices are great! Not only do they provide automated, seamless assistance in normal, everyday life; they also make life simpler. Can’t remember if you locked the door before leaving? Open up the app for your smart door lock and engage the lock. Want to make sure the house is the perfect temperature when you arrive? Smart thermostats like Nest, Ecobee, or Honeywell give you the ability to turn on the heat or AC before you even walk through the door; and who doesn’t like the idea of making sure dinner is cooking and will be ready when you get home from work? There’s a smart Crockpot for that! Yes, seriously! Even a large majority of the TVs sold in stores are Wi-Fi enabled.

As convenient and simple as these devices can make our everyday lives, they can also be something of a double-edged sword, as they can come at a price significantly higher than what the device itself costs. As with many of the electronic and internet-enabled devices we use in everyday life, IoT devices require a certain level of security, and ignoring this aspect of your IoT devices can do much more harm than good.

How IoT devices Can Make Us More Vulnerable

As with any device that connects to a network, hackers can use IoT devices to gain access to, and even a long-standing foothold in, your network, and this can happen through even the most unexpected of devices. Unfortunately, many of us are more concerned with getting these cool new devices configured and set up on the network so that we can start using them immediately, and as a result we put the idea of securing them on the back burner.

So what exactly can be done to secure these IoT devices? Actually, there is quite a bit that can be done!

Use Your Own Network, Avoid Public Wi-Fi

It should go without saying that if you’re planning to try out that new Wi-Fi enabled toaster, don’t connect it to a public Wi-Fi network. In the rare case that you absolutely have to connect the device to a public network, use a Virtual Private Network (VPN).

Set Up and Use a Guest Network

Guest networks are simple to set up and configure and provide an extra layer of security for your network. This is especially true when you have visitors who want to use your Wi-Fi, either at home or in the office. The guest network gives them access to the network and, of course, the internet, but it isolates them from the main network so they can’t access any of the other devices or systems connected to it.

It is also recommended to use a guest network for your IoT devices, so that in the off chance one of them is compromised, the threat actor (hacker) will be confined to that guest network and unable to access your personal devices on the main network.

Always Reconfigure Every IoT Device

Whether you receive it as a gift or purchase it as soon as it hits the shelves, every IoT device you plan to connect to your network needs to be reconfigured during setup. This doesn’t mean you have to take the device apart to “hack it”; it simply means setting up a strong, complex, and secure password for the device, as well as for the email or federated login account you use to set up the device.

Use Strong Passwords

As mentioned above, make it a habit to use strong, complex passwords for all the devices you connect to your network and for the accounts you create for those devices. People tend to reuse the same password across many of their devices and accounts; worse, most of these passwords are simple and can easily be guessed or cracked by hackers.

Also make a habit of using Two-Factor Authentication (2FA) if the account or device allows it. 

Always Know What Is Connected to Your Network

It should go without saying that you should always be aware of what devices are connected to your network. Many of today’s wireless routers come with easy-to-access, user-friendly administrative interfaces that show exactly which devices are connected to your network. Some routers are set up and configured using an app, and these apps allow the same type of administrative check.

Ensure Devices are Updated

When initially setting up a new IoT device, always check whether it has any software or firmware updates that can be applied. An even more helpful feature is auto-update; if the device has this capability, enable it. Make a habit of checking whether the device needs updating.

IoT devices and the technology that drives them have seemingly unlimited potential to assist us in our daily lives, but do not disregard the risks. You can purchase the most highly rated, most expensive IoT device on the market, created by the top companies in the field, but at the end of the day the security of your IoT devices and your network is up to you and the time and level of protection you are willing to invest.


September 13, 2021 By SME, Inc.

Security Awareness Training from a CSAP Professional

Ransomware, phishing, password cracking, social engineering—these are all REAL threats, and they are only getting worse as cyber criminals get better. If you are a DoD contractor, it’s time to get your staff on the same security page. If your staff isn’t trained in cybersecurity hygiene, then they’re putting your entire organization at risk.

As part of CMMC compliance, Security Awareness and Training (AT) is one of the 17 domain requirements that companies seeking CMMC maturity certification Level 2 or higher have to meet before working on government contracts.

The requirement means that you must have an effective cybersecurity training program in place. There are five AT practices broken into two capabilities: C011 Conduct Security Awareness Activities and C012 Conduct Training. Here’s a look at how the practices are broken out.

C011 includes two practices:

AT.2.056: Cybersecurity awareness training for all users

This practice ensures that managers, system administrators, and users of company systems are conscious of the various security risks related to their activities, and the procedures, standards, and policies related to the security of those systems.

Contractors can comply with this DoD CMMC requirement by conducting an annual cybersecurity awareness training. This training program must be customizable and should come with links to a company’s security policies and the contact information of its security department.

AT.3.058: Provide cybersecurity awareness training to identify and report possible insider threats

Contractors handling controlled unclassified information (CUI) must conduct insider threat training as part of their cybersecurity initiative. The training must identify the risk factors involved in becoming an insider threat, as well as a less formal way of reporting potential threats to avoid discrimination among friends and colleagues.

C012 includes these four practices:

AT.2.057: Ensure that cybersecurity personnel are properly trained to perform their security-related tasks and responsibilities.

Contractors should implement security training designed for system administrators, help desk, developers, and testers. Cybersecurity personnel should also possess security certifications such as a Certified Information Systems Security Professional (CISSP).

AT.4.059: Offer security awareness training designed to detect and respond to threats from suspicious behavior, breaches, advanced persistent threats (APTs), and social engineering. This security awareness training must be updated at least once a year, or if new threats are discovered. (Meant for certification levels 4 or higher)

To meet the requirements of this practice, contractors must conduct security awareness training sessions that focus on tactics used by APT actors. The goal of this practice is for companies to go beyond basic cybersecurity practices and broaden their cyber defenses against more advanced attacks.

AT.4.060: Practical exercises must be included in security awareness training modules. These exercises should be aligned with the latest threat scenarios and must offer feedback to personnel involved in the training. (Meant for certification levels 4 or higher)

This practice is designed to enhance a contractor’s security awareness training by including exercises associated with real-world threats. Also, the requirement to provide feedback is to ensure contractors are being proactive in measuring the value provided by these security exercises.

How you get trained is important too. SME’s CMMC experts are Certified Security Awareness Practitioners, or CSAP. Our security awareness training program includes everything you need to select the right content, deploy your training, and obtain detailed reporting on progress and completion. Don’t put off this important CMMC certification requirement. Our training programs are easy to arrange and affordable. Start your Security Awareness and Training domain requirement today!


August 25, 2021 By SME, Inc.

CMMC is Here and It Isn’t Going Away…So Get Ready

The Cybersecurity Maturity Model Certification program (CMMC) is ramping up this summer—even though approved CMMC Third-Party Assessment Organizations (C3PAOs) are in short supply and timelines are ever evolving. These hiccups might have you thinking you have all the time in the world to start your CMMC certification. Unfortunately, that assumption just isn’t correct.

CMMC isn’t going away. Though the organizations waiting to receive their C3PAO status are stacking up, so are the thousands of DoD contractors who are waiting to achieve CMMC certification. Having the right controls in place isn’t something you can wing or pencil-whip your way around. Now is the time to save your place in line so you don’t miss out on opportunities for government contracts. Here are five steps you can take now to get closer to CMMC compliance.

Get to Know Your Data

Not every piece of data that resides in a contractor’s IT systems is classified—and it doesn’t have to be. In fact, CMMC largely focuses on protecting controlled unclassified information, or CUI. CUI data covers a wide range of information, including software executable code, source code, technical reports, studies, analysis, intellectual property, engineering drawings, tax-related information, and much, much more.

Test Your Backups

Are you prepared to recover from an event that might compromise the integrity or availability of your data? Backing up all content—not just CUI—is a CMMC requirement. A loss of data can significantly impact your operations, and, depending on CMMC level, impact national security. Now is the time to test your backup systems and determine their functionality.

System recovery is a key focus of CMMC, specifically the ability to recover from any event that compromises the integrity and availability of data. The requirement is to back up all content, not just controlled unclassified information (CUI) and other critical content.

Create an Incident Response Plan

Speaking of recovering from an event, contractors with Level 2 or higher CMMC requirements must have an incident response plan in place that proves your ability to detect, respond to, analyze, and report incidents, and to test that capability.

Practice Daily Cybersecurity Hygiene: That Means Everybody

CMMC success starts with every single person in your organization practicing cyber hygiene at all times. From the front desk to the C-Suite, ensuring cybersecurity in your government contracting business is everyone’s responsibility. This goes beyond checking off the usual boxes of password updates and identifying phishing emails. In cybersecurity, your firm needs to be right 100% of the time. Attackers only need to be right one time—the one time they detect a weakness and move in for the kill.

There are 5 levels of CMMC cybersecurity hygiene, and each has its own requirements. Level 1 is basic cyber hygiene and includes 17 practices from NIST standards that companies should already be practicing when working for the DoD. The levels go up from there to Level 5, which includes 171 practices. Organizations at this level have an advanced, progressive cybersecurity system in place and can assess and prevent advanced threats.

Even if CMMC weren’t a requirement for DoD contractors—you should be practicing cybersecurity hygiene anyway! With high-profile ransomware and leakware attacks making headlines with increasing frequency, it’s not a matter of if, but when, a compromise will take place.

Communicate with your Subcontractors

In addition to your own internal team, getting your subcontractors on the same page is also crucial to CMMC success—and it’s a requirement. Weaknesses in the DoD supply chain are most prevalent several levels down from the prime contractor. If you are a prime, know this: you are obligated to educate your subcontractors on the proper CMMC requirements and where CUI lives on your systems so they can begin their CMMC journey as well.

With thousands of DoD contractors already waiting to achieve CMMC certification, you don’t want to find yourself at the back of the line. No matter where you are in the process, SME can help you navigate it. We’re experts in CMMC certification requirements and implementation. Give us a call at 703-378-4110 or email info@smeinc.net.


July 28, 2021 By SME, Inc.

SME Compliance Management

Cybersecurity and Compliance Made Easy

Do you have a compliance action plan in place? With 171 sub-controls across five levels, CMMC compliance can seem overwhelming—even more so for contracts with higher level requirements. SME’s Compliance Management Platform makes compliance easy for DoD contractors to maintain their eligibility.

What is SME’s Compliance Management Platform?

Our state-of-the-art Compliance Management Platform is a dashboard-driven tool that helps your organization crosswalk from NIST 800-171 to CMMC, at any maturity level. The platform gives you the visibility you need to know the real-time status of your programs—across all lines of business—and makes it easy to assess, build, manage, connect, and report all of your cybersecurity functions. Here’s a look at some of the features.

Assessment Manager

Predefined or customized templates. The questionnaire-based Assessment Manager in SME’s Compliance Management Platform lets you evaluate your cybersecurity posture quickly and easily. You can fast-track assessments using the Platform’s predefined templates or customize your own to match your unique needs.

One-click reporting. The reports feature improves visibility for all your stakeholders, including auditors, executives, and the Board of Directors. And you can transfer the results of your assessment to a program to get a head start on compliance, management, and remediation.

Create a full program. Transfer your completed assessment results and evidence into a full program. There you can manage remediation tasks and workflows, monitor compliance progress and budgets—and create additional reports.

Harmony

As your cybersecurity program matures, the Harmony feature of the Platform makes it easy for you to add and manage multiple frameworks as one mapped program without duplicating your efforts. This means you can consolidate thousands of subcontrols from an entire library of frameworks, making your cybersecurity and compliance efforts much more efficient. In fact, you could see a reduction in cost, time, and effort by 60% and gain a head start on compliance with:

Unlimited combinations. Crosswalk frameworks in unlimited combinations.

One-click reporting. Easy report feature for consolidated analysis of mapped programs supports a wide variety of recurring and ad hoc reporting needs.

Flexible monitoring. Monitor and report on combined and individual frameworks.

Streamlined maintenance. Data replication across subcontrols in both the mapped program and standalone frameworks.

Automatic uncoupling. If you need to remove a framework from a mapped program, the Compliance Management Platform will automatically uncouple its subcontrols, which remain in each standalone framework.

For seamless execution of your CMMC strategy, let SME’s robust Compliance Management Platform be your competitive advantage. To start your compliance action plan, give me a call today at (571) 601-1496 or email info@smeinc.net.


June 11, 2021 By SME, Inc.

What’s the Latest in CMMC?

You know about the CMMC Interim Rule that went into effect November 30, 2020, bringing several important changes to the Department of Defense’s cybersecurity requirements. Are you ready to jump into action? You should have already reported your NIST SP 800-171 self-assessment score through the Supplier Performance Risk System (you did that, right?). Assuming you’ve completed this important first step, what should you do now?

System Security Plan

You’ll want to create a System Security Plan (SSP) that summarizes how you are compliant with the NIST 800-171 controls. The SSP might include:

  • Outlining the controls.
  • Defining each control within the environment.
  • Documenting the successful implementation of each control.
  • Describing the testing procedures.

Plan of Action and Milestones

If your self-assessment shows that not all 110 Controlled Unclassified Information (CUI) controls in NIST SP 800-171 have been implemented, you’ll also have to create a Plan of Action and Milestones (POA&M). This is a detailed strategy for how, and when, your organization will remediate the gaps. Important components of the POA&M include:

  • Identifying the underlying security weakness revealed in the assessment.
  • Classifying risk levels of each weakness.
  • Determining the extent of each weakness within the environment.
  • Creating a planned approach to mitigation.
  • Determining the resource(s) responsible for mitigating each weakness.
  • Maintaining detailed, clear documentation.

The POA&M is your organization’s roadmap to official certification and is proof of your commitment to remediate any security weaknesses—so make it count. An audit will uncover a weak effort and could delay your certification, putting you at risk of losing a contract.

Maturity

You are one step closer to compliance once you fully implement your POA&M. However, keep in mind that it could take anywhere from nine to 12 months to execute completely. The sooner you create your POA&M, the more maturity you’ll have. And the more mature your cyber environment, the less of a risk you present.

For primes and subcontractors, patience and flexibility are necessary as the process unfolds over CMMC’s phased five-year rollout. Let SME help you get through it. We’re experts in CMMC certification requirements and implementation. We can help you complete and review your self-assessment, SSP, and POA&M. Give us a call at 703-378-4110 or email info@smeinc.net.

May 28, 2021 By SME, Inc.

Ransomware

In the weeks following the Colonial Pipeline attack, many of us became aware that ransomware is a serious concern we all face. Many cyber-criminals are agnostic about whom they target with ransomware: victims range from large multinational corporations to local hospitals, to individuals like you or me, and, in this most recent instance, highly critical U.S. infrastructure. This attack had a direct effect on millions of Americans and led to long lines at the gas pump and even gas shortages in some states along the Eastern Seaboard.

Headlines, news stories, and anxiety about how soon a fix would be implemented were on the minds of many of us during the weeks after the attack. In the end, Colonial Pipeline paid the hackers roughly $4.4 million to have their data decrypted.

However, after all of the stories and buzz about the incident, many people may still be wondering what exactly ransomware is, how it works, and why it is becoming more popular with cyber-criminals. Our goal for this post is to provide some answers to these questions.

What is Ransomware?

Ransomware is a form of malware, or virus, that encrypts data and files on a victim’s machine, preventing users from accessing their files. When ransomware infects a system, it searches for files and begins encrypting them; often it encrypts all of the files on the machine. The attackers hold the key that can decrypt the files, which they commonly offer to hand over once a ransom has been paid, but that is never a guarantee.

Most ransomware displays a ransom notice or pop-up to users, usually by replacing the desktop background image or placing a text file with instructions in the folders it has encrypted. The ransom notice demands payment, which may range from hundreds to several thousand dollars, typically in cryptocurrency to keep the transaction anonymous and untraceable.

How Does Ransomware Work?

Ransomware can enter a network in several ways; the most common is a download, though infection can also result from social engineering. These downloads can take the form of email attachments or programs disguised to perform a specific function or task but that actually carry the ransomware. Once downloaded, the ransomware begins attacking the system: it encrypts the data and files on the system and adds a new file extension to them, making them inaccessible and unusable. There are even more sophisticated ransomware variants that can spread themselves across networks and systems without human interaction, much like a computer worm.

Ransomware’s Rise to Popularity

Ransomware attacks have grown in popularity in recent years for several reasons. The most likely reason is that, more often than not, ransomware victims end up paying to have their data decrypted, so cyber-criminals see it as an easy way to make money.

Some other reasons that it is becoming more widespread:

  • Use of new techniques for encrypting data (encrypting the entire drive instead of just certain files)
  • Ransomware and other malware kits that can be used to create malware on demand are becoming more readily available
  • Malware and ransomware creators are becoming more sophisticated in their design and development; many use generic interpreters and cross-platform technologies so the malware can reach more victims
  • Ransomware and other forms of malware are becoming easier and easier to use; cybercriminals do not have to be tech savvy to use, send, or spread ransomware
  • Ransomware marketplaces can easily be found online, offering different variants of malware and ransomware that can be purchased and used as the buyer chooses

There is a silver lining to this cloud: ransomware can be mitigated and even prevented. If you would like to read more about this, check out one of our previous posts, “Ransomware Prevention: Backups & Data Recovery”.

SME offers both Managed Backup solutions and Cloud Backup Storage solutions that ensure reliable backups of your data. For any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.


May 25, 2021 By SME, Inc.

Security Awareness Training Tips

A fact that many businesses and organizations have difficulty accepting is that their employees are one of the biggest risks to their overall security posture. Human error is still considered the leading cause of data breaches and compromises.

However, with proper Security Awareness Training that provides the fundamental understanding and knowledge to identify threats, your employees can act as another line of defense altogether and even become one of your greatest assets. When designing, developing, and implementing a Security Awareness Training program, it is vital to take into consideration all of the cyber threats your organization is most likely to face and to address those directly with your employees.

The goal of this post is to discuss some of the more common Security Awareness Training program topics.

Phishing

Many of you reading this have received a call about your car's extended warranty, or a call claiming to be from the IRS or the Social Security Administration. Phishing, whether it arrives by email, text message, or phone call (vishing), is still one of the most common methods cybercriminals use to gain access to an organization's network and resources. Threat actors play on fear, emotion, or empathy to exploit human nature: our inherent willingness to trust others and our ingrained need to help. They create a sense of urgency or fear, or dangle an incentive such as free stuff, a "stay in the Hamptons," or "a free cruise." Training should teach employees to slow down, verify the request through a channel they already know (the real phone number or website, not the one in the message), and report suspicious messages instead of acting on them.

Password Security

Passwords are still the primary authentication mechanism used by organizations, and poor password security is one of the biggest threats to enterprise security. Most employees have a dozen or more accounts that require a username (typically their email address) and a password. The following tips are important to include in training content.

  • Passwords should be long and randomly generated, never based on dictionary words, names, or personal details
  • Always use a different, unique password for each online account, so that one breached site does not expose the others
  • Passwords should contain a combination of letters, numbers, and symbols
  • To make managing all of these accounts easier, use a password manager; it generates and stores the random passwords so nobody has to memorize them
  • When possible, always use Two-Factor or Multi-Factor Authentication (2FA/MFA) to reduce the risk from a compromised password
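As an added example (not code from the original post), the following Python shows what "randomly generated" and "a combination of letters, numbers, and symbols" mean in practice: passwords and passphrases drawn from the operating system's cryptographic random source via the `secrets` module, a policy check that matches the rules above, and an entropy calculation that shows why length and true randomness matter more than symbol rules. The word list is a constructed stand-in for a real passphrase list.

```python
import math
import secrets
import string

# Full printable ASCII set minus whitespace: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed (illustrative) word list; a real passphrase generator would use a
# published list such as the EFF long list (7776 words).
WORDS = ["anchor", "basil", "copper", "dune", "ember", "falcon", "granite", "harbor"]


def meets_policy(password, min_length=12):
    """Check the training rule: long enough and mixes upper, lower, digits and symbols."""
    return (
        len(password) >= min_length
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length=16, alphabet=ALPHABET):
    """Random password drawn from the OS CSPRNG via the secrets module.

    random.choice() is seeded from predictable state and must not be used for
    secrets. Drawing is repeated until the result also satisfies meets_policy(),
    so a generated password never fails the policy it is meant to satisfy.
    """
    if length < 12:
        raise ValueError("length must be at least 12")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_length=length):
            return candidate


def generate_passphrase(words=WORDS, count=5, separator="-"):
    """Diceware-style passphrase: each word is an independent uniform draw, so
    entropy is count * log2(len(words)) regardless of how memorable it reads."""
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet_size).

    16 random characters over 94 symbols is about 104.9 bits; 5 words from a
    7776-word list is about 64.6 bits. A human-chosen 'P@ssw0rd' passes the
    complexity rule but sits far below either, which is why generation matters
    more than composition rules.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(16, len(ALPHABET)), 1))
    print(generate_passphrase(), round(entropy_bits(5, 7776), 1))
```

The passphrase entropy figure assumes a real 7776-word list; with the eight-word list constructed here it is only 3 bits per word, which is the point of the formula: the list size, not the word choice, sets the strength.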

Safe Internet Habits

Almost every employee in the workplace, especially in tech, has access to the internet. Security Awareness Training programs should incorporate safe internet habits both inside and outside the workplace to further protect the network and your employees from threat actors.

  • How to spot and recognize spoofed or lookalike domain names (misspellings, substituted characters, a familiar brand used as a subdomain of an unrelated site)
  • The difference between HTTP and HTTPS and why it matters: HTTPS encrypts the connection and authenticates the site name, but a padlock alone does not prove the site is legitimate
  • The potential dangers of downloading software from untrusted or suspicious websites
  • The inherent risks of entering login credentials into suspicious or untrusted websites
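As an added example, not from the original post, here is a Python check that applies the first two habits above to a link before someone clicks it: it decodes punycode so the host reads as the browser would show it, maps lookalike Cyrillic and Greek letters to their Latin counterparts, flags a trusted brand name smuggled into a subdomain, flags names within two edits of a trusted domain, and warns when the scheme is not HTTPS. The trusted-domain list and the confusables table are constructed, illustrative subsets.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow list of domains employees legitimately use; a real
# deployment would load the organization's own list.
TRUSTED_DOMAINS = ["example.com", "paypal.com", "microsoft.com"]

# Small sample of Unicode characters that render like Latin letters
# (Cyrillic and Greek); the full Unicode confusables table is much larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}


def unicode_host(host):
    """Return the host as a browser would display it: punycode labels
    (xn--...) decoded back to Unicode, anything else unchanged."""
    if not host.isascii():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(host):
    """Lower-case, NFKC-normalise and replace lookalike characters so that a
    spoof such as 'pаypal.com' (Cyrillic а) compares equal to 'paypal.com'."""
    shown = unicodedata.normalize("NFKC", unicode_host(host)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in shown)


def registrable_domain(host):
    """Naive registrable domain: the last two labels. Ignores multi-part public
    suffixes such as co.uk, which a real check would handle via the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for a link; an empty list means nothing suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return ["no host name in URL"]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS: anything typed on this page travels in clear text")
    shown = unicode_host(host).lower()
    skel = skeleton(host)
    reg = registrable_domain(skel)
    if reg in trusted:
        # Same name after confusable mapping but different characters on screen.
        if skel != shown:
            warnings.append("lookalike characters: %r renders like %r" % (shown, skel))
        return warnings
    for t in trusted:
        if ("." + t + ".") in ("." + skel + "."):
            warnings.append("subdomain trick: %r belongs to %r, not to %r" % (skel, reg, t))
        elif levenshtein(reg, t) <= 2:
            warnings.append("typosquat: %r is within two edits of %r" % (reg, t))
    return warnings


if __name__ == "__main__":
    for link in ["https://www.paypal.com/signin", "http://www.paypal.com/signin",
                 "https://paypal.com.evil-login.example/", "https://paypa1.com/",
                 "https://p\u0430ypal.com/"]:
        print(link, check_url(link) or "ok")
```

The registrable-domain helper is deliberately naive; a production check would use the Public Suffix List so that `bank.co.uk` and `bank.co.uk.evil.example` are split correctly, and would carry the full Unicode confusables data rather than the handful of characters above.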

Social Networking Risks

More and more organizations are using social media as a customer service channel, a way to connect and build relationships with their customers, and even a way to generate online sales. Unfortunately, cybercriminals have also started using social media as another attack surface that puts organizations' reputations and systems at risk.

An organization's Security Awareness Training program should include a section on social networking, limit the use of social networking on premises, and train employees on the threats social media presents: impersonation of the company or its staff, fake accounts and messages used to deliver phishing links, and oversharing of details (job titles, projects, travel) that attackers use to craft convincing pretexts.

Removable Media

Removable media such as CDs and USB drives are useful for sharing and transferring documents, but they are just as useful to cybercriminals, because media carried in by an employee bypasses the organization's perimeter defenses. Malware can be placed on the media and configured to execute automatically on insertion, or the file can be given an enticing name so that an employee opens it. Malicious media of this kind can be used to install malware such as ransomware, steal data, and even destroy the system it is plugged into.

  • Tell employees never to plug untrusted removable media into a computer, including drives found lying around or received unsolicited
  • Take any untrusted device to the IT or Security Team for scanning and approval before use
  • IT/Security Teams should disable AutoRun on all computers (on Windows this is the NoDriveTypeAutoRun policy value; 0xFF disables AutoRun for every drive type)

Clean Desk Policy

Organizations should take the time to inform their employees of the Clean Desk Policy. This means employees do not leave sensitive information out on their desk for passersby or others to glance at: printouts, papers, sticky notes, and similar items that can easily be read by prying eyes or taken by thieves. Before leaving a work space, all sensitive and confidential information should be securely stored.

Physical Security

Security Awareness does not apply only to computers and other electronic devices; employees should also be made aware of the physical security risks in the workplace.

  • What "shoulder surfing" is and how to counter it (angle screens away from walkways, use privacy filters)
  • Verifying the credentials of unfamiliar people before letting them in or assisting them, to prevent impersonation and tailgating
  • Never leaving passwords written on pieces of paper on one's desk
  • Never leaving company-issued devices out in the open
  • Always locking or logging off company-issued computers when leaving one's desk

SME is here to help improve your security posture and get rid of those sleepless nights. For any IT/security related questions, please give us a call at 703-378-4110 or email info@smeinc.net.

Filed Under: Uncategorized


    Simply Making IT Easier!™
    Local: 703-378-4110
    Toll Free: 855-2-SMEINC
    Email: info [at] smeinc.net

    Copyright © 2023 · Systems Management Enterprises, Inc. · Privacy Policy · Terms of Service