CMMC 2.0

Cybersecurity Maturity Model Certification

The Cybersecurity Maturity Model Certification (CMMC) is a certification process developed by the Department of Defense (DoD) to assess the cybersecurity practices of organizations that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) for the DoD. CMMC requires that government contractors protect their CUI by implementing the NIST SP 800-171 controls and having them verified by a CMMC Third-Party Assessment Organization (C3PAO). With the recent release of CMMC 2.0, it is important for organizations to understand the changes and how they can affect their business.

The CMMC model includes 14 domains of cybersecurity practices, such as access control, incident response, and maintenance, and defines certification levels within those domains. Each level includes a set of requirements and practices that organizations must meet in order to achieve certification at that level. One of the major changes in CMMC 2.0 is the introduction of a new certification level, Level 3. This new level will require organizations to demonstrate a greater level of maturity and capability in their cybersecurity practices. Additionally, CMMC 2.0 includes new requirements for incident response, risk management, systems and communications protection, and cybersecurity governance. The certification process involves an assessment of an organization's cybersecurity practices by a third-party assessor, who evaluates whether the organization meets the requirements for the level of certification being sought. The new version also features a new certification process in which the certifying body has more control over the assessment: it is responsible for selecting the assessors and for scheduling and conducting the assessment, which allows more flexibility and responsiveness to the organization's needs.

It's important to note that CMMC certification is mandatory for certain contracts and not for others. Organizations that handle FCI or CUI for the DoD must comply with the new requirements if they want to continue doing business with the DoD. Implementing the CMMC framework can bring many benefits to an organization. It can improve the overall security posture by identifying and mitigating vulnerabilities, and it can also help organizations comply with other regulatory requirements such as the Federal Risk and Authorization Management Program (FedRAMP) and the Health Insurance Portability and Accountability Act (HIPAA). Obtaining a CMMC certification can also bring a competitive advantage, as it demonstrates to customers and partners that the organization takes cybersecurity seriously and is committed to protecting sensitive information.

To summarize, CMMC is a certification process that assesses the cybersecurity practices of organizations that handle FCI or CUI for the DoD. It provides a standard for measuring the maturity and capability of an organization's cybersecurity practices, and it helps ensure that DoD suppliers follow best practices to protect sensitive information. Organizations that handle FCI or CUI for the DoD must comply with the new requirements if they want to continue doing business with the DoD, and compliance can bring many benefits to the organization, such as an improved overall security posture and a competitive advantage.


Written By: Chris Gonzalez, RP

Not Paying the Ransom

Not Paying the Ransom!


If you don't pay the ransom, which systems do you bring up first?

When asking these questions you need input not only from the IT staff but also from the different business units.

For a law firm, the two most needed systems are typically Accounting and Conflicts, followed by a myriad of other information systems. This may differ between law firms, which is exactly why a Risk Assessment is needed.

A Risk Assessment answers these questions by putting quantitative values on the impact to the business, in a way that is understandable to the stakeholders of the business.

Businesses understand impact when it is expressed in dollars lost. The better approach is to minimize the dollars lost in a way that everyone can agree on.

Perform a thorough Risk Assessment first, then build the Disaster Recovery Plan from it.


DataSoftNow will help you through the process.

Will Insurance Cover Ransom Payment?

Caution: include the firm's counsel when asking these questions.

What will the Insurance Company cover?

Will they cover the cost of the ransom payment?

What will they provide during a ransom attack?

Will they cover the cost of any regulatory fines?

Here is why you want to have a conversation with your insurance company. Not all insurance is the same. Not all insurers will pay if the firm is lacking in its cybersecurity posture. You need to know this up front. Insurance companies now provide their own lawyers, forensics team, and breach coaches.

Many states now require notification of a breach within 72 hours. Depending on the breach, you may also need to notify the state Attorney General's office.


Will you need to notify?

This is where you get your money's worth from the insurance company. It is also why the insurance company will bring in its forensic and legal teams. When the forensics team has finished, the lawyers will help you make an informed decision about notification.


Do you have a Breach Coach?

Breach coaches are essential in today's world. They understand the steps needed during a breach, what the recovery process involves, and when the recovery process can begin.

Including a breach coach in your assessments will help you ask the right questions and make educated decisions.


Ransom payment negotiation.

Some insurance companies provide a ransom negotiating team. When you receive the ransom notification, a Bitcoin payment amount is displayed, and it is usually a pretty high number. Some ransomware operators will renegotiate the ransom, but you have to respond quickly. The insurance company's negotiating team has done this before, so they understand what can and cannot be negotiated. Having an experienced ransomware negotiator will go a long way toward getting the issue resolved more quickly.


Making the payment.

Here again, some insurance companies will provide these services. Setting up a Bitcoin account could take a couple of days, and that is time lost for the business. Using your insurance company's resources would speed up that process.

As you can see, there are many questions to be answered. This is why having these discussions ahead of time may save you valuable time.


DataSoftNow will help you through the process.

Will your backups function as needed?

During a recent ransomware incident, a law firm had many terabytes of litigation data: millions of individual 45 KB TIFF files. The firm decided not to pay the ransom and started the restoration process. After two days of restoration, it was determined that restoring this one system would take two weeks. The firm had never tested a full restoration or bothered to calculate what it would take to restore the data. The time it would take to restore the data turned out to be more costly than paying the ransom.

Restores have to be tested in full to truly understand the impact of your Disaster Recovery Plan.

Destroying evidence:

Did you know that if you start restoring systems, you may be destroying evidence? You may be held liable, and in the worst-case scenario the insurance company may not pay. Then your client's data shows up on the dark web, the client sues you, and your insurance company holds you, the CISO or IT Director, responsible for destroying evidence. Then the state Attorney General wants to know why a breach notification was not performed. More fines.

Anyone involved in the destruction of evidence can be held liable, including your IT consultants. I heard one insurance company say to an IT consultant, "I am coming after you for the destruction of evidence that would have helped us understand that data was exfiltrated."


DataSoftNow will help you through the process.


Will you pay the Ransom?

Pay or Not to Pay?

Any cybersecurity professional would urge you not to pay the ransom, as paying only encourages the attackers to continue targeting your organization. However, many organizations affected by ransomware want to solve the problem as quickly as possible and start weighing the price of the ransom against the value of the encrypted data. While organizations initially say they wouldn't pay the ransom, the majority will.

Leaders at organizations across the globe are witnessing the alarming rise of ransomware threats, leaving them with the sobering thought that an attack on their business may not be a matter of if, but when.

The stakes are becoming higher. Hackers aren't just demanding money; they're threatening to reveal sensitive or valuable information if companies don't pay up.

Performing a Risk Assessment will help you understand whether you might have to pay a ransom, or it might show that by restoring data you would only suffer a minimal loss.


Here is a quick example:

As part of a Risk Assessment, you ask about your backups and backup tests. Your backup engineer tells you they test backups all the time, on a periodic basis. The next question is what was tested. Was a full restore of all data sets tested? Remember, this is probably going to be a rebuild. The responses about which restores were tested, and what kinds of tests were done, feed into the calculations needed to understand whether you have to pay the ransom.

If your restores will take a few days, you may decide that restoring is what you will do.

Remember, paying a ransom will also take a few days, and decrypting the data may take a few more. This all depends on the size of your data sets.

This is where a Risk Assessment comes in to help quantify your decisions.
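The two passages above (the law firm that discovered a two-week restore two days in, and the Risk Assessment question of what a restore test actually covered) both come down to one number that should be known before an incident: how long a full restore of each system takes. The script below is an added example, not DataSoftNow's tooling, that estimates that number per data set and flags it against a recovery time objective. The throughput and per-file overhead values are constructed assumptions; the intent is that you replace them with figures measured during a real full-restore test. It also shows why millions of small files restore slowly: the fixed per-file cost, not the byte volume, dominates.

```python
"""Estimate full-restore time per data set and check it against an RTO.

Added example (not DataSoftNow's code). All numbers below are constructed
assumptions; measure your own throughput and per-file overhead in a test restore.
"""
from dataclasses import dataclass


@dataclass
class DataSet:
    name: str
    total_bytes: int
    file_count: int


@dataclass
class RestorePath:
    # Sustained bulk read rate from the backup target (tape, cloud, disk).
    throughput_bytes_per_s: float
    # Fixed cost per file: catalog lookup, metadata, open/close. Measure this;
    # it is what makes millions of 45 KB TIFFs restore far slower than one big file.
    per_file_overhead_s: float


def estimate_restore_seconds(ds: DataSet, path: RestorePath) -> float:
    """Bulk transfer time plus per-file overhead for one data set."""
    bulk = ds.total_bytes / path.throughput_bytes_per_s
    overhead = ds.file_count * path.per_file_overhead_s
    return bulk + overhead


def restore_plan(datasets, path: RestorePath, rto_hours: float, parallel_streams: int = 1):
    """Return one row per data set, longest restore first, each flagged against the RTO.

    per_file_share shows how much of the estimate is per-file overhead rather than
    byte volume; a high share means more streams or a different backup format helps
    more than faster media would.
    """
    rows = []
    for ds in datasets:
        bulk = ds.total_bytes / path.throughput_bytes_per_s
        overhead = ds.file_count * path.per_file_overhead_s
        hours = (bulk + overhead) / parallel_streams / 3600
        rows.append({
            "name": ds.name,
            "hours": round(hours, 1),
            "meets_rto": hours <= rto_hours,
            "per_file_share": round(overhead / (bulk + overhead), 2),
        })
    rows.sort(key=lambda r: r["hours"], reverse=True)
    return rows


# Constructed sample inventory (hypothetical sizes, loosely modelled on the
# litigation-archive scenario in the text; not the firm's real figures).
SAMPLE_DATASETS = [
    DataSet("litigation", total_bytes=20 * 10**12, file_count=8_000_000),  # 20 TB, small TIFFs
    DataSet("accounting", total_bytes=500 * 10**9, file_count=200_000),     # 500 GB
]
# Constructed restore path: 50 MB/s sustained, 20 ms per file.
SAMPLE_PATH = RestorePath(throughput_bytes_per_s=50 * 10**6, per_file_overhead_s=0.02)
SAMPLE_RTO_HOURS = 48


if __name__ == "__main__":
    for row in restore_plan(SAMPLE_DATASETS, SAMPLE_PATH, SAMPLE_RTO_HOURS):
        status = "OK" if row["meets_rto"] else "EXCEEDS RTO"
        print(f'{row["name"]:<12} {row["hours"]:>7.1f} h  '
              f'per-file overhead {row["per_file_share"]:.0%}  {status}')
```

Run it with the sample inventory and the litigation archive comes out at roughly six and a half days against a 48-hour objective, with about a third of that time being per-file overhead; the accounting system restores in under four hours. The decision the text describes (restore, or accept the cost) needs exactly these per-system numbers, and they are only trustworthy if the throughput and overhead came from a full test restore rather than a spot check.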

DataSoftNow will help you through the process.

Ransomware | DataSoftNow

It's not if it will happen, it's when it will happen.

Ransomware Readiness Review

Will you be ready?

When a ransomware attack happens, time is your enemy. The clock is ticking. You have to start making quick, decisive decisions. The only way to do that is by asking the questions in advance.

Consider these questions:
