Achieving & Maintaining Compliance
For organizations subject to compliance standards, meeting the requirements is necessary. Regardless of how it is approached, alone or with support from a company like FNI, it takes ongoing diligence. The importance of compliance stems from the cybersecurity threats organizations face. Securing intellectual property, personal information, and government interests has a value that often isn’t fully appreciated until it fails. Having a minimum security standard gives organizations a stronger set of practices they should be following and an opportunity to prevent catastrophes they would otherwise have faced.
Future Networking is an ally and resource that assists organizations by efficiently and cost-effectively determining where they are in their compliance process, what needs to be done to get where they need to be, and establishing a program to get and stay compliant.
DFARS / CMMC / NIST
It is no secret that defense manufacturing companies in the United States are at risk. “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.” – Katie Arrington 2019 (DoD). Defense manufacturers and others in the government supply chain are high priority targets. They face threats from nation states and other highly skilled and capable malicious actors.
To date, very few small to mid-sized manufacturers have taken the necessary steps to achieve these compliance requirements. As a response to this lack of action the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification guidelines on January 30th, 2020. As a part of the CMMC process, “Certified Assessors” will meet with manufacturers to verify they meet the necessary Maturity Level requirements.
DFARS Interim Rule Compliance & CMMC
On November 30th, 2020, the Defense Acquisitions Regulation System (DFARS) put into effect the new Interim Rule to supplement the current DFARS 254.204-7012 regulation.
The Cybersecurity Maturity Model Certification (CMMC) program is on course; however, the crawl-walk-run approach of CMMC from now until the end of FY2025 has left a gap in cybersecurity assurance for the DoD. During this interim phase, that gap is filled by the DFARS Interim Rule. Put simply, CMMC compliance is verified through 3rd party certification that assures a minimum level of cybersecurity practices is followed by vendors who receive DoD contracts. The DFARS Interim Rule mandates that companies in the DoD supply chain perform a self-assessment based on a scoring system founded on the NIST SP 800-171 controls and submit that score to the Supplier Performance Risk System (SPRS) via the Procurement Integrated Enterprise Environment (PIEE). This score is then reviewed by Program Management Office cybersecurity personnel when bids are considered.
The DFARS Interim Rule and CMMC are bound together by NIST SP 800-171 whereby all 110 controls map directly to the 130 practices required for CMMC Maturity Level 3. If a company meets all the requirements of the DFARS Interim Rule, they already meet 85% of CMMC ML 3 practices.
Currently, CMMC is slowly being rolled out, and companies are adopting CMMC practices in anticipation of the eventual certified assessments.
How We Help
The Cybersecurity Maturity Model Certification (CMMC) Pre-Assessment is undertaken to help assure that the practices, processes and company security culture meet the requirements needed to pass a CMMC Certified Assessment performed by a CMMC 3rd Party Assessment Organization (C3PAO).
Future Networking (FNI) performs CMMC Pre-Assessments in three main phases. The first phase is the CMMC Roadmap: the network is scanned, network and security reports are generated, registry and group policy information is obtained, and key personnel are surveyed. The result is a CMMC Roadmap report that is discussed in detail with company stakeholders.
Due to the DFARS Interim Rule, FNI now uses the CMMC Roadmap to assist companies with their required NIST 800-171 Self-Assessment. CMMC Maturity Level 3 contains all 110 controls for NIST 800-171.
The next phase is evidence gathering, in which two pieces of evidence for each required Maturity Level (ML) practice and process are documented. For each practice not being met, a solution is stated and then implemented.
The final phase is a review of the implementation of the practices met or not met, a report detailing the results, and a final meeting outlining any missing deliverables or practices the client does not comply with.
The ultimate objective is for the client to fully understand if passing a CMMC Certified Assessment is likely or not, and if not, determine what more needs to be done to improve their odds of success.
What is ITAR / EAR Compliance?
Put simply, ITAR governs exports made specifically for defense or aerospace purposes, whereas EAR governs exports that may be used for defense purposes or may be considered sensitive for other reasons. Failure to comply with ITAR / EAR can be harmful to national security and U.S. foreign policy. It may result in other costs including severe civil & criminal penalties (potential incarceration), damage to reputation and loss of export licenses.
The release of information to a foreign national is considered a “deemed export” under EAR, and although ITAR doesn’t use that specific term, EAR’s definition of “deemed export” is aligned with how ITAR assesses the transfer of information to foreign nationals. Information release under ITAR is defined as, “… the oral, visual or documentary disclosure of technical data by US persons to foreign persons.” It’s easy to see that information release violations of ITAR & EAR, and failure to secure data, are serious matters. They can also be disastrous for national security and organizational reputation. The government views these breaches & transfers of information as potentially causing severe damage to the United States and may impose civil and criminal penalties if a breach occurs. Violations can result in hundreds of millions in fines. Organizations may also have export licenses revoked or rejected, limiting or eliminating their ability to engage in critical activities!
What is an export?
Sending or taking a defense article out of the U.S. in any manner
Disclosure, including oral or visual disclosure, or transfer of technical data to a foreign person whether in the U.S. or abroad
Performance of a defense service on behalf of, or for the benefit of, a foreign person whether in the U.S. or abroad
Disclosure, including oral or visual disclosure, or transfer in the U.S. of any defense article to an embassy, agency, or subdivision of a foreign government
Transfer of registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the U.S. or abroad
Who is a foreign person?
Any natural person who is not a lawful permanent resident of the U.S. or who is not a protected individual
Any foreign corporation, business association, partnership, trust, society, or other entity that is not incorporated or organized to conduct business in the U.S.
International organizations, foreign governments, and any agency or subdivision of a foreign government
What is a defense service?
Furnishing of assistance, including training, to foreign persons, in the U.S. or abroad, in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation or use of defense articles
Furnishing of technical data to foreign persons in the U.S. or abroad
Military training and advice
The Directorate of Defense Trade Controls (DDTC) is the government agency responsible for outlining the International Trade in Arms Regulations (ITAR). ITAR governs the export of military, weapons, and space related items and services as specified on the US Munitions List (USML). To ensure compliance with ITAR, the DDTC strongly encourages registered exporters, manufacturers, brokers, and others engaged in defense trade, to maintain programs that assist in the monitoring and control of exports and other regulated activities.
The Bureau of Industry & Security (BIS) is the government agency responsible for outlining the Export Administration Regulations (EAR). EAR covers the export of non-ITAR commercial goods & services including so-called “dual-use” items, which are commercial items that may also have military applications or other sensitive uses under the Commerce Control List (CCL).
The International Traffic in Arms Regulations (ITAR)
The Department of State is responsible for the export and temporary import of defense articles and services governed by 22 U.S.C. 2778 of the Arms Export Control Act (AECA) and Executive Order 13637. The International Traffic in Arms Regulations (“ITAR,” 22 CFR 120-130) implements the AECA. The ITAR is available from the Government Printing Office (GPO) as an annual hardcopy or e-document publication as part of the Code of Federal Regulations (CFR) and as an updated e-document.
How We Help
Controlling the location and flow of information is mandatory to assure both ITAR and EAR compliance. By partitioning data and limiting access, through network management, encryption, password, physical security & surveillance, magnetic and even biometric tools, Future Networking helps assure compliance in these areas.
Healthcare faces significant threats from cyberattacks that can have massive financial and even life-endangering impact. The perfect storm is a cyberattack that results in ransom demands, loss of patient records, and slowed or even halted patient care, where the attack is due to HIPAA violations that subsequently bring heavy fines (capped in 2019 at $1,500,000 per year of violation), not to mention the negative media attention that is sure to follow. All of this negative fallout is on top of the direct losses suffered from the cyberattack itself!
2019 saw unprecedented cyberattacks on healthcare providers amounting to billions of dollars in losses. These events included:
764 healthcare providers attacked
285 patient record breach incidents
Nearly 32 million patient records affected
Redirecting of emergency patients to other hospitals
Inaccessible, destroyed or permanently encrypted medical records
Canceled surgeries, postponed critical tests, admissions halted
911 services interrupted
Offline surveillance, badge scanners and building access systems
Unfortunately, as the bullet points above show, the perfect storm does happen. It is only the quick thinking, care and diligence of first responders, hospital staff, doctors and nurses that kept these incidents from causing loss of life to their patients.
Though 45 C.F.R. 164.308 offers summary guidelines for incident response (which can include ransomware, patient data theft and other intrusions) and requires that institutions offer training on mitigating and responding to incidents, it is not specific about what approach to take (aside from documenting procedures and incidents) or what security tools to use to monitor and mitigate such threats.
We Provide Security Tools to Match Policies & Procedures
Specific to HIPAA compliance and the needs of healthcare facilities and organizations, Future Networking provides a full platform of threat-mitigation tools that can eradicate ransomware and malware at their entry point before they infect a network. Additionally, we put safeguards in place to prevent Protected Health Information (PHI) from being compromised.
Offering a holistic approach, we also provide Security Awareness Training based on the current threats in the real-world environment, and address issues using information obtained from our Security Assessment of employee behavior and flaws within the network. If the need is there, we can also take the assessment many steps further, and do network penetration testing (an Attack Audit). Here we can provide results from penetrating the system through external or internal nodes, as well as test physical security protocols to determine where they might be lax.