For the last few years, CMMC, the Cybersecurity Maturity Model Certification, has been a huge topic of discussion between the U.S. Government and the Defense Industrial Base (DIB). What began with an Executive Order more than a decade ago to protect CUI has had a slow, incremental rollout and several revisions. Now, with CMMC 2.0, defense contractors can expect CMMC requirements in their contracts as soon as May 2023.
CMMC’s complicated history, its laundry list of requirements, and the potentially large price tags from service providers and C3PAOs have many defense contractors waiting and seeing as they weigh CMMC’s impact on their business. Waiting is costing most of them more than they realize, and it can be the difference between meeting your CMMC goals on time and on budget or missing them.
Inflation is on the rise. In September 2022, roughly eight months before CMMC is expected to show up in contracts, consumer prices were up 8.2% over September 2021 across all goods and services. Cybersecurity technology such as Microsoft’s government cloud offerings, and cybersecurity services from managed service providers and C3PAOs, are expected to rise in cost too, if they haven’t already. The longer businesses wait to get started, the deeper into the inflation hole they go and the more expensive the climb out will be.
Inflation isn’t the only budget killer that comes with a slow timeline. Too many defense contractors are waiting, and the impact on your business comes down to simple economics: when demand outstrips supply, prices rise. When everyone who has been waiting tries to start at the same time, demand will skyrocket. The capacity of service providers to write policies and procedures, acquire and implement technology, and configure systems for that influx, and the capacity of C3PAOs to assess everyone in time, will not keep up. What’s left is either a large price tag for rushed service or a lottery to see whether you can find a provider at all.
The waiting game is tricky mainly because there are multiple timelines to consider but only one you really have visibility into: your own. Service providers have timelines too. For example, Tesseract, Ardalyst’s compliance-focused managed cybersecurity program, typically has about a month between contract signature and implementation start. That is the average we saw before the last-minute CMMC rush. As more organizations try to get on implementation schedules across the CMMC Registered Provider Organizations (RPOs), and you will want to confirm that your provider is an official RPO, implementation calendars will fill and your start date will slide. If your organization has a lot of work to do to get compliant, a late start could mean not being compliant by the time CMMC appears in your next contract. If you’re not sure how much work you have to do, finding out is the crucial first step in deciding whether you can afford to wait. Check out our free NIST 800-171 Self-Assessment tool to see how you measure up against CMMC Level 2 and get the SPRS score required by the current DFARS 252.204-7019 clause.
CMMC was created to strengthen our nation’s supply chain and ensure that government information is protected. A cause I’m sure most defense contractors can get behind, but it’s no secret that the driving force behind businesses getting CMMC-compliant is the ability to bid and win DoD contracts and soon any government contract as more and more agencies make plans to roll out CMMC. The more businesses that wait and the longer they wait, the greater the risk to your ability to bid on contracts. Getting CMMC-compliant can take upwards of 12 months, not including the time for assessment. Working with a service provider can shorten the timeframe significantly, but with only 8 months left until CMMC goes into full effect, many businesses risk missing the deadline. That’s fewer contracts you’ll be able to bid on and less DoD work to support your business.
Ardalyst has developed a five-step process to help you get started that doesn’t require an expensive initial assessment. Our team of CMMC-AB Registered Practitioners can also deliver a free Risk Assessment to meet the requirements of RA.L2-3.11.1 and give you a better idea of what your CMMC compliance timeline looks like. Contact us online at www.ardalyst.com, email us at info@ardalyst.com, or call us at (833) 682-8270 to get started!
The time to get CMMC compliant is now! Stacy Bostjanick, Chief of Defense Industrial Base Cybersecurity in the Office of the DoD CIO, has said the Department is eyeing March 2023 for the release of the CMMC 2.0 rule and could begin putting CMMC in contracts as early as May 2023. Depending on where you are in your compliance journey, that leaves less than a year to establish and document policies and procedures, purchase the necessary software, configure your networks, and prepare for CMMC assessments. It’s time to get to work. Our five-step approach helps contractors develop a comprehensive plan for achieving CMMC compliance and staying compliant.
CMMC, or the Cybersecurity Maturity Model Certification, consists of three levels.
Level 1 – Foundational: Contains 17 practices aligned with FAR 52.204-21 and is required for companies that only handle Federal Contract Information (FCI) and do not handle Controlled Unclassified Information (CUI).
Assessment: Level 1 only requires businesses to perform an annual self-assessment.
Level 2 – Advanced: Contains 110 practices aligned with NIST SP 800-171 required by defense contractors who handle and must safeguard CUI.
Assessment: Level 2 requires a triennial third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) for contracts involving information critical to national security; DoD’s CMMC 2.0 announcement allows an annual self-assessment for a select subset of Level 2 programs.
Level 3 – Expert: Contains the same 110 practices of CMMC 2.0 Level 2 and adds controls from NIST SP 800-172 demonstrating a greater depth of protection of critical national security information and reducing the risks of exploitation by Advanced Persistent Threats (APTs).
Assessment: Level 3 requires a triennial assessment by the U.S. government. Assessments will be conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Determining the CMMC level you would like to ultimately achieve will help you make the proper strategic steps to get there in a way that works for your business.
Now that you know where you want to be, decide on the pace that’s right for you. For example, while you may intend to reach CMMC Level 2 in the future, you may find it better and more cost-effective to achieve CMMC Level 1 (FAR 52.204-21 compliance, required of all federal contractors) now, and to document in a System Security Plan (SSP) and Plan of Action and Milestones (POAM) how you will reach Level 2 later. That approach gives you a clearly defined roadmap to your Level 2 goal. Some see early adoption as a competitive advantage; others prefer multiple steps to slow the pace of organizational change or spread out the costs. Decide how important speed is to your strategy and your budget so you can identify the right steps and plan accordingly.
You have to understand what it is you must protect. The CMMC Scoping Guides are the place to start: they define which assets are in scope for an assessment at each level. Keep in mind that assets that don’t process, store, or transmit CUI aren’t automatically out of scope for Level 2. Contractor Risk Managed Assets and Specialized Assets must still be documented in your System Security Plan (SSP), along with the risk-based policies and practices you apply to them, even though they are generally not assessed against the practices themselves. After reviewing the scoping guide for your target level, determine where your value is and build a program to defend it.
Understand your technology environment. You may already have a modern network ready for your security controls, but for most companies cybersecurity requirements become a major driver for upgrading infrastructure or moving to the cloud. Cloud environments are often easier to protect than on-premises ones, and modern collaboration tools bring productivity gains of their own. Traditionally, on-premises solutions (servers and data centers located at your office or business location) cost more to bring into compliance because they need a more customized solution, and customization means more expertise, more configuration, and potentially more support during an assessment. Choose new technologies based on your security and business goals, and keep in mind that where your infrastructure lives shapes how you secure it, how you write your policies and procedures around it, and how you get and stay compliant.
There are many pieces to an effective and compliant cybersecurity program, and that usually means pulling resources together such as a Managed Security Service Provider (MSSP), a Managed Service Provider (MSP), Managed Detection and Response (MDR), compliance consulting services (vCISO), and compliance management software. While some larger organizations may be able to support these functions with internal staff, many small to mid-sized businesses don’t have this expertise on hand and the salaries needed to hire it can be out of reach. Determining up front which parts of your cybersecurity program you can support on your own and which partners or resources you’ll need is key to developing an effective and actionable plan for achieving CMMC compliance.
You’ll also want to keep in mind how these resources affect your budget. Rough ranges we see: security tooling and vendor licenses, $35,000-$250,000; MSSP, vCISO and compliance consulting services, $150,000-$300,000; MDR services, $82,000-$178,000; and MSP services, $120,000-$150,000. If these price tags feel out of reach, you’re not alone. Check out our Tesseract Managed Cybersecurity Programs. Tesseract was designed by cybersecurity and compliance experts to make FAR 52.204-21, NIST 800-171, and CMMC simple and affordable. With three program options and four service packages, the result is a cybersecurity program that not only feels customized to your business but is faster, simpler, and more affordable than the alternatives.
Building your CMMC strategy is no small feat. Knowing the right questions to ask, where you can save costs without compromising your security, and what the right steps are for your unique business is a challenge. Our team of CMMC-AB Registered Practitioners has helped numerous businesses not only determine the strategy that works for them but execute it, delivering comprehensive cybersecurity programs that meet their budget and restore their confidence. It all starts with a free risk assessment and consultation. Contact us online at www.ardalyst.com, email us at info@ardalyst.com, or call us at (833) 682-8270 to schedule your free consultation today and let us help you build your CMMC strategy.
Since November 30, 2020, the DFARS 252.204-7019 clause has required DoD contractors to complete a Basic Assessment of their compliance with NIST 800-171. A Basic Assessment is a self-assessment, built from your organization’s System Security Plan (SSP) and Plan of Action and Milestones (POAM), that scores your implementation of the 110 NIST 800-171 requirements. The resulting score must be posted to the Supplier Performance Risk System (SPRS). Basic Assessments were just the beginning, though, and recent announcements by Mr. John Ellis, Director of the Defense Contract Management Agency (DCMA)’s Software Division and co-founder of the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), signal the start of Medium Assessments.
What are Medium Assessments?
Medium Assessments are also an assessment of your organization’s compliance with NIST 800-171 but instead of being a self-assessment, Medium Assessments are conducted by DCMA’s DIBCAC. This will include a thorough investigation of your documentation like your SSP and POAM and include a review of your policies and procedures.
It is estimated that roughly 200 organizations a year will go through a Medium Assessment, selected at random from the more than 19,000 companies with scores in SPRS.
What do Medium Assessments mean for me?
If your organization has a score in SPRS, a Medium Assessment could begin with a call requesting your SSP and POAM, along with supporting documentation such as policies and procedures, to be delivered within the following few days.
Can I really be penalized under the False Claims Act?
The short answer is yes, but this is nothing new. The False Claims Act (FCA) was first enacted in 1863 to penalize defense contractors for fraud during the American Civil War, and it was amended in 1986 to strengthen the whistleblower (qui tam) provisions that reward individuals who bring fraud to light. Where do you come in? That part is relatively new. In October 2021, the Department of Justice announced a Civil Cyber-Fraud Initiative that uses the FCA to pursue cybersecurity-related fraud by government contractors and grant recipients. Covered conduct includes knowingly providing deficient cybersecurity products or services, knowingly misrepresenting cybersecurity practices or protocols, and knowingly violating obligations to monitor and report cybersecurity incidents and breaches. A knowingly false score uploaded to SPRS fits squarely within that description. The FCA provides for treble damages plus a civil penalty per false claim (set by statute at $5,000 to $10,000 and adjusted upward for inflation), so, as FedScoop has noted, fraud that leads to a breach or other loss to the government can mean paying three times the damages on top of the penalties.
What do I do now?
This greatly depends on where you are in your process.
I don't have a score in SPRS
If you haven’t uploaded a score to SPRS or developed your SSP and POAM, Ardalyst recommends getting started now. If you’re looking for a do-it-yourself walkthrough of the scoring, check out our free NIST 800-171 Self-Assessment Tool, a step-by-step guide that produces your preliminary score against the 110 NIST 800-171 requirements. Our team of CMMC-AB Registered Practitioners (RPs) can also walk you through a free compliance consultation to provide a preliminary score and a summary report of their findings that you can incorporate into your SSP and POAM. From there we can recommend next steps and help you get started with a comprehensive managed cybersecurity program.
I have a score in SPRS
Awesome! This is an important first step. With your SSP, POAM, and all policies and procedures handy, you’re ready to go if you’re one of the companies chosen for a Medium Assessment. If you have a score, but still need documentation, schedule your free consultation with our CMMC-AB RPs and get started quickly and accurately developing the proper documentation to be prepared for an assessment.
I'm freaking out about a possible assessment
Breathe! At 200 companies assessed per year, the likelihood of you being selected is roughly 1%. However, this won’t absolve you from having to meet the requirements, having all your documentation prepared, or needing to be ready for either a DIBCAC or a C3PAO assessment to achieve CMMC certification, so it’s best to tackle everything as soon as possible.
Wherever you are in your journey, we can help. Ardalyst services are also backed by our Assessment Guarantee. Should you fail an assessment, we’ll make the necessary changes to your program at no additional cost – we are behind you 100%! Contact us online at www.ardalyst.com, email us at info@ardalyst.com, or call us at (833) 682-8270 to get started and schedule your free consultation today.
There has been a lot of speculation about the Cybersecurity Maturity Model Certification (CMMC) in recent years. Some question whether it will ever be required. Others see its delay as a sign of failure. Whatever your thoughts, the lull we’re experiencing has fueled inactivity amongst the defense industrial base (DIB). Many small and midsize businesses are unsure what the right next steps are, what’s being required of them, and if it’s worth it. Below, we’ve answered some of our most frequently asked CMMC questions to help put an end to the indecision and ensure you’re making informed decisions.
What is the Cybersecurity Maturity Model Certification (CMMC) 2.0?
CMMC is described as a comprehensive framework to protect the DIB from increasingly frequent and complex cyberattacks. DoD’s goal is to safeguard sensitive unclassified national security information. This type of information is called Controlled Unclassified Information (CUI). CMMC 2.0, the most recent version of the framework was announced in November of 2021, providing an updated structure to that of CMMC 1.0.
CMMC 2.0 consists of three levels.
Level 1 – Foundational: Contains 17 practices aligned with FAR 52.204-21 and is required for companies that only handle Federal Contract Information (FCI) and do not handle Controlled Unclassified Information (CUI).
Assessment: Level 1 only requires businesses to perform an annual self-assessment.
Level 2 – Advanced: Contains 110 practices aligned with NIST SP 800-171 required by defense contractors who handle and must safeguard CUI.
Assessment: Level 2 requires a triennial third-party assessment by a Certified Third-Party Assessment Organization (C3PAO) for contracts involving information critical to national security; DoD’s CMMC 2.0 announcement allows an annual self-assessment for a select subset of Level 2 programs.
Level 3 – Expert: Contains the same 110 practices of CMMC 2.0 Level 2 and adds controls from NIST SP 800-172 demonstrating a greater depth of protection of critical national security information and reducing the risks of exploitation by Advanced Persistent Threats (APTs).
Assessment: Level 3 requires a triennial assessment by the U.S. government. Assessments will be conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Do I actually need to worry about CMMC?
The short answer is yes! Remember that CMMC certifies that existing security standards have been met: NIST SP 800-171 for CMMC 2.0 Level 2, plus a subset of NIST SP 800-172 at Level 3. CMMC 2.0 introduces no security controls of its own; it is an assessment regime for requirements contractors already have.
Regardless of CMMC’s status, defense contractors who handle controlled unclassified information (CUI) under DoD contracts will still find the DFARS 252.204-7012, 252.204-7019 and 252.204-7020 clauses in their contracts.
DFARS 252.204-7012 requires the contractor to implement NIST SP 800-171. DFARS 252.204-7019, in effect since November 30, 2020, requires a current NIST SP 800-171 DoD Assessment score (not more than three years old) to be posted in the Supplier Performance Risk System (SPRS) before award. For the Basic level that score comes from a self-assessment built on the contractor’s System Security Plan (SSP) and Plan of Action and Milestones (POAM); the SSP and POAM themselves stay with the contractor and must be produced on request. This means that whether your business seeks an official assessment to be certified at CMMC Level 2 or not, the requirements for your cybersecurity program remain the same.
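To make the Basic Assessment scoring concrete (both here and in the Medium Assessments section above), the following scorer is added as an example; it is not Ardalyst’s self-assessment tool or any DoD software. It applies the rules of the DoD NIST SP 800-171 Assessment Methodology that the 7019/7020 clauses reference: start at 110, subtract the point value (5, 3 or 1) of every requirement that is not implemented, allow partial credit for multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), and floor the result at -203. The weights table covers only a handful of the 110 requirements and is illustrative; the authoritative values are in Annex A of the methodology. The status map is constructed sample data, not a real assessment.

```python
"""SPRS-style scoring of a NIST SP 800-171 Basic (self) Assessment.

Added example, not Ardalyst's self-assessment tool. The rules follow the
DoD NIST SP 800-171 Assessment Methodology: start at 110, subtract the
point value of each requirement that is NOT implemented, floor at -203.
WEIGHTS below is an illustrative SUBSET of the 110 requirements; confirm
every value against Annex A of the methodology before submitting a score.
"""
from __future__ import annotations

from typing import Dict, List, Tuple

MAX_SCORE = 110
MIN_SCORE = -203  # floor: every requirement unimplemented

# Illustrative subset: requirement id -> points deducted when not implemented.
WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to the transactions/functions users may perform
    "3.1.3": 1,    # control the flow of CUI
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.8.3": 5,    # sanitize media containing CUI before disposal or reuse
    "3.13.11": 5,  # FIPS-validated cryptography to protect CUI
    "3.14.1": 5,   # identify, report and correct system flaws in a timely manner
}

# Requirements that may be "partial" for a reduced deduction.
PARTIAL_DEDUCTION: Dict[str, int] = {
    "3.5.3": 3,    # MFA for remote and privileged users but not general users
    "3.13.11": 3,  # encryption in use but not FIPS-validated
}

VALID_STATUSES = {"implemented", "not_applicable", "partial", "not_implemented"}


def sprs_score(
    statuses: Dict[str, str],
    weights: Dict[str, int] = WEIGHTS,
) -> Tuple[int, List[Tuple[str, int]]]:
    """Return (score, deductions) for a map of requirement id -> status.

    A requirement absent from `statuses` counts as not implemented: the SSP
    has to address every requirement, and silence is a gap.
    """
    score = MAX_SCORE
    deductions: List[Tuple[str, int]] = []
    for req, weight in weights.items():
        status = statuses.get(req, "not_implemented")
        if status not in VALID_STATUSES:
            raise ValueError(f"{req}: unknown status {status!r}")
        if status in ("implemented", "not_applicable"):
            continue  # N/A must be justified in the SSP, but it is not deducted
        if status == "partial":
            if req not in PARTIAL_DEDUCTION:
                raise ValueError(f"{req}: partial credit is only defined for "
                                 f"{sorted(PARTIAL_DEDUCTION)}")
            points = PARTIAL_DEDUCTION[req]
        else:
            points = weight
        score -= points
        deductions.append((req, points))
    return max(score, MIN_SCORE), deductions


def poam_items(deductions: List[Tuple[str, int]]) -> List[str]:
    """Every deduction is an open POAM line; highest-value gaps come first."""
    return [req for req, _ in sorted(deductions, key=lambda d: -d[1])]


# Constructed sample SSP status map (not a real assessment).
SAMPLE_STATUSES: Dict[str, str] = {
    "3.1.1": "implemented",
    "3.1.2": "implemented",
    "3.1.3": "not_implemented",    # -1
    "3.3.1": "implemented",
    "3.5.3": "partial",            # -3: MFA missing for general users
    "3.8.3": "not_applicable",     # no removable media; justified in the SSP
    "3.13.11": "not_implemented",  # -5: CUI at rest is not encrypted at all
    # 3.14.1 is not documented, so it scores as not implemented: -5
}

if __name__ == "__main__":
    score, gaps = sprs_score(SAMPLE_STATUSES)
    print(f"SPRS score for the sample subset: {score}")
    print("POAM items, largest deduction first:", poam_items(gaps))
```

The two rules worth noticing are the ones that catch people in a Medium Assessment: an undocumented requirement is a deduction, not a blank, and "partial" is only a valid answer for the two requirements the methodology names.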
Why is CMMC a priority?
There are two sides to the CMMC coin. On one side, the United States is under persistent attack. For cyber attackers who would wish to do our nation harm, the easiest way is often through the supply chain where security standards aren’t consistent, and defenses are usually much easier to penetrate than that of the government’s own IT infrastructure.
This makes targets of nearly everyone, from technology firms like Microsoft and SolarWinds, to critical infrastructure operators like Colonial Pipeline, and especially small and mid-sized contractors who often lack the knowledge and resources to protect themselves. Implementing security standards like NIST 800-171, and certifying against them through programs like CMMC, helps ensure that our nation and all who support it are doing their part to protect it.
The other side to the CMMC coin is you! When you make CMMC a priority, you make your business, your data, and your customers a priority. Threat actors are getting smarter all the time, and customers are demanding better, more integrated, more convenient, and more optimized digital experiences. In our increasingly digital business landscape, being able to demonstrate good cyber hygiene and security to your clients and customers is key. As good cybersecurity practices become a requirement of customers, the investment becomes a revenue driver, not just a cost. Being proactive about your cyber hygiene now can improve both your reputation and financial stability.
What happens if I’m not compliant?
There are multiple angles from which this question must be answered. From a contracting standpoint, you won’t be a viable candidate without compliance. Even in a CMMC-less world, failing to meet NIST 800-171 already hurts your business: scores posted to SPRS are visible to DoD contracting officers and can be a factor in award decisions. Once CMMC is finalized, certification at one of the three levels will demonstrate a defined level of cyber hygiene and assure the Department that you’re doing your part to keep its data safe. Getting started soon is critical, though. Once CMMC rulemaking is done, if you haven’t already begun seeking an assessment, you may find that scheduling one is difficult in the last-minute rush.
Failing to comply with CMMC, or any cybersecurity standard, increases your risk of a damaging attack. The requirements outlined in these standards are the foundation for good cyber hygiene and the starting point for how you’d measure your business’s security — with or without a compliance mandate. Taking these measures for your business ensures your data, devices, and networks are protected from attacks like ransomware, malware, and more, the proper contingency plans are in place for business continuity, and your employees are properly trained to ensure they know how to maintain the integrity of your cybersecurity efforts.
On the extreme end, the government has indicated that it will use the False Claims Act to prosecute organizations that submit false attestations.
With all these new requirements, should I just shift to providing commercial services only?
Some DIB companies are considering switching to commercial work to avoid these requirements. In many industries, this might delay the cybersecurity investment for a year, but it won’t eliminate it. National legislation on incident reporting, discussion of expanding CMMC-like requirements across all Critical Infrastructure industries, and commercial supply chain risk reduction programs mean that improving your cybersecurity programs will be a requirement for most businesses in the future.
How do I get compliant?
There is no one-size-fits-all solution when it comes to compliance. How you address the requirements of CMMC should be specific to your business so that cybersecurity is a business enabler and not an inhibitor. Start with a cybersecurity assessment to find your gaps. Our team of CMMC-AB Registered Practitioners can walk you through a free compliance consultation to provide a preliminary score against the 110 requirements (the score you need to upload to SPRS) and a summary report of their findings that you can incorporate into your SSP and POAM. From there, we can recommend next steps and help you get started with a comprehensive managed cybersecurity program. Contact us online at www.ardalyst.com, email us at info@ardalyst.com, or call us at (833) 682-8270 to schedule your free consultation today.
If you’re a small or mid-sized business that’s wondering how you will afford to meet growing cybersecurity requirements, you’re not alone. Many small and mid-sized businesses struggle to budget for the necessary technology and resources to keep their data and their business safe because the tools are either far too expensive or require large purchase quantities that can’t be met. The expertise to install and use those tools can also be out of reach for many.
Industry experts refer to this situation as the “Cybersecurity Poverty Line” or as we like to call it, the “Cybersecurity Affordability Line.” Simply put, this line encompasses a number of factors that together serve as a threshold for what’s considered the lowest line of defense.
Breaking Down the Cybersecurity Poverty Line for Small & Midsized Businesses
The impact of the cybersecurity affordability line isn’t just limited to typical financial poverty but also information and capability poverty, which are still big hurdles to overcome even with an unlimited budget. Ask yourself, could your business still build, run, and support your cybersecurity program even if you had the money to buy all the technology you need? It’s important to recognize the impact that all three aspects of cybersecurity poverty have on small and mid-sized businesses as they try to improve their security posture to meet compliance requirements:
Financial Poverty: Do you have the money to do all the things you need to do?
Information Poverty: If you’re able to afford the things you need to do, do you know what technology to buy or what to do to effectively build, execute, and support your cybersecurity?
Capability Poverty: Even with the budget and expertise, could you get it done? Do you have the people and expertise internally to properly run your cybersecurity program and mature it over time?
The Cybersecurity Poverty Line Fuels Greater Poverty
The persistent lack of affordable solutions on the market has far too many small and mid-sized businesses treating cybersecurity as a commodity cost rather than something that produces financial benefit. In an increasingly digital business landscape, being able to prove cyber hygiene and security to your clients and customers can shift the cost of cybersecurity into the revenue column. Threat actors are getting smarter all the time, and customers are demanding better, more integrated, more convenient, and more optimized digital experiences. If outrageous price tags hold you back from being proactive about your cyber hygiene, opportunities to improve both your reputation and your revenue recede that much further.
Recognizing Affordability as an Industry Problem
When small and mid-sized businesses feel forced to choose between budget and effective cybersecurity, everyone loses. Businesses below the Cybersecurity Affordability Line are often left with inadequate protection, leaving both company and customer data vulnerable to attack. When that same small or mid-sized business serves the national government, as those in the 16 critical infrastructure sectors do, poor cybersecurity puts both the business and the nation at risk. With the rise in nation-state cyber-attacks, it has never been more crucial for our industry to recognize the role that we play.
Ardalyst is willing to take the first step toward making cybersecurity available and affordable.
Across the Line Pledge
Our “Across the Line” pledge looks to create opportunities for organizations of all sizes by committing to the development of quality products and services at prices that won’t force you to choose between comprehensive cybersecurity and your budget. Our pledge includes working with partners and vendors that share our passion for cost-effective solutions and stand with us as we move the affordability line closer for small and mid-sized businesses and do our part to get them Across the Line.
How Do I Get My Business Across the Line?
Moving across the cybersecurity poverty line means making an educated series of business and technology decisions. If you feel you don’t have the knowledge or resources to develop the employee education, technical processes, and software configurations necessary to achieve this on your own, Ardalyst can help. The goal of Tesseract, our compliance-focused managed cybersecurity program, has always been to give people a comprehensive, affordable cybersecurity program that supplies the right set of tools, policies, and processes to help businesses of all sizes defend against threats while meeting regulatory requirements like CMMC (Cybersecurity Maturity Model Certification) 2.0, NIST (National Institute of Standards and Technology) SP (Special Publication) 800-171, DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7019, and FAR (Federal Acquisition Regulation) 52.204-21.
Whatever your next step is, we’re happy to help you on your journey. If you’re ready to move your business across the line, we’d like to offer you a free consultation to learn more about your business and outline the next steps in getting compliant and securing your data. If your next step is to learn more, please visit us at www.ardalyst.com/Tesseract to learn more about the Tesseract program or visit our resources page at www.ardalyst.com/cybersecurity-resources/ for more information about regulatory compliance frameworks and how they affect your business.
Only two years into the new decade and our nation has been faced with increasing operational challenges. The pandemic turned us into a “remote-first world” making us more digitally dependent than we’ve ever been. As we’ve made this digital shift, we’ve also seen our traditional cybersecurity perimeters do the same to account for cloud solutions and disparately located employees outside of the traditional perimeter. This created the perfect opportunity for our adversaries and led to some significant cyber events, like the SolarWinds and Colonial Pipeline exploitations. Practitioners, organizational and national leaders agree, we must do something to improve the standard of cybersecurity across our nation to prevent these attacks. Zero Trust is one solution.
What is Zero Trust Architecture (ZTA)?
The National Institute of Standards and Technology (NIST), in SP 800-207, defines a Zero Trust Architecture as “an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement.” In other words, assume that untrusted users already exist both inside and outside the network, so trust can never be implicitly assumed or granted; it must be continually evaluated.
Zero Trust Principles
Microsoft, a leading vendor of Zero Trust solutions, outlines the Zero Trust principles as:
1. Verify Explicitly — Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
2. Use least privileged access — Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
3. Assume Breach — Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
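The policy function below shows what those three principles look like as a single per-request access decision. It is added here as an example and is not code from Microsoft or from Ardalyst’s Tesseract program; the signal names, classification labels, action names and time limits are assumptions chosen for the example, and the requests in the test are constructed.

```python
"""Per-request access decision built on the three Zero Trust principles.

Added example; not Microsoft's or Ardalyst's code. Signal names,
classification labels and time limits are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up_mfa"  # may proceed only after a fresh MFA challenge
    DENY = "deny"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    classification: str            # "public" | "internal" | "cui"
    action: str                    # "read" | "write" | "admin"
    requested_minutes: int         # how long the caller asked to hold access
    # Signals. None means "not collected", which is not the same as False.
    mfa_passed: Optional[bool]
    device_managed: Optional[bool]
    device_compliant: Optional[bool]      # patched, disk encrypted, EDR reporting
    location_anomaly: Optional[bool]      # sign-in from an unusual place
    on_corporate_network: Optional[bool]  # recorded for audit only, never trusted


@dataclass
class Grant:
    decision: Decision
    reasons: List[str] = field(default_factory=list)
    minutes: int = 0


# Least privilege: access is just-in-time, so every grant expires.
MAX_MINUTES = {"read": 480, "write": 240, "admin": 30}
REQUIRED_SIGNALS = ("mfa_passed", "device_managed", "device_compliant", "location_anomaly")


def decide(req: AccessRequest) -> Grant:
    # 1. Verify explicitly: the decision consumes every signal, and a signal
    #    that was not collected fails closed instead of defaulting to "fine".
    missing = [s for s in REQUIRED_SIGNALS if getattr(req, s) is None]
    if missing:
        return Grant(Decision.DENY, [f"missing signals: {', '.join(missing)}"])

    # 3. Assume breach: network location buys nothing (on_corporate_network is
    #    logged but never consulted), and the most sensitive segment carries the
    #    strictest requirements no matter where the request originated.
    if req.classification == "cui":
        if not (req.device_managed and req.device_compliant):
            return Grant(Decision.DENY, ["CUI requires a managed, compliant device"])
        if not req.mfa_passed:
            return Grant(Decision.STEP_UP, ["CUI requires MFA"])

    # Risk-based adaptive policy: an anomaly raises the bar rather than being ignored.
    if req.location_anomaly:
        if req.action == "admin":
            return Grant(Decision.DENY, ["admin action from anomalous location"])
        if not req.mfa_passed:
            return Grant(Decision.STEP_UP, ["anomalous location"])
    if req.action == "admin" and not req.mfa_passed:
        return Grant(Decision.STEP_UP, ["admin action requires MFA"])

    # 2. Least privilege: just enough access for just enough time.
    cap = MAX_MINUTES[req.action]
    minutes = min(req.requested_minutes, cap)
    reasons = ["all checks passed"]
    if minutes < req.requested_minutes:
        reasons.append(f"{req.action} access capped at {cap} minutes")
    return Grant(Decision.ALLOW, reasons, minutes)


if __name__ == "__main__":
    # Constructed request: a contractor engineer opening a CUI share from a
    # managed laptop, asking for a ten-hour window.
    demo = AccessRequest(
        user="alice", resource="cui-share", classification="cui", action="read",
        requested_minutes=600, mfa_passed=True, device_managed=True,
        device_compliant=True, location_anomaly=False, on_corporate_network=False,
    )
    print(decide(demo))
```

The shape to notice is the order of the checks: signal completeness first (verify explicitly), then segment rules that ignore network origin (assume breach), and only then the time-boxed grant (least privilege). A missing signal and a failed signal both end in a deny; the difference is only the reason string.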
Where did all the ZTA Buzz Come From?
In response to the new normal (the current rise in outsized cyber-attacks), Executive Order 14028 (May 2021) set a new standard for the practice of cybersecurity inside and outside of government. The EO covers the protection and security of “systems that process data” (i.e., Information Technology (IT)) and “those that run the vital machinery that ensures our safety” (i.e., Operational Technology (OT)). It sets out to remove barriers to sharing threat information; to standardize and consolidate vulnerability management, incident response, and threat hunting practices within the government; and to modernize federal infrastructure and cybersecurity architectural standards, shifting away from an on-premises, perimeter-based strategy toward a cloud-based Zero Trust Architecture (ZTA).
What’s the Catch?
In an ideal world, a true Zero Trust cybersecurity system could be the only cybersecurity system you need, as you are collecting all the data and using it to make every access decision. In practice, this requires extensive data collection, curation, and analysis. Driving accurate decisions on every interaction can be messy, inefficient, and impractical, especially when adversaries exploit the underlying dependencies. Always remember, the adversary gets a vote. This doesn’t mean Zero Trust is without merit, only that it should not be your sole cybersecurity strategy.
Understanding the Gaps in a Zero Trust Architecture
Thriving (let alone surviving) in the new normal requires organizations to have strategies to detect and respond in the “All-Threat” operating environment (i.e., collectively and continuously challenged by all four tiers of cyber threats), specifically:
No Adversary: Situations when there is no adversary or intent to purposely cause a cyber event (e.g., Natural Disasters).
Low-Tier: Spends tens of dollars. Uses publicly available tools and scripts and well-known, basic tactics, techniques, and procedures (TTPs) to exploit exposed, already-known vulnerabilities, in pursuit of basic criminal or attention-grabbing objectives.
Mid-Tier: Spends millions. Uses known TTPs to find and exploit both known and unknown vulnerabilities in pursuit of major criminal or national objectives; these groups’ TTPs are tracked as cyber threat intelligence under named Advanced Persistent Threat (APT) designations.
High-Tier: Spends billions. Creates new TTPs and discovers or introduces new vulnerabilities for targeted use, often by attacking the supply chain, so neither the methods nor the weaknesses are known in advance; usually supported and funded by foreign governments pursuing outcomes vital to their national security.
Leveraging an All-Threat™ Strategy
We recommend bringing an All-Threat™ Strategy to your Zero Trust Architecture to help you achieve cyber resiliency and improve business functionality. The All-Threat Strategy helps you to:
Build for Cyber Resiliency: Limit the dependence on vulnerable technology and processes.
Stay Ahead of Threats: Regularly adjust your security based on the nature of the threats you face.
Develop Greater Assurance: Protect the system with out-of-band feedback to demonstrate and validate your system security.
Evolve with Your Adversary: Leverage the latest understanding of your adversaries in your defenses.