ASSET InterTech’s Cybersecurity Maturity Model Certification (CMMC) Compliance Initiative

There has been a lot of discussion and intrigue on Cybersecurity and what to really be concerned about.  As ASSET InterTech is moving towards CMMC 2.0 Level 2 Compliance, we felt that a blog would help explain why Cybersecurity should be important to everyone.

Cybersecurity; What it is

Cybersecurity refers to the practice of protecting computer systems, networks, data, and digital assets from various forms of cyber threats, which include unauthorized access, data breaches, cyberattacks, and other malicious activities. The primary goal of cybersecurity is to ensure the confidentiality, integrity, and availability of digital information and technology resources.

Cybersecurity encompasses a wide range of strategies, technologies, and practices aimed at safeguarding digital environments from risks posed by hackers, cybercriminals, and other malicious entities. It involves measures such as:

1. Access Control: Implementing mechanisms to control who can access digital resources and ensuring that only authorized individuals or entities can gain entry.
2. Encryption: Protecting sensitive data by converting it into a coded form that can only be decrypted by authorized parties with the appropriate keys.
3. Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS): Deploying these technologies to monitor and filter network traffic, identifying and blocking suspicious or unauthorized activities.
4. Vulnerability Assessment and Penetration Testing: Conducting regular assessments to identify potential weaknesses in systems, applications, and networks and then testing them through controlled attacks to ensure their resilience.
5. Security Awareness Training: Educating users and employees about potential cyber threats, safe online practices, and how to recognize and respond to phishing and social engineering attempts.
6. Incident Response and Disaster Recovery: Establishing protocols and plans to effectively respond to and recover from cybersecurity incidents, minimizing potential damage and downtime.
7. Malware Protection: Implementing tools and techniques to detect, prevent, and remove malicious software (malware) such as viruses, worms, trojans, and ransomware.
8. Patch Management: Keeping software, operating systems, and applications up to date with the latest security patches and updates to address known vulnerabilities.
9. Authentication and Identity Management: Verifying the identities of users and devices trying to access digital resources through methods like multi-factor authentication and strong password policies.
10. Data Backup and Redundancy: Creating regular backups of critical data and systems to ensure that in the event of a cyber incident, data can be restored and operations can continue with minimal disruption.

As technology continues to advance, the field of cybersecurity evolves to address new and emerging threats, making it an essential aspect of modern digital life and business operations.

Cybersecurity; What it is not

Cybersecurity is often misconceived or confused with certain related concepts. Here are some aspects that cybersecurity is not:

1. Privacy Protection: While cybersecurity helps protect data from unauthorized access and breaches, it focuses on safeguarding the overall security of digital systems and networks. Privacy protection, on the other hand, is more concerned with ensuring individuals’ rights to control their personal information and regulating its collection, use, and disclosure.
2. 100% Invulnerability: Cybersecurity measures aim to reduce risks and vulnerabilities, but they cannot guarantee absolute protection against all cyber threats. No system can be entirely immune to attacks, and the goal is to mitigate and manage risks rather than eliminate them completely.
3. Physical Security: Cybersecurity primarily deals with digital assets and data in the virtual realm. It is not directly responsible for physical security measures like locks, surveillance cameras, or access control to physical locations.
4. Regulation Compliance: While cybersecurity practices often align with regulatory requirements (such as GDPR, HIPAA, or industry-specific standards), compliance does not necessarily equate to comprehensive cybersecurity. Organizations can comply with regulations without addressing all potential cyber risks.
5. Software Development: Cybersecurity involves securing software applications and systems, but it is distinct from the software development process itself. Secure software development practices (like secure coding) contribute to cybersecurity, but they are a subset of a broader security strategy.
6. Data Management: Cybersecurity is concerned with protecting data from cyber threats, but it does not encompass the entire spectrum of data management activities, such as data storage, retrieval, analysis, and utilization.
7. Information Technology (IT) Management: While closely related, IT management involves overall technology infrastructure maintenance, operations, and support, whereas cybersecurity focuses specifically on protecting these systems and networks from threats.
8. Insurance Against Cyber Attacks: While cybersecurity measures can reduce the risk of cyberattacks, cybersecurity itself is not a form of insurance. Cybersecurity involves proactive measures to prevent attacks, while cyber insurance provides financial coverage in the event of a successful attack.
9. Ethical Hacking or Penetration Testing: While ethical hacking and penetration testing are vital cybersecurity practices, they are specific methodologies used to identify vulnerabilities within systems. Cybersecurity encompasses a broader range of strategies beyond testing and assessment.
10. Digital Forensics: While digital forensics plays a crucial role in investigating and analyzing cyber incidents, it is a subset of cybersecurity focused on collecting and analyzing digital evidence after an attack or breach.

Understanding what cybersecurity is not can help to clarify its scope and importance within the larger landscape of technology, information management, and risk mitigation.

CMMC

Cybersecurity Maturity Model Certification is based off of the NIST 800-171 (NIST – National Institute of Standards and Technology).  This is the standard to protect CUI ( Controlled Unclassified Information) data in nonfederal systems and organizations.  These controls are not just protecting the CUI data a nonfederal entity has access to, but also the environment around this data.  ASSET InterTech is focused on providing the most secure environment to protect our DOD Suppliers information with protected controls of the data, as well as protective controls of our work environment, by securing end user endpoints, network, virtual machines, etc.  NIST 800-171 has 110 Controls that are tracked by the CMMC assessors and are the foundation of securing CUI data.

CMMC 2.0 has three levels of certification:

• Level 1 – Organizations will still need to demonstrate basic cyber hygiene across 17 practices that represent the basic safeguarding requirements under FAR 52.204-21 which has been in place since 2016.
• Level 2 – Organizations will have to demonstrate they have implemented the requirements of NIST SP 800-171, the same controls that were already required under the pre-existing DFARS 252.204-7012 clause. This includes 110 practices along with the Level 1 requirements.
• Level 3 – Contractors will need to demonstrate compliance with a subset of NIST SP 800-172. NIST SP 800-172 was designed to help protect against Advanced Persistent Threat (APT) actors which are currently targeting the US Department of Defense supply chain. NIST SP 800-172 provides the foundation and controls for a defense-in-depth protection approach.  These 110 additional practices must be complied with along with the level 1 and level 2 requirements.

At ASSET InterTech, we only need to be certified at Level 2 to protect the DOD Suppliers’ CUI data.

Conclusion

ASSET InterTech is committed through training, network controls, and endpoint controls to be as secure as possible.  One key element to avoiding cybersecurity attacks is to make sure your operating systems AND key applications are kept up to date with the latest security updates.  Hackers are continually finding ways to get to your private data through operating system holes and application holes.

At ASSET InterTech all employee endpoints minimize the applications that they load onto their device.  We limit our users to only 3 browsers, Edge, FireFox, and Chrome.  Our MSSP (Managed Security Services Provider), i.e. our IT support staff, continually are monitoring every endpoint, finding vulnerabilities to an endpoint and resolving those vulnerabilities in a timely manner to minimize any cybersecurity attacks.  The monitoring of endpoints uses three key applications:

• Rapid 7 – Exposes endpoint vulnerabilities
• Cisco Umbrella – Prevents users going to security risk URL’s
• CrowdStrike – Locks down endpoints that have had a security breach

This blog is to help everyone understand the importance of keeping your operating systems and key applications up to date.  It is imperative for the security of your network and systems to have the latest versions of your preferred OS on all endpoints.  Example: Windows 7 is now no longer supported by Microsoft and therefore no security updates are made.  This is a huge security hole for any organization.  At ASSET InterTech we had older applications that would only run on Windows 7.  Those applications were removed and ALL endpoints and VM’s (Virtual Machines) were updated to Windows 10 and some to Windows 11.

At ASSET InterTech, we are hoping this blog will help you become more aware of cybersecurity and how to make your endpoints and network environment as secure as possible.