惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
V
V2EX
大猫的无限游戏
大猫的无限游戏
腾讯CDC
博客园 - Franky
WordPress大学
WordPress大学
Jina AI
Jina AI
GbyAI
GbyAI
云风的 BLOG
云风的 BLOG
B
Blog RSS Feed
Last Week in AI
Last Week in AI
The Cloudflare Blog
V
Visual Studio Blog
P
Proofpoint News Feed
博客园 - 叶小钗
L
LangChain Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Recorded Future
Recorded Future
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
The Blog of Author Tim Ferriss
人人都是产品经理
人人都是产品经理
Y
Y Combinator Blog
罗磊的独立博客
雷峰网
雷峰网
博客园 - 【当耐特】
Microsoft Security Blog
Microsoft Security Blog
L
LINUX DO - 热门话题
Cisco Talos Blog
Cisco Talos Blog
L
Lohrmann on Cybersecurity
Martin Fowler
Martin Fowler
Spread Privacy
Spread Privacy
MongoDB | Blog
MongoDB | Blog
Engineering at Meta
Engineering at Meta
C
Cybersecurity and Infrastructure Security Agency CISA
小众软件
小众软件
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Recent Announcements
Recent Announcements
T
Threat Research - Cisco Blogs
Security Archives - TechRepublic
Security Archives - TechRepublic
量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
宝玉的分享
宝玉的分享
D
DataBreaches.Net
T
The Exploit Database - CXSecurity.com
Vercel News
Vercel News
IT之家
IT之家
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
Troy Hunt's Blog
aimingoo的专栏
aimingoo的专栏

MeriTalk

Eliminating Silos in IT/OT Cybersecurity Is a Funding Challenge, Not a Technical One The FedRAMP High Supply Crisis Is a Federal Security Problem – Not a Procurement Footnote How More Tightly Focused Software Development Initiatives Will Unlock Innovation Across Government Transforming Federal Cybersecurity Through Private Sector Innovation Evolving Zero Trust and Embedded AI – Federal Government Cybersecurity Predictions for 2026 Unlocking AI’s Potential in High-Assurance Environments Accelerate Agentic AI in the Federal Government: Top Takeaways Why Congress Must Reauthorize the Technology Modernization Fund Make Cybersecurity a Key Ingredient of Modernization How Spectro Cloud’s PaletteAI Secure helps agencies scale AI securely, compliantly, and confidently Fix the Foundation: How Hybrid Cloud and Trusted Data Enable Government AI New Google Workspace Cost-Saving Offer Available for U.S. Federal Government Reinventing FedRAMP in the Age of AI Balancing Security and Efficiency: The Federal IT Dilemma in the AI Era Meeting Evolving State and Local Cyber Threats AI Is the Solution to Stop AI Data Theft Enhancing U.S. Government Operations with AI and Human-Centered Design How FinOps Can Help Agencies Slash Cloud Costs in 5 Steps Will Quantum Computing Weaken or Strengthen Cybersecurity of Federal Systems? Improving Citizen and Federal Employee Experience with Virtual AI Assistants Strategies for Securing the Federal Supply Chain Reframing the U.S. Government’s Approach to Cybersecurity Oversight Three Steps Agencies Can Take to Meet Government’s AI Requirements The Impact of NIST’s PQC Standardization on the Federal Cybersecurity Ecosystem Generative AI is Revolutionizing Federal Government Operations NIST’s new PQC Algorithms and What They Mean for Federal Agencies Addressing the U.S. Quantum Labor Shortage Before It’s Too Late How a Community Vigil Approach and Secure by Design are Critical to Software Cybersecurity Addressing the Talent Shortage: How Digital Government Improves Satisfaction, Retention Here’s What We Can Learn (and Do) About Cybercrime from FBI’s Latest Internet Crime Report Implementing AI Assurance Safeguards Before OMB’s December Deadline The Next AI Wave: Quantum AI CDM’s Evolution to Non-Traditional Technology: Why Now and How Will it Succeed? Customer Expectations Require Agencies to Raise the Bar on Customer Experience, Report Shows Applying for Government Benefits Shouldn’t Be Difficult When It Comes to Identity Verification Four Federal Software Supply Chain Security Trends to Watch FedRAMP Baseline Transition Points to OSCAL-Native Tools What Zero Trust Means for Modern Government: Best Practices for Key Tenets Four Ways to Handle the IT Funding Crunch Agencies Need to Get Creative to Fill the Cyber Workforce Gap Customer Identity trends report shows control trumps convenience Federal Agencies Making Strides Toward Sustainability and Climate Action Executive Order 14028 | Improving the Nation’s Cybersecurity Depends on Data | All Data is Security Data Applying Geospatial Intelligence, AI/ML to Climate Change Challenge My Cup of IT: Angry at Arthritis, Hunting for Cures How the Federal Government Can Help Combat a Fragmented Internet Accelerating Cybersecurity for US Critical Infrastructure Getting in on the Ground Floor of the ‘New Observability’ Comply-to-Connect is Key to Zero Trust for DoD How Will Upcoming Cryptocurrency Regulations Affect Industry? My Cup of IT: Cup Cake for Kushner? Launching a New Era of Government Cloud Security Managing IT Complexity in Federal Agencies Agencies Must Modernize Zero Trust Approaches to Achieve Optimal Protection Five Essential Metrics for Measuring Federal Government CX Unlocking the Benefits of 5G and Beyond The Federal Factory of the Future: How AI is Transforming Manufacturing The Quantum Impact on Cyber How Next-Gen Computers Will Transform What’s Possible for Federal Government Agencies Must Take an Authentic Approach to Synthetic Data Biometrics and Privacy: Finding the Perfect Middle Ground Two-Way Street: Why Officials and Constituents Are Equally Responsible for Securing the Midterms The “Programmable World” Will Bring the Best of the Virtual World Into the Physical One Cyberattacks are a Common Occurrence and the Costs are Higher Than Ever Increasing Equity Through Data and Customer Experience The AI Edge: Why Edge Computing and AI Strategies Must Be Complementary How Metaverses and Web3 can Reshape Government Four Emerging Technology Trends set to Impact Government Most 5G Enables AI at the Edge Plugging Cyber Holes in Federal Acquisition Resilient Critical Infrastructure Starts with Zero Trust Zero Trust Requires Continuous, Tested Security for Federal Agencies How Multi-INT Fusion Accelerates Mission Intelligence for Real-Time Decision Advantage Three Things to Consider for Responsible AI in Government Legislation, White House Orders Show Agencies Opportunity for Hybrid Cloud Creating an Effective Framework for DoD’s Software Factories Realizing Upsides for Digital Security in the Hybrid Workplace A Future With AI and ML: The Power of Workforce Education Five Tips to Begin MFA Integration and Embrace Zero Trust The Vital Intersection Between Equity and Digital Transformation Equity as a Platform: Applying a New Mindset to Scale Innovation Harnessing the Right Data for Evidence-Based Equity From EO to Action: Human Factors of Enabling a Cyber Safety Review Board For Equity in Government Services, It’s Time to Change the Paradigm Critical Questions to Ask When Considering Explainable AI (XAI) for Your Federal Agency The Telework Model for Government: COVID Lessons for Building an Effective Workforce DevSecOps: 4 Steps for Mitigating the Next Cyber Attack in Your Federal IT Environment Better Cyber Hygiene Helps, but Federal Security Needs SASE Lift DoD, Feds Plot Top Cyber, Cloud Priorities for 2022 Cloud-Native Government: How to Transform With Intention DoD and VA Health Networks Face Growing Threat From Medical-Device Vulnerabilities New Federal Cybersecurity Requirements: How Agencies Should Implement a Zero Trust Architecture Protecting Our Nation Through Big Data Analytics Three Ways COVID-19 Altered Federal, State IT Budget Allocations Ransomware is More Than a Cybersecurity Issue From Me to We: Take the Mission Further With Multiparty Systems Anywhere, Everywhere: Integrating Your Virtual Workplace ‘I, Technologist’: Empowering Innovators in the Federal Workforce Mirrored World: Digital Twins Report for Duty Across Government Stack Strategically: Rearchitecting Government for What’s Next
The Evolution of Government Tech Procurement Under CMMC 2.0
MeriTalk Sta · 2022-06-29 · via MeriTalk

By: Kyle Dimitt, Principal Engineer, Compliance Research at LogRhythm

Supply chain attacks have been on the rise across the globe, as we saw with targeted attacks against SolarWinds and Kaseya. The spike has created a large risk in the Federal government since industry supply chains don’t necessarily have to adhere to a set level of cybersecurity standards, specifically with agencies like the Department of Defense (DoD). To combat this, the DoD has attempted to minimize the risk by increasing the security of the Defense Industrial Base (DIB) with the introduction of the Cybersecurity Maturity Model Certification (CMMC) in 2019.

CMMC requires contractors to obtain third-party certification to ensure appropriate levels of cybersecurity practices are in place to meet basic cyber hygiene standards, as well as protect controlled unclassified information (CUI) that resides on partner systems. While this won’t answer all the government’s cybersecurity woes, it addresses what is becoming a more frequently seen exploit.

Challenges with CMMC 1.0

CMMC 1.0 was a very big change for the DIB. While contractors may have been required to adhere to NIST standards prior to its introduction, there was no requirement for proof of adherence to those standards with CUI. The requirement from CMMC to get audited and prove that your organization was adhering to these requirements became very costly depending on where the CUI was in your environment.

Many DIB contractors were also not confident in what CUI they had in their environments, further adding to the complexity of CMMC requirements. Because they couldn’t fully identify the CUI, they couldn’t fully scope what needed to be protected by the controls and what they would be audited against.

Additionally, there was no allowance for plans of action and milestones (PoAMs). Certifications were a firm pass/fail, which meant organizations could lose out on an opportunity for a contract if they weren’t certified and would have to be audited again once they remediated any deficiencies noted in the audit.

Introducing CMMC 2.0

In November 2021, the DoD announced CMMC 2.0, which came with an updated program structure and requirements. The key changes in CMMC 2.0 address some of the grievances shared above regarding CMMC 1.0, but other challenges remain.

CMMC 2.0 is more flexible, allowing for PoAMs and waivers to CMMC requirements under certain circumstances. This enables contractors who do not meet the security requirements to continue to bid on DoD contracts. The five-tier security system levels have also been revised to three levels, simplifying and streamlining requirements to focus on the most critical.

Third-party assessment requirements have also changed for version 2.0, reducing the number of government contractors that require a third-party assessment. Level 1 no longer requires third-party assessments but requires organizations to perform annual self-assessments. Level 2 requires triennial third-party assessments and annual self-assessments for select programs. Level 3 requires triennial government-led assessments by the Defense Industrial Base Cybersecurity Assessment Center.

The biggest challenge is still the depth of understanding in CUI. Organizations must continue working with their DoD and Federal partners to understand what CUI needs to be protected and where it is in order to properly perform third-party and self-assessments.

Impact on State and Local Governments

CMMC 2.0 will aid Federal agencies’ ability to buy and implement new technologies by allowing for more flexibility for contractors to gain CMMC certification. By making the certification process simpler and more affordable, contractors can find a quicker path to certification and ultimately a smoother procurement process. While CMMC does not impact state and local government agencies for now, it’s reasonable to expect similar mandates to extend to the local level in the future. State and local governments will likely take their cue from Federal agencies and will be more likely to work with contractors who have gained certification and federal contracts, even though it is not currently required they work with vendors with CMMC certification.

State and local governments should keep a watchful eye on the continued rollout of CMMC as they look to incorporate similar requirements in their supply chain. More importantly, these governments should stay up to date on President Biden’s executive orders around cybersecurity as they could have cascading effects for those entities. There is nothing as broad and sweeping as CMMC at the state level but with the increased focus on cybersecurity, many states are introducing new cybersecurity legislation.

Looking Ahead

The latest changes to the Cybersecurity Maturity Model Certification are a great move by the Office of Acquisition and Development and the DoD to continue to hold the DIB accountable while providing a more flexible standard. CMMC 2.0 will allow more contractors to obtain the certification and adhere to the standards but, most importantly, the second iteration is creating greater public buy-in.

The U.S. government has taken great first steps to modernize its own cybersecurity efforts before extending a set of audited requirements to the entire government supply chain. A government-wide implementation of CMMC or something very similar is not out of the question, but don’t expect to see it before CMMC demonstrates some success with its new model or before the DoD’s full phase-in by 2026.