Full Title or Meme
The increase in cyber-attacks and ransomware payments is driving the demand for "experts" beyond the supply.
- It seems that a snake-oil industry is developing to provide services at high cost, beyond the capacity of the available talent to respond.
- Cybernetics was described by Norbert Wiener before computers were anything more than a curiosity. It was not the source of many terms in English until very suspect activities like Bitcoin appeared.
- New companies like SentinelOne start advertising on national television with no known track record and therefore no reason to trust what they say. (2021-10-13 on NBC)
- Finding and fixing cybersecurity breaches seems like an endless game of "Whack-a-Mole", where the more you whack them down, the faster they keep popping up.
- In most countries, including the UK and the EU, cybersecurity is not required by law.
- The wiki page Cybersecurity Must Be Free explains why that is not the case today. Governments want to hold all the information, even when it is damaging to the economy for them to do so.
- Since December 2017, DFARS 48 CFR § 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) has been a DoD requirement, requiring defense contractors and subcontractors (through flow-down) to implement the 110 NIST SP 800-171 cybersecurity practices.
- In November 2020, the DoD introduced DFARS 48 CFR § 252.204-7019, -7020 and -7021.
  - DFARS clause 252.204-7019 (Notice of NIST SP 800-171 DoD Assessment Requirements): contractors and subcontractors must submit a basic NIST SP 800-171 compliance score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.
  - DFARS clause 252.204-7020 (NIST SP 800-171 DoD Assessment Requirements): the contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
  - Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS.
- November 4, 2021: DFARS clause 252.204-7021 (CMMC 2.0).
  - 3 levels
  - Based on FAR & NIST SP 800-171
  - Self-attestation or 3rd-party audit
- None of that seems to apply to COTS (commercial off-the-shelf) software.
- Legal precedent across the DoJ, DoT and SEC for prosecutions for failing to meet cybersecurity standards is documented.
- Definitions of Critical Software
- NIST presentation on enhancing the software supply chain. (2021-22-19)
- Guidelines for Enhancing Software Supply Chain Security (Section 4)
"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive Cybersecurity research. This movement away from boundary protection and after-attack analysis, to proactive autonomic systems has opened the door to new investigations and opportunities that are vital to future R&D."
- Terry Benzel, "Cybersecurity Research of the Future", CACM 64, no. 1 (2021-01)