Difference between revisions of "Cybersecurity"
From MgmtWiki
(→Solutions) |
(→Problems) |
||
| Line 9: | Line 9: | ||
* New companies like [https://www.sentinelone.com/partners/partner-overview/ Sentinel One] start advertising on national television with no known track record. (2021-10-13 on NBC) | * New companies like [https://www.sentinelone.com/partners/partner-overview/ Sentinel One] start advertising on national television with no known track record. (2021-10-13 on NBC) | ||
* Finding and fixing [[Cybersecurity]] breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up. | * Finding and fixing [[Cybersecurity]] breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up. | ||
| − | * | + | * In most countries, like UK and EU, [[Cybersecurity]] is not required by law. |
| + | |||
| + | ===OoD and Biden EO=== | ||
| + | * December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices. | ||
| + | * November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021. | ||
| + | ** DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) - | ||
| + | Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD | ||
| + | Supplier Performance Risk System (SPRS) to be considered for contract award. | ||
| + | ** DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall | ||
| + | provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium | ||
| + | or High NIST SP 800-171 DoD Assessment. | ||
| + | ** Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS. | ||
| + | * None of that seems to apply to COTS (commercial off-the-shelf) software. | ||
| + | |||
==Solutions== | ==Solutions== | ||
"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive [[Cybersecurity]] research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."<ref>Terry Benzel, ''Cybersecurity Research of the Future'' '''CACM 64''' no. 1 (2021-01)</ref> | "The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive [[Cybersecurity]] research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."<ref>Terry Benzel, ''Cybersecurity Research of the Future'' '''CACM 64''' no. 1 (2021-01)</ref> | ||
Revision as of 03:10, 21 November 2021
Full Title or Meme
The increase in cyber attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply.
Context
- It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond.
- Cybernetics was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source may any terms in English before very suspect activities like Bitcoin.
Problems
- New companies like Sentinel One start advertising on national television with no known track record. (2021-10-13 on NBC)
- Finding and fixing Cybersecurity breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up.
- In most countries, like UK and EU, Cybersecurity is not required by law.
OoD and Biden EO
- December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices.
- November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021.
- DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) -
Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD Supplier Performance Risk System (SPRS) to be considered for contract award.
- DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall
provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
- Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS.
- None of that seems to apply to COTS (commercial off-the-shelf) software.
Solutions
"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive Cybersecurity research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."[1]
References
- ↑ Terry Benzel, Cybersecurity Research of the Future CACM 64 no. 1 (2021-01)
