Difference between revisions of "Cybersecurity"
From MgmtWiki
(Created page with "==Full Title or Meme== The increase in cyber attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply. ==Context== *It seems that a snake-oil...") |
(→Context) |
||
| (14 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
==Context== | ==Context== | ||
| − | *It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond. | + | * It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond. |
| − | * | + | * [[Cybernetics]] was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source many terms in English before very suspect activities like [[Bitcoin]]. |
==Problems== | ==Problems== | ||
| − | * | + | * New companies like [https://www.sentinelone.com/partners/partner-overview/ Sentinel One] start advertising on national television with no known track record. (2021-10-13 on NBC) |
| + | * Finding and fixing [[Cybersecurity]] breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up. | ||
| + | * In most countries, like UK and EU, [[Cybersecurity]] is not required by law. | ||
| + | |||
| + | ===DoD=== | ||
| + | * December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices. | ||
| + | * November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021. | ||
| + | ** DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) - | ||
| + | ** Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD | ||
| + | ** Supplier Performance Risk System (SPRS) to be considered for contract award. | ||
| + | ** DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment. | ||
| + | ** Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS. | ||
| + | * November 4, 2021 DFARS clause 252.204 – 7021 (CMMC 2.0). | ||
| + | ** 3 levels | ||
| + | ** Based on FAR & NIST 800-171 | ||
| + | ** Self-attestation/3rd Party Audit | ||
| + | * None of that seems to apply to COTS (commercial off-the-shelf) software. | ||
| + | *Legal precedence across the DoJ, DoT and SEC for prosecutions for failing to meet cybersecurity standards is documented. | ||
| + | ===[[Executive Order 14028]]=== | ||
| + | * Definitions of Critical Software | ||
| + | * [https://www.nist.gov/news-events/events/2021/11/executive-order-14028-guidelines-%03enhancing-software-supply-chain NIST presentation on enhancing the software supply chain.] (2021-22-19) | ||
| + | * Guidelines for Enhancing Software Supply Chain Security (Section 4) | ||
==Solutions== | ==Solutions== | ||
| + | "The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive [[Cybersecurity]] research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."<ref>Terry Benzel, ''Cybersecurity Research of the Future'' '''CACM 64''' no. 1 (2021-01)</ref> | ||
==References== | ==References== | ||
| + | <references /> | ||
| + | ===Other Material=== | ||
| + | * [https://www.nist.gov/cybersecurity NIST web site on Cyber security.] | ||
[[Category: Security]] | [[Category: Security]] | ||
Revision as of 15:45, 17 April 2022
Contents
Full Title or Meme
The increase in cyber attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply.
Context
- It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond.
- Cybernetics was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source many terms in English before very suspect activities like Bitcoin.
Problems
- New companies like Sentinel One start advertising on national television with no known track record. (2021-10-13 on NBC)
- Finding and fixing Cybersecurity breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up.
- In most countries, like UK and EU, Cybersecurity is not required by law.
DoD
- December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices.
- November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021.
- DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) -
- Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD
- Supplier Performance Risk System (SPRS) to be considered for contract award.
- DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
- Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS.
- November 4, 2021 DFARS clause 252.204 – 7021 (CMMC 2.0).
- 3 levels
- Based on FAR & NIST 800-171
- Self-attestation/3rd Party Audit
- None of that seems to apply to COTS (commercial off-the-shelf) software.
- Legal precedence across the DoJ, DoT and SEC for prosecutions for failing to meet cybersecurity standards is documented.
Executive Order 14028
- Definitions of Critical Software
- NIST presentation on enhancing the software supply chain. (2021-22-19)
- Guidelines for Enhancing Software Supply Chain Security (Section 4)
Solutions
"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive Cybersecurity research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."[1]
References
- ↑ Terry Benzel, Cybersecurity Research of the Future CACM 64 no. 1 (2021-01)
