Full Title or Meme
The increase in cyber attacks and ransom-ware payments is increasing the demand for "experts" beyond the supply.
- It seems that a snake-oil industry is in development to provider service for high costs beyond the capacity of the talent to respond.
- Cybernetics was described by Norbert Weiner before computers were anything more than a curiosity. It was not the source may any terms in English before very suspect activities like Bitcoin.
- New companies like Sentinel One start advertising on national television with no known track record. (2021-10-13 on NBC)
- Finding and fixing Cybersecurity breaches seems like an endless game of "Whack-a-Mole" where the more you whack them down, the faster that keep popping up.
- In most countries, like UK and EU, Cybersecurity is not required by law.
DoD and Biden EO
- December 2017 DFARS 48 CFR § 252.204 - 7012 (Safeguarding covered defense information and cyber incident reporting) has been a requirement of DoD. Requiring defense contractors and subcontractors through flow - down to implement 110 NIST (SP) 800 – 171 cybersecurity practices.
- November 2020, the DoD introduced DFARS 48 CFR § 252.204 – 7019, 7020 and 7021.
- DFARS clause 252.204 – 7019 (Notice of NIST SP 800-171 DoD Assessment Requirements) -
- Contractors and subcontractors must submit a basic NIST SP 800 - 171 compliance score to the DoD
- Supplier Performance Risk System (SPRS) to be considered for contract award.
- DFARS clause 252.204 – 7020 (NIST SP 800-171 DoD Assessment Requirements) Contractor shall provide access to its facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
- Contractors shall not award contracts to subcontractors unless a NIST SP 800-171 score is held in SPRS.
- November 4, 2021 DFARS clause 252.204 – 7021 (CMMC 2.0).
- 3 levels
- Based on FAR & NIST 800-171
- Self-attestation/3rd Party Audit
- None of that seems to apply to COTS (commercial off-the-shelf) software.
- Legal precedence across the DoJ, DoT and SEC for prosecutions for failing to meet cybersecurity standards is documented.
"The past 10 years have seen a move from R&D in purely defensive enterprise protection concepts to increasingly smart, autonomous, and reactive Cybersecurity research. This movement away from boundary protection and after-attack analysis, to proactive automonic systems has opened the door to new investigations and opportunities that are vital to future R&D."
- Terry Benzel, Cybersecurity Research of the Future CACM 64 no. 1 (2021-01)