White papers: Looking for solutions

Cybersecurity risk management and Cybersecurity Maturity Model Certification (CMMC)


Life cycle management (LCM) of defence systems, from the drawing board through manufacture, deployment and maintenance to removal from service, requires careful consideration by the Defence Industrial Base (DIB) and the end user. US DoD cybersecurity requirements, defined by the Cybersecurity Maturity Model Certification (CMMC), affect how CUI data is managed by the DIB. For LCM this means an impact on the creation, storage and usage of CUI throughout the whole life of ‘any’ component part of a US defence system.

It requires the implementation of NIST SP 800-171 and CMMC cybersecurity practices, and certification at the required CMMC level (Level 1 to Level 5).

White Papers

Cybersecurity compliance: ‘Left of bang’?

Cybersecurity is the most significant non-financial risk faced by the public and private sectors: a risk that market forces alone have failed to manage, and one that governments are starting to regulate in order to manage it.

Where once boards had the option of implementing cybersecurity, they must now decide whether they want to participate in a regulated market; if they do, they must implement cybersecurity risk management. Organisations that are not publicly traded should also be concerned, as they may be suppliers to public firms that will be expected to understand and manage their cybersecurity supply chain risks.

The Securities and Exchange Commission is coming. Now is the time to prepare for cyber-risk management?

Cybersecurity is the most significant non-financial risk faced by the public and private sectors: a risk that market forces alone have failed to manage, and one that governments are starting to regulate in order to manage it.

The SEC announced proposals on the 9th of March 2022 formally requiring registrants in US capital markets to comply with cybersecurity risk management, strategy, governance and incident reporting requirements. The implications are far reaching and will require public firms and their boards to manage cybersecurity risk, governance, strategy and incident disclosure.

Is cyber an insurable risk today?

Cyber-risk is a dynamic and unstable risk that today is, in general, poorly managed by public and private sector companies. This is demonstrated by the frequency, complexity and severity of cyber attacks; by the ability of the insurance industry to economically underwrite and mediate cyber insurance claims; and by recent interventions by the US government in cyber legislation and cyber regulatory enforcement.

Organisations have relied upon cyber insurance as a tool to mitigate cyber-risk at the expense of implementing appropriate cybersecurity controls. However, the erosion of cyber insurance coverage in 2021 is likely to continue into 2022, forcing insurers, reinsurers and organisations to reconsider the way forward for cyber-risk mitigation.

Cybersecurity and the small business paradigm

For small businesses, cyber-risk management is a significant challenge. It is a complex, expensive and resource-intensive risk to manage, and one most small businesses cannot afford to manage. This creates a significant issue for the Federal Government and larger corporations, which depend upon the products and services that small businesses provide.

Small businesses make up a significant proportion of the companies trading in the U.S. and abroad. They range in size and complexity from one-person businesses to those employing 500 people. These companies design, manufacture and maintain the products and services that society depends on, using cyberspace as a critical tool to conduct business.

Small Business America is a sector upon which the Federal Government and big business rely. Small businesses create and deliver products and services that make their way through complex supply chains into the US economy. They employ nearly 50% of the US labor force and make significant contributions to new employment, tax income, innovation and US GDP, on which the US economy depends.

US Department of Defence

FISMA, RMF and DoDI 5000.90 – DoD procurement, Supply Chain Risk Management and Cybersecurity

On the 31st of December 2020, the DoD released Instruction DoDI 5000.90, “Cybersecurity for Acquisition Decision Authorities and Program Managers,” establishing policy and prescribing procedures for the management of cybersecurity risk by program Decision Authorities (DAs) and Program Managers (PMs) in the DoD acquisition process. For organisations that contract with the DoD, this is a critical instruction. It sets out the foundations for cybersecurity risk-based decision making within the Defence Acquisition System (DAS), utilising the RMF, which includes an SCRM policy requirement for program managers. It will significantly affect the relationship between the DoD, DIB contractors and subcontractors.

CMMC – The complex road ahead following the IFR

The challenges and opportunities for companies complying with the US DoD’s requirements

The international Defence Industrial Base (DIB) is an important contributor to the US DoD, and the CMMC programme will have an impact on the international supply chain. In this paper we discuss the Interim Final Rule, which came into effect on the 1st December 2020, the two-part approach adopted by the DoD for the deployment of NIST and CMMC, and the implications for companies across the DIB, with some practical examples of what to do to start the compliance process.

The DFARS Balancing Act

An important read if you are interested in cyber regulation and supply chain security. CMMC has been on the radar for many months, and the release last week of the Interim Final Rule, together with the ‘unpublished’ release by the Federal Government of DFARS: Assessing Contractor Implementation of Cybersecurity Requirements for public comment, is a pivotal moment for the deployment of cybersecurity standards within the US DoD supply chain and more generally. The paper pulls together some of the salient points raised by the Interim Final Rule and bridges the gap between CMMC deployment and regulation.

CMMC: an international perspective

It won’t be long before the draft DFARS text for the US DoD CMMC programme is released for public consultation. Whilst no one knows what it will say, the MoU between the Department of Defence and the CMMC AB is in the public domain. The first round of training for CMMC provisional assessors has taken place, and deployment of the standard is widely discussed in the US. For international contractors the standard will have a profound effect on how trade, and specifically procurement, takes place with the US. Whilst the first phase of CMMC regulation is firmly focused upon the Department of Defence, other Federal Agencies have added CMMC requirements into their own procurement requirements. It is expected that this will gain momentum over the coming months and that CMMC requirements will make their way into procurement policies.

This paper outlines the history of CMMC and some of the opportunities and potential issues which companies will face as the model is deployed.

Board governance

The Elephant in the board room

Cyber is one of the biggest non-financial risks boards deal with today. By any measure it has been shown to have a significant impact on an organisation’s financial statements. Cyber carries significant costs on both sides: the cost of securing the organisation against attack and the cost of remediating a successful attack. Cyber is an enterprise-wide risk: wherever data is created, transmitted and consumed, cyber is a risk. Whether that data is CUI, FCI, PII or corporate IP, its damage, loss or destruction has a cost. A risk requiring board oversight and assurance?

Securing the corporate balance sheet

Cybersecurity has evolved. For many years it was seen as the responsibility of the IT department and the CIO. Cyber is an enterprise-wide business risk, as demonstrated by the impact of an attack on corporate financial statements: the costs of deploying security solutions and of remediating incidents affect the P&L, cash flow and the balance sheet. The conversation around the board table has traditionally been a technology conversation. This has to change to a business conversation about managing a risk which touches the physical and logical footprint of any organisation.

Professional standards

Setting professional standards for cybersecurity

Cybersecurity is a complex capability to manage. International frameworks and standards such as ISO 27001 or NIST SP 800-171 identify over 170 practices which should be applied to manage cyber risk. Whilst there are over 120 cyber-related qualifications, there are no professional standards by which a board can assess the capability of its cyber leadership, as there are in finance, law, engineering or the medical profession. How does the chairman or CEO assess the capabilities of their CISO?