Be Prepared with RedSeal: DOD-Required Cybersecurity Maturity Model Certification

Cybersecurity Maturity Model Certification (CMMC) is a tiered system in which defense contractors, or any organization holding Controlled Unclassified Information (CUI), must be vetted by a third-party assessor on a five-level scale to determine the maturity of their enterprise security. This requires companies that do business with the Department of Defense to protect their data, since it is critical to national security and America’s competitive military edge.

Even though China and other countries have been stealing plans and other intellectual property (IP) for some time now, the defense industrial base has been allowed to sign off on its own audit of compliance with cybersecurity regulations concerning unclassified information.

As cyber theft of IP has continued, holding contractors to a higher, enforceable standard is important and worth doing.

Essentially, CMMC is an expanded, enhanced and enforced version of NIST SP 800-171 compliance. The key differences are:

  • Enhanced controls for Levels 4 and 5
  • Requirement for third-party audit instead of self-certification

A non-profit organization, the CMMC Accreditation Body, has been established to oversee certification of Third-Party Assessment Organizations (3PAOs), assessors who will serve as auditors. A certification is expected to be valid for three years.

The 110 security controls established by SP 800-171 are the foundation of the 171 practices across 17 security domains required to reach the highest level of CMMC. Each Request for Proposal (RFP) will state the level of certification required to be awarded the contract. Based on what we know right now, CMMC Level 3 certification is expected to be the de facto standard for most organizations to do business with the DOD, with Levels 4 and 5 reserved for more sensitive projects. The DOD is working on a DFARS rule change to incorporate CMMC into contracts by Fall 2020, although full roll-out is targeted for 2025.

How Can RedSeal Help?

For defense contractors who want to continue to bid and win business, maintaining CMMC standards will now be mandatory. For large organizations, adding CMMC to already existing audit and compliance processes may not be that heavy a lift. However, smaller companies will not have sufficient staff or resources. Therefore, automating and simplifying as much of the process as possible is key to success.

RedSeal’s cyber terrain analytics platform helps automate 67 of the 171 controls mandated by CMMC. Many of the controls are tedious to complete and must be checked repeatedly at specific intervals determined by NIST 800-171. By using RedSeal, your team can quickly identify where your network has drifted out of compliance, allowing them to rapidly remediate identified misconfigurations without having to pore over hundreds of spreadsheets, reviewing tens of thousands of lines of firewall rules and access control lists to determine if you are still compliant.

Additionally, when it comes time for re-certification, you can rest assured that your company is prepared for the audit because RedSeal has been continuously monitoring the configuration state of those 67 controls, allowing your network and cybersecurity teams to use their time efficiently by keeping the business prepared and mission ready.

This comprehensive, continuous inspection allows RedSeal to report a risk-based audit of a network and then continuously monitor its security posture. Operators, analysts, and members of your leadership team can track how defensive operations are trending over time via RedSeal’s Digital Resilience Score, which also measures vulnerability management, secure configuration management, and overall understanding of the network.

RedSeal’s platform shows you what is on your network, how it’s connected, and the full context of the associated risk. With RedSeal, you can visualize end-to-end access, intended and unintended, between any two points of the network to accelerate incident response. This visualization includes detailed access and attack paths for individual devices in the context of exploitable vulnerabilities to speed decision making during a mission.

RedSeal builds a complete model of your network—including cloud, SDN, and physical environments—using configuration files retrieved either dynamically or completely offline. It brings in vulnerability and all available endpoint information. Your teams will be able to validate that network segmentation is in place and configured as intended. RedSeal checks all network devices to see if they comply with industry best practices and standards such as DISA STIGs and NIST guidelines. This proactive automation greatly reduces audit prep time (CCRI, others) and assists with speedy and better informed remediation.

RedSeal provides the DOD, as well as commercial, civilian, and intelligence organizations, with real-time understanding and a model of their cyber terrain so they can discover, detect, analyze, and mitigate threats and deliver resilience to the mission.


‘Red Teams’ Need to Deliver Context — Let’s Help Them

Working on a Red Team is frustrating. I know, I was on one.

Red Teams work hard penetrating systems, gathering data and presenting findings to senior management, only to get strongly dismissive responses: “So what?” This is frequently followed by an order not to share detailed information with the Defensive Cyber Operations (DCO) teams defending the network. Sometimes the reason is obvious. Sometimes not.

I came to realize that the underlying problem is that the findings don’t include enough information to make an impact on a culture of inertia that comes with the cybersecurity world. I have actually had executive leaders tell me they would lose plausible deniability.

This obviously sub-optimal situation hasn’t changed since my time serving on a Red Team.

The DOD Office of Inspector General just released a new report, “Followup Audit on Corrective Actions Taken by DoD Components in Response to DoD Cyber Red Team-Identified Vulnerabilities and Additional Challenges Facing DoD Cyber Red Team Missions.”

This was a checkup on the earlier report, “Better Reporting and Certification Processes Can Improve Red Teams’ Effectiveness,” a more easily understandable title.

They investigated three areas to see what had changed in eight years.

  • Did DoD Cyber Red Teams support operational testing and combatant command exercises?
  • Were corrective actions being taken to address DoD Cyber Red Team findings?
  • Did the assessed risks affect the ability of DoD Cyber Red Teams to support DoD missions and priorities?

The results? In a word: No.

The data generated by Red Teams and the teams conducting Defensive Cyber Operations is still not being shared. Worse, even with better procedures, part of the problem is that both the results and the analysis of the results of penetration testing and vulnerability management functions are superficial.

They don’t pass the “so what” test.

But, Red Teams can’t do their job well unless they have an accurate map of the cyber terrain to put information into a larger context. This context is more important for reducing the risk to missions.

Unique in the industry, RedSeal can model and evaluate Layers 2, 3, 4 and now 7 — application-based policies. And, it includes endpoint information from multiple sources.

If both Red Teams and the DCO teams tasked with defending the cyber battlespace can easily analyze 3-4 layers of complex attack depth to connect vulnerabilities exposed to the Internet with pivots and attack paths buried deep in a network’s hybrid infrastructure, their recommendations will be seen as worthy of immediate attention. This will lower the risk to mission in a real way.

Maybe then, senior management will listen, the process will radically improve, and the DOD Inspector General will not have to write a report saying nothing has changed in seven years.


Don’t believe the hype: AI is no silver bullet

Computer Weekly | August 7, 2020

We want to believe AI will revolutionise cyber security, and we’re not necessarily wrong, but it’s time for a reality check

Chief information security officers (CISOs) looking for new security partners must therefore be pragmatic when assessing what’s out there. AI is helpful, in limited use cases, to take the strain off stretched security teams, but its algorithms still have great difficulty recognising unknown attacks. It’s time for a reality check.

RedSeal’s Julie Parrish Named to Top 100 Women in Cybersecurity for 2020

Cyber Defense Magazine | August 3, 2020

RedSeal Chief Operating Officer Julie Parrish was named to Cyber Defense Magazine’s Top 100 Women in Cybersecurity for 2020, which recognizes and honors the industry’s most respected and accomplished women in cybersecurity.

Julie Parrish has more than 30 years of experience across sales, channel management and marketing in Fortune 500 companies. Prior to joining RedSeal, Julie held CMO roles at both Check Point Software and NetApp, where she oversaw all aspects of marketing, including product, field, brand, digital, events, and both public and analyst relations.

RedSeal Named Winner in Black Unicorn Awards for 2020

Cyber Defense Magazine | August 3, 2020

RedSeal has been named a Winner in the Black Unicorn Awards for 2020 for the second consecutive year.

The term “Black Unicorn” signifies a cybersecurity company that has the potential to reach a $1 billion market value as determined by private or public investment, and these awards showcase those companies with this kind of incredible potential in the cybersecurity marketplace.