News and Articles in the realm of Security Compliance and Vulnerability Assessment.
On November 14, Leah McGrath, Executive Director of StateRAMP, presented the 2023 Staff Report to the Steering Committee. As we wrap up 2023, these Top 10 Updates serve as a reflection on the year and a glimpse into the future. Join us as we dive into the Top 10 StateRAMP updates going into the new year.
The StateRAMP Staff collaborated with the StateRAMP Board to submit a response to the ONCD’s Request for Information (RFI) in October 2023.
StateRAMP prioritized updating its security framework from NIST 800-53 Rev. 4 to Rev. 5. The updated framework aligns closely with FedRAMP's low and moderate impact baselines. The Rev. 5 policies and procedures will be posted on the StateRAMP website by early January. StateRAMP Ready, Authorized, and Provisional statuses will all be required to meet Rev. 5 requirements by October 1, 2024.
Launched in January 2023, the StateRAMP Security Snapshot and Progressing Snapshot Program have become highly successful. In October 2023, the StateRAMP Standards and Technical Committee updated the criteria and scoring to align with NIST 800-53 Rev. 5 and the MITRE ATT&CK framework. The new criteria prioritize the highest-scoring MITRE ATT&CK threat controls, emphasizing best practices for improved security defense. The updated Security Snapshot criteria will be effective January 1, 2024.
StateRAMP and strategic partner NASPO have formed a joint Task Force to enhance best practice templates and solicitation/contract language. The Task Force plans to meet from October 2023 to March 2024 and will provide recommendations and findings to the Board and Steering Committee.
The Standards and Technical leadership, in collaboration with FBI CJIS leadership, is initiating a StateRAMP CJIS Task Force. The objective is to unite State and Local Government stakeholders with FBI CJIS guidance to develop a StateRAMP overlay aligned with CJIS requirements. Even though no CJIS certification exists, the CJIS-focused overlay aims to showcase a product's potential for compliance. Obtaining StateRAMP Authorization with this overlay would be directional only, and any CJIS compliance determination would still rest with the appropriate agency personnel. The FBI CJIS team will serve as advisors, and outreach will begin this quarter, with the Task Force starting in Q1 of 2024.
TX-RAMP now recognizes StateRAMP Progressing Snapshot and StateRAMP Ready status for Provisional Status with no expiration, a change from the usual 18-month limit. StateRAMP Authorized qualifies for full TX-RAMP compliance. Discussions with DIR are ongoing to update the TX-RAMP Program Manual for pathways to full TX-RAMP compliance through StateRAMP Ready and StateRAMP Provisional.
StateRAMP is actively engaged in CISA's Joint Cyber Defense Collaborative, contributing to the High-Risk Communities Protection Planning. We've collaborated with CISA to co-author a blog on third-party risk management; watch for its publication on the CISA site. Additionally, discussions are underway for StateRAMP to potentially join the CISA Supply Chain Task Force.
StateRAMP’s 2024 events will kick off with the inaugural StateRAMP Cyber Summit in Indianapolis on September 12th. Additionally, there are plans for a Provider Leadership Council and Leadership Retreat on September 11th and 13th. StateRAMP is also collaborating with Government Technology for strategic partnerships, involving panel discussions at GovTech’s Public Sector Cybersecurity Summits and State Digital Government Summits.
The Board elected to move to Tiered Memberships for Providers, Consultants, and 3PAOs in 2024. This update will provide members with options for different levels of engagement with StateRAMP that will help support the organization long-term. Additionally, all members will move to the same annual renewal date of June 1. View a summary of the 2024 Membership Update (pdf).
StateRAMP presented at the GW Law Summer Series 2023 during the July webinar on Reforming the ABA Model Procurement Code (MPC). Our presentation highlighted StateRAMP’s role, its alignment with emerging state and local cybersecurity strategies, and our vision for key MPC areas. As a result, we were invited to speak in a law school class on a related topic and connected with key players in the MPC reform process.
StateRAMP has demonstrated a commitment to adaptation, collaboration, and education.
The non-profit prioritizes adapting to regulatory security changes, engaging successfully in partnerships, and organizing events that emphasize education. As we gain momentum heading into 2024, these principles show StateRAMP’s dedication to continue shaping the future of cybersecurity.
I'm relatively new to this standard as far as trying to understand how to properly implement it. Based on what I've heard and read I'm a bit confused and just looking for some guidance/clarity.
I think that's it, hopefully the above makes sense. Ultimately, what I'm looking for confirmation on is if I were to take a non-compliant off-the-shelf product, is there any way I can host it and result in us being able to make it FIPS compliant (e.g. putting it behind a FIPS approved load balancer/firewall, encrypting with hardware SAN encryption, running on a FIPS compliant Windows server)? To me, this seems to not be possible, but I'm not able to find a clear answer on this.
Good Morning fellow IA / Cyber Sec Pros,
Anyways, enough with the formalities. I am having trouble signing up for this dumb training. I took this class many a year ago and have not retained my certificate for it, thus I cannot just take the BGP exam to get re-certified. I have looked all over the cyber.mil catalog and cannot find anywhere to sign up for this thing. Any alternate avenues to complete this or suggestions would be appreciated. Thank you very much for your time.
I am looking over the worksheets that FedRAMP has given to do control selections for Annual Assessments. The old one (the one from 2018) is still out on their Documents and Templates page; it's called Annual Assessment Controls Selection Worksheet. There is a new one provided now called FedRAMP rev 4 to rev 5 Assessment Controls Selection Template. I am trying to figure out if FedRAMP has added new CORE controls that are tested every year. From the FedRAMP rev 4 to rev 5 Assessment Controls Selection Template, it looks like they have. But I am not sure if I am interpreting it correctly. Anyone have a clear answer on this?
Hey, r/CMMC community! 🌐
I'm curious about the rules and regulations surrounding access to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). I've heard varying information, and I'm wondering if non-U.S. citizens are allowed to access such data.
Scenario: The parent company is in Canada, and the subsidiary company is located and operating from the USA, supplying network equipment to the DoD. Are non-U.S. citizens allowed to process the purchase order, build software applications, and install equipment at the (DoD) site location?
Does anyone have insights or experiences to share on this topic? Any relevant laws or policies I should be aware of? Thanks in advance for your input! 🤔🌎 #FederalContract #CUI #Regulations
My state org. is looking at adopting various provisions of 800-171 to comply with new mandates. Does anybody have a cheat sheet of applicable NIST docs that outline best practices? I.e. for the access control family look at NIST Pub 800-XYZ, for data destruction look at NIST Pub 800-ABC? Thanks!
Basically, I'm tasked with setting up a CMMC 2.0 L2 compliant Azure environment. I'm expecting there to be a good amount of controls/practices that are managed by and inherited from Microsoft. Essentially, I just need the control implementation summary or the customer responsibility matrix with artifacts/evidence so I can show it to an assessor and document it in our policies/SSP.
Anyone know where to get that for Azure commercial and/or GCC High? Is there a place I can access it in Azure or do I have to ask an MS rep or what? Thanks!
I've been told by our POC that our CUI will eventually be marked as CUI//OPSEC//FEDCON. The TCAQ helpdesk told me that our cloud services used in performance of the contract must be FedRAMP Moderate, with no mention of GCC. We only provide a "commercial service" to the DoD, and this doesn't involve any manufacturing, coding, production, munitions (including encryption), providing cloud services, or such.
Our contract also states "Compliance with NIST SP 800-171 measures is required at the prime contractor level and does not apply to subcontractors and other entities that the prime contractor engages with in order to meet the requirements of this contract."
Putting all of this together would seem to indicate that we do not need GCC, as we do not fall under ITAR. I will be asking our POC soon, but would like some feedback from non-DoD people. I have already confirmed (directly from the DoD) that this contract does NOT fall under 252.239-7010 Cloud Computing Services, although this wasn't via our actual POC but from the TCAQ help desk.
Hey gang, could use a sounding board. I'm a QA guy, not IT or security, but have been pushed to implement CMMC 2.0 at my new job. Small business, maybe 25-30 people, all local network with only 1 laptop on VPN (that I will deal with later). Cost and culture are big factors in what I can try to implement, and I'm trying to understand what is required without much guidance. So, I had a thought today, and wanted to try it on you guys. Please tell me if it's ridiculous outright, or if it just has holes in it. We need to solve our data encryption, MFA, and mobile data media issues. I know it's not perfect, but I hope that it's workable. We are definitely installing CCTV cameras on all entrances, and badge entry on doors, and securing fences/gates. However, we are working on securing the interior and databases. I've been working on utilizing BitLocker to at least get us up and running for encryption, but we don't have any TPMs on the computers, as they are mostly home-build types, not office models. So, rather than using passwords for BitLocker, since we are still using those for log-ins on desktops, I thought I might be able to use the other options.
My hope was, if I ordered some bulk USB drives:
These USB drives can also have encryption to-go, plus we could have some larger SSD drives for bigger files on the log. My instincts tell me there are so many reasons why this can't work, but I need other eyes to tell me what, exactly.
Appreciate any help you all can give me!
Sorry if this is not the right place for this question, because it's not really related to CMMC. We are expecting a DFARS flow-down to implement "PDNS" (protected DNS) on all systems to protect all CDI.
We are planning on incorporating the DoD PDNS services that supply this service, but the question came up if AWS's Route 53 Resolver DNS Firewall should also meet this requirement. Any opinions/advice on this subject?
How do you approach this?
The project that I am on wants me to mark data labels (e.g. public, internal, PII, etc.) for the database tables within the application. This is new territory for me, outside of the traditional assessor's skillset to implement this. A couple of questions:
Please give me your wisdom. I am a bit stumped.