Blog

PCI DSS 4.0 Requirements – Network Security Controls and Secure Configuration

We have officially entered the 12-month countdown to the enactment of the new Payment Card Industry Data Security Standard (PCI DSS). The new version, 4.0, set to go into effect on April 1, 2024, contains some interesting and notable changes. Is your organization ready to meet the new requirements? In this 6-part series, we spoke with specialists who help to break down the changes to make your...
  • Don't we like boxes? Encoding and decoding data across programs and systems is a "solved problem." Why should we still care? Context time Binary data Text data
  • December 6, 2023

    NIST has released Cybersecurity White Paper (CSWP) 30, Automation Support for Control Assessments – Project Update and Vision, which describes planned updates to the NIST Interagency Report (IR) 8011 series.

    On November 14, Leah McGrath, Executive Director of StateRAMP, presented the 2023 Staff Report to the Steering Committee. As we wrap up 2023, these Top 10 Updates serve as a reflection on the year and a glimpse into the future. Join us as we dive into the Top 10 StateRAMP updates going into the new year.

    StateRAMP’s Top 10 Updates of 2023:

    1. Office of the National Cybersecurity Director’s (ONCD) Request for Information on Opportunities for and Obstacles to Harmonizing Cybersecurity Regulations

    The StateRAMP Staff collaborated with the StateRAMP Board to submit a response to the ONCD’s Request for Information (RFI) in October 2023.

    2. Security Program Rev 5 Updates

    StateRAMP prioritized updating our security framework based on NIST 800-53 Rev.5 (from Rev. 4). Updating this framework results in closely aligning with FedRAMP’s low and moderate impact baselines. The Rev. 5 policies and procedures will be updated on the StateRAMP website by early January. StateRAMP Ready, Authorized, and Provisional will all be required to meet Rev. 5 requirements by October 1, 2024.

    3. StateRAMP Security Snapshot Criteria and Scoring Update

    Launched in January 2023, the StateRAMP Security Snapshot and Progressing Snapshot Program have become highly successful. In October 2023, the StateRAMP Standards and Technical Committee updated the criteria and scoring to align with NIST 800-53 Rev. 5 and the MITRE ATT&CK framework. The new criteria prioritize the highest-scoring MITRE ATT&CK threat controls, emphasizing best practices for improved security defense. The updated Security Snapshot criteria will be effective January 1, 2024.  

    4. NASPO – StateRAMP Joint Procurement Task Force

    StateRAMP and strategic partner NASPO have formed a joint Task Force to enhance best practice templates and solicitation/contract language. The Task Force plans to meet from October 2023 to March 2024 and will provide recommendations and findings to the Board and Steering Committee.

    5. CJIS Task Force Set to Begin in 2024

    The Standards and Technical leadership, in collaboration with FBI CJIS leadership, is initiating a StateRAMP CJIS Task Force. The objective is to unite State and Local Government stakeholders with FBI CJIS guidance to develop a StateRAMP overlay to align with CJIS requirements. Even though no CJIS certification exists, the CJIS-focused overlay aims to showcase a product’s potential for compliance. Obtaining StateRAMP Authorization with this overlay would be directional, and any CJIS compliance would still be determined by the appropriate agency personnel. The FBI CJIS team will serve as advisors, and outreach will begin this quarter, with the Task Force starting in Q1 of 2024.

    6. TX-RAMP Partnership

    TX-RAMP now recognizes StateRAMP Progressing Snapshot and StateRAMP Ready status for Provisional Status with no expiration, a change from the usual 18-month limit. StateRAMP Authorized qualifies for full TX-RAMP compliance. Discussions with DIR are ongoing to update the TX-RAMP Program Manual for pathways to full TX-RAMP compliance through StateRAMP Ready and StateRAMP Provisional. 

    7. CISA Participation

    StateRAMP is actively engaged in CISA’s Joint Cyber Defense Collaborative, contributing to the High-Risk Communities Protection Planning. We’ve collaborated with CISA to coauthor a blog on third-party risk management. Stay tuned for its publication on the CISA site. Additionally, discussions are underway for StateRAMP to potentially join the CISA Supply Chain Task Force.

    8. 2024 Events and Collaboration

    StateRAMP’s 2024 events will kick off with the inaugural StateRAMP Cyber Summit in Indianapolis on September 12th. Additionally, there are plans for a Provider Leadership Council and Leadership Retreat on September 11th and 13th. StateRAMP is also collaborating with Government Technology for strategic partnerships, involving panel discussions at GovTech’s Public Sector Cybersecurity Summits and State Digital Government Summits.  

    9. 2024 Membership Updates

    The Board elected to move to Tiered Memberships for Providers, Consultants, and 3PAOs in 2024. This update will provide members with options for different levels of engagement with StateRAMP that will help support the organization long-term. Additionally, all members will move to the same annual renewal date of June 1. View a summary of the 2024 Membership Update (pdf).

    10. ABA Model Procurement Code

    StateRAMP presented at the GW Law Summer Series 2023 during the July webinar on Reforming the ABA Model Procurement Code (MPC). Our presentation highlighted StateRAMP’s role, its alignment with emerging state and local cybersecurity strategies, and our vision for key MPC areas. As a result, we were invited to speak in a law school class on a related topic and connected with key players in the MPC reform process. 

    Reflecting on a Year of Achievements as We Head into 2024

    StateRAMP has demonstrated a commitment to adaptation, collaboration, and education.

    The non-profit prioritizes adapting to regulatory security changes, engaging successfully in partnerships, and organizing events that emphasize education. As we gain momentum heading into 2024, these principles show StateRAMP’s dedication to continue shaping the future of cybersecurity.

    The post StateRAMP 2023: Top 10 Updates appeared first on StateRAMP.

    We’re ringing in the New Year by giving you a sneak peek into what the NIST Small Business Program has planned for 2024. During this webinar, we’ll: Introduce you to the new NIST Lead for Small Business Engagement Provide an overview of upcoming
  • oscal-content 1.x.x release will be a minor release ?? patch release ??? with minor enhancements to the NIST SP 800-53 catalog and alignment with the NIST SP 800-53 v5.1.1 CPRT release. Key take-aways for this release are as follows: resolved profiles by adding and by aligning the catalog and the profiles with the NIST SP 800-53 v5.1.1 release. Enhanced the NIST SP 800-53 catalog with links added to the assessment objectives to link them with the control statements they belong to. Updated NIST SP 800-53 content to align with the NIST SP 800-53 v5.1.1 CPRT release. Updated profiles and resolved profiles to align with the NIST SP 800-53 v5.1.1 CPRT released data.
  • I'm relatively new to this standard as far as trying to understand how to properly implement it. Based on what I've heard and read I'm a bit confused and just looking for some guidance/clarity.

    1. As I understand it, to meet FIPS requirements, software, client and server applications as well as any hardware involved (disk encryption on a SAN for example) must all be compliant. Is this correct?
    2. If the above is true, I'd assume then that if ANY segment of the configuration is not compliant (e.g. the application is not, but the server, SAN, firewalls, etc. all are) that this would lead to the full solution not being compliant?
    3. FIPS Validated vs FIPS Compliant. As I understand it, FIPS Compliant indicates we believe the application is compliant, but we have not gone through the process of validating the specific solution. FIPS Validated indicates it's been reviewed fully either specific to your implementation or via the vendor's OOTB solution.
    4. I've seen mixed messages on this last aspect, but from what I gather, this standard enforces data protections "at rest" and "in transit". If you are not validating against both, then the solution would not technically be compliant with the standard.

    I think that's it, hopefully the above makes sense. Ultimately, what I'm looking for confirmation on is if I were to take a non-compliant off the shelf product, is there any way I can host it and result in us being able to make it FIPS compliant (e.g. putting it behind a FIPS approved load balancer/firewall, encrypt with hardware SAN encryption, running on a FIPS compliant Windows server). To me, this seems to not be possible, but I'm not able to find a clear answer on this.

    Thanks!

    submitted by /u/Tweak3D

    Good Morning fellow IA / Cyber Sec Pros,

    Anyways enough with the formalities. I am having trouble signing up for this dumb training. I took this class many a year ago and have not retained my certificate for it, thus can not just take the BGP exam to get re-certified. I have looked all over the cyber.mil catalog and can not find anywhere to sign up for this thing. Any alternate avenues to complete this or suggestions would be appreciated. Thank you very much for your time.

    submitted by /u/ElDr_Eazy

    How to Simultaneously Achieve Identity, Operational Resilience, and Third Party Access Management Goals with Exostar Access: One

    In a world where cyber threats are on the rise, organizations face complex challenges when protecting sensitive data – especially […]

    Attend the NICE K12 Cybersecurity Education Conference in Phoenix, Arizona on December 4-5, 2023 -- the national conference for K12 cybersecurity education! Gain tools to accelerate learning, identify methods to nurture a diverse learning community

    I am looking over the worksheets that FedRAMP has given to do control selections for Annual Assessments. The old one...the one from 2018...is still out on their Documents and Templates page..it's called Annual Assessment Controls Selection Worksheet. There is a new one provided now called FedRAMP rev 4 to rev 5 Assessment Controls Selection Template. I am trying to figure out if FedRAMP has added new CORE controls that are tested every year. From the FedRAMP rev 4 to rev 5 Assessment Controls Selection Template, it looks like they have. But I am not sure if I am interpreting it correctly. Anyone have a clear answer on this?

    submitted by /u/goetzecc

    Hey, r/CMMC community! 🌐

    I'm curious about the rules and regulations surrounding access to Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). I've heard varying information, and I'm wondering if non-U.S. citizens are allowed to access such data.

    Scenario: The parent company is in Canada, and the subsidiary company is located and operating from the USA, supplying network equipment to the DoD. Is it allowed for non-U.S. citizens to process the purchase order, build software applications, and install equipment at the site (DoD) location?

    Does anyone have insights or experiences to share on this topic? Any relevant laws or policies I should be aware of? Thanks in advance for your input! 🤔🌎 #FederalContract #CUI #Regulations

    Thanks

    submitted by /u/No_Seaworthiness3349

    Hi all,

    My state org. is looking at adopting various provisions of 800-171 to comply with new mandates. Does anybody have a cheat sheet of applicable NIST docs that outline best practices? I.e. for the access control family look at NIST Pub 800-XYZ, for data destruction look at NIST Pub 800-ABC? Thanks!

    submitted by /u/Proof_Shopping_6945

    Basically, I'm tasked with setting up a CMMC 2.0 L2 compliant Azure environment. I'm expecting there to be a good amount of controls/practices that are managed by and inherited from Microsoft. Essentially, I just need the control implementation summary or the customer responsibility matrix with artifacts/evidence so I can show it to an assessor and document it in our policies/SSP.

    Anyone know where to get that for Azure commercial and/or GCC High? Is there a place I can access it in Azure or do I have to ask an MS rep or what? Thanks!

    submitted by /u/TheGainsWizard

    I've been told by our POC that our CUI will eventually be marked as CUI//OPSEC//FEDCON. The TCAQ helpdesk told me that our cloud services used in performance of the contract must be FedRAMP Moderate, with no mention of GCC. We only provide a "commercial service" to the DoD, and this doesn't involve any manufacturing, coding, production, munitions (including encryption), providing cloud services, or such.

    Our contract also states "Compliance with NIST SP 800-171 measures is required at the prime contractor level and does not apply to subcontractors and other entities that the prime contractor engages with in order to meet the requirements of this contract."

    Putting all of this together would seem to indicate that we do not need GCC, as we do not fall under ITAR. I will be asking our POC soon, but would like some feedback from non-DoD people. I have already confirmed (directly from the DoD) that this contract does NOT fall under 252.239-7010 Cloud Computing Services, although this wasn't via our actual POC but from the TCAQ help desk.

    submitted by /u/visibleunderwater_-1

    Hey gang, could use a sounding board. I'm a QA guy, not IT or security, but have been pushed to implement CMMC 2.0 at my new job. Small business, maybe 25-30 people, all local network with only 1 laptop on VPN (that I will deal with later). Cost and Culture are big factors in what I can try to implement, and I'm trying to understand what is required without much guidance. So, I had a thought today, and wanted to try it on you guys. Please tell me if it's ridiculous outright, or if it just has holes in it. We need to solve our data encryption, MFA, and mobile data media issues. I know it's not perfect, but I hope that it's workable. We are definitely installing CCTV cameras on all entrances, and badge-entry on doors, and securing fences/gates. However, we are working on securing the interior and databases. I've been working on utilizing Bitlocker to at least get us up and running for encryption, but we don't have any TPMs on the computers, as they are mostly home-build types, not office models. So, rather than using passwords for Bitlocker, since we are still using those for log-ins on desktops, I thought I might be able to use the other options.

    My hope was, if I ordered some bulk USB drives:

    1. Format all USB drives, to remove any data/potential malware
    2. Use partitions in each USB drive to store a user's encryption key, and log each device as issued to a specific user, as well as print the encryption keys to go to the ISSO/ISSM if we need to recover the device
    3. Each user would use the USB as the encryption key for MFA (something they have), and still use a password to log into the device (something they know), while we work to get away from passwords
    4. These USB drives would also be able to move CUI on approved devices, and would force a session lock/sign-out when they take the drive to another location to move the CUI, as the encryption key for the device they are leaving

    These USB drives can also have encryption to-go, plus we could have some larger SSD drives for bigger files on the log. My instincts tell me there are so many reasons why this can't work, but I need other eyes to tell me what, exactly.

    Appreciate any help you all can give me!

    submitted by /u/BrainFriedandStupid

    Sorry if this is not the right place for this question because it's not really related to CMMC. We are expecting a DFARS flow down to implement "PDNS" (protected DNS) on all systems to protect all CDI.

    We are planning on incorporating the DoD PDNS services that supply this service, but the question came up if AWS's Route 53 Resolver DNS Firewall should also meet this requirement. Any opinions/advice on this subject?

    submitted by /u/hinkbomb

    How do you approach this?

    The project that I am on wants me to mark data labels (ex. public, internal, PII, etc.) for the database tables within the application. This is new territory for me, outside of the traditional assessor's skillset to implement this. A couple of questions:

    1. Is this a common practice in security programs to do this, and if so, what is the purpose and why? Are we going in the right direction or is there no need to do this?
    2. The data labeling exercise for the tables apparently cannot all be completed at the same time since we are in the agile app lifecycle, where there are changes that take place that make it hard to have the data label exercise for the tables be complete. Not sure if it is because the application team didn't want to give us the data definitions of the data tables.

    Please give me your wisdom. I am a bit stumped.

    submitted by /u/Mindless-Holiday-995
    Blog

    How Does NIST's AI Risk Management Framework Affect You?

    While the EU AI Act is poised to introduce binding legal requirements, there's another noteworthy player making waves—the National Institute of Standards and Technology's (NIST) AI Risk Management Framework (AI RMF), published in January 2023. This framework promises to reshape the future of responsible AI uniquely and voluntarily, setting it apart from traditional regulatory approaches. Let's...