Security Compliance
News and Articles in the realm of Security Compliance and Vulnerability Assessment.
CCM v4.0 Addendum - ECUC PP v2.1: This document is an addendum to the 'ECUC Position Paper v2.1 (ECUC PP v2.1)' that contains controls mapping between the CSA CCM v4.0 and the ECUC PP v2.1. ...
CSA Large Language Model (LLM) Threats Taxonomy: This document aims to align the industry by defining key terms related to Large Language Model (LLM) risks and threats. Establishing a common language red...
Cloud Controls Matrix and CAIQ v4: The Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing aligned to the CSA best practices, that is considered the de-facto s...
Hello, I hope this makes sense as I have been thrown in the deep end here.
A coworker asked me to help find information on what a VA hospital is asking for. We need the FIPS certificate 4-digit code for a risk assessment. Our product is a dental 3D digital scanner on wheels, which is a PC with a fancy camera with WiFi. They use an Intel AX210 WiFi 6E card and onboard Intel as well. For FIPS info, do we just need the OS info, which will be 10 and soon to be 11, or just the WiFi card, or both? I found a few resources that seem to suggest that just the OS would enable FIPS and the card can handle it. Just confused as to what exactly to tell the VA IT person.
Normally one can use STIG Viewer 3 to convert .cklb files to .ckl files, but if one cannot use STIG Viewer 3 (long story), is there another app/method to convert .cklb files to .ckl files? Thanks.
Hello CMMC people! I'm lucky to have stumbled on this forum. I'm trying to better understand CMMC constraints and to enhance productivity at my company. For some context, I am an electrical and software engineering manager at a small company. We have been working toward CMMC compliance, and in the process we have hit some challenging roadblocks. I have been trying to figure out a way to enable work for my group; however, I am struggling to understand the constraints imposed by CMMC. For more context, my group works very close to hardware, and given this, we frequently need admin access to our computers to install software to perform our job. It is challenging because we need to be able to go fast, and we are relatively young, so workflows haven't been fully established. Currently there are only two people in the company who have admin privileges, and I am trying to figure out if there is a way to allow certain subsets of people admin access to enhance productivity. For even more context, I am a complete CMMC noob, so I may be missing the point altogether. Any advice would be helpful, either to better understand or to find a way to work around very strict constraints. It is also worth noting that we do not have any contracts that require CUI data handling; however, we work with companies that do.
As StateRAMP continues to grow, our mission is being driven by the dedicated efforts of our diverse committees. Each committee plays a pivotal role in shaping the standards, governance, and operational excellence that guide our commitment to improving cloud cybersecurity for state and local governments.
Our committees provide a valuable opportunity for the StateRAMP community to actively participate in our evolution. While each committee has unique standards and requirements, they are predominantly composed of public sector representatives, complemented by private sector members to ensure a balanced industry perspective. Having a wide range of expertise enables us to meet both industries’ needs.
In this blog, we explore the committees that make up the StateRAMP governing body, their responsibilities, and recent accomplishments.
The Board of Directors is instrumental in guiding our mission, making strategic decisions, and ensuring the seamless operations of StateRAMP. The Board’s leadership ensures StateRAMP remains aligned with its mission and continues to serve both its members and stakeholders.
A major undertaking this year for StateRAMP is the StateRAMP Cyber Summit with presenting sponsor Carahsoft that will be held on September 12th, 2024, in Indianapolis, Indiana. The Board of Directors is spearheading the planning of our inaugural Summit, aiming to create a unique event that addresses real-world cybersecurity problems, fosters solution-focused discussions, and advances state and local government cybersecurity practices and framework harmonization.
Formed in April 2020, the StateRAMP Steering Committee comprises distinguished government and industry leaders. This committee founded StateRAMP, aiming to unify public and private sector leaders in developing a streamlined approach to risk and authorization management (RAMP).
The Steering Committee’s work led to the formation of StateRAMP as a 501(c)6 nonprofit, in partnership with state government CIOs, CISOs, Chief Privacy Officers, Procurement Officials, and private industry experts who serve state governments. This essential group determines StateRAMP’s priorities and manages our operations.
The Standards and Technical Committee is at the heart of maintaining and enhancing StateRAMP’s reliability, ensuring that we adhere to the highest levels of security and effective approaches. The committee provides recommendations to the Board regarding PMO policies, security standards, best practices, and assessment processes. Their diligent work ensures that our security measures and best practices remain top-notch, benefiting all members and stakeholders.
This group has been tasked with overseeing the transition to NIST 800-53 Rev. 5, which sets the standard for best practice controls essential to StateRAMP’s Security Snapshot Program and StateRAMP Authorizations. Noah Brown, StateRAMP PMO Director, emphasizes the significance of Rev. 5, stating, “Updating our control baselines was critical for safeguarding government data, as NIST 800-53 Rev. 5 represents the latest advancements in cloud security controls, aligning with current threat landscapes.” StateRAMP is scheduled to fully adopt Rev. 5 controls by October 1, 2024.
Meet the Standards and Technical Committee.
The Appeals Committee plays a key role in maintaining StateRAMP's integrity by ensuring that conflicts and disputes are addressed in an equitable and transparent manner. Comprising at least five members, the committee includes representation from all stakeholders and at least one Board of Directors member.
In the absence of appeals to review, the Appeals Committee collaborates closely with the Standards and Technical Committee. Recently, these committees joined efforts to assess the NIST 800-53 Rev. 5 baselines, facilitating member feedback on these updated controls. Both committees determined the update enables StateRAMP to implement the most advanced and exhaustive guidelines for cloud security.
The Approvals Committee ensures that providers can verify their products and achieve StateRAMP Authorized status. Composed of at least five members representing state and local government and higher education, this group was formed by the StateRAMP Board and Nominating Committee to address community feedback and guarantee comprehensive product security verification.
Members of the Approvals Committee bring technical expertise and government policy knowledge to the process, carefully reviewing six to eight security packages to grant StateRAMP Authorized Status.
The Nominating Committee identifies and recommends qualified individuals to join our Board of Directors and other leadership positions. Additionally, the committee provides recommendations on best practices for governance, ensuring the effectiveness and transparency of StateRAMP’s operations.
Recognizing the importance of procurement in our initiatives, the Nominating Committee assessed the need for championing the establishment of the Procurement Committee.
The group is instrumental in selecting suitable individuals who will drive the future of StateRAMP forward. Their dedication to identifying capable leaders ensures StateRAMP remains at the forefront of cybersecurity governance.
Meet the Nominating Committee.
We are excited to announce the formation of the Procurement Committee, which will begin its term in 2025. This new committee will play a crucial role in advising on procurement best practices for cloud cybersecurity, ensuring that our members are equipped with the most effective and efficient strategies for securing cloud services.
By leveraging the expertise and insights of this committee, we aim to enhance the procurement processes across the board, driving forward our mission to improve cybersecurity standards and practices. Nominations for this committee are now open, and we look forward to welcoming dedicated professionals who are passionate about advancing cybersecurity procurement.
We invite you to shape the future of StateRAMP by submitting nominations for the 2025 term. Your nominations ensure our committees and boards benefit from diverse expertise, driving our mission forward. Nominations are open until August 1st. If you know individuals with the right qualifications and commitment, please visit our nominations page to submit their information today.
StateRAMP offers multiple ways to engage, including the 3PAO and Advisory Council, Provider Leadership Council, and various task forces. Introduced in 2024, the 3PAO and Advisory Council facilitates quarterly collaboration among peers. The Provider Leadership Council offers a platform for providers to share insights and stay updated. Our Board of Directors also forms task forces, inviting members to contribute their expertise. Stay tuned for opportunities to participate and help shape StateRAMP’s future.
The post StateRAMP Governance: Meet Our Committees appeared first on StateRAMP.