
- August 2024 -

Facebook  Linkedin  X

Welcome to the new Cyber Newsletter, a monthly publication from the Wisconsin Procurement Institute (WPI), Wisconsin's Apex Accelerator


If your organization needs assistance meeting Federal or Department of Defense cyber security requirements, contact Marc Violante, Director of Federal Market Strategies at marcv@wispro.org, or Matt Frost, Government Contract Specialist at mattf@wispro.org

NEWS & UPDATES

Cybersecurity is not just an IT issue


Cybersecurity involves all facets of a business. All employees must be trained and stay vigilant, and there needs to be a champion: the CEO. The champion sets the tone, supports and prioritizes initiatives, and works to establish realistic and adequate budgets. Some companies will have staff to carry out all functions; others will need to contract for support. Sound decisions require information, so CEOs need to know about active threats, the risks they pose, and how those threats can affect every aspect of operations.


A company's cybersecurity efforts do not end when a plan has been completed. Cybersecurity extends to all staff in all functions and requires daily awareness. A company's cybersecurity efforts can be totally negated by a single errant mouse click that triggers a ransomware attack, and other company functions can create unexpected risk as well.


Awareness, vigilance and resources are some of the key components that all companies need to create and manage their cybersecurity operations. This edition of WPI's Cybersecurity Newsletter aims to provide information and resources that may be useful for protecting the Confidentiality, Integrity and Availability of specified information.

What should CEOs know about the cybersecurity threats their companies face?

The follow-on question is: what resources are available to provide up-to-date, mission-oriented information?

CEOs should ask the following questions about potential cybersecurity threats:



  • How could cybersecurity threats affect the different functions of my business, including areas such as supply chain, public relations, finance, and human resources?
  • What type of critical information could be lost (e.g., trade secrets, customer data, research, personally identifiable information)?
  • How can my business create long-term resiliency to minimize our cybersecurity risks?
  • What kind of cyber threat information sharing does my business participate in? With whom does my business exchange this information?
  • What type of information sharing practices could my business adopt that would help foster community among the different cybersecurity groups where my business is a member?


https://www.cisa.gov/news-events/news/questions-every-ceo-should-ask-about-cyber-risks

Security Firm Accidentally Hires North Korean Hacker, Did Not KnowBe4


A software engineer hired for an internal IT AI team immediately became an insider threat by loading malware onto his workstation.


A security firm recently hired a software engineer for its internal AI team who turned out to be a North Korean threat actor and who immediately began loading malware onto his company-issued workstation.

KnowBe4, which provides security awareness and training, conducted standard pre-hiring background checks for the employee and four separate video-conference interviews with him before his hiring, Stu Sjouwerman, KnowBe4's founder, shared in a blog post about the situation. The company also verified that the person interviewed was the same one in the photo sent in with a resume.


https://www.darkreading.com/vulnerabilities-threats/security-firm-hires-north-korean-hacker-knowbe4

Better metrics can show how cybersecurity drives business success

https://www.csoonline.com/article/3480316/better-metrics-can-show-how-cybersecurity-drives-business-success.html


There are many ways you can improve your business's cybersecurity. The following are actions recommended by NIST:


  • Understand that cyber threats are a business risk, and having strong cybersecurity is a competitive advantage.
  • Require employees to enable multi-factor authentication (MFA), particularly phishing-resistant MFA, on all accounts that offer it.
  • Require strong passwords and consider using a password manager.
  • Change default manufacturer passwords to ones that are unique to you.
  • Install and maintain updated antivirus software.
  • Update and patch all software when new versions are available.
  • Learn how to protect your business from phishing.
  • Train employees on basic cybersecurity hygiene.


Visit the following site to learn more: https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics


NIST's Cybersecurity Framework 2.0 was released on February 26, 2024. This updated framework is a solid reference that should be familiar to all members of the DIB. As stated in the abstract:


It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts. The CSF does not prescribe how outcomes should be achieved. Rather, it links to online resources that provide additional guidance on practices and controls that could be used to achieve those outcomes.


NIST’s Cybersecurity Framework 2.0 can be viewed and/or downloaded from - https://doi.org/10.6028/NIST.CSWP.29


ISACs – just another acronym, or a resource that businesses in one of the 16 critical infrastructure sectors should know about?

ISACs, or Information Sharing and Analysis Centers, are an important resource that businesses should learn more about.

There is an ISAC for each of the 16 sectors of critical infrastructure, and all ISACs share the same mission: protecting our critical infrastructure. There will be some overlap in the information, services and resources available from different ISACs. However, each ISAC focuses on its own sector and on what is necessary to protect that sector.

To see a list of all ISACs visit: https://www.nationalisacs.org/members

The focus of this newsletter is to inform members of the Defense Industrial Base (DIB). Therefore, the following ISAC is listed separately.

National Defense Information Sharing and Analysis Center (ND-ISAC)


The ND-ISAC supports members of the DIB. It offers “defense sector companies, their suppliers, and related interests a community and forum for sharing cyber and physical security threat indicators, best practices and mitigation strategies.” This is the information which is essential to developing and managing a risk-based information security program.

Even the largest companies with the most sophisticated and best-funded programs may not have the wherewithal to know everything about every threat. Smaller firms that proceed on their own will see only a fraction of the threats and therefore will be unable to develop a true risk-based management approach and a sound System Security Plan (SSP). Firms should determine whether joining their ISAC will provide beneficial information and resources.

For more information about the ND-ISAC visit: https://ndisac.org/

DoD’s Defense Industrial Base Cybersecurity Program


DoD's Defense Industrial Base Cybersecurity (DIB CS) Program is another program in which eligible members of the DIB can participate. This program used to be open only to cleared companies – companies that held classified contracts and therefore had security clearances. Recently the program was modified to include eligible members of the DIB that handle Controlled Unclassified Information (CUI).



The goal of the program is to “enhance and supplement DIB participants' capabilities to safeguard DoD information that resides on or transits DIB unclassified networks or information systems. This public-private cybersecurity partnership is designed to improve DIB network defenses, reduce damage to critical programs, and increase DoD and DIB cyber situational awareness.”

The following are some of the DIB CS Program offerings:


  • Actionable information, mitigation, and remediation strategies
  • Increases industry understanding of cyber threats as well as USG's role
  • Enables Partners to better protect unclassified defense information
  • Engagement opportunities at many levels between USG and DIB from the C-suite to analyst level
  • Indicators and threat products informed from DIB reporting, multiple USG data streams, and industry cyber threat reports
  • Collaborative partnership with USG and almost 1,000 DIB Partners
  • Quarterly DIB Cybersecurity Summit, including topics on policy, operations, technology, architecture, and bi-annual Technical Exchanges
  • Virtual Industry Partner Exchanges (VIPEX)


To see the full listing, visit: https://dibnet.dod.mil/dibnet/#dibcsprogram-dibcsprogram-2

National Security Agency Resources for DIB Members

Do you have an active DoD contract?


Contractor Protection


“Department of Defense (DoD) contractors have access to sensitive U.S. Government information and are frequently targeted by nation-state actors to gain access to USG information and intellectual property. Once you sign a contract with the DoD, you become an attractive target to our adversaries. Fortunately, you don't have to defend against them alone.”

NSA offers no-cost cybersecurity services to any company that contracts with DoD (sub or prime) or has access to non-public DoD information.


“NSA's services help protect against some of the most common nation-state exploitation vectors and are powered by unique, non-public indicators of known malicious activity derived from NSA's signals intelligence, cybersecurity analytic expertise, and engagements with partners. These services include Protective DNS (a DNS filter), attack surface management, and access to non-public, DIB-specific NSA threat intelligence.”

https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/

Cyber News


NIST Releases First 3 Finalized Post-Quantum Encryption Standards


“Researchers around the world are racing to build quantum computers that would operate in radically different ways from ordinary computers and could break the current encryption that provides security and privacy for just about everything we do online. The algorithms announced today are specified in the first completed standards from NIST’s post-quantum cryptography (PQC) standardization project, and are ready for immediate use.”


“These post-quantum encryption standards secure a wide range of electronic information, from confidential email messages to e-commerce transactions that propel the modern economy.”


“These finalized standards include instructions for incorporating them into products and encryption systems,” said NIST mathematician Dustin Moody, who heads the PQC standardization project. “We encourage system administrators to start integrating them into their systems immediately, because full integration will take time.”


For more details, see: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards


The three new standards are FIPS 203 (ML-KEM, a key-encapsulation mechanism for establishing shared keys; this is the only one of the three that replaces key exchange/encryption), FIPS 204 (ML-DSA, a lattice-based digital signature scheme) and FIPS 205 (SLH-DSA, a stateless hash-based digital signature scheme). To access them, visit: https://csrc.nist.gov/publications/fips
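As an added example of what "integrating them into your systems" looks like at the code level (this is not code from the newsletter or from NIST), the following Go program performs a key establishment with ML-KEM-768, the FIPS 203 parameter set Go ships in its standard library as crypto/mlkem. It assumes Go 1.24 or newer. The names Recipient, Send, RoundTrip and the "newsletter-example" label are this example's own; the key-derivation step is a plain HMAC-SHA256 extract-then-expand written out here rather than a library HKDF call.

```go
// Added example (not from the newsletter or NIST): ML-KEM-768 (FIPS 203)
// key establishment with Go's crypto/mlkem (Go 1.24+, an assumption).
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/sha256"
	"fmt"
)

// sessionKey derives a 32-byte session key from the KEM shared secret with an
// HKDF-style extract-then-expand over HMAC-SHA256. The encapsulation key and
// ciphertext are hashed into the salt so the key is bound to the transcript.
func sessionKey(shared, ek, ct []byte, label string) []byte {
	transcript := sha256.Sum256(append(append([]byte{}, ek...), ct...))
	extract := hmac.New(sha256.New, transcript[:])
	extract.Write(shared)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write([]byte(label))
	expand.Write([]byte{1}) // HKDF counter for the first (and only) block
	return expand.Sum(nil)
}

// Recipient owns the decapsulation (private) key; only the encapsulation
// (public) key bytes ever leave the machine.
type Recipient struct{ dk *mlkem.DecapsulationKey768 }

func NewRecipient() (*Recipient, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	return &Recipient{dk: dk}, nil
}

// PublicKeyBytes is what the recipient publishes (1184 bytes for ML-KEM-768).
func (r *Recipient) PublicKeyBytes() []byte { return r.dk.EncapsulationKey().Bytes() }

// Receive decapsulates ct and derives the recipient's session key.
// Caveat: ML-KEM does not error on a forged ciphertext of the right length; it
// returns an "implicit rejection" value, so tampering only shows up later when
// the two sides' keys fail to agree (e.g. on an AEAD tag). Decapsulate errors
// only on a malformed ciphertext length.
func (r *Recipient) Receive(ct []byte) ([]byte, error) {
	shared, err := r.dk.Decapsulate(ct)
	if err != nil {
		return nil, err
	}
	return sessionKey(shared, r.PublicKeyBytes(), ct, "newsletter-example"), nil
}

// Send parses the recipient's public key, encapsulates a fresh shared secret
// and returns the ciphertext to transmit (1088 bytes) plus the sender's key.
func Send(ekBytes []byte) (ct, key []byte, err error) {
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return nil, nil, err
	}
	shared, ct := ek.Encapsulate()
	return ct, sessionKey(shared, ekBytes, ct, "newsletter-example"), nil
}

// RoundTrip runs one exchange and reports whether the honest run agreed and
// whether a ciphertext with one flipped bit still produced the sender's key.
func RoundTrip() (agree bool, tamperedAgree bool, err error) {
	r, err := NewRecipient()
	if err != nil {
		return false, false, err
	}
	ct, senderKey, err := Send(r.PublicKeyBytes())
	if err != nil {
		return false, false, err
	}
	recipientKey, err := r.Receive(ct)
	if err != nil {
		return false, false, err
	}
	forged := append([]byte{}, ct...)
	forged[0] ^= 0x01
	forgedKey, err := r.Receive(forged) // no error: implicit rejection
	if err != nil {
		return false, false, err
	}
	return bytes.Equal(senderKey, recipientKey), bytes.Equal(forgedKey, senderKey), nil
}

func main() {
	agree, tamperedAgree, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest exchange agrees: %v; forged ciphertext agrees: %v\n", agree, tamperedAgree)
}
```

Two design points worth noting: the derivation binds the public key and ciphertext into the session key, so a ciphertext substituted in transit yields different keys on the two sides rather than a silently shared one; and because ML-KEM rejects forged ciphertexts implicitly, a protocol built on it still needs a key-confirmation or AEAD step to detect the mismatch.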


On August 15, 2024, DoD issued the following proposed rule:


Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

Comments on the proposed rule must be submitted in writing (the Federal Register notice linked below gives the submission address) on or before October 15, 2024, to be considered in the formation of a final rule.


SUMMARY:

DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the proposed Cybersecurity Maturity Model Certification 2.0 program rule, Cybersecurity Maturity Model Certification Program. This proposed DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.


Details related to the proposed rule can be found at: https://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of


FEATURED EVENTS

The focus of this year's Cyber Fridays series is Building a CMMC Ready Program.



Registration now available at

https://www.wispro.org/wpi-events/featured-webinars/cyber-fridays/

The Emerging Issues series is intended as an information tool and resource for contract managers and those with a compliance function.



Registration now available at

https://www.wispro.org/wpi-events/featured-webinars/emerging-issues/

Save the Date

December 10


Registration and more information will be available at

https://wicontractingacademy.org/

OTHER NEWS
  • Be sure to follow WPI on social media (Facebook, LinkedIn, X) for regular updates on events, news and opportunities.
WPI 10437 Innovation Dr. Suite 320, Milwaukee, WI 53226 414-270-3600
Newsletter Editor: Doug Clemons, dougc@wispro.org 