Welcome to the WPI Cyber Newsletter, a monthly publication from the Wisconsin Procurement Institute (WPI), Wisconsin's Apex Accelerator
If your organization needs assistance meeting Federal or Department of Defense cyber security requirements, contact Marc Violante, Director of Federal Market Strategies at marcv@wispro.org, or Matt Frost, Government Contract Specialist at mattf@wispro.org
CMMC: Preparing for Full Implementation
The Cybersecurity Maturity Model Certification (CMMC) is in the final regulatory stages before becoming fully operational. By late Spring or early Summer, DFARS clause 252.204-7021 will likely be added to solicitations and contracts.
Key Regulatory Updates:
- 32 CFR Rule: Establishes the CMMC program itself (32 CFR Part 170). Published in the Federal Register on October 15, 2024 and effective December 16, 2024.
- Title 48 Rule: Puts CMMC into contracts through the Defense Federal Acquisition Regulation Supplement (DFARS), the DoD supplement to the Federal Acquisition Regulation (FAR) in Title 48 of the CFR. Expected to be finalized in early to mid-2025.
For active members of the Defense Industrial Base (DIB) and companies interested in entering the DIB but hesitant to move forward with full CMMC compliance efforts, it’s time to make a crucial decision – stay or go.
Why Act Now?
- Time and Resources: CMMC requirements take time, effort, expertise, and funds to implement. A company needs all of these resources plus, most importantly, a champion, likely the CEO or owner, to lead the effort.
- Compliance Journey: Achieving full compliance is not instantaneous. It requires an understanding of the requirements, a realistic estimate of the resources needed, and a well-planned, comprehensive roadmap that is actually executed.
Value Proposition:
- Without the necessary CMMC Level, a company will not be eligible for contract awards, either as a prime or subcontractor. Each company must evaluate the value of becoming compliant with these cybersecurity requirements.
Call to Action:
- The time to act is now! Begin your CMMC compliance journey to ensure eligibility for future contracts and secure your place in the DIB.
Where to Start:
- Need assistance understanding what is required or where to start? Call WPI at 414-270-3600 or email APEXaccelerator@wispro.org. Staff members can help with these starting questions and with plan development, implementation and execution, and can provide technical assistance to implement, assess and update your System Security Plan.
Staying current can help manage cyber risk
At its core, cybersecurity is about managing risk, which is constantly evolving and changing. Consequently, companies must continuously monitor the dynamic cyber landscape for new threats and attack vectors. These may necessitate adjustments to the company's System Security Plan.
Companies may choose to outsource this monitoring function. Ultimately, however, each company remains responsible for establishing and maintaining an environment that safeguards both its information systems and its information. Many online resources can help a business maintain a reasonable level of general situational awareness, providing the insight and technical information needed to stay current and to recognize when a change is warranted.
One such resource is provided by UpGuard (https://www.upguard.com) at no cost and with no registration required: The Top Cybersecurity Websites and Blogs of 2024 | UpGuard. As advertised, the page lists "The 27 Best Cybersecurity sites in 2024." Together these sites cover a variety of topics and provide insight, technical information and resources.
Another set of resources is available through DoD Defense Industrial Base Cybersecurity Services – see: https://dibnet.dod.mil/dibnet -- Cybersecurity as a Service and Support
Members of the DIB are also eligible to participate in the Defense Industrial Base Collaborative Information Sharing Environment (DCISE). This program is a voluntary public-private cybersecurity partnership in which participants share cyber threat information, mitigation, and remediation strategies. To learn more about the requirements to join the DIB CS Program, see https://www.dc3.mil/Missions/DIB-Cybersecurity/DIB-Cybersecurity-DCISE/
Attach or Link – that is the question – and why
Businesses have a continuing need to share information both internally and externally. Sending information as an email attachment is quick and straightforward but less secure: attachments can be intercepted in transit and, more importantly, once delivered they can be forwarded, inadvertently or otherwise, to recipients who are not eligible to view or possess the information. Attachments also "grow stale": the source document may continue to be updated, and those updates will not reach anyone holding an earlier copy.
Sharing a link to a system that requires users to authenticate before they can access the information enhances security. Access is controlled centrally, can be revoked, and every recipient sees the current version, though this approach requires more setup and ongoing management. The right choice depends on the sensitivity and security needs of the information.
Information categories such as FCI, CDI, CTI, CUI, JCP, ITAR, and others are not intended for public release and should not be shared without approved encryption in transit and at rest (for CUI, NIST SP 800-171 requires FIPS-validated cryptography). Furthermore, senders must confirm that both the receiving company and the individual recipient are eligible to receive the information before sending it. Companies may also be able to use different technologies to provide access while enforcing the necessary security restrictions.
Companies should review and update their policies, practices and procedures as necessary to align with their System Security Plan and ensure that staff uniformly apply these requirements.
Look Before You Leap
This is an old and enduring maxim that applies to many scenarios. As the following article shows, it also applies to cybersecurity. Apps, tools and open software are marketed as productivity tools and resources that can help a business achieve its goals.
That is true. However, some tools, if deployed without the necessary knowledge and setup, create unintended security risks. The article below is another example of a data exposure created not by an attacker defeating controls but by a company's own access control configuration.
The article highlights how users skipped or misunderstood the required access control setup steps. In turn, millions of private records were exposed.
Microsoft Power Pages Leak Millions of Private Records
Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.
https://www.darkreading.com/cybersecurity-operations/microsoft-power-pages-millions-private-records
How Public Key Cryptography Really Works, Using Only Simple Math
The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure.
The counterintuitive solution, known as public key cryptography, relies not on keeping a key secret, but rather on making it widely available. The trick is to also use a second key that you never share with anyone, even the person you’re communicating with. It’s only by using this combination of two keys — one public, one private — that someone can both scramble and unscramble a message.
https://www.quantamagazine.org/how-public-key-cryptography-really-works-20241115/
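The two-key idea described in the excerpt can be seen end to end with textbook RSA on tiny numbers. The following is an added illustration written for this newsletter, not code from the Quanta article: the primes 61 and 53 and public exponent 17 are chosen only so the arithmetic is checkable by hand, and the result is deliberately insecure (no padding, a modulus anyone can factor). It shows that the public key (n, e) really can be broadcast, that only the holder of d can unscramble, and why d stays secret only as long as n cannot be factored.

```python
"""Toy textbook RSA: one public key, one private key, same math.

Added illustration for the newsletter item above (not the Quanta article's code).
The parameters are tiny on purpose so a reader can follow the arithmetic;
real RSA uses primes of 1024+ bits and padding (e.g. OAEP). Never use this
for actual data protection.
"""
from math import gcd


def keygen(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Build ((n, e), (n, d)) from two distinct primes p and q.

    p and q are assumed prime by the caller. n = p*q is published; d is the
    modular inverse of e modulo (p-1)(q-1) and is the part that stays secret.
    """
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n when n = p*q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # e*d == 1 (mod phi); Python 3.8+ supports pow(x, -1, m)
    return (n, e), (n, d)


def encrypt(public_key: tuple[int, int], m: int) -> int:
    """Scramble m with the *public* key: c = m^e mod n. Anyone may do this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key: tuple[int, int], c: int) -> int:
    """Unscramble with the *private* key: m = c^d mod n. Only the key holder can."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_exponent(public_key: tuple[int, int]) -> int:
    """Recover d from the public key alone by factoring n with trial division.

    This succeeds here only because n is tiny. For a 2048-bit n there is no
    known way to do this in practice, which is the whole reason publishing
    (n, e) does not give away d.
    """
    n, e = public_key
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            return pow(e, -1, (p - 1) * (q - 1))
    raise ValueError("n has no small factor")


if __name__ == "__main__":
    # Constructed demo values: the classic small example p=61, q=53, e=17.
    public, private = keygen(61, 53, e=17)
    message = 65                              # any integer below n = 3233
    ciphertext = encrypt(public, message)     # computed with the broadcast key
    print("public key  (n, e):", public)
    print("private key (n, d):", private)
    print("ciphertext:", ciphertext, "-> decrypted:", decrypt(private, ciphertext))
    print("d recovered by factoring the toy modulus:", recover_private_exponent(public))
```

Note that `encrypt` uses only the public key and `decrypt` only the private one, which is exactly the asymmetry the article describes. The last function is the cautionary half of the story: with a 4-digit modulus the "secret" falls out in a fraction of a second, so key size, not the cleverness of the formula, is what carries the security.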
Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in Threats
Given increased tensions with China over tariffs, companies could see a shift in attacks, but also fewer regulations and a run at a business-friendly federal privacy law.
Overall, however, companies should expect far less emphasis on regulations and more focus on protecting critical infrastructure and technology companies, says Michael Bahar, co-lead of global cybersecurity and data privacy at Eversheds Sutherland, a global legal advisory firm.
"We are going to see — at the federal level — a deprioritization of cybersecurity regulations and cybersecurity enforcement," he says. "One really important exception is where cybersecurity intersects with trade policy and national security and technology. That's actually where you're going to see an increase of enforcement and at least a continuation of the regulatory environment."
https://www.darkreading.com/cloud-security/trump-20-mean-cybersecurity-regs-shift-threats
Cyber Threats Target Children and Young Teens
Cybersecurity, as the term is commonly used, means deploying equipment, software and staff to protect information and information systems. Doing so is incredibly important to protecting our nation's information and a business's information. However, the idea of cybersecurity can be expanded to include protecting the people who regularly visit online platforms from their devices, whether computer, tablet or phone.
Not only are there enemies who seek to access our systems and information, there are also those who target some of the country's most vulnerable – our children.
A television ad caught my attention. The ad displayed the following text across the screen.
"Know2Protect, Together We Can Stop Online Child Exploitation™"
Know the Threats
Online child sexual exploitation and abuse (CSEA) is a horrific crime that targets some of the most vulnerable people in our communities — our children and teens. It includes a broad range of criminal acts that involve exploiting minors for sexual gratification or some other personal or financial gain.
“A 19-second conversation with a stranger online can put your child in danger of being exploited or abused.” https://www.dhs.gov/medialibrary/assets/video/53937
Online CSEA can take many forms. Predators may be a family member or family friend, someone the child knows in person or online or a complete stranger. They work to earn a child’s trust (and sometimes the parent or caregiver’s trust, as well) to develop a relationship where a child feels comfortable doing things they wouldn’t ordinarily do, such as sharing explicit images or videos of themselves.
Know the Threats | Homeland Security
This press release provides more information - https://www.dhs.gov/news/2024/04/17/dhs-launches-know2protecttm-public-awareness-campaign-combat-online-child
How does this DHS program relate to federal contracting? Review FAR 52.222-50, Combating Trafficking in Persons, for the answer.
January 15
17th Annual End of Year Federal Contractor Update
In-Person | Appleton, WI
Join Wisconsin's Federal contractors and subcontractors for this annual event. Briefings will provide an overview of the current Federal contracting environment and highlight upcoming trends for future business opportunities.
New Sessions Added
Presented by the National Contract Management Association (NCMA) Wisconsin Chapter, this webinar series covers topics ranging from market entry and sales growth to small business certifications, compliance, and more. Attendees receive 1 CPE credit for attending.
- December 20 - CMMC Update – December 2024
- January 22 – Federal Acquisition Regulations (FAR) Overview
- January 28 – Service Contracts with Federal Agencies
- January 31 – CMMC Update – January 2025
- February 18 – Federal Contracting: Contract Methods and Types of Contracts
- February 19 – Mastering Federal Construction Contract Performance
- February 26 – Understanding the US SBA and DOD Mentor Protégé Programs (MPP)
Registration now available at
https://www.wispro.org/wpi-events/featured-webinars/acquisition-hour/
Be sure to follow WPI on social media (Facebook, LinkedIn, X) for regular updates on events, news and opportunities.
WPI 10437 Innovation Dr. Suite 320, Milwaukee, WI 53226 414-270-3600