In response to the repeated attacks on the Department of Defense (DoD) supply chain, the release of the Cybersecurity Maturity Model Certification (CMMC) introduces a verification mechanism that will ensure the necessary security mechanisms are in place to better protect Controlled Unclassified Information (CUI) and other sensitive data made available to contractor organizations. CMMC was developed from the contributions of multiple organizations and entities, including the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD[A&S]), leveraging inputs from the Defense Industrial Base (DIB) sector, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and private industry. CMMC will soon be incorporated into Defense Federal Acquisition Regulation Supplement (DFARS), making it a requirement for DIB contractors that wish to be eligible for contract awards. This report provides an overview of CMMC for DoD contractors and subcontractors that are new to this requirement.
CSIAC reports offer timely cutting-edge information to address the needs of our user community. CSIAC provides a variety of products developed by our subject matter experts (SMEs) in response to gap analyses and specific DoD stakeholder requirements related to our technical focus areas. Here you will find a variety of document types including State-Of-The-Art Reports (SOARs), technical study results, CSIAC Podcast papers, Quick-to-Community (QTC) reports, process documents, and guidelines. CSIAC's goal is to provide relevant products to meet your cybersecurity, software development, information management and modeling & simulation needs.
Real-time monitoring of systems, together with system forensics, is essential to keeping a data security platform safe when an organization relies on Infrastructure as Code (IaC) and must contend with the potential vulnerabilities associated with its Continuous Deployment (CD). Many organizations face information overload and are inadequately prepared to understand and design a cyber incident response plan built on near-real-time monitoring, including detection, analysis of system event logs, and tracking of user activities and system access.
A privacy impact assessment (PIA) is an essential element for effective privacy by design. It enables privacy leaders to be assured that the privacy controls implementation satisfies regulations and organizational requirements, and is key to determining what steps must be taken to manage privacy risk for the organization. The standard ISO 29134 (Guidelines for privacy impact assessment, June 2017) defines a PIA as: the overall process of identifying, analyzing, evaluating, consulting, communicating and planning the treatment of potential privacy impacts with regard to the processing of personally identifiable information (PII), framed within an organization’s broader risk management framework.
Integration of Smart City technologies to create Smart Bases for DoD will require due diligence with respect to the security of the data produced by the Internet of Things (IOT) and the Industrial Internet of Things (IIOT). This need will only grow with the rollout of 5G and increased automation “at the edge”. Commercially, data will move to the cloud first and then be stored for process improvement analysis by end users. As such, implementation of secure cloud architectures is a must. This report provides some use cases and a description of a risk-based approach to cloud data security. Clear understanding, adaptation, and implementation of a secure cloud framework will give the military the means to make progress toward becoming a smart military.
Cyber as a domain and battlespace coincides with the defined attributes of a “wicked problem” with complexity and inter-domain interactions to spare. Since its elevation to domain status, cyber has continued to defy many attempts to explain its reach, importance, and fundamental definition. Corresponding to these intricacies, cyber also presents many interlaced attributes with other information related capabilities (IRCs), namely electromagnetic warfare (EW), information operations (IO), and intelligence, surveillance, and reconnaissance (ISR), within an information warfare (IW) construct that serves to add to its multifaceted nature. In this cyber analysis, the concept of hypergaming will be defined and discussed in reference to its potential as a way to examine cyber as a discipline and domain, and to explore how hypergaming can address cyber’s “wicked” nature from the perspectives of decision making, modeling, operational research (OR), IO, and finally IW. Finally, a cyber-centric hypergame model (CHM) will be presented.
CSIAC SME and member of the American Bar Association’s Information Security Committee, Richard “Rick” Aldrich, gives a snapshot of the recent developments in cyberlaw, policy, standards, court cases and industry legal frameworks.
CSIAC SME and member of the American Bar Association’s Information Security Committee, Richard “Rick” Aldrich, gives an overview of the Cybersecurity Issues facing Security Managers.
The Internet of Things (IOT) is based upon the integration of commercial TCP/IP networks with ubiquitous, embedded control systems hardware attached to such things as wall plugs, speakers, lights, cameras, thermostats, and many other domestic appliances. To date, implementations have been networked at the home or facility end using distributed Wi-Fi or Zigbee interfaces, connected to standard ISP backbones. Industry’s implementation of this has not been without security concerns and actual exploits, such as the 2016 IOT botnet DDoS event.
Even though technical solutions for security problems are widespread, there are no adequate security measures against risky user behavior. Even if hashing and encryption are used correctly to mask passwords, attackers can bypass these strong points by going after the weakest link. Most likely this will happen through sharing a password, reusing an already leaked password, or creating an easily guessable password (Olmstead & Smith, 2017). Furthermore, people seem to feel safe in cyberspace even when they engage in risky behaviors (Vozmediano, San-Juan, Vergara & Lenneis, 2013).
Cybercriminals have developed many methods to exploit browser applications in order to obtain individuals’ credentials. One such method is Emotet, a Trojan malware that targets Windows-based computers and was originally designed to steal sensitive, private information from banking customers. Later versions of this software were modified to enable Emotet to spread via spam emails. In the latter half of 2018, modifications were made to the Emotet code to add a capability to exfiltrate email. This enhanced Trojan malware, entitled TrickBot, became the top threat attackers employed to penetrate organizational business networks.