How To Prevent Cyberattacks During the Holidays

Cybercriminals relentlessly try to breach business systems and steal sensitive and valuable information. Not only do hackers not take the holidays off, but these digital thieves also take advantage of increased online activity and everyday people letting their guard down. So how can businesses prevent cyberattacks during the holidays? 

In terms of situational attacks, cybercrime skyrocketed by upwards of 600 percent during the pandemic as hackers exploited fear and companies shifted to remote workforces. Other troubling statistics involving data breaches and digital theft include the following.

  • Approximately 42 percent of all data breaches involve small or mid-sized businesses.
  • Hackers are able to penetrate 93 percent of all business networks.
  • Weekly business data breach attempts increased by 50 percent in 2021.
  • The most targeted industries included healthcare, the military, and communications.

When including major corporations, the average cost of a data breach in 2021 hovered at $4.24 million. Before 2022 closes, that estimate will likely exceed $4.35 million. With that kind of money at stake, hackers will not be taking the holidays off.

Common Hacking Schemes Used During the Holidays

Online thieves typically change their techniques to maximize data breach success rates. During the pandemic, hackers rolled out disgraceful email scams tricking recipients into believing a loved one was hospitalized and needed money to start treatment. That shows just how low these nefarious individuals will sink. They are more than willing to exploit the holidays to steal your digital assets. The following rank among the schemes commonly deployed during the holidays.

  • Phony Shipping Alerts: Packages making their way through the delivery system often involve a tracking component. Cyber-thieves targeting businesses are well aware that professionals check these emails and text messages from the same devices they use for work. One of the most successful tricks involves prompting someone to click on a fake tracking link. That’s when malware downloads into the business network, giving criminals access to digital assets.
  • Fake Invoices: Along with phony tracking alerts, hackers now send seemingly legitimate digital invoices that consumers are inclined to save on a device. It’s basically the same scheme as fake shipping alerts, but the malicious application is embedded in the PDF. Hackers can activate it at will and steamroll a business network.
  • Unauthorized Transactions: Personal and business accounts are more vulnerable during the run-up to the holidays because purchases are made more frequently. End-of-year business gifts to colleagues and employees, along with charitable donations, can result in financial confusion that is sometimes left to be cleaned up after the holidays. Hackers are quick to swipe credit card and bank account numbers from platforms that are not necessarily secure.

Although the number of data breaches increases year over year, that doesn’t mean business leaders cannot avoid theft. Hackers bank on the fact that a high percentage of small, mid-sized, and even large corporations have persistent vulnerabilities. If you harden your defenses and educate staff members about hacking schemes, digital bandits are more likely to pass over your network and find an easier mark.

How to Prevent Cyberattacks During the Holidays

It’s essential to maintain a robust cybersecurity posture during the entire year. Digital thieves make a living stealing business and personal information and selling it on the Dark Web. During the holidays and other periods when people change behaviors, cybercriminals reach into their situational bag of tricks to improve their odds. The following measures can help stop hackers before they breach your business network.

  • Cybersecurity Awareness: The overwhelming majority of hacks are related to human error. Some employees click on a malicious link or provide their login credentials, and the system gets breached. Many of the hacking schemes deployed during the holidays can be easily recognized by providing staff members with ongoing cybersecurity awareness training. Instead of clicking on that link, they’ll delete the electronic message.
  • Password Protections: Most of us have multiple online accounts that require usernames and passwords. The habit of using simple, easy-to-remember combinations makes our personal and professional data vulnerable. Following through with a policy that requires complex passwords and regular password changes makes the entire company safer.
  • Multifactor Authentication: This ranks among the simplest and most effective ways to prevent cybercriminals from exploiting employee login credentials. When someone goes to access the business network, a code is sent to a secondary device. That code must be entered before the person can proceed. Even if a hacker learns a username and password, they are highly unlikely to possess that second device.
  • Zero-Trust Credentials: This cybersecurity strategy involves limiting each user’s access. Each profile is reviewed so that it allows access only to the data that user needs to complete their tasks. Should a hacker use a team member’s credentials, their access is restricted in the same way.

Perhaps the best way to prevent a data breach during the holidays is to build a culture around cybersecurity. Every decision-maker and frontline employee has a stake in the organization’s success. That makes preventing data breaches everybody’s business.

Contact Sedulous Consulting Services for Determined Cybersecurity

Based in Triangle, Virginia, Sedulous Consulting Services works with small and mid-sized businesses to assess their cybersecurity vulnerabilities, secure network defenses, and prevent data breaches. If you’re concerned about potential cybersecurity vulnerabilities, contact Sedulous Consulting Services.

CMMC 2.0 vs CMMC 1.0 - Sedulous Cybersecurity

CMMC 2.0 Timeline: When Will it be Required

Business professionals in the military-industrial base have been inquiring about the Cybersecurity Maturity Model Certification (CMMC) for upwards of two years, and now is the time to act with urgency.

The federal government decided to pull back the initial CMMC plan, revise it, and develop CMMC 2.0. The delay has hung like a dark cloud over contractors and subcontractors, and organizations that tap into the U.S. Department of Defense (DoD) revenue stream have been eager to comply. That’s one of the reasons Sedulous Consulting Services was among the first 100 organizations to qualify as a Third-Party Assessment Organization.

Although DoD contractors, supply chain outfits, and managed IT cybersecurity firms have all been stuck in a holding pattern, it appears the DoD is ready to move forward with the long-anticipated CMMC 2.0. The newly minted cybersecurity mandate will task companies with building out technological infrastructure, educating employees about best practices, and maintaining different types of certification.

The goal is to prevent garden-variety hackers and advanced persistent threats, funded by rival nations, from acquiring Controlled Unclassified Information (CUI) for the purpose of breaching our national security. Organizations that are unprepared or fail to meet the stringent regulatory requirements can expect to find themselves outside the industry, losing profit-driving contracts and subcontracting work.

What Businesses Need to Know About CMMC 2.0 Timeline

The initial CMMC version was put forward in January 2020 and was met with complaints regarding costs, complexity, and confusion regarding assessments and compliance. Small businesses found the mandate particularly challenging because it was difficult for those outside the managed IT cybersecurity industry to determine which level was applicable and how to implement the required controls.

The imminent CMMC 2.0 streamlines the guidelines from five levels to three. But, in all honesty, there are baked-in items that small and mid-sized operations may find frustrating. However, the mandate is here to stay, and your company will be required to meet one of the following three CMMC 2.0 levels.

  • Level 1: The federal government calls this the “Foundational” level and it pertains to companies that store or transmit Federal Contract Information (FCI). Generally applicable to suppliers and service providers, businesses will be required to meet 15 controls. Companies will need to have a cybersecurity assessment conducted annually and file the results for review.
  • Level 2: This “Advanced” cybersecurity standard calls for implementing and maintaining upwards of 110 controls. The advanced cybersecurity directive has been something of a pain point for small and mid-sized organizations. That’s because it treats companies differently in terms of enlisting a Third-Party Assessment Organization, conducting internal reviews, or using a combination of both. If there’s a space where companies get tripped up and lose government-driven revenue, this may very well be it. We advise businesses to err on the side of caution, contact a Third-Party Assessment Organization, and protect their livelihood.
  • Level 3: At this level, considered “Expert” cyber hygiene, outfits will need a Third-Party Assessment Organization to review their systems, cybersecurity policies, and best practices. An objective analysis will lead to certification or inform stakeholders where deficiencies persist. There are a reported 134 necessary controls embedded in Level 3.

It’s essential to keep in mind that meeting the CMMC 2.0 timeline calls for proactive measures. There are a limited number of certified Third-Party Assessment Organizations, and they will be in increasingly high demand as the rollout moves forward. Putting off scheduling a CMMC 2.0 assessment will likely result in your company landing on a waiting list. The delays will not be as visually obvious as the 110 cargo vessels anchored off the California coast last year or the gas lines after the Colonial Pipeline hack in May 2021, but businesses can expect them to be lengthy.

CMMC 2.0 Rollout Has Effectively Begun

The federal government concluded its public comment period on Sept. 15, 2022, in compliance with the CMMC Assessment Process. This opens the door to voluntarily having a Third-Party Assessment Organization certify your defenses. Although there was speculation the final CMMC 2.0 version would take up to 24 months, the National Law Review indicates it could be released as soon as the first quarter of 2023.

“If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations as early as May 2023 (60 days after the rules are published). DoD also announced it plans to roll out the CMMC requirements in solicitations under a ‘phased approach.’ In particular, for phase one, when the CMMC requirement first starts appearing in solicitations, all offerors will be required to conduct a self-assessment (rather than have a third-party certification) and provide a positive affirmation of compliance,” the National Law Review reports. “Then, in phase two (with timing still to be determined), solicitations will require either self-assessments or third-party certifications (depending on the type of CUI and required certification level).”

Contact Sedulous Consulting Services For CMMC 2.0 Compliance

Based in Triangle, Virginia, Sedulous Consulting Services ranks among the first 100 organizations to qualify as a Third-party Assessment Organization. We work diligently with small and mid-sized businesses to assess their cybersecurity vulnerabilities, secure their network defenses, and meet the stringent CMMC 2.0 requirements. If your company enjoys profits from a military contract or works in the supply chain, contact Sedulous Consulting Services.

What is CMMC 2.0 and Does it Differ from 1.0?

After decades of miscues and rival countries stealing U.S. military intelligence, the federal government effectively drew a line in the sand. The Cybersecurity Maturity Model Certification (CMMC) was developed to be the single standard that all military contractors and supply chain businesses follow. CMMC 1.0 was previously the required certification version until CMMC 2.0 was recently announced and released.

But changes in the Pentagon and White House resulted in revisions of the initial CMMC standards and delayed implementation. To say this has also created confusion among organizations in the military-industrial base would be something of an understatement. Proactive industry leaders were quick to have their cybersecurity defenses assessed and updated to meet what seemed like an imminent CMMC 1.0 mandate. As the rollout date for CMMC 2.0 nears, decision-makers are trying to come to grips with the differences between CMMC 1.0 and 2.0 in order to maintain their lucrative Department of Defense (DoD) contracts.

Why DoD Requires CMMC 2.0

To understand CMMC 2.0, it’s essential to know why the federal government decided to bring wide-reaching cybersecurity regulations under one umbrella. Before the CMMC initiative, contractors and peripheral businesses were largely given the latitude to self-assess their cybersecurity compliance.

Needless to say, not everyone maintained an adequate defensive posture, and hackers funded by America’s enemies breached systems and routinely pilfered Controlled Unclassified Information (CUI). This data could be found in contracts, invoices, and electronic messages between outfits in the supply chain. Advanced persistent threats — working for countries such as Russia, Iran, and China — would piece CUI together to learn about our confidential national security defenses.

“A determined adversary with the right capabilities is going to find their way in, especially if they put all their resources to bear on it. So, it really comes down to, have you done everything you possibly can, have you been truthful about it,” Karlton Johnson, chair of the CMMC Accreditation Body board of directors, reportedly said. “One of the reasons we are doing CMMC is, people were not being truthful about it. If we go in and find out that you were not doing something, that’s negligence and we have to go that route.”

Back then, the federal government would fine or suspend negligent companies. As if adding insult to these injuries, foreign spies infiltrated the SolarWinds software used at almost every level of government as CMMC 1.0 was nearing its final stages. It was a cybersecurity and national defense nightmare.

How Does CMMC 2.0 Work?

CMMC sets a singular, unified standard that more than 300,000 organizations in the military-industrial base must follow. The CMMC 2.0 guidelines involve a three-tiered system that sets cybersecurity controls for companies that fall into each category.

The DoD refers to the three groups as Foundational, Advanced, and Expert levels. Each adopts defensive strategies from existing policies such as NIST SP 800-171 and NIST SP 800-172 subsets, among others. It’s not necessarily important for business professionals to know the ins and outs of NIST or even CMMC 2.0 for that matter. But it’s crucial to have a cybersecurity firm with CMMC expertise test, assess, and update your network to meet the incoming mandate. Failing to gain certification or maintain a robust posture could result in your company getting sidelined.

What are the Key Differences Between CMMC 2.0 and 1.0?

The glaring difference between the two measures is that CMMC 1.0 was going to be rolled out with five levels. The 2.0 version reduces that number to three. Although the latest version has fewer tiers, it remains equally complex for people outside the managed IT cybersecurity niche to fully appreciate. That being said, these are the CMMC 1.0 and 2.0 levels, respectively.

CMMC 1.0 Levels

  • Level 1: Basic Cyber Hygiene that involves using current antivirus software and firewalls and having a company-wide cybersecurity policy in place.
  • Level 2: Intermediate Cyber Hygiene that involves implementing NIST standards to protect CUI.
  • Level 3: Good Cyber Hygiene that requires 72 practices to be in place to earn certification. Organizations must also create a plan that demonstrates best practices and training.
  • Level 4: Proactive Cyber Hygiene typically applies to military contractors who previously followed DFARS protocols, among others. The organization must demonstrate it can identify and repel advanced persistent threats.
  • Level 5: Advanced Cyber Hygiene primarily for direct DoD contractors that requires sophisticated methods for identifying and responding to advanced persistent threats in real-time.

One of the challenges business professionals faced was determining which level applied to their company and meeting that standard. Although CMMC 2.0 streamlines the tiers, it creates some confusion about certification methods.

CMMC 2.0 Levels

  • Foundational: Loosely considered the equivalent of CMMC 1.0 Level 1, businesses must adhere to 15 controls to safeguard contractor information.
  • Advanced: Organizations that store or transmit CUI must adhere to 110 controls to protect it. This level has been a pain point for companies because it involves different ways to maintain certification.
  • Expert: Consistent with Level 5 of CMMC 1.0, companies must be able to detect, repel, and respond to advanced persistent threats. The 134 controls in this tier rank among the most stringent cybersecurity measures.

Going forward, companies working in the military-industrial base will be required to maintain CMMC 2.0 standards and demonstrate that to the federal government. The DoD is no longer interested in doling out fines after the fact. Proof of CMMC 2.0 compliance up front is now the standard.

The How-To Guide to CMMC Compliance Requirements

The long-awaited Cybersecurity Maturity Model Certification (CMMC) has effectively arrived, and the federal government is encouraging voluntary assessments from a Third-Party Assessment Organization ahead of full implementation. The U.S. Department of Defense (DoD) completed a major rule-making phase on Sept. 15, which is expected to fast-track CMMC 2.0 into government contracts, making the CMMC compliance requirements important to understand.

That being said, the three levels of cyber hygiene mandated by CMMC 2.0 can prove challenging for small and medium-sized businesses. The stringent regulations have companies that enjoy revenue as contractors and subcontractors implementing cybersecurity controls numbering from 15 to 134. Organizations will also face hurdles in terms of developing a policy that articulates best practices and educates employees about cybersecurity awareness.

Proactive business professionals are taking steps now to avoid getting put on waiting lists when a bottleneck of companies reaches out to comply during the eleventh hour. Sedulous Consulting Services qualified as a Third-Party Assessment Organization early in the process so that our CMMC experts could help shepherd businesses through the process. In The How-To Guide to CMMC Compliance Requirements, we provide insight and tips on CMMC 2.0 Compliance Requirements. 

What are the CMMC 2.0 Requirements?

There are different types of compliance requirements assigned to organizations based on the information they store and transmit. These typically include Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The former poses a limited national security risk and companies that manage FCI can expect less rigorous — although complex — cyber hygiene requirements.

By contrast, CUI covers a wide range of data, some of which poses a significant threat should it fall into the hands of a rogue nation. Determining which of the three CMMC 2.0 levels an organization must comply with remains the first hurdle. Following an assessment of the FCI and CUI your operation handles, the following requirements may be applicable.

  • Level 1: Considered “Basic” cyber hygiene by the DoD, this level applies to companies that primarily handle FCI. The Level 1 CMMC mandate is expected to include 15-17 security controls across 6 domains. The controls break down as follows: Access (4), Identification and Authentication (2), Media Protection (1), Physical Protection (4), System and Communication Protections (2), and System and Information Integrity (4).
  • Level 2: Touted as “Advanced” cyber hygiene, companies working with a combination of FCI and CUI can anticipate meeting 110 controls across 14 domains. Some rank among the most demanding forms of cybersecurity, and they pertain to the following: Access Control (22), Awareness Training (3), Audit and Accountability (9), Configuration Management (9), Identification and Authentication (11), Incident Response (3), Maintenance (6), Media Protection (9), Personnel Security (2), Physical Protection (6), Risk Assessment (3), Security Assessment (4), System and Communications Protection (16), and System and Information Integrity (7).
  • Level 3: Direct military contractors and those who handle high-level CUI can expect to meet “Expert” cyber hygiene requirements. The cybersecurity of DoD contractors is expected to be hardened enough to identify, deter, and repel threats from enemy nations. This will entail more than 130 defense items, including the following: Access Control (8), Asset Management (1), Audit and Accountability (7), Awareness Training (1), Configuration Management (3), Identification and Authentication (4), Incident Response (2), Maintenance (2), Media Protection (4), Personnel Security (6), Physical Protection (6), Recovery (3), Risk Assessment (3), Security Assessment (2), Situational Awareness (1), System and Communications Protection (15), and System and Information Integrity (3).

Businesses on tight IT budgets might have considered in-house assessments as a cost-effective way to comply. Given the number of cybersecurity controls and the complexity of these defenses, it may be prudent to work with a third-party cybersecurity firm with CMMC expertise.

Key Steps to Achieving CMMC Compliance Requirements

Meeting the federal mandate allows businesses to remain in the military-industrial base and generate profits from the often lucrative DoD contracts. The compliance process can be relatively seamless when performed by a CMMC professional. These are the general steps needed to meet the inbound CMMC regulations.

  • Identify Data: Review the information your organization stores or transmits and determine whether it is FCI or CUI. If it’s CUI, further analysis may be necessary to align it with one of the three cyber hygiene levels.
  • Readiness Assessment: Conduct a thorough audit of your network to identify cybersecurity vulnerabilities. Document the findings and create a plan to cure the gaps.
  • Test System: Enlist the support of a Third-Party Assessment Organization to conduct a trial run before the CMMC requirements come online. This provides an opportunity to take corrective measures and earn certification ahead of schedule.
  • Cybersecurity Plan: Update your organization’s best practices, response strategies, and technologies required to meet CMMC demands. It’s also crucial to incorporate cybersecurity awareness training to educate frontline employees about existing and emerging threats.

The DoD has made it abundantly clear that all 300,000 businesses in the military-industrial base will meet the CMMC requirements or find themselves out of the loop. Taking proactive measures before the regulations are part of the process better positions your operation to bid on contracts and generate revenue as a subcontractor.