David Gerendas, Group Product Manager, Intel Security
Ray Potter, CEO of SafeLogic
With the advent of the cloud and the explosion of mobile endpoints, enterprises have increased their focus on maintaining data integrity and confidentiality from growing threats. As a result, the Federal Risk and Authorization Management Program, a.k.a. FedRAMP, has taken on greater significance outside of federal deployments. By standardizing requirements and expectations, the program has set a strong benchmark for the entire cloud industry. In response to repeated security breaches that have damaged brands’ credibility, corporate mandates are now matching and even exceeding their government counterparts. If you are not FedRAMP compliant, enterprises demand to know why not.
Encryption is integral to FedRAMP and has become ubiquitous in the effort to protect information assets. But while cryptographic libraries have often been deployed on their own, with no independent verification, customer expectations have risen in recent years. Enterprises no longer accept homegrown cryptography from vendors, strongly preferring solutions that have been tested by accredited third-party labs and validated by the government. Federal Information Processing Standard (FIPS) 140-2 is the benchmark standard for cryptographic modules, and the Cryptographic Module Validation Program (CMVP) was established to validate modules against it. A CMVP certificate is scoped to a specific module version and tested operating environment, so a product that merely bundles a validated library, or runs it outside its approved mode of operation, does not inherit the validation. In tandem, FedRAMP and FIPS 140-2 offer the highest level of assurance available to cloud buyers, yet both are still widely misunderstood.
You will learn:
• What FedRAMP compliance entails
• Advantages of using a validated cryptographic module in the cloud
• How encryption modules become validated and the pitfalls of the process
• Meaning of FedRAMP compliance claims and how to confirm
• Right questions to ask vendors about their encryption and FedRAMP compliance
Work With Federal Agencies? Here's What You Should Know About FedRAMP Assessm... (Schellman & Company)
FedRAMP is the federal government's risk and security assessment program for cloud-based services as part of the cloud-first initiative, and is designed to make the assessment process more efficient by providing a "do once, use many times" framework.
If your organization provides, or wants to provide, cloud services to federal agencies, the offering will need a FedRAMP authorization.
On this webinar, you will:
• Learn the background and overview of the FedRAMP program
• Take a deep dive of the assessment process
• Discover the benefits and challenges companies experience during the assessment process
Federal Agencies & Cloud Service Providers meeting FISMA requirements via FedRAMP
This presentation covers the Federal Risk and Authorization Management Program (FedRAMP) alongside FISMA, SCAP and the Federal Data Center Consolidation Initiative, to clarify how the cloud services US government agencies purchase must meet Federal Information Security Management Act (FISMA) requirements.
January 2013 - The FedRAMP Joint Authorization Board has granted its first provisional authorization to Autonomic Resources, who used Veris Group as their FedRAMP accredited 3PAO.
TrustedAgent GRC streamlines the complexity of obtaining a FedRAMP security authorization for cloud IaaS, PaaS and SaaS services and applications. It tracks evidence and control implementation, produces key deliverables such as the System Security Plan, and manages continuous monitoring for ongoing compliance, significantly reducing the manual work involved, including tracking the vulnerabilities found during continuous monitoring. Download and contact us to learn more about how TrustedAgent GRC can create opportunities for your cloud offerings in the Federal Government.
stackArmor - FedRAMP and 800-171 compliant cloud solutions (Gaurav "GP" Pal)
Conducting a Security Assessment and Authorization (SA&A) phase is essential to deliver a fully compliant solution and to produce adequate, verifiable evidence that the system meets FedRAMP or 800-171 requirements. The documentation standards prescribed by FIPS 199, NIST SP 800-53 (including the newly released Revision 5) and the DoD RMF are proven frameworks for building a secure and compliant cloud system.
Explore the Implicit Requirements of the NERC CIP RSAWs (EnergySec)
Regulated entities should consider the RSAW templates when preparing evidence of compliance with the NERC CIP Standards. There are a number of implicit requirements in CIP v5 which an entity needs to fulfill to be compliant, which are not specifically identified in the actual requirements.
In this webinar, our experts will discuss such implicit requirements. Key learnings from this session:
• RSAW format
• Implicit requirements of CIP RSAWs
• Leveraging technology for RSAW management
Click Here to visit the FedRAMP blog - https://www.controlcase.com/what-is-fedramp/?utm_source=webinar&utm_campaign=webinar
Click Here for FedRAMP Compliance Checklist - https://www.controlcase.com/fedramp-checklist-lp/?utm_source=webinar&utm_campaign=webinar
ControlCase covers the following:
- What is FedRAMP?
- What is FedRAMP Marketplace?
- Who does FedRAMP apply to?
- How hard is it to get FedRAMP certified?
- How long does the FedRAMP process take?
- How to get FedRAMP certified?
- ControlCase methodology for FedRAMP compliance
NERC CIP Version 5 and Beyond – Compliance and the Vendor’s Role (EnergySec)
Presenter: Joseph Loomis, Southwest Research Institute (SwRI)
Asset Owners face challenges as they strive to implement the NERC CIP V5 requirements. Meeting the requirements often requires documentation and technical knowledge of how an asset operates that only the Vendor can provide. Vendors, likewise, may be unclear about how the NERC CIP requirements affect them, and unsure how to meet the technical requirements. In this presentation we detail the lessons learned from a recent project in which SwRI worked with a Vendor to determine how the requirements apply to them and what the Vendor needs in order to support an Asset Owner in an audit.
Lessons Learned For NERC CIPv5 Compliance & Configuration Change Management (EnergySec)
The NERC CIPv5 deadline is fast approaching, and it’s not too late to be prepared. Join Mark Prince, Manager Operational Technology Fossil, from Entergy, Karl Perman, VP Member Services from EnergySec and Tim Erlin, Director from Tripwire to discuss achieving and maintaining NERC CIPv5 compliance in a fossil generation plant. We’ll cover some of the challenges that Entergy has experienced in their NERC CIPv5 compliance journey. Specifically, we will discuss configuration change management and how to leverage technologies for these requirements and consider what life would be without them.
The complexities of NERC CIP-007-5 Requirement 1 (R1) make it one of the most violated requirements in all the NERC standards. CIP-007-5 is the standard focused on Systems Security Management. R1 is intended to minimize the attack surface of critical systems by disabling, or limiting access to, unnecessary network-accessible logical ports and services. For most electric utilities, meeting the mandatory controls of this requirement is a tedious and labor-intensive effort.
Tripwire has a whitelisting profiler extension that can automate monitoring of ports, services, user accounts, software and the other items covered by CIP-007-5 R1. Join Robert Held, Senior Systems Engineer, as he live-demos how customer sites are saving man-years of effort in preparing for and automating their audits. Also joining to share their customer experience will be Marc Child, CISSP, Information Security Program Manager at Great River Energy.
Key Takeaways:
-Understand what CIP-007-5-R1 means to your organization
-Learn how to automate the processes required for assessing High and Medium Impact Cyber Assets
-Get audit-ready “Evidence of Compliance” reporting to provide auditors with what they need
-Hear how Marc Child at Great River Energy uses the whitelisting profiler for security and compliance
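The core of CIP-007-5 R1 monitoring is a baseline comparison: every network-accessible listening port on a BES Cyber Asset must map to a documented need, and anything else is a finding. The script below is an added example, not Tripwire's profiler or any product's code. It assumes a constructed per-asset whitelist of approved (protocol, port) pairs and constructed lines in the column layout printed by `ss -Hlntu` (Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port); the treatment of loopback-only listeners as out of scope rather than as violations is also an assumption.

```python
"""Compare observed listening ports against an approved-ports baseline
per asset, in the spirit of NERC CIP-007-5 R1. Added example; not
Tripwire's profiler or any product's code. Inputs are constructed."""
from dataclasses import dataclass

# Constructed baseline: asset -> set of (proto, port) with a documented need.
BASELINE = {
    "hmi-01": {("tcp", 22), ("tcp", 443)},
    "eng-ws-02": {("tcp", 22), ("tcp", 3389), ("udp", 161)},
}

# Constructed `ss -Hlntu`-style output per asset (column layout assumed:
# Netid State Recv-Q Send-Q Local:Port Peer:Port).
OBSERVED_RAW = {
    "hmi-01": """\
tcp   LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 511   0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:23      0.0.0.0:*
udp   UNCONN 0 0     0.0.0.0:69      0.0.0.0:*
tcp   LISTEN 0 128   127.0.0.1:631   0.0.0.0:*
""",
    "eng-ws-02": """\
tcp   LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128   [::]:3389       [::]:*
udp   UNCONN 0 0     0.0.0.0:161     0.0.0.0:*
""",
}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_ss(text: str) -> list[Listener]:
    """Parse ss-style lines into Listener records; skip headers/malformed lines."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # rpartition handles both "0.0.0.0:22" and "[::]:3389".
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue  # e.g. a header line with "Local" in the port column
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def assess(asset: str, observed: list[Listener], baseline: dict) -> dict:
    """Return unauthorized listeners, approved ports not currently open,
    and loopback-only listeners (assumed not network accessible)."""
    approved = baseline.get(asset, set())
    external = [l for l in observed if not l.addr.startswith(("127.", "[::1]"))]
    found = {(l.proto, l.port) for l in external}
    return {
        "asset": asset,
        "unauthorized": sorted(found - approved),
        "approved_but_closed": sorted(approved - found),
        "loopback_only": sorted((l.proto, l.port) for l in observed if l not in external),
    }


def run_all(baseline: dict = BASELINE, raw: dict = OBSERVED_RAW) -> dict:
    """Assess every asset; the result doubles as an evidence record."""
    return {asset: assess(asset, parse_ss(text), baseline) for asset, text in raw.items()}


if __name__ == "__main__":
    for asset, result in run_all().items():
        status = "FINDING" if result["unauthorized"] else "OK"
        print(f"{asset}: {status} {result}")
```

With the constructed input, hmi-01 is flagged for telnet (tcp/23) and TFTP (udp/69) that are not in its baseline, while its CUPS listener on 127.0.0.1 is reported separately; eng-ws-02 matches its baseline exactly. Run against real `ss -Hlntu` output, the per-asset result is the kind of dated, repeatable comparison an auditor expects as evidence for R1.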
ControlCase discusses the following:
•About the cloud
•About PCI DSS
•PCI DSS in the cloud
•How to keep sensitive data secure as you move to the cloud
•Q&A
Performing PCI DSS Assessments Using Zero Trust Principles (ControlCase)
- PCI DSS Requirements & Secure Remote Working
- Assessments In Work From Home (WFH) Scenario
- Remote Security Testing
- Key Aspects For Remote Assessments
Project Forecasting from the Perspective of an EVMA and EIA-748 (Unanet)
EIA-748 guidelines, as interpreted for major U.S. Government projects, require that project managers develop and maintain bottom-up estimates of the cost and schedule outcomes of their projects. A comprehensive bottom-up forecast is required at least annually, supported by a monthly update to the forecast that includes best-case, worst-case and most-likely outcomes for the project's estimated final total cost.
This webinar covers these requirements and common associated processes and methods for developing the forecasts.
Included in the discussion are the topics of risk and opportunities management and their relationship to the EVMS; especially focused on the development of the risk/opportunities informed forecasts.
Rather than the development of three potential outcomes for the project timeline, the schedule portion of the discussion focuses on building and maintaining an Integrated Master Schedule (IMS) that meets the Generally Accepted Scheduling Principles (GASP) and the use of that IMS in establishing the probability of meeting the end date based on Schedule Risk Analysis (SRA) techniques.
The discussion ends with the topic of independent evaluations of the forecast using the Independent Estimate-at-Complete (IEAC) analysis process.
Download the presentation to learn more or visit us at www.unanet.com.
Performing a detailed security risk assessment is a time-consuming and challenging task. However, in today’s high-risk environment, it is required. A common misconception that can leave IBM i systems open to data breaches is that addressing physical and network security is enough to keep systems and data safe. Though controlling physical access and ensuring network security is important, the most common vulnerabilities in IBM i environments come from improper security configurations.
To understand security risks on your IBM i, it is essential to review security settings and configurations throughout the system. This requires significant knowledge of dozens of IBM i capabilities and their related configurations. Assure Security Risk Assessment thoroughly examines dozens of security settings, comparing values against best practice, to produce reports that identify security vulnerabilities.
View this webcast on-demand to learn:
• The dangers of improperly configured security settings on your IBM i
• How many compliance regulations, such as PCI DSS and HIPAA, require annual IT risk assessments
• How to request Syncsort’s FREE Assure Security Risk Assessment
Cyber Security in Energy & Utilities Industry (Prolifics)
In September 2011, Prolifics & IBM hosted a speaking session at a Cyber Security Summit in California. The presentation focused on the importance of Identity and Access Management in the Energy & Utilities industry as well as today's critical regulatory requirements.
The Cybersecurity Maturity Model Certification (CMMC) continues to take shape, with the formation of the Accreditation Body (AB) and continued release of framework and contract guidance. The CMMC will be used as a unified standard for defense contractors to demonstrate cybersecurity program maturity and protection of CUI, and will ultimately require a third party assessment to achieve required certification. The DoD acknowledges that contractors of varying sizes struggle to maintain an appropriate cybersecurity posture and believes this new framework will help contractors implement effective cybersecurity controls tailored to the size and nature of their business and meet the DoD’s requirements.
In this webinar, Tom Tollerton, Managing Director of Cybersecurity & Privacy at DHG will discuss the latest developments around the framework, expectations in contracts in the coming months, and offer actionable recommendations for steps to prepare for potential requirements.
Download the presentation today or visit us at www.unanet.com.
Lexcomply - ERM enables organizations to implement an Enterprise Risk Management (ERM) and Internal Controls framework. Risk Manager captures information such as loss events, key risk indicators (KRIs), assessment responses and scenario analysis data in a flexible and connected way. By connecting the entire risk ecosystem, including internal and external stakeholders, it allows risk managers to analyse risk intelligence and communicate effectively.
Unanet is a leading provider of Cloud and On-Premise software for project-based professional services organizations. Unanet delivers a purpose built Project ERP solution with skills management, resource planning, budgeting & forecasting, time & expense reporting, billing & revenue recognition, project management analytics and dashboards, and integrated financials with AR, AP, GL and cost pool calculations.
Over 2,000 organizations trust Unanet to maximize staff utilization, reduce overhead and administrative costs, improve speed and accuracy of invoicing, and support forward decision-making for improved operations.
Learn more about Unanet at www.unanet.com/videos .
Firehost Webinar: Validating your Cardholder Data Environment (Armor)
An in-depth look at how to validate your Card Data Environment. Join us as we discuss: PCI 3.0 documentation, cardholder data searches, and pen testing.
The DoD released v1.2 of the CMMC on March 18, 2020. Walk through the slides to understand:
1. CMMC/DFARS/NIST SP 800-171
2. CMMC Framework
3. CMMC Levels & Requirements
4. The CMMC effort builds upon existing regulation
5. CMMC – Asset Management
6. CMMC Practices Across Domains per Maturity Levels
7. NIST 800-171 to CMMC Gaps
8. Certification & Accreditation Details
9. CMMC Training
10. Challenges being solved by Ignyte | Training
11. Challenges being solved by Ignyte | Automation
12. What is included within the Full CMMC Accreditation Package?
13. CMMC Accreditation Process Automated
How safe are your Lightning Components? Join us and learn about the foundations required for a secure application built on Lightning. We'll cover common misconceptions around field-level security, CRUD, content security policy (CSP), as well as other common mistakes with Lightning. You'll walk away with all the best practices for hardening your application and keeping your data secure.
Analyzing Your GovCon Cybersecurity Compliance (Robert E Jones)
APTAC Spring Training Conference 2018
Left Brain Professionals Inc.
The FAR and DAR Councils issued new cybersecurity rules for government contractors. The FAR rule, effective in June 2016, affects all government contractors and lists 15 items "a prudent business person would employ…even if not covered by this rule." The DFARS rule, 252.204-7012 "Safeguarding Covered Defense Information and Cyber Incident Reporting" requires compliance with NIST (SP) 800-171 R1, a more robust guideline, by December 31, 2017. While no audit plan or third-party system approval process exists for the FAR and DFARS rules, contractors imply compliance by signing and accepting contracts with these clauses. More importantly, these clauses exist in current contracts so your compliance is already implied. Join me for a conversation about practical steps toward cybersecurity compliance. We'll talk about the unique cybersecurity requirements for government and defense contractors, walk through the categories of NIST 800-171 compliance, and discuss the audit and survey process.
Webinar presentation September 20, 2016.
This deck introduces the CSCC’s deliverable, Cloud Security Standards: What to Expect and What to Negotiate V2.0, which was updated in August 2016 to reflect the latest developments in cloud security standards. The presentation is an overview of the various security standards, frameworks, and certifications that exist for cloud computing. This information will help cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers.
Read the CSCC's deliverable here: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm
Government Webinar: RMF, DISA STIG, and NIST FISMA Compliance Using SolarWinds (SolarWinds)
In this webinar, we discussed how SolarWinds® infrastructure monitoring tools can help improve your agency’s RMF, NIST FISMA, and DISA STIG compliance. Our presenter discussed how our solutions help manage everything from configurations and access control rights to system and application patching and log management.
During this interactive webinar, attendees learned:
• How SolarWinds Network Configuration Manager (NCM) and SolarWinds Server Configuration Monitor (SCM) support compliance with STIG templates, and how NCM also includes out-of-the-box FISMA templates
• How SolarWinds Security Event Manager (SEM) provides log and event processing and notifications, and offers active responses to help meet your organization’s security objectives
• How SolarWinds Access Rights Manager™ (ARM) helps reduce insider threat risks by managing and auditing access rights for systems, data, and files, including Active Directory® support
• How SolarWinds Patch Manager quickly addresses software vulnerabilities in Microsoft® and third-party applications
Analyzing Your Government Contract Cybersecurity Compliance (Robert E Jones)
Govology
Left Brain Professionals Inc.
Amped for FedRAMP
1. Amped for FedRAMP
Cloud Security World, New Orleans
Ray Potter, CEO, SafeLogic
David Gerendas, Group Product Manager, Intel Security
2. Takeaways
• What FedRAMP compliance entails
• Advantages of using a validated cryptographic module in the cloud
• How encryption modules become validated and the pitfalls of the process
• Meaning of FedRAMP compliance claims and how to confirm
• Right questions to ask vendors about their encryption and FedRAMP compliance
3. Assurance
• A measure of confidence and trust (usually established via a third party) that a product, product component, or system meets its claims or meets a specified set of requirements
• Applies to products and to systems
5. Systems Assurance
• Using evaluated products does not by itself provide an appropriate level of assurance
• Need to look at the overall functionality of the system
• Risk mitigation / due diligence
6. FedRAMP
• December 9, 2010
  • Office of Management and Budget (OMB) released the 25 Point Implementation Plan To Reform Federal Information Technology Management
  • Cloud First policy was enacted, requiring agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists
• December 8, 2011
  • OMB FedRAMP Policy Memo: Security Authorization of Information Systems in Cloud Computing Environments
  • Establishes the Federal Risk and Authorization Management Program (FedRAMP)
  • Requires all Federal agencies to meet FedRAMP requirements by June 2014
7. Purpose
• Ensure that cloud-based services have adequate information security
• Eliminate duplication of effort and reduce risk management costs
• Enable rapid and cost-effective procurement of information systems/services
8. Applicable Standards and Guidance
FIPS Publication 140-2: Security Requirements for Cryptographic Modules
FIPS Publication 199: Standards for Security Categorization of Federal Information and Information Systems
FIPS Publication 200: Minimum Security Requirements for Federal Information and Information Systems
NIST SP 800-37, Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
NIST SP 800-53, Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-53A: Guide for Assessing the Security Controls in Federal Information Systems and Organizations
NIST SP 800-137: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
9. Goals
• Standardize security requirements
• Accredit qualified third-party assessors
• Provide a repository of authorized secure cloud packages
• Standardize ongoing assessment methodologies
• Standardize contract language
10. Key Stakeholders
• Federal agency customer – has a requirement for cloud technology that will be deployed into their security environment and is responsible for ensuring FISMA compliance
• Cloud Service Provider (CSP) – is willing and able to fulfill agency requirements and to meet security requirements
• Joint Authorization Board (JAB) – reviews the security package submitted by the CSP and grants a Provisional Authority to Operate (P-ATO)
• Third Party Assessment Organization (3PAO) – validates and attests to the quality and compliance of the CSP-provided security package
• FedRAMP Program Management Office (PMO) – manages the assessment, authorization, and continuous monitoring process
12. Security Assessment Packages
• JAB Provisional ATO (P-ATO)
  • May take 18+ months; requires broader reviews/approvals
  • More widely accepted (government-wide)
• Agency ATO
  • May take 12+ months; only requires the sponsoring agency's ATO
  • Agency reputation and experience matter
• CSP Supplied
  • Package "in waiting"
  • May not meet all acquiring agency requirements

Category                           Assessed By       Authorizing Authority
FedRAMP Provisional Authorization  Accredited 3PAO   JAB
Agency ATO w/ FedRAMP 3PAO         Accredited 3PAO   Agency
CSP Supplied                       Accredited 3PAO   None
13. Security Testing
• System Security Plan (SSP)
• Security Assessment Plan (SAP)
• Security Test Cases
• Security Assessment Report (SAR)
• Scanning / Continuous Monitoring
14. Authorization Process and Timeline
Phases: System Security Plan → Security Assessment Plan → Testing → SAR & POA&M Review → Authorize

JAB P-ATO path:
• SSP: ISSO & CSP review the SSP → JAB review → CSP addresses JAB concerns
• SAP: 3PAO creates the SAP, ISSO reviews the SAP → JAB review → CSP addresses JAB concerns
• Testing: 3PAO tests & creates the SAR
• SAR & POA&M review: ISSO / CSP review the SAR → CSP creates the POA&M → JAB review → CSP addresses JAB concerns
• Authorize: final JAB review / P-ATO sign-off

Agency ATO path:
• SSP: Agency review → CSP addresses agency concerns → CSP implements control delta
• SAP: Agency reviews the SAP → CSP addresses agency notes
• Testing: 3PAO tests & creates the SAR
• SAR & POA&M review: Agency reviews the SAR → CSP creates the POA&M → CSP addresses concerns
• Authorize: final agency ATO sign-off

Quality of documentation will determine the length of time and the number of review cycles throughout the entire process.
18. Product Assurance
• Certification or evaluation of a product or product functionality against a set of requirements
• Required for product procurement in government and commercial industry
• Sets a barrier to entry
19. FIPS 140-2
• Federal Information Processing Standard 140, revision 2
• Specifies security requirements for cryptographic hardware and software modules
• Published jointly by the US (NIST) and Canadian (CSE) governments
• Tested by independent, accredited laboratories
• Offers 4 security levels of validation (Level 1 through Level 4)
20. Areas of Validation
• Module Definition (Cryptographic Module Specification)
• Ports and Interfaces
• Roles, Services, and Authentication
• Finite State Model
• Physical Security
• Operating Environment
• Key Management
• Self Tests
(FIPS 140-2 has eleven requirement areas in total; the three not listed here are EMI/EMC, Design Assurance, and Mitigation of Other Attacks.)
21. Why FIPS 140-2?
• Required for Federal and industry procurement
• Provides a level of confidence that encryption functions are implemented correctly and to a benchmark
• FIPS Compliant
  – Embedding a module that already has a FIPS validation
  – Uses proven crypto functions
  – "Compliant" is a vendor claim, not a CMVP status: the validation covers only the embedded module, on the operational environments listed on its certificate, operated as its Security Policy describes
• FIPS Validated
  – Getting your own certificate
  – Reassures buyers
22. Challenges of a Typical FIPS 140-2 Validation
• Definition of the module (the cryptographic boundary)
• HW & OS platform support
• Use of approved algorithms
• Development of appropriate documentation
• Algorithm testing
• Lengthy validation process
• Significant time and resource requirements
23. Where Does FIPS 140 Fit?
• Encrypt data in motion
• Encrypt data at rest
24. The Role of FIPS 140-2 in FedRAMP
• Validated crypto is required for government
  – FedRAMP
  – FISMA
  – SP 800-53 (e.g., control SC-13, Cryptographic Protection, calls for FIPS-validated cryptography)
• To an assessor, if crypto isn't validated it might as well be plaintext
25. Do Your Due Diligence
• Where is your FIPS 140 certificate? (Look the certificate number up on NIST's CMVP validated modules list rather than taking the claim on faith)
• Is the product / module FIPS-tested on a current platform? (Compare your deployment OS and hardware with the operational environments listed on the certificate)
• For consumers / developers, is your CSP doing the right things?
• Did you go through the FedRAMP process? (An authorized CSP and its package are listed on the FedRAMP Marketplace)
Speaker notes
Intro: SafeLogic, RapidCert; this presentation will tell you why what we do is important.
Assurance != Security
1. Products are used in different types of systems; different systems address disparate risks and threats.
2. Does the system do what it is supposed to do? Does the system do something it's not supposed to do?
3. A structured approach to identifying components and concerns: much like everything else, we need a standard and a process.
FedRAMP processes are designed to assist agencies in meeting FISMA requirements for cloud systems and to address the complexities of cloud systems that create unique challenges for complying with FISMA.
The federal government has historically been poor at procurement. FedRAMP helps agencies get the latest tech while still meeting their requirements for assurance.
The JAB is made up of the CIOs of DHS, DoD and GSA, supported by their security experts.
fedramp.gov
SAP: describes the security test plan; the CSP gets approval to proceed from the JAB.
Test cases are modified from NIST SP 800-53A because of the uniqueness of cloud implementations.
The SAR highlights findings, mitigations, and operational requirements, and identifies any problems or areas of concern.
System certification and accreditation requirements include the use of evaluated products.
The "-2" in FIPS 140-2 denotes the second revision of the standard.
Document, Test, Validate:
- Perform CAVP algorithm testing.
- Build tools / harnesses that accept input vectors from the lab and format the responses properly.
- Guide the testing laboratory through the source code to demonstrate compliance with the functions specified in FIPS 140.
- Develop functional test harnesses.
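The harness the notes describe, as an added example that is not part of the original presentation or SafeLogic's tooling: it reads a file in the layout of a legacy SHAVS (SHA Validation System) .req request, computes the short-message known-answer responses and the SHAVS Monte Carlo checkpoints, and writes the .rsp layout the laboratory compares against its reference. The sample vectors, file text and function names are constructed for illustration; a real harness would route every hash through the module under test instead of hashlib, and the CAVP has since replaced the .req/.rsp files with the ACVP JSON protocol.

```python
"""
Constructed CAVP-style harness for SHA-256 in the legacy SHAVS .req/.rsp layout.
Added example, not SafeLogic's or the presentation's code; sample vectors are constructed.
"""
import hashlib
from typing import Dict, List

# Constructed input in the layout of a SHAVS "ShortMsg" .req file (Len is in bits;
# a Len = 0 vector carries a placeholder Msg of 00, which the harness must ignore).
SAMPLE_REQ = """\
#  CAVS-style header: constructed sample, not a real CAVP file
[L = 32]

Len = 0
Msg = 00

Len = 24
Msg = 616263
"""


def parse_req(text: str) -> List[Dict[str, str]]:
    """Split a .req file into 'Key = value' blocks; comment and [section] lines are skipped."""
    vectors: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            if current:
                vectors.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        vectors.append(current)
    return vectors


def sha256_digest(data: bytes) -> bytes:
    """The implementation under test. A real harness calls the module's own SHA-256 here."""
    return hashlib.sha256(data).digest()


def sha256_hex(data: bytes) -> str:
    return sha256_digest(data).hex()


def short_msg_response(vector: Dict[str, str]) -> Dict[str, str]:
    """Known-answer test: hash exactly Len bits of Msg and return the block with MD appended."""
    bit_len = int(vector["Len"])
    if bit_len % 8:
        # This harness declares a byte-oriented implementation; bit-oriented vectors are out of scope.
        raise ValueError(f"bit-oriented vector (Len = {bit_len}) not supported")
    msg = bytes.fromhex(vector["Msg"])[: bit_len // 8]
    return {"Len": vector["Len"], "Msg": vector["Msg"], "MD": sha256_hex(msg)}


def monte_carlo(seed_hex: str, checkpoints: int = 100, inner: int = 1000) -> List[str]:
    """SHAVS Monte Carlo test: MD_i = SHA(MD_{i-3} || MD_{i-2} || MD_{i-1}) for 1000 rounds;
    the last digest of each checkpoint is reported as COUNT = j and becomes the next seed."""
    seed = bytes.fromhex(seed_hex)
    results: List[str] = []
    for _ in range(checkpoints):
        md = [seed, seed, seed]
        for _ in range(inner):
            md.append(sha256_digest(md[-3] + md[-2] + md[-1]))
        seed = md[-1]
        results.append(seed.hex())
    return results


def build_rsp(vectors: List[Dict[str, str]]) -> str:
    """Emit the .rsp layout the lab diffs against its reference: a Seed block expands to
    COUNT/MD pairs, every other block gets its MD line."""
    lines = ["[L = 32]", ""]
    for vector in vectors:
        if "Seed" in vector:
            lines += [f"Seed = {vector['Seed']}", ""]
            for count, md in enumerate(monte_carlo(vector["Seed"])):
                lines += [f"COUNT = {count}", f"MD = {md}", ""]
        else:
            r = short_msg_response(vector)
            lines += [f"Len = {r['Len']}", f"Msg = {r['Msg']}", f"MD = {r['MD']}", ""]
    return "\n".join(lines)


def run_harness(req_text: str) -> str:
    """Full request-to-response pass for one .req file."""
    return build_rsp(parse_req(req_text))


if __name__ == "__main__":
    print(run_harness(SAMPLE_REQ))
```

The split between `sha256_digest` and everything else is the point of the design: the lab's vectors exercise the module through a single call site, so swapping hashlib for the module's own entry point changes one function and nothing in the parsing or response formatting.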
Patrick talked about this from a CSP perspective: penetration tests, etc. Trust is sometimes a shortcut; these assurance programs provide a level of trust.