GACO Webinar: Practical Cybersecurity Compliance for Small Business Contractors
We Know Government Contracts
Who we are
Left Brain Professionals is a boutique accounting firm that serves government contractors. We specialize in accounting system design, implementation and audit support.
Our Team
• Robert E. Jones, Government Contracts & Accounting Expert, CPA, CPCM, NCMA Fellow, robert@LeftBrainPro.com
• Melissa Metzger, Government Accounting & Finance Advisor, MAFM, CPA Candidate, melissa@LeftBrainPro.com
• Steven Bressler, Government Contract Associate, steve@LeftBrainPro.com
Our Expertise and Services
• Accounting Systems
• Audit Support
• Cybersecurity Compliance
• Training
Learning Objectives
• Identify the cybersecurity requirements in government contracts.
• Describe the basic requirements of FAR 52.204-21 and CMMC Level 1.
• List tools to address CMMC Level 1 requirements.
• Locate resources for cybersecurity compliance.
Cybersecurity Requirements in Government Contracts
Generally you are looking for FAR 52.204-21, DFARS 204.208-7012 and CMMC:
• Look in the RFQ, the final award, and modifications.
• Note that requirements may change over time.
• Not all agencies follow the same format.
• Government agencies and primes use different formats.
• Requirements may be listed in the T&C or in a separate document.
• All contractors require certification under CMMC to perform work on any contract.
Describe the Basic Requirements of FAR 52.204-21 and CMMC Level 1
CMMC Comprised of Five Levels
All government contractors will be required to certify at least Level 1.
Level 1 contains 17 practices or requirements.
Progression of CMMC certification goes from basic safeguarding to advanced or progressive reduction of risk.
If you remember our studies on NIST (SP) 800-171, the categories of protection look similar.
A quick comparison of CMMC to FAR and NIST requirements.
The Requirements
Basic Requirement 1
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (P1001)
Deny by default, allow by exception. Create accounts only for known individuals, processes, or devices.
Tip or Tool: Implement Active Directory or LDAP and limit access to networks and external services to only listed users. Consider a single sign-on (SSO) solution to provision accounts and manage access.
• Office 365 & Azure AD
Basic Requirement 2
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (P1002)
Tip or Tool: Employ the rule of least privilege: assign only the minimal access that user and system accounts need.
Basic Requirement 3
Verify and control/limit connections to and use of external information systems. (P1003)
This covers synchronization with external systems, such as backups or data sharing between systems.
Tip or Tool: Deny external traffic by default. Adopt a policy to review any apps, cloud or external services before use.
Basic Requirement 4
Control information posted or processed on publicly accessible information systems. (P1004)
Tip or Tool: Adopt a policy to review what is posted on any website, portal, social media, or newsletter.
Basic Requirement 5
Identify information system users, processes acting on behalf of users, or devices. (P1076)
Tip or Tool: Create unique logins for all users and service accounts. No generic or shared logins.
Basic Requirement 6
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (P1077)
• Username and password
Tip or Tool: Enable multi-factor authentication (MFA) on all networks, devices and cloud services.
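Requirements 1, 2, 5 and 6 all reduce to questions you can ask of an account inventory: is every login on an approved list (deny by default, allow by exception), does each account hold only what its role needs, is every login tied to one named person or system, and is MFA on for every interactive account. The Python script below is an added example, not part of the original slides or of any vendor tool: it runs those four checks over a small constructed inventory and groups the findings by CMMC practice id. The field names, role names, privilege labels and account names are assumptions; in practice the same fields would be exported from Active Directory or Azure AD.

```python
"""Account-inventory check for CMMC Level 1 identity practices P1001, P1002,
P1076 and P1077. Added example: the inventory, roles and privilege labels are
constructed assumptions, not an export from a real directory."""
from dataclasses import dataclass

# P1001, allow by exception: the only logins that may exist (constructed).
APPROVED_PRINCIPALS = {"alice", "bob", "carol", "svc-backup"}

# P1002, least privilege: what each role legitimately needs (constructed labels).
ROLE_BASELINE = {
    "staff": {"mail", "files"},
    "accounting": {"mail", "files", "ledger"},
    "admin": {"mail", "files", "ledger", "directory-admin"},
    "service": {"backup-write"},
}

# P1076: username fragments that usually mean a shared or generic login.
GENERIC_MARKERS = ("shared", "generic", "guest", "test", "temp", "frontdesk", "reception")


@dataclass
class Account:
    username: str
    owner: str                 # named person or "service:<system>"; empty means nobody owns it
    role: str
    privileges: set
    mfa_enabled: bool
    interactive: bool = True   # False for service accounts that never log in interactively


def check_account(acct, approved=APPROVED_PRINCIPALS, baseline=ROLE_BASELINE):
    """Return a list of (practice_id, message) findings for one account."""
    findings = []
    # P1001: deny by default. A login that is not on the approved list is a finding
    # regardless of how it came to exist.
    if acct.username not in approved:
        findings.append(("P1001", f"{acct.username}: not on the approved principal list"))
    # P1002: least privilege. Anything beyond the role baseline is excess.
    excess = acct.privileges - baseline.get(acct.role, set())
    if excess:
        findings.append(("P1002", f"{acct.username}: privileges beyond role '{acct.role}': {sorted(excess)}"))
    # P1076: unique identity. No owner, or a generic-looking name, means the login
    # cannot be tied to one person or system.
    name = acct.username.lower()
    if not acct.owner or any(marker in name for marker in GENERIC_MARKERS):
        findings.append(("P1076", f"{acct.username}: shared or generic login"))
    # P1077: authentication. Every interactive login needs MFA.
    if acct.interactive and not acct.mfa_enabled:
        findings.append(("P1077", f"{acct.username}: MFA not enabled"))
    return findings


def assess(accounts):
    """Group findings by practice id; an empty list means that practice passed."""
    report = {"P1001": [], "P1002": [], "P1076": [], "P1077": []}
    for acct in accounts:
        for practice, message in check_account(acct):
            report[practice].append(message)
    return report


# Constructed sample inventory: two clean accounts, one over-privileged user without
# MFA, one shared front-desk login that was never approved, and one service account.
SAMPLE_INVENTORY = [
    Account("alice", "Alice Example", "admin", {"mail", "files", "ledger", "directory-admin"}, True),
    Account("bob", "Bob Example", "accounting", {"mail", "files", "ledger"}, True),
    Account("carol", "Carol Example", "staff", {"mail", "files", "ledger"}, False),
    Account("frontdesk", "", "staff", {"mail"}, True),
    Account("svc-backup", "service:backup-server", "service", {"backup-write"}, False, interactive=False),
]

if __name__ == "__main__":
    for practice, messages in assess(SAMPLE_INVENTORY).items():
        status = "PASS" if not messages else f"{len(messages)} finding(s)"
        print(f"{practice}: {status}")
        for m in messages:
            print(f"    {m}")
```

The approved list is the allow-by-exception control from Requirement 1, so an account that was created outside the provisioning process shows up even if it looks otherwise healthy. Service accounts are exempt from the MFA check only when they are marked non-interactive; an account that someone can actually log in with still needs MFA.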
Basic Requirement 7
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. (P1118)
Tip or Tool: Remove and shred the hard drives from all devices (including printers). Many IT professionals do not consider sanitization an acceptable practice.
Basic Requirement 8
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (P1131)
Tip or Tool: Put a lock on all servers: put them in a locked closet, room, or cage.
Basic Requirement 9
Escort visitors and monitor visitor activity (P1132); maintain audit logs of physical access (P1133); and control and manage physical access devices (P1134).
Tip or Tool: Use visitor logs and badges. Require all non-employees to check in and check out, even if you have a no-escort policy for certain visitors. Ensure access cards limit access in terms of days, times and locations (geographic, rooms, etc.).
Basic Requirement 10
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (P1175)
Tip or Tool: Block unknown networks. Implement the rule of least privilege.
Basic Requirement 11
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (P1176)
Tip or Tool: The guest network must be separate from the internal network. Host the website on a third-party server. Remove any links from the public website to internal networks or cloud services.
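Requirements 10 and 11 together describe deny by default at the network boundary plus a separate subnetwork for the guest and publicly accessible components. The Python script below is an added example, not from the slides, that encodes that policy as a zone map and an allow-by-exception list, evaluates constructed sample flows against it, and lints the exception list itself so no entry can bridge the guest or public subnet into the internal network. The address ranges, zone names, ports and flows are assumptions.

```python
"""Network-boundary policy check for CMMC Level 1 practices P1175 (control
communications at external and key internal boundaries) and P1176 (separate
subnetworks for publicly accessible components). Added example: the zones,
addresses, exception list and sample flows are constructed assumptions, not a
real network."""
import ipaddress

# Zone map (constructed). Anything outside these ranges is treated as "external".
ZONES = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),      # workstations, file server
    "guest":    ipaddress.ip_network("192.168.50.0/24"),   # visitor Wi-Fi
    "public":   ipaddress.ip_network("203.0.113.0/24"),    # publicly accessible components
}

# Zones that must never initiate connections into "internal" (P1176).
UNTRUSTED_ZONES = {"guest", "public", "external"}

# Allow-by-exception list, (src_zone, dst_zone, protocol, dst_port). Everything
# not listed here is denied (P1175, deny by default).
EXCEPTIONS = {
    ("internal", "external", "tcp", 443),   # staff browsing and cloud services
    ("internal", "public",   "tcp", 22),    # administrators maintain the public hosts
    ("guest",    "external", "tcp", 443),   # visitors get web access only
    ("guest",    "external", "tcp", 80),
    ("external", "public",   "tcp", 443),   # the only inbound service exposed
}


def zone_of(ip):
    """Map an address to its zone name, defaulting to 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def evaluate(src_ip, dst_ip, proto, dst_port, exceptions=EXCEPTIONS):
    """Decide one flow. Returns (decision, reason). The segmentation rule runs
    before the exception lookup so no exception can bridge into internal."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if dst == "internal" and src in UNTRUSTED_ZONES:
        return ("deny", f"{src}->internal crosses a protected boundary (P1176)")
    if src == dst:
        # Traffic inside one zone is not a boundary decision; host isolation on the
        # guest network is a separate control and not modelled here.
        return ("allow", f"intra-zone {src} traffic")
    if (src, dst, proto, dst_port) in exceptions:
        return ("allow", f"listed exception {src}->{dst} {proto}/{dst_port}")
    return ("deny", f"no exception for {src}->{dst} {proto}/{dst_port} (default deny, P1175)")


def lint_exceptions(exceptions):
    """Catch misconfiguration before deployment: any exception whose destination is
    the internal zone and whose source is an untrusted zone violates P1176."""
    return sorted(e for e in exceptions if e[1] == "internal" and e[0] in UNTRUSTED_ZONES)


# Constructed sample flows: (src_ip, dst_ip, proto, dst_port).
SAMPLE_FLOWS = [
    ("10.10.4.20",    "198.51.100.7", "tcp", 443),   # staff -> internet HTTPS
    ("192.168.50.33", "10.10.1.5",    "tcp", 445),   # guest -> internal file server
    ("203.0.113.10",  "10.10.1.5",    "tcp", 1433),  # public host -> internal database
    ("198.51.100.7",  "203.0.113.10", "tcp", 443),   # internet -> public website
    ("198.51.100.7",  "203.0.113.10", "tcp", 22),    # internet -> public host SSH
    ("192.168.50.33", "198.51.100.7", "tcp", 80),    # guest -> internet HTTP
]


def evaluate_flows(flows, exceptions=EXCEPTIONS):
    """Return the decision ('allow' or 'deny') for each flow, in order."""
    return [evaluate(*flow, exceptions=exceptions)[0] for flow in flows]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        decision, reason = evaluate(*flow)
        print(f"{decision:5} {flow[0]:>14} -> {flow[1]:<14} {flow[2]}/{flow[3]:<5} {reason}")
    print("exception lint:", lint_exceptions(EXCEPTIONS) or "clean")
```

The ordering inside evaluate is the point: the segmentation check from Requirement 11 is evaluated before the exception list, so even a mistaken exception such as guest-to-internal cannot open the boundary, and lint_exceptions reports that mistake before the rule set is ever loaded onto a firewall.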
Basic Requirement 12
Identify, report and correct information and information system flaws in a timely manner. (P1210)
Tip or Tool: Establish a policy and forms/mechanisms for reporting and follow-up. Implement a help desk tool for tracking.
Basic Requirement 13
Provide protection from malicious code at appropriate locations within organizational information systems. (P1211)
Tip or Tool: Install antivirus & anti-malware on all devices (including phones and tablets).
Basic Requirement 14
Update malicious code protection mechanisms when new releases are available. (P1212)
Tip or Tool: Set antivirus software to update automatically (usually daily).
Basic Requirement 15
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, or executed. (P1213)
Antivirus & anti-malware should be configured to scan files downloaded or copied from external media before opening.
Tip or Tool: Ensure proper configuration of antivirus & anti-malware.
Other Tools for Basic Cyber Hygiene
Domain
Buy a domain:
• No more Gmail, Hotmail, Yahoo, etc.
• Set up Office 365 or Google G Suite for Business
• Why Office 365: affordable, scalable, built-in security
Password Management
Select a password manager such as:
• LastPass
• 1Password
• Dashlane
Training, Training, Training
Train all employees annually on basic cyber hygiene:
• NICCS
• Cybersecurity Training
Connect with us
Download the presentation: www.LeftBrainPro.com/presentations
Left Brain Professionals Inc. | @LeftBrainPro
Discussion | Q&A
Melissa R. Metzger, MAFM, melissa@leftbrainpro.com
Robert E. Jones, CPA, CPCM, NCMA Fellow, robert@leftbrainpro.com
Let’s connect: Left Brain Professionals Inc. | @LeftBrainPro

More Related Content

What's hot

P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSS
ControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Kimberly Simon MBA
 
Glossary of PCI terms
Glossary of PCI termsGlossary of PCI terms
Glossary of PCI terms
Gerrard Dawson
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
ControlCase
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Kimberly Simon MBA
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
Kimberly Simon MBA
 
Experience for implement PCI DSS
Experience for implement PCI DSS  Experience for implement PCI DSS
Experience for implement PCI DSS
Nhat Phan Canh
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
Kimberly Simon MBA
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
isc2-hellenic
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
ControlCase
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
ControlCase
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
Kimberly Simon MBA
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
Kimberly Simon MBA
 
Final Presentation
Final PresentationFinal Presentation
Final Presentationchris odle
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
ControlCase
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
ControlCase
 
access-control-week-2
access-control-week-2access-control-week-2
access-control-week-2jemtallon
 
Hipaa security compliance checklist for developers & business associates
Hipaa security compliance checklist for developers & business associatesHipaa security compliance checklist for developers & business associates
Hipaa security compliance checklist for developers & business associates
Shoba Krishnamurthy
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
Kimberly Simon MBA
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
Schellman & Company
 

What's hot (20)

P2PE - PCI DSS
P2PE - PCI DSSP2PE - PCI DSS
P2PE - PCI DSS
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Glossary of PCI terms
Glossary of PCI termsGlossary of PCI terms
Glossary of PCI terms
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Continual Compliance Monitoring
Continual Compliance MonitoringContinual Compliance Monitoring
Continual Compliance Monitoring
 
Experience for implement PCI DSS
Experience for implement PCI DSS  Experience for implement PCI DSS
Experience for implement PCI DSS
 
Card Data Discovery and PCI DSS
Card Data Discovery and PCI DSSCard Data Discovery and PCI DSS
Card Data Discovery and PCI DSS
 
Pci standards, from participation to implementation and review
Pci standards, from participation to implementation and reviewPci standards, from participation to implementation and review
Pci standards, from participation to implementation and review
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Data Discovery and PCI DSS
Data Discovery and PCI DSSData Discovery and PCI DSS
Data Discovery and PCI DSS
 
Final Presentation
Final PresentationFinal Presentation
Final Presentation
 
Integrated Compliance
Integrated ComplianceIntegrated Compliance
Integrated Compliance
 
Performing PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust PrinciplesPerforming PCI DSS Assessments Using Zero Trust Principles
Performing PCI DSS Assessments Using Zero Trust Principles
 
access-control-week-2
access-control-week-2access-control-week-2
access-control-week-2
 
Hipaa security compliance checklist for developers & business associates
Hipaa security compliance checklist for developers & business associatesHipaa security compliance checklist for developers & business associates
Hipaa security compliance checklist for developers & business associates
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
Determining Scope for PCI DSS Compliance
Determining Scope for PCI DSS ComplianceDetermining Scope for PCI DSS Compliance
Determining Scope for PCI DSS Compliance
 

Similar to GACO Webinar: Practical Cybersecurity Compliance for Small Business Contractors

Absolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-ComplianceAbsolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-Compliance
Sébastien Roques
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
duketjoy27252
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
Adrian Dumitrescu
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
Robert E Jones
 
System analyst
System analystSystem analyst
System analyst
returnasap
 
Secure Financial Intelligence System
Secure Financial Intelligence SystemSecure Financial Intelligence System
Secure Financial Intelligence SystemJoseph Yosi Margalit
 
HELP DESK interview questions and answers
HELP DESK interview questions and answersHELP DESK interview questions and answers
HELP DESK interview questions and answers
Vignesh kumar
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
CISA (1).pdf
CISA (1).pdfCISA (1).pdf
CISA (1).pdf
Infosec Train
 
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEWFREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
infosec train
 
Novatek- Regulatory Compliant User Requirement 21CFR Part 11 & Annex 11.pdf
Novatek- Regulatory Compliant User Requirement 21CFR Part 11 & Annex 11.pdfNovatek- Regulatory Compliant User Requirement 21CFR Part 11 & Annex 11.pdf
Novatek- Regulatory Compliant User Requirement 21CFR Part 11 & Annex 11.pdf
patemalabanan
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government Contracts
Robert E Jones
 
Scenario Overview Now that you’re super knowledgeable about se.docx
Scenario Overview Now that you’re super knowledgeable about se.docxScenario Overview Now that you’re super knowledgeable about se.docx
Scenario Overview Now that you’re super knowledgeable about se.docx
todd331
 
SanerNow Endpoint Management
SanerNow Endpoint ManagementSanerNow Endpoint Management
SanerNow Endpoint Management
SecPod Technologies
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
Robert E Jones
 
Integration_Architect_-_Study_Group_Part_1.pptx
Integration_Architect_-_Study_Group_Part_1.pptxIntegration_Architect_-_Study_Group_Part_1.pptx
Integration_Architect_-_Study_Group_Part_1.pptx
kathleenwaterworth
 

Similar to GACO Webinar: Practical Cybersecurity Compliance for Small Business Contractors (20)

Absolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-ComplianceAbsolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-Compliance
 
Absolute grc-
Absolute grc-Absolute grc-
Absolute grc-
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
ISS CAPSTONE TEAM
ISS CAPSTONE TEAMISS CAPSTONE TEAM
ISS CAPSTONE TEAM
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
 
System analyst
System analystSystem analyst
System analyst
 
Secure Financial Intelligence System
Secure Financial Intelligence SystemSecure Financial Intelligence System
Secure Financial Intelligence System
 
HELP DESK interview questions and answers
HELP DESK interview questions and answersHELP DESK interview questions and answers
HELP DESK interview questions and answers
 
OwnYIT CSAT + SIEM
OwnYIT CSAT + SIEMOwnYIT CSAT + SIEM
OwnYIT CSAT + SIEM
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
CISA (1).pdf
CISA (1).pdfCISA (1).pdf
CISA (1).pdf
 
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEWFREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
 
Novatek- Regulatory Compliant User Requirement 21CFR Part 11 & Annex 11.pdf
Novatek- Regulatory Compliant User Requirement 21CFR Part 11 & Annex 11.pdfNovatek- Regulatory Compliant User Requirement 21CFR Part 11 & Annex 11.pdf
Novatek- Regulatory Compliant User Requirement 21CFR Part 11 & Annex 11.pdf
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government Contracts
 
Scenario Overview Now that you’re super knowledgeable about se.docx
Scenario Overview Now that you’re super knowledgeable about se.docxScenario Overview Now that you’re super knowledgeable about se.docx
Scenario Overview Now that you’re super knowledgeable about se.docx
 
SanerNow Endpoint Management
SanerNow Endpoint ManagementSanerNow Endpoint Management
SanerNow Endpoint Management
 
Analyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity ComplianceAnalyzing Your GovCon Cybersecurity Compliance
Analyzing Your GovCon Cybersecurity Compliance
 
Ch06 Policy
Ch06 PolicyCh06 Policy
Ch06 Policy
 
Integration_Architect_-_Study_Group_Part_1.pptx
Integration_Architect_-_Study_Group_Part_1.pptxIntegration_Architect_-_Study_Group_Part_1.pptx
Integration_Architect_-_Study_Group_Part_1.pptx
 

Recently uploaded

Sustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & EconomySustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & Economy
Operational Excellence Consulting
 
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
BBPMedia1
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
SynapseIndia
 
Attending a job Interview for B1 and B2 Englsih learners
Attending a job Interview for B1 and B2 Englsih learnersAttending a job Interview for B1 and B2 Englsih learners
Attending a job Interview for B1 and B2 Englsih learners
Erika906060
 
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
Kumar Satyam
 
Unveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdfUnveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdf
Sam H
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
Ben Wann
 
Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
Ben Wann
 
Global Interconnection Group Joint Venture[960] (1).pdf
Global Interconnection Group Joint Venture[960] (1).pdfGlobal Interconnection Group Joint Venture[960] (1).pdf
Global Interconnection Group Joint Venture[960] (1).pdf
Henry Tapper
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
seri bangash
 
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBdCree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
creerey
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
ofm712785
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
Workforce Group
 
anas about venice for grade 6f about venice
anas about venice for grade 6f about veniceanas about venice for grade 6f about venice
anas about venice for grade 6f about venice
anasabutalha2013
 
BeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024   .pdfBeMetals Presentation_May_22_2024   .pdf
BeMetals Presentation_May_22_2024 .pdf
DerekIwanaka1
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
awaisafdar
 
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxTaurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
my Pandit
 
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Navpack & Print
 
20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf
tjcomstrang
 
What is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdfWhat is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdf
seoforlegalpillers
 

Recently uploaded (20)

Sustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & EconomySustainability: Balancing the Environment, Equity & Economy
Sustainability: Balancing the Environment, Equity & Economy
 
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
RMD24 | Retail media: hoe zet je dit in als je geen AH of Unilever bent? Heid...
 
Premium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern BusinessesPremium MEAN Stack Development Solutions for Modern Businesses
Premium MEAN Stack Development Solutions for Modern Businesses
 
Attending a job Interview for B1 and B2 Englsih learners
Attending a job Interview for B1 and B2 Englsih learnersAttending a job Interview for B1 and B2 Englsih learners
Attending a job Interview for B1 and B2 Englsih learners
 
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
India Orthopedic Devices Market: Unlocking Growth Secrets, Trends and Develop...
 
Unveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdfUnveiling the Secrets How Does Generative AI Work.pdf
Unveiling the Secrets How Does Generative AI Work.pdf
 
Business Valuation Principles for Entrepreneurs
Business Valuation Principles for EntrepreneursBusiness Valuation Principles for Entrepreneurs
Business Valuation Principles for Entrepreneurs
 
Improving profitability for small business
Improving profitability for small businessImproving profitability for small business
Improving profitability for small business
 
Global Interconnection Group Joint Venture[960] (1).pdf
Global Interconnection Group Joint Venture[960] (1).pdfGlobal Interconnection Group Joint Venture[960] (1).pdf
Global Interconnection Group Joint Venture[960] (1).pdf
 
Memorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.pptMemorandum Of Association Constitution of Company.ppt
Memorandum Of Association Constitution of Company.ppt
 
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBdCree_Rey_BrandIdentityKit.PDF_PersonalBd
Cree_Rey_BrandIdentityKit.PDF_PersonalBd
 
5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer5 Things You Need To Know Before Hiring a Videographer
5 Things You Need To Know Before Hiring a Videographer
 
Cracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptxCracking the Workplace Discipline Code Main.pptx
Cracking the Workplace Discipline Code Main.pptx
 
anas about venice for grade 6f about venice
anas about venice for grade 6f about veniceanas about venice for grade 6f about venice
anas about venice for grade 6f about venice
 
BeMetals Presentation_May_22_2024 .pdf
BeMetals Presentation_May_22_2024   .pdfBeMetals Presentation_May_22_2024   .pdf
BeMetals Presentation_May_22_2024 .pdf
 
The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...The Parable of the Pipeline a book every new businessman or business student ...
The Parable of the Pipeline a book every new businessman or business student ...
 
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptxTaurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
Taurus Zodiac Sign_ Personality Traits and Sign Dates.pptx
 
Affordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n PrintAffordable Stationery Printing Services in Jaipur | Navpack n Print
Affordable Stationery Printing Services in Jaipur | Navpack n Print
 
20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf20240425_ TJ Communications Credentials_compressed.pdf
20240425_ TJ Communications Credentials_compressed.pdf
 
What is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdfWhat is the TDS Return Filing Due Date for FY 2024-25.pdf
What is the TDS Return Filing Due Date for FY 2024-25.pdf
 

GACO Webinar: Practical Cybersecurity Compliance for Small Business Contractors

  • 3. Who we are Left Brain Professionals is a boutique accounting firm that serves government contractors. We specialize in accounting system design, implementation and audit support.
  • 4. Our Team Robert E. Jones Government Contracts & Accounting Expert CPA, CPCM, NCMA Fellow Melissa Metzger Government Accounting & Finance Advisor MAFM, CPA Candidate Steven Bressler Government Contract Associate steve@LeftBrainPro.commelissa@LeftBrainPro.comrobert@LeftBrainPro.com
  • 7. Learning Objectives • Identify the cybersecurity requirements in government contracts. • Describe the basic requirements of FAR 52.204-21 and CMMC Level 1. • List tools to address CMMC Level 1 requirements. • Locate resources for cybersecurity compliance.
  • 9. Cybersecurity Requirements in Government Contracts Cont…
  • 10. Generally looking for FAR 52.204-21, DFARS 204.208-7012 and CMMC • Look in RFQ, final award, and modifications • Note that requirements may change over time • Not all agencies follow the same format • Government and primes have different format • May be listed in T&C or separate document • All contractors require certification under CMMC to perform work on any contract Cybersecurity Requirements in Government Contracts, Continued…
  • 11. Describe the Basic Requirements of FAR 52.204-21 and CMMC Level 1
  • 12. CMMC Comprised of Five Levels: All government contractors will be required to certify at least Level 1.
  • 13. CMMC Comprised of Five Levels, Continued… Level 1 contains 17 practices or requirements.
  • 14. CMMC Comprised of Five Levels, Continued… Progression of CMMC certification goes from basic safeguarding to advanced or progressive reduction of risk.
  • 15. CMMC Comprised of Five Levels, Continued… If you remember our studies on NIST (SP) 800-171, the categories of protection look similar.
  • 16. CMMC Comprised of Five Levels, Continued… A quick comparison of CMMC to FAR and NIST requirements.
  • 18. The Requirements. Basic Requirement 1: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (P1001) Deny by default, allow by exception. Create accounts only for known individuals, processes, or devices. Tip or Tool: Implement Active Directory or LDAP and limit access to networks and external services to only listed users. Consider a single sign-on (SSO) solution to provision accounts and manage access (e.g., Office 365 & Azure AD).
  • 19. Basic Requirement 2: Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (P1002) Tip or Tool: Employ the rule of least privilege: assign only the minimal access that user and system accounts need.
  • 20. Basic Requirement 3: Verify and control/limit connections to and use of external information systems. (P1003) This covers synchronization with external systems, such as backups or data sharing between systems. Tip or Tool: Deny external traffic by default. Adopt a policy to review any apps, cloud or external services before use.
  • 21. Basic Requirement 4: Control information posted or processed on publicly accessible information systems. (P1004) Tip or Tool: Adopt a policy to review what is posted on any website, portal, social media, or newsletter.
  • 22. Basic Requirement 5: Identify information system users, processes acting on behalf of users, or devices. (P1076) Tip or Tool: Create unique logins for all users and service accounts. No generic or shared logins.
  • 23. Basic Requirement 6: Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (P1077) Example: username and password. Tip or Tool: Enable multi-factor authentication (MFA) on all networks, devices and cloud services.
  • 24. Basic Requirement 7: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. (P1118) Tip or Tool: Remove and shred hard drives from all devices (including printers). Sanitization is not an acceptable practice for many IT professionals.
  • 25. Basic Requirement 8: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (P1131) Tip or Tool: Put a lock on all servers: put them in a locked closet, room, or cage.
  • 26. Basic Requirement 9: Escort visitors and monitor visitor activity (P1132); maintain audit logs of physical access (P1133); and control and manage physical access devices (P1134). Tip or Tool: Visitor logs and badges. Require all non-employees to check in and check out, even if you have a no-escort policy for certain visitors. Ensure access cards limit access in terms of days, times and locations (geographic, rooms, etc.).
  • 27. Basic Requirement 10: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (P1175) Tip or Tool: Block unknown networks. Implement the rule of least privilege.
  • 28. Basic Requirement 11: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (P1176) Tip or Tool: The guest network must be separate from the internal network. Host the website on a third-party server. Remove any links from the public website to internal networks or cloud services.
  • 29. Basic Requirement 12: Identify, report and correct information and information system flaws in a timely manner. (P1210) Tip or Tool: Policy and forms/mechanisms for reporting and follow-up. Implement a help desk tool for tracking.
  • 30. Basic Requirement 13: Provide protection from malicious code at appropriate locations within organizational information systems. (P1211) Tip or Tool: Install antivirus & anti-malware on all devices (including phones and tablets).
  • 31. Basic Requirement 14: Update malicious code protection mechanisms when new releases are available. (P1212) Tip or Tool: Set antivirus software to update automatically (usually daily).
  • 32. Basic Requirement 15: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, or executed. (P1213) Antivirus & anti-malware should be configured to scan files downloaded or copied from external media before opening. Tip or Tool: Ensure proper configuration of antivirus & anti-malware.
  • 33. Other Tools for Basic Cyber Hygiene
  • 34. Domain: Buy a domain. • No more Gmail, Hotmail, Yahoo, etc. • Set up Office 365 or Google G Suite for Business. • Why Office 365: affordable, scalable, built-in security.
  • 35. Password Management: Select a password manager such as • LastPass • 1Password • Dashlane.
  • 36. Training, Training, Training: Train all employees annually on basic cyber hygiene. • NICCS • Cybersecurity Training.
  • 37. Connect with us. Download the presentation: www.LeftBrainPro.com/presentations. Left Brain Professionals Inc., @LeftBrainPro.
  • 39. Let’s connect: Melissa R. Metzger, MAFM, melissa@leftbrainpro.com; Robert E. Jones, CPA, CPCM, NCMA Fellow, robert@leftbrainpro.com. Left Brain Professionals Inc., @LeftBrainPro.
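The tips on the Basic Requirement 1, 5 and 6 slides (accounts only for known individuals, processes or devices; no generic or shared logins; MFA everywhere) can be turned into a repeatable self-check. The Python script below is an added example, not part of the presentation: it runs those three tests over a constructed account export and maps each finding to the CMMC practice ID the slides cite (P1001, P1076, P1077). The CSV column names and the generic-name list are assumptions, not any directory product's export format.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample account export (not real accounts); the column names are
# an assumption for this example, not any vendor's export format.
SAMPLE_EXPORT = """\
username,display_name,account_type,owner,mfa_enabled,enabled
jdoe,Jane Doe,user,jdoe,true,true
asmith,Alex Smith,user,asmith,false,true
frontdesk,Front Desk,user,,false,true
svc-backup,Backup Agent,service,jdoe,false,true
admin,Administrator,user,,true,true
bwong,Bo Wong,user,bwong,false,false
"""

# Login names that signal a shared or generic account (P1076: no generic or shared logins).
GENERIC_NAMES = {"admin", "administrator", "guest", "frontdesk", "shared", "office", "test", "temp"}


@dataclass(frozen=True)
class Finding:
    username: str
    practice: str   # CMMC Level 1 practice ID the finding maps to
    issue: str


def audit_accounts(export_csv: str) -> list[Finding]:
    """Apply the three account checks from the deck to every enabled account."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # a disabled account cannot be used to reach the system
        name = row["username"].strip().lower()
        # P1076: every login must identify one person, process or device
        if name in GENERIC_NAMES or not row["display_name"].strip():
            findings.append(Finding(name, "P1076", "generic or shared login name"))
        # P1001: accounts only for known individuals/processes/devices; no named owner means not 'known'
        if not row["owner"].strip():
            findings.append(Finding(name, "P1001", "no named owner for the account"))
        # P1077: MFA on every interactive user account (service accounts are reviewed separately)
        if row["account_type"].strip() == "user" and row["mfa_enabled"].strip().lower() != "true":
            findings.append(Finding(name, "P1077", "multi-factor authentication not enabled"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    # Open findings per practice ID, for the self-assessment write-up
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.practice] = counts.get(f.practice, 0) + 1
    return counts
```

Run `audit_accounts(SAMPLE_EXPORT)` and `summarize(...)` on your own export to get a per-practice list of gaps to close before a Level 1 self-assessment.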