We Know Government Contracts
Who we are
Left Brain Professionals is a boutique accounting firm that serves government contractors. We specialize in accounting system design, implementation and audit support.
Our Team
Robert E. Jones
Government Contracts & Accounting Expert
CPA, CPCM, NCMA Fellow
• Robert has over 16 years of Department of Defense contract and accounting experience.
• He has successfully managed over $400 million in federal contracts.
Melissa Metzger
Government Accounting & Finance Advisor
MAFM, CPA Candidate
• Melissa has successfully developed and instituted compliant and efficient processes that have saved businesses over $1.5 million during the last 5 years.
• She has successfully managed over $100 million in annual federal funds.
Our Expertise
Accounting Systems
Audit Support
Cybersecurity Compliance
Training
Our Services
Practical Cybersecurity Compliance for Small Business Contractors
Learning Objectives
• Identify the cybersecurity requirements in government contracts.
• Describe the basic requirements of FAR 52.204-21 and CMMC Level 1.
• List tools to address CMMC Level 1 requirements.
• Locate resources for cybersecurity compliance.
Cybersecurity Requirements in Government Contracts
Generally you are looking for FAR 52.204-21, DFARS 252.204-7012 and CMMC.
• Look in the RFQ, the final award, and any modifications
• Requirements may change over time, so re-read each modification
• Not all agencies follow the same format
• Government agencies and prime contractors use different formats
• The clauses may be listed in the terms and conditions or in a separate document
• Under CMMC, DoD contractors will need certification at the level the contract specifies before performing the work
Describe the Basic Requirements of FAR 52.204-21 and CMMC Level 1
CMMC Comprised of Five Levels
• All DoD contractors will be required to certify at least at Level 1.
• Level 1 contains 17 practices, which correspond to the 15 basic safeguarding requirements of FAR 52.204-21 (the physical-access requirement maps to three practices).
• The progression of CMMC certification goes from basic safeguarding at Level 1 to advanced or progressive reduction of risk at Level 5.
• If you remember our studies on NIST SP 800-171, the categories of protection look similar.
• A quick comparison of CMMC to the FAR and NIST requirements.
The Requirements
Basic Requirement 1
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (P1001)
Deny by default, allow by exception. Create accounts only for known individuals, processes, or devices.
Tip or Tool: Implement Active Directory or LDAP and limit access to networks and external services to only the listed users. Consider a single sign-on (SSO) solution to provision accounts and manage access.
• Office 365 & Azure AD
Basic Requirement 2
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (P1002)
Tip or Tool: Apply the principle of least privilege: assign user and system accounts only the minimum access they need to do their job, and review admin roles regularly.
Basic Requirement 3
Verify and control/limit connections to and use of external information systems. (P1003)
This covers synchronization with external systems, such as backups or data sharing between systems.
Tip or Tool: Deny external traffic by default. Adopt a policy to review any app, cloud or external service before it is used.
Basic Requirement 4
Control information posted or processed on publicly accessible information systems. (P1004)
Tip or Tool: Adopt a policy to review what is posted on any website, portal, social media account, or newsletter before it goes public.
Basic Requirement 5
Identify information system users, processes acting on behalf of users, or devices. (P1076)
Tip or Tool: Create unique logins for all users and service accounts. No generic or shared logins.
Basic Requirement 6
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (P1077)
• A username and password is the minimum.
Tip or Tool: Enable multi-factor authentication (MFA) on all networks, devices and cloud services.
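The following Python script is an added example, not part of the original presentation or the firm's materials. It reviews an exported account list against Basic Requirements 1, 2, 5 and 6 in one pass: accounts with no named owner, generic or shared login names, user accounts without MFA, and admin roles held by service accounts or by more people than the business can justify. The CSV column names (login, display_name, owner, account_type, roles, mfa_enabled), the role names and the sample rows are assumptions constructed for this example; a real Microsoft 365 or Active Directory export uses different column names, so map them before running.

```python
"""Review an exported account list against CMMC Level 1 identity practices.

P1001  accounts exist only for known people or processes
P1002  least privilege (few admins, none on service accounts)
P1076  unique, non-shared logins
P1077  MFA in front of every interactive account

The CSV layout (login, display_name, owner, account_type, roles, mfa_enabled)
is an ASSUMPTION made for this example. Build it from your identity
provider's user export plus your own record of who owns each account.
"""
import csv
import io
import re

# Login names that normally indicate a shared or generic account, not a person.
GENERIC_LOGIN = re.compile(
    r"^(admin|administrator|office|frontdesk|reception|accounting|hr|info|"
    r"shared|temp|test|guest|scanner|printer)\d*@",
    re.IGNORECASE,
)

# Roles that count as privileged for the least-privilege check (Azure AD role names).
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "User Administrator",
}

# Constructed sample export: five accounts in a small tenant.
SAMPLE_EXPORT = """login,display_name,owner,account_type,roles,mfa_enabled
alice@example.com,Alice Example,Alice Example,user,Global Administrator,true
bob@example.com,Bob Example,Bob Example,user,,true
frontdesk@example.com,Front Desk,Office Manager,user,,false
svc-backup@example.com,Backup Service,IT Vendor,service,Global Administrator,false
admin@example.com,Admin,,user,Global Administrator,true
"""


def load_accounts(csv_text):
    """Parse the export into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def review_accounts(accounts, max_privileged=2):
    """Return (login, practice, finding) tuples for every gap found."""
    findings = []
    privileged = []
    for acct in accounts:
        login = acct["login"].strip().lower()
        owner = acct["owner"].strip()
        kind = acct["account_type"].strip().lower()
        roles = {r.strip() for r in acct["roles"].split(";") if r.strip()}
        mfa_on = acct["mfa_enabled"].strip().lower() in {"true", "yes", "1"}

        # P1001: deny by default means every account traces to a named owner.
        if not owner:
            findings.append((login, "P1001", "no named owner; disable or assign one"))

        # P1076: user logins must identify one person; generic names imply sharing.
        if kind == "user" and GENERIC_LOGIN.match(login):
            findings.append((login, "P1076", "generic or shared login name"))

        # P1077: MFA is the authentication control for every interactive account.
        if kind == "user" and not mfa_on:
            findings.append((login, "P1077", "MFA not enabled"))

        # P1002: track admins; service accounts should never hold admin roles.
        held = sorted(roles & PRIVILEGED_ROLES)
        if held:
            privileged.append(login)
            if kind == "service":
                findings.append((login, "P1002",
                                 "service account holds admin role(s): " + ", ".join(held)))

    # P1002 at tenant level: more admins than the business can justify.
    if len(privileged) > max_privileged:
        findings.append(("(tenant)", "P1002",
                         f"{len(privileged)} privileged accounts, expected at most "
                         f"{max_privileged}: " + ", ".join(sorted(privileged))))
    return findings


if __name__ == "__main__":
    for login, practice, finding in review_accounts(load_accounts(SAMPLE_EXPORT)):
        print(f"{practice}  {login:<25} {finding}")
```

Run against the constructed export, the script reports six gaps: the front-desk login is generic and has no MFA, the backup service account holds Global Administrator, the admin account has no owner and a generic name, and three privileged accounts exceed the two-admin ceiling. Each finding carries the practice number so it can be filed directly against the Level 1 checklist.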
Basic Requirement 7
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. (P1118)
Tip or Tool: Remove and shred the hard drives from all retired devices (including printers). Destruction is the simplest approach to defend in an audit; if you wipe a drive for reuse instead, use a recognized sanitization method (NIST SP 800-88 describes them) and keep a record, since an undocumented wipe is not accepted as sanitization by many IT professionals.
Basic Requirement 8
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (P1131)
Tip or Tool: Put a lock on all servers: put them in a locked closet, room, or cage.
Basic Requirement 9
Escort visitors and monitor visitor activity (P1132); maintain audit logs of physical access (P1133); and control and manage physical access devices (P1134).
Tip or Tool: Use visitor logs and badges. Require all non-employees to check in and check out, even if you have a no-escort policy for certain visitors. Ensure access cards limit access in terms of days, times and locations (geographic, rooms, etc.).
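An added example, not from the original presentation, showing how the badge and visitor records described above can be reviewed in Python: badge events are checked against a card roster of permitted doors, weekdays and hours, and the visitor log is checked for missing check-outs and for visitors who were neither escorted nor covered by a recorded waiver. The roster, the CSV column names (timestamp, card_id, door; visitor, host, check_in, check_out, escorted) and the sample rows are all constructed for this example; a real badge-reader export names its fields differently.

```python
"""Review physical access records for CMMC Level 1 practices P1132-P1134.

P1132  visitors escorted and monitored
P1133  audit logs of physical access kept and reviewed
P1134  access devices (badges/cards) controlled and managed

The badge-log columns (timestamp, card_id, door), the visitor-log columns
(visitor, host, check_in, check_out, escorted) and the card roster below
are ASSUMPTIONS constructed for this example; real badge systems differ.
"""
import csv
import io
from datetime import datetime, time

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M"

# Card roster (constructed): permitted doors, weekdays (Mon=0 .. Sun=6) and hours.
CARD_ROSTER = {
    "C-1001": {"holder": "Alice Example", "doors": {"front", "office", "server-closet"},
               "days": {0, 1, 2, 3, 4}, "hours": (time(6, 0), time(20, 0))},
    "C-1002": {"holder": "Bob Example", "doors": {"front", "office"},
               "days": {0, 1, 2, 3, 4}, "hours": (time(7, 0), time(19, 0))},
    "C-2001": {"holder": "Cleaning vendor", "doors": {"front", "office"},
               "days": {1, 4}, "hours": (time(18, 0), time(22, 0))},
}

# Constructed badge-reader export. 2024-03-11 is a Monday, 03-13 a Wednesday,
# 03-15 a Friday and 03-16 a Saturday.
SAMPLE_BADGE_LOG = """timestamp,card_id,door
2024-03-11 08:02,C-1001,front
2024-03-11 08:05,C-1001,server-closet
2024-03-11 08:10,C-1002,server-closet
2024-03-13 19:30,C-2001,office
2024-03-15 21:00,C-2001,office
2024-03-16 10:00,C-9999,front
2024-03-16 10:15,C-1001,office
"""

# Constructed visitor log. "waived" records a visitor covered by a no-escort policy.
SAMPLE_VISITOR_LOG = """visitor,host,check_in,check_out,escorted
Dana Visitor,Alice Example,2024-03-11 09:00,2024-03-11 10:30,yes
Evan Courier,Bob Example,2024-03-11 11:15,,waived
Fay Auditor,Alice Example,2024-03-12 13:00,2024-03-12 16:00,no
"""


def review_badge_log(csv_text, roster=CARD_ROSTER):
    """Return (card_id, timestamp, door, finding) for each event that breaks the roster."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        stamp, card, door = row["timestamp"], row["card_id"], row["door"]
        when = datetime.strptime(stamp, TIMESTAMP_FORMAT)
        entry = roster.get(card)
        if entry is None:
            # P1134: a card the roster does not know about should not open anything.
            findings.append((card, stamp, door, "card not in roster"))
            continue
        start, end = entry["hours"]
        # P1134: cards are limited by day and time window.
        if when.weekday() not in entry["days"] or not (start <= when.time() <= end):
            findings.append((card, stamp, door, f"outside allowed schedule for {entry['holder']}"))
        # P1134: cards are limited by location (door/room).
        if door not in entry["doors"]:
            findings.append((card, stamp, door, f"door not permitted for {entry['holder']}"))
    return findings


def review_visitor_log(csv_text):
    """Return (visitor, finding) for visitors who never checked out or lacked an escort."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # P1133: every visit needs a complete check-in/check-out record.
        if not row["check_out"].strip():
            findings.append((row["visitor"], "no check-out recorded"))
        # P1132: escorted, or explicitly covered by the no-escort policy.
        if row["escorted"].strip().lower() not in {"yes", "waived"}:
            findings.append((row["visitor"], "not escorted and no waiver recorded"))
    return findings


if __name__ == "__main__":
    for item in review_badge_log(SAMPLE_BADGE_LOG):
        print("badge  ", *item)
    for item in review_visitor_log(SAMPLE_VISITOR_LOG):
        print("visitor", *item)
```

On the constructed data the badge review flags four events (a card opening a door it is not permitted to, the cleaning vendor's card used on a non-cleaning day, an unknown card, and a weekday-only card used on a Saturday) and the visitor review flags two (a courier with no check-out and an auditor with neither escort nor waiver). The Friday 21:00 cleaning-vendor entry passes because it falls inside that card's allowed day and hours.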
Basic Requirement 10
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (P1175)
Tip or Tool: Block traffic from unknown networks at the firewall and apply the principle of least privilege to what is allowed through.
Basic Requirement 11
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (P1176)
Tip or Tool: The guest network must be separate from the internal network. Host the public website on a third-party server rather than inside your network. Remove any links from the public website to internal networks or cloud services.
Basic Requirement 12
Identify, report and correct information and information system flaws in a timely manner. (P1210)
Tip or Tool: Adopt a policy and forms/mechanisms for reporting and follow-up. Implement a help desk tool for tracking each flaw to closure.
Basic Requirement 13
Provide protection from malicious code at appropriate locations within organizational information systems. (P1211)
Tip or Tool: Install antivirus & anti-malware on all devices (including phones and tablets).
Basic Requirement 14
Update malicious code protection mechanisms when new releases are available. (P1212)
Tip or Tool: Set antivirus software to update automatically (usually daily).
Basic Requirement 15
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. (P1213)
Antivirus & anti-malware should be configured to scan files downloaded or copied from external media before they are opened.
Tip or Tool: Ensure proper configuration of antivirus & anti-malware: scheduled full scans plus real-time (on-access) scanning turned on.
Other Tools for Basic Cyber Hygiene
Domain
Buy a domain:
• No more Gmail, Hotmail, Yahoo, etc.
• Set up Office 365 or Google G Suite for Business
• Why Office 365:
  • Affordable
  • Scalable
  • Built-in security
Password Management
Select a password manager such as:
• LastPass
• 1Password
• Dashlane
Training, Training, Training
Train all employees annually on basic cyber hygiene:
• NICCS (National Initiative for Cybersecurity Careers and Studies)
• Cybersecurity training
Discussion | Q&A
Connect with us
Download the presentation: www.LeftBrainPro.com/presentations
Left Brain Professionals Inc.
@LeftBrainPro
Melissa R. Metzger, MAFM
melissa@leftbrainpro.com
Robert E. Jones, CPA, CPCM, NCMA Fellow
robert@leftbrainpro.com

More Related Content

What's hot

PCI Compliance white paper
PCI Compliance white paper PCI Compliance white paper
PCI Compliance white paper HelpSystems
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationKimberly Simon MBA
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational TeleportTeleport
 
CompTIA Security+ Module1: Security fundamentals
CompTIA Security+ Module1: Security fundamentalsCompTIA Security+ Module1: Security fundamentals
CompTIA Security+ Module1: Security fundamentalsGanbayar Sukhbaatar
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECKimberly Simon MBA
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...ControlCase
 
Protecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i AccessProtecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i AccessPrecisely
 
CISSP Week 9
CISSP Week 9CISSP Week 9
CISSP Week 9jemtallon
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringControlCase
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationControlCase
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalOracleIDM
 
Absolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-ComplianceAbsolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-ComplianceSébastien Roques
 
Communicating SOC Status
Communicating SOC StatusCommunicating SOC Status
Communicating SOC StatusAdam Alhafid
 

What's hot (20)

PCI DSS and PA DSS
PCI DSS and PA DSSPCI DSS and PA DSS
PCI DSS and PA DSS
 
PCI Compliance white paper
PCI Compliance white paper PCI Compliance white paper
PCI Compliance white paper
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
 
Introduction to Gravitational Teleport
Introduction to Gravitational TeleportIntroduction to Gravitational Teleport
Introduction to Gravitational Teleport
 
CompTIA Security+ Module1: Security fundamentals
CompTIA Security+ Module1: Security fundamentalsCompTIA Security+ Module1: Security fundamentals
CompTIA Security+ Module1: Security fundamentals
 
PCI DSSand PA DSS
PCI DSSand PA DSSPCI DSSand PA DSS
PCI DSSand PA DSS
 
System of security controls
System of security controlsSystem of security controls
System of security controls
 
PCI DSS and PA DSS Compliance
PCI DSS and PA DSS CompliancePCI DSS and PA DSS Compliance
PCI DSS and PA DSS Compliance
 
CyberArk
CyberArkCyberArk
CyberArk
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIECVendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
Vendor Management for PCI DSS; EI3PA; HIPAA and FFIEC
 
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
Continual Compliance Monitoring– PCI DSS, HIPAA, FERC/NERC, EI3PA, ISO 27001 ...
 
Protecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i AccessProtecting Your Business from Unauthorized IBM i Access
Protecting Your Business from Unauthorized IBM i Access
 
CISSP Week 9
CISSP Week 9CISSP Week 9
CISSP Week 9
 
Log Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity MonitoringLog Monitoring and File Integrity Monitoring
Log Monitoring and File Integrity Monitoring
 
Introduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) CertificationIntroduction to Token Service Provider (TSP) Certification
Introduction to Token Service Provider (TSP) Certification
 
Con8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - finalCon8813 securing privileged accounts with an integrated idm solution - final
Con8813 securing privileged accounts with an integrated idm solution - final
 
Absolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-ComplianceAbsolute Software Governance-Risk-Compliance
Absolute Software Governance-Risk-Compliance
 
Communicating SOC Status
Communicating SOC StatusCommunicating SOC Status
Communicating SOC Status
 

Similar to Practical Cybersecurity Compliance for Small Business Contractors

Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxduketjoy27252
 
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEWFREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEWinfosec train
 
Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Tony Richardson CISSP
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceRobert E Jones
 
HELP DESK interview questions and answers
HELP DESK interview questions and answersHELP DESK interview questions and answers
HELP DESK interview questions and answersVignesh kumar
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceAdrian Dumitrescu
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresSamuel Loomis
 
how to become IT specialist
how to become IT specialisthow to become IT specialist
how to become IT specialistMaher Doubiane
 
Intellinx overview.2010
Intellinx overview.2010Intellinx overview.2010
Intellinx overview.2010Jim Porell
 
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxYou have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxshantayjewison
 
Security Readiness Profile
Security Readiness ProfileSecurity Readiness Profile
Security Readiness Profilepds2k.com
 
Secure Financial Intelligence System
Secure Financial Intelligence SystemSecure Financial Intelligence System
Secure Financial Intelligence SystemJoseph Yosi Margalit
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachAnchises Moraes
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsRobert E Jones
 
Aging Services Expo Presentation
Aging Services Expo PresentationAging Services Expo Presentation
Aging Services Expo PresentationMary Derrick Cook
 

Similar to Practical Cybersecurity Compliance for Small Business Contractors (20)

Absolute grc-
Absolute grc-Absolute grc-
Absolute grc-
 
ISS CAPSTONE TEAM
ISS CAPSTONE TEAMISS CAPSTONE TEAM
ISS CAPSTONE TEAM
 
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docxDisaster and RecoveryBusiness Impact AnalysisSystem .docx
Disaster and RecoveryBusiness Impact AnalysisSystem .docx
 
CISA (1).pdf
CISA (1).pdfCISA (1).pdf
CISA (1).pdf
 
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEWFREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
FREQUENTLY ASKED QUESTIONS IN CISA CERTIFIED ROL INTERVIEW
 
Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011Best Practices For Information Security Management 2011
Best Practices For Information Security Management 2011
 
Analyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity ComplianceAnalyzing Your Government Contract Cybersecurity Compliance
Analyzing Your Government Contract Cybersecurity Compliance
 
HELP DESK interview questions and answers
HELP DESK interview questions and answersHELP DESK interview questions and answers
HELP DESK interview questions and answers
 
GDPR Part 2: Quest Relevance
GDPR Part 2: Quest RelevanceGDPR Part 2: Quest Relevance
GDPR Part 2: Quest Relevance
 
Generic_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_ProceduresGeneric_Sample_INFOSECPolicy_and_Procedures
Generic_Sample_INFOSECPolicy_and_Procedures
 
Search Inform DLP
Search Inform DLPSearch Inform DLP
Search Inform DLP
 
how to become IT specialist
how to become IT specialisthow to become IT specialist
how to become IT specialist
 
Intellinx overview.2010
Intellinx overview.2010Intellinx overview.2010
Intellinx overview.2010
 
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docxYou have been hired as a consultant to design BCP for SanGrafix, a v.docx
You have been hired as a consultant to design BCP for SanGrafix, a v.docx
 
Security Readiness Profile
Security Readiness ProfileSecurity Readiness Profile
Security Readiness Profile
 
SanerNow Endpoint Management
SanerNow Endpoint ManagementSanerNow Endpoint Management
SanerNow Endpoint Management
 
Secure Financial Intelligence System
Secure Financial Intelligence SystemSecure Financial Intelligence System
Secure Financial Intelligence System
 
A Case Study of the Capital One Data Breach
A Case Study of the Capital One Data BreachA Case Study of the Capital One Data Breach
A Case Study of the Capital One Data Breach
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government Contracts
 
Aging Services Expo Presentation
Aging Services Expo PresentationAging Services Expo Presentation
Aging Services Expo Presentation
 

Recently uploaded

The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024christinemoorman
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation SlidesKeppelCorporation
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewasmakika9823
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdfOrient Homes
 
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCRsoniya singh
 
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts ServiceVip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Serviceankitnayak356677
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...lizamodels9
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear RegressionRavindra Nath Shukla
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessAggregage
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Dipal Arora
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...lizamodels9
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfPaul Menig
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechNewman George Leech
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckHajeJanKamps
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.Aaiza Hassan
 
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiFULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiMalviyaNagarCallGirl
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdfRenandantas16
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Roomdivyansh0kumar0
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni
 

Recently uploaded (20)

The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024The CMO Survey - Highlights and Insights Report - Spring 2024
The CMO Survey - Highlights and Insights Report - Spring 2024
 
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
Keppel Ltd. 1Q 2024 Business Update  Presentation SlidesKeppel Ltd. 1Q 2024 Business Update  Presentation Slides
Keppel Ltd. 1Q 2024 Business Update Presentation Slides
 
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service DewasVip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
Vip Dewas Call Girls #9907093804 Contact Number Escorts Service Dewas
 
Catalogue ONG NUOC PPR DE NHAT .pdf
Catalogue ONG NUOC PPR DE NHAT      .pdfCatalogue ONG NUOC PPR DE NHAT      .pdf
Catalogue ONG NUOC PPR DE NHAT .pdf
 
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
(8264348440) 🔝 Call Girls In Keshav Puram 🔝 Delhi NCR
 
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts ServiceVip Female Escorts Noida 9711199171 Greater Noida Escorts Service
Vip Female Escorts Noida 9711199171 Greater Noida Escorts Service
 
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
Call Girls In Sikandarpur Gurgaon ❤️8860477959_Russian 100% Genuine Escorts I...
 
Regression analysis: Simple Linear Regression Multiple Linear Regression
Regression analysis:  Simple Linear Regression Multiple Linear RegressionRegression analysis:  Simple Linear Regression Multiple Linear Regression
Regression analysis: Simple Linear Regression Multiple Linear Regression
 
Sales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for SuccessSales & Marketing Alignment: How to Synergize for Success
Sales & Marketing Alignment: How to Synergize for Success
 
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
Call Girls Navi Mumbai Just Call 9907093804 Top Class Call Girl Service Avail...
 
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In.../:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
/:Call Girls In Indirapuram Ghaziabad ➥9990211544 Independent Best Escorts In...
 
KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)KestrelPro Flyer Japan IT Week 2024 (English)
KestrelPro Flyer Japan IT Week 2024 (English)
 
Grateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdfGrateful 7 speech thanking everyone that has helped.pdf
Grateful 7 speech thanking everyone that has helped.pdf
 
RE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman LeechRE Capital's Visionary Leadership under Newman Leech
RE Capital's Visionary Leadership under Newman Leech
 
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deckPitch Deck Teardown: NOQX's $200k Pre-seed deck
Pitch Deck Teardown: NOQX's $200k Pre-seed deck
 
M.C Lodges -- Guest House in Jhang.
M.C Lodges --  Guest House in Jhang.M.C Lodges --  Guest House in Jhang.
M.C Lodges -- Guest House in Jhang.
 
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | DelhiFULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
FULL ENJOY - 9953040155 Call Girls in Chhatarpur | Delhi
 
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf0183760ssssssssssssssssssssssssssss00101011 (27).pdf
0183760ssssssssssssssssssssssssssss00101011 (27).pdf
 
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130  Available With RoomVIP Kolkata Call Girl Howrah 👉 8250192130  Available With Room
VIP Kolkata Call Girl Howrah 👉 8250192130 Available With Room
 
Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.Eni 2024 1Q Results - 24.04.24 business.
Eni 2024 1Q Results - 24.04.24 business.
 

Practical Cybersecurity Compliance for Small Business Contractors

  • 2. Who we are Left Brain Professionals is a boutique accounting firm that serves government contractors. We specialize in accounting system design, implementation and audit support.
  • 3. Our Team Robert E. Jones Government Contracts & Accounting Expert CPA, CPCM, NCMA Fellow • Robert has over 16 years of Department of Defense contract and accounting experience. • He has successfully managed over $400 million in federal contracts. Melissa Metzger • Melissa has successfully developed and instituted compliant and efficient processes that have saved businesses over $1.5 million during the last 5 years. • She has successfully managed over $100 million in annual federal funds. Government Accounting & Finance Advisor MAFM, CPA Candidate
  • 7. Learning Objectives • Identify the cybersecurity requirements in government contracts. • Describe the basic requirements of FAR 52.204-21 and CMMC Level 1. • List tools to address CMMC Level 1 requirements. • Locate resources for cybersecurity compliance.
  • 9. Cybersecurity Requirements in Government Contracts Cont…
  • 10. Generally looking for FAR 52.204-21, DFARS 204.208-7012 and CMMC • Look in RFQ, final award, and modifications • Note that requirements may change over time • Not all agencies follow the same format • Government and primes have different format • May be listed in T&C or separate document • All contractors require certification under CMMC to perform work on any contract Cybersecurity Requirements in Government Contracts, Continued…
  • 11. Describe the Basic Requirements of FAR 52.204-21 and CMMC Level 1
  • 12. CMMC Comprised of Five Levels All government contractors will be required to certify at least Level 1. Cont…
  • 13. CMMC Comprised of Five Levels, Continued… Level 1 contains 17 practices or requirements. Cont…
CMMC Comprised of Five Levels, Continued…
Progression of CMMC certification goes from basic safeguarding to advanced or progressive reduction of risk.
If you remember our studies on NIST (SP) 800-171, the categories of protection look similar.
A quick comparison of CMMC to FAR and NIST requirements.
The Requirements

Basic Requirement 1
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). (P1001)
Deny by default, allow by exception. Create accounts only for known individuals, processes, or devices.
Tip or Tool: Implement Active Directory or LDAP and limit access to networks and external services to only listed users. Consider a single sign-on (SSO) solution to provision accounts and manage access.
• Office 365 & Azure AD

Basic Requirement 2
Limit information system access to the types of transactions and functions that authorized users are permitted to execute. (P1002)
Tip or Tool: Employ the rule of least privilege – assign user and system accounts only the minimal access necessary.

Basic Requirement 3
Verify and control/limit connections to and use of external information systems. (P1003)
This covers synchronization with external systems, such as backups or data sharing between systems.
Tip or Tool: Deny external traffic by default. Establish a policy to review any apps, cloud or external services before use.

Basic Requirement 4
Control information posted or processed on publicly accessible information systems. (P1004)
Tip or Tool: Establish a policy to review what is posted on any website, portal, social media, or newsletter.

Basic Requirement 5
Identify information system users, processes acting on behalf of users, or devices. (P1076)
Tip or Tool: Create unique logins for all users and service accounts. No generic or shared logins.

Basic Requirement 6
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. (P1077)
• Username and password
Tip or Tool: Enable multi-factor authentication (MFA) on all networks, devices and cloud services.

Basic Requirement 7
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse. (P1118)
Tip or Tool: Remove and shred hard drives from all devices (including printers). Many IT professionals do not consider sanitization alone an acceptable practice.

Basic Requirement 8
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (P1131)
Tip or Tool: Put a lock on all servers – put them in a locked closet, room, or cage.

Basic Requirement 9
Escort visitors and monitor visitor activity (P1132); maintain audit logs of physical access (P1133); and control and manage physical access devices (P1134).
Tip or Tool: Visitor logs and badges. Require all non-employees to check in and check out, even if you have a no-escort policy for certain visitors. Ensure access cards limit access in terms of days, times and locations (geographic, rooms, etc.).

Basic Requirement 10
Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (P1175)
Tip or Tool: Block unknown networks. Implement the rule of least privilege.

Basic Requirement 11
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (P1176)
Tip or Tool: The guest network must be separate from the internal network. Host the website on a third-party server. Remove any links from the public website to internal networks or cloud services.

Basic Requirement 12
Identify, report and correct information and information system flaws in a timely manner. (P1210)
Tip or Tool: Policy and forms/mechanisms for reporting and follow-up. Implement a help desk tool for tracking.

Basic Requirement 13
Provide protection from malicious code at appropriate locations within organizational information systems. (P1211)
Tip or Tool: Install antivirus & anti-malware on all devices (including phones and tablets).

Basic Requirement 14
Update malicious code protection mechanisms when new releases are available. (P1212)
Tip or Tool: Set antivirus software to update automatically (usually daily).

Basic Requirement 15
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, or executed. (P1213)
Antivirus & anti-malware should be configured to scan files downloaded or copied from external media before opening.
Tip or Tool: Ensure proper configuration of antivirus & anti-malware.
Other Tools for Basic Cyber Hygiene

Domain
Buy a domain:
• No more Gmail, Hotmail, Yahoo, etc.
• Set up Office 365 or Google G Suite for Business
• Why Office 365:
  • Affordable
  • Scalable
  • Built-in security

Password Management
Select a password manager such as:
• LastPass
• 1Password
• Dashlane

Training, Training, Training
Train all employees annually on basic cyber hygiene:
• NICCS
• Cybersecurity Training
Connect with us
Download the presentation: www.LeftBrainPro.com/presentations
Left Brain Professionals Inc.
@LeftBrainPro

Let’s connect
Melissa R. Metzger, MAFM (melissa@leftbrainpro.com)
Robert E. Jones, CPA, CPCM, NCMA Fellow (robert@leftbrainpro.com)
Left Brain Professionals Inc.
@LeftBrainPro
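As an added example (not part of the Left Brain Professionals deck), the check below gathers evidence that a Windows workstation meets the intent of Basic Requirements 13, 14 and 15 above: antivirus is installed and running, it updates when new releases are available, and it performs periodic scans plus real-time scans of files coming in from external sources. It assumes Microsoft Defender Antivirus is the product in use (its cmdlets are built into Windows 10/11); the "timely" thresholds, the PASS/FAIL labels and the evidence folder path are this script's own assumptions, not anything the deck or CMMC specifies.

```powershell
# Added example, not from the deck: evidence check for CMMC Level 1 Basic
# Requirements 13-15 on a Windows 10/11 machine running Microsoft Defender.
# Assumptions: Defender is the AV product; the thresholds below are this
# script's choices. Run from an elevated PowerShell prompt.

$MaxSignatureAgeDays = 1    # assumption: signatures refreshed daily
$MaxQuickScanAgeDays = 7    # assumption: a periodic scan at least weekly

function Test-Requirement {
    param(
        [string]$Requirement,
        [string]$Check,
        [bool]$Passed,
        [string]$Evidence
    )
    # One row of evidence per check, suitable for a CSV attached to the SSP
    [pscustomobject]@{
        Requirement = $Requirement
        Check       = $Check
        Result      = if ($Passed) { 'PASS' } else { 'FAIL' }
        Evidence    = $Evidence
    }
}

$status = Get-MpComputerStatus   # current state of the Defender engine
$prefs  = Get-MpPreference       # configured Defender policy

$results = @(
    # Basic Requirement 13 (P1211): malicious code protection present and active
    Test-Requirement 'BR13 (P1211)' 'Antivirus engine enabled' `
        $status.AntivirusEnabled "AntivirusEnabled=$($status.AntivirusEnabled)"
    Test-Requirement 'BR13 (P1211)' 'Real-time protection on' `
        $status.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)"

    # Basic Requirement 14 (P1212): protection mechanisms kept up to date
    Test-Requirement 'BR14 (P1212)' "Signatures updated within $MaxSignatureAgeDays day(s)" `
        ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "AntivirusSignatureAge=$($status.AntivirusSignatureAge) days, last updated $($status.AntivirusSignatureLastUpdated)"

    # Basic Requirement 15 (P1213): periodic scans and real-time scans of
    # downloaded files / external media
    Test-Requirement 'BR15 (P1213)' "Quick scan run within $MaxQuickScanAgeDays day(s)" `
        ($status.QuickScanAge -le $MaxQuickScanAgeDays) `
        "QuickScanAge=$($status.QuickScanAge) days, ended $($status.QuickScanEndTime)"
    Test-Requirement 'BR15 (P1213)' 'Downloaded files and attachments scanned (IOAV)' `
        (-not $prefs.DisableIOAVProtection) "DisableIOAVProtection=$($prefs.DisableIOAVProtection)"
    Test-Requirement 'BR15 (P1213)' 'Removable drives included in full scans' `
        (-not $prefs.DisableRemovableDriveScanning) "DisableRemovableDriveScanning=$($prefs.DisableRemovableDriveScanning)"
)

$results | Format-Table -AutoSize

# Keep a dated copy per machine as audit evidence (assumed folder; adjust to yours)
$evidenceFile = "C:\CMMC-Evidence\defender-$(Get-Date -Format yyyyMMdd)-$env:COMPUTERNAME.csv"
New-Item -ItemType Directory -Path (Split-Path $evidenceFile) -Force | Out-Null
$results | Export-Csv -Path $evidenceFile -NoTypeInformation

# Non-zero exit lets a scheduled task or RMM tool flag machines needing attention
if ($results.Result -contains 'FAIL') { exit 1 }
```

A machine on which Defender has never run a quick scan reports a very large QuickScanAge, so that row fails rather than silently passing; likewise a disabled IOAV setting fails the "files from external sources" check even when real-time protection is on. Run it on a schedule and keep the CSVs with the rest of your Level 1 evidence.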