Cybersecurity basics for government contracting

Cybersecurity is the practice of protecting computer systems, networks, digital assets, and people from unauthorized access, damage, or theft of data to ensure the confidentiality, integrity, and availability of information, systems and technologies that process, store, and transmit information.

Cyber threats that organizations need to protect against include:

• Cyberattacks – Deliberate and malicious attempts to exploit vulnerabilities in computer systems or networks. Common types include malware, phishing, ransomware, denial-of-service attacks.
• Data breaches – Unauthorized access to sensitive or confidential data, often resulting in the exposure of information to unauthorized individuals or groups.
• Identify theft – Unauthorized use of someone’s personal information, such as login credentials or financial details, for fraudulent purposes.
• Social engineering – Manipulating individuals into divulging confidential information through psychological manipulation, often using deceptive practices.
• Vulnerabilities – Weaknesses in software, hardware, or network configurations that could be exploited by attackers to compromise the security of a system.
• Malware – Malicious software designed to harm or exploit computer systems, including viruses, worms, trojan horses, and spyware.

Cybersecurity hygiene is the process of maintaining a level of preparedness and daily rituals to ensure a level of security. The Canadian Centre for Cyber Security has some good information on what is considered basic security hygiene but here are some things to keep in mind:

Network and endpoint protection

• Protect your perimeter with anti-virus and anti-malware software, mobile threat management software, firewalls and intrusion detection and prevention systems.
• Segment your networks to stop traffic from flowing to sensitive to restricted zones.
• Continuously monitor your Internet and mobile device gateways, network traffic, wireless access points and audit logs to identify anomalies.
• Rotate cryptographic keys used to protect systems, authenticate remote users and your websites.
• Monitor your DNS (Domain Name System) to ensure your site remains reliable and trusted by users.
• Implement protective DNS to protect users from inadvertently visiting potentially malicious domains on the internet.
• Implement a security information management and security event management (SIEM) system to enable real-time continuous monitoring if resources are available.

System protection

• Implement automatic updates and patches, especially for internet-exposed services and systems, to your firmware, hardware, software, and operating system (OS).
• Use passphrase or strong passwords and keep them secure and confidential.
• Enforce multi-factor authentication (MFA) for accounts and systems – especially those with admin privileges.
• Use dedicated workstations for administrator accounts that do not have web browsing or email enabled.
• Apply the principles of least privilege which ensures users are granted only the set of privileges that are essential to performing authorized tasks.
• Review user privileges within systems and their access rights to data – especially for users with admin privileges. Remove or edits those that are unnecessary.
• Manage mobile devices with Mobile Device Management (MDM) or Unified Endpoint Management (UEDM) solutions.
• Implement application allow listing to control who or what can access your networks and systems.
• Implement an incident response plan, and test it with tabletop exercises, to ensure you can restore critical functions and recover in a timely manner.
• Backup critical data and systems offline on a regular basis and ensure backups are isolated from network connections.
• Test your backups periodically to ensure data and systems can be recovered quickly and successfully.
• Assess third-party applications for components or functions that are not needed and disable them or require human intervention before they are enabled (i.e. macros).
• Conduct and maintain an inventory of your organization’s hardware and software assets.
• Categorize your assets to identify those that are most critical to the operational functions of your organization.

User education and additional protective measures

• Provide tailored cybersecurity training to your employees to ensure they know how to respond to suspicious links or emails.
• Provide privacy awareness training to your employees to reduce the risk of privacy breaches.
• Locate sources of information pertinent to your organization or subscribe to an alert service to ensure you are knowledgeable and up to date on the threats that could impact your organization.
• Develop an internal and external contact list of key stakeholders to alert during surge events.

There are several cybersecurity certifications that organizations can pursue to help them secure their data and be eligible for more government contracts.

NIST Cybersecurity Framework (CSF) Certification –

• Developed by the National Institute of Standards and Technology (NIST).
• NIST 800-53, NIST 800-171, NIST 800-37, which is the risk management framework.
• They have a number of these security frameworks and practices that you can start to apply, and they’re all very well-documented.
• Focuses on identifying, protecting, detecting, responding, and recovering from cybersecurity incidents.

ISO/IEC 27001

• Internationally recognized standard for information security management systems.
• Emphasizes a systematic approach to managing sensitive company information.
• Certification demonstrates commitment to securing information assets.

FedRAMP Certification

• Required for cloud service providers (CSPs) offering services to the U.S. government.
• Ensures cloud services meet specific security standards.

Cybersecurity Maturity Model Certification (CMMC)

• Major U.S. Department of Defense (DoD) program built to protect the defense industrial base (DIB) from increasingly frequent and complex cyber-attacks.
• CMMC will be needed you need to prove that you’re doing this to be able to participate in government contracts in the US.
• Read more about CMMC 2.0

Canadian Centre for Cyber Security (CCCS) Certification

• CCCS provides guidance and resources for organizations to enhance cybersecurity posture.
• While not a certification in the traditional sense, following CCCS guidelines is crucial for Canadian organizations.

ITSG-33 Certification (Government of Canada):

• A set of guidelines and standards for securing government IT systems.
• Provides a framework for securing sensitive information.
• ITSG-33 is Canadian equivalent of the NIST 800-53 standard.
• Depending on the size and scope of the system, the Treasury board will insist that you go through an ITSG-33 assessment before you make an application or solution live.

CSA STAR Certification:

• Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) Certification is relevant for organizations, especially those in Canada, leveraging cloud services.

Payment Card Industry Data Security Standard (PCI DSS):

• Relevant for organizations involved in payment card transactions.
• Ensures secure handling of credit card information.

CP-CSC

• Canadian Program for Cyber Security Certification is Canada’s implementation of US DOD’s CMMC program for DND contracts.
• Program definition is still in progress.

Here is some helpful resources that were presented during the webinar that will help organizations get started and enhance their cybersecurity hygiene.

• Information from Canadian Center for Cyber Security (CCCS) for Individuals, Small and medium businesses, Large organizations and infrastructure, Government institutions and Academia
• Cybersecurity Hygiene from CCCS
• Cyber security resources for small and medium organizations
• Certification Tools and Templates from CCCS
• Canadian Bankers Association Cyber Security Toolkit
• CMMC Level 1 Self-assessment documentation: Overview, Guide, Scoping, Self-assessment, Workbook
• CMMC Assessment Guides and other documentation
• Helpful templates to get SMEs started on creating internal planning, policies and procedures available from Cybersecure Canada
• Cyber security certifications from Canadian Centre for Cyber Security