Cybersecurity basics for government contracting

Cybersecurity is the practice of protecting computer systems, networks, digital assets, and people from unauthorized access, damage, or theft of data to ensure the confidentiality, integrity, and availability of information, systems and technologies that process, store, and transmit information.

Cyber threats that organizations need to protect against include:

  • Cyberattacks – Deliberate and malicious attempts to exploit vulnerabilities in computer systems or networks. Common types include malware, phishing, ransomware, denial-of-service attacks.
  • Data breaches – Unauthorized access to sensitive or confidential data, often resulting in the exposure of information to unauthorized individuals or groups.
  • Identify theft – Unauthorized use of someone’s personal information, such as login credentials or financial details, for fraudulent purposes.
  • Social engineering – Manipulating individuals into divulging confidential information through psychological manipulation, often using deceptive practices.
  • Vulnerabilities – Weaknesses in software, hardware, or network configurations that could be exploited by attackers to compromise the security of a system.
  • Malware – Malicious software designed to harm or exploit computer systems, including viruses, worms, trojan horses, and spyware.

Cybersecurity hygiene is the process of maintaining a level of preparedness and daily rituals to ensure a level of security. The Canadian Centre for Cyber Security has some good information on what is considered basic security hygiene but here are some things to keep in mind:

Network and endpoint protection

  • Protect your perimeter with anti-virus and anti-malware software, mobile threat management software, firewalls and intrusion detection and prevention systems.
  • Segment your networks to stop traffic from flowing to sensitive to restricted zones.
  • Continuously monitor your Internet and mobile device gateways, network traffic, wireless access points and audit logs to identify anomalies.
  • Rotate cryptographic keys used to protect systems, authenticate remote users and your websites.
  • Monitor your DNS (Domain Name System) to ensure your site remains reliable and trusted by users.
  • Implement protective DNS to protect users from inadvertently visiting potentially malicious domains on the internet.
  • Implement a security information management and security event management (SIEM) system to enable real-time continuous monitoring if resources are available.

System protection

  • Implement automatic updates and patches, especially for internet-exposed services and systems, to your firmware, hardware, software, and operating system (OS).
  • Use passphrase or strong passwords and keep them secure and confidential.
  • Enforce multi-factor authentication (MFA) for accounts and systems – especially those with admin privileges.
  • Use dedicated workstations for administrator accounts that do not have web browsing or email enabled.
  • Apply the principles of least privilege which ensures users are granted only the set of privileges that are essential to performing authorized tasks.
  • Review user privileges within systems and their access rights to data – especially for users with admin privileges. Remove or edits those that are unnecessary.
  • Manage mobile devices with Mobile Device Management (MDM) or Unified Endpoint Management (UEDM) solutions.
  • Implement application allow listing to control who or what can access your networks and systems.
  • Implement an incident response plan, and test it with tabletop exercises, to ensure you can restore critical functions and recover in a timely manner.
  • Backup critical data and systems offline on a regular basis and ensure backups are isolated from network connections.
  • Test your backups periodically to ensure data and systems can be recovered quickly and successfully.
  • Assess third-party applications for components or functions that are not needed and disable them or require human intervention before they are enabled (i.e. macros).
  • Conduct and maintain an inventory of your organization’s hardware and software assets.
  • Categorize your assets to identify those that are most critical to the operational functions of your organization.

User education and additional protective measures

  • Provide tailored cybersecurity training to your employees to ensure they know how to respond to suspicious links or emails.
  • Provide privacy awareness training to your employees to reduce the risk of privacy breaches.
  • Locate sources of information pertinent to your organization or subscribe to an alert service to ensure you are knowledgeable and up to date on the threats that could impact your organization.
  • Develop an internal and external contact list of key stakeholders to alert during surge events.

There are several cybersecurity certifications that organizations can pursue to help them secure their data and be eligible for more government contracts.

NIST Cybersecurity Framework (CSF) Certification –

  • Developed by the National Institute of Standards and Technology (NIST).
  • NIST 800-53, NIST 800-171, NIST 800-37, which is the risk management framework.
  • They have a number of these security frameworks and practices that you can start to apply, and they’re all very well-documented.
  • Focuses on identifying, protecting, detecting, responding, and recovering from cybersecurity incidents.

ISO/IEC 27001

  • Internationally recognized standard for information security management systems.
  • Emphasizes a systematic approach to managing sensitive company information.
  • Certification demonstrates commitment to securing information assets.

FedRAMP Certification

  • Required for cloud service providers (CSPs) offering services to the U.S. government.
  • Ensures cloud services meet specific security standards.

Cybersecurity Maturity Model Certification (CMMC)

  • Major U.S. Department of Defense (DoD) program built to protect the defense industrial base (DIB) from increasingly frequent and complex cyber-attacks.
  • CMMC will be needed you need to prove that you’re doing this to be able to participate in government contracts in the US.
  • Read more about CMMC 2.0

Canadian Centre for Cyber Security (CCCS) Certification

  • CCCS provides guidance and resources for organizations to enhance cybersecurity posture.
  • While not a certification in the traditional sense, following CCCS guidelines is crucial for Canadian organizations.

ITSG-33 Certification (Government of Canada):

  • A set of guidelines and standards for securing government IT systems.
  • Provides a framework for securing sensitive information.
  • ITSG-33 is Canadian equivalent of the NIST 800-53 standard.
  • Depending on the size and scope of the system, the Treasury board will insist that you go through an ITSG-33 assessment before you make an application or solution live.

CSA STAR Certification:

  • Cloud Security Alliance (CSA) Security, Trust, and Assurance Registry (STAR) Certification is relevant for organizations, especially those in Canada, leveraging cloud services.

Payment Card Industry Data Security Standard (PCI DSS):

  • Relevant for organizations involved in payment card transactions.
  • Ensures secure handling of credit card information.

CP-CSC

Here is some helpful resources that were presented during the webinar that will help organizations get started and enhance their cybersecurity hygiene.

Q: Who will be responsible for auditing/assessing to ensure compliance to cybersecurity requirements?

A (Arnold Villeneuve): Level 1 is a self-assessment. For Level 2 and 3, you must have a certified third-party assessor do the assessment (See CMMC assessment guides from U.S. Department of Defense).

For Level 1 self-assessment, you’ll go to the government portal, download the forms, do the assessment, and record the results. Then the executives of the department or the organization will have to attest by signing that they have achieved Level 1. This is very important because you don’t want to get caught in the False Claims Act. You will then take that attestation and all the relevant documentation, and you will upload it back to the government department portal where someone at the Canadian Centre for Cyber Security, or rather the CPCSC program, will look at your documentation, the attestation, and then they will give you a Level 1 certification.

If you’re doing a Level 2 certification, then you will need to bring in a third-party assessor to assess your 110 practices. They will go to the portal, download all the forms and templates, do the assessment, and document the assessment results. They will deliver those assessment results to you, and then they will take that package and upload it to the portal. The Government will look at it and then issue you your Level 2 certification.

For Level 3 certification, the government will be involved in oversight over the third-party assessor that you select. And in fact, depending on the contract, there may be a select group of three PAOs (Principal Authorizing Officials) that you would have to choose from. Then the government will have oversight to make sure that the three PAO are doing the process to their satisfaction.

That’s how it’s working in the US or it’s going to work in the US. And because the Canadian program is going to be reciprocal, I assume it’s going to work the same way as well. More to come.



Q: Are you able to provide a ballpark figure or some guidance on how much it costs to do an cybersecurity assessment?

A (Arnold Villeneuve): CMMC is still relatively new, but I do have some estimates. A Level 1 assessment should take anywhere between three to six weeks for one individual to do. For Level 2 or Level 3 assessment, maybe three to six months, depending on the scope of the boundary that you are assessing. If you’ve got 100 servers and 100 services to assess, that’s a lot different than having 10 servers and 10 services to assess.

In terms of the cost of doing a FedRAMP assessment which has about 150 controls, you’re talking about anywhere from 150 to $200,000. As more and more CMMC assessments are done and more CP-CSC assessments are done, we’ll have a much better ballpark of what the baseline average cost is.

 

Q: If organizations wanted to invest in their own internal cybersecurity experts, are there some suggested training or courses that you suggest?

A (Arnold Villeneuve): Having somebody who is CMMC certified and eventually CP-CSC certified internally doing your Level 1 assessments adds credibility to the information that you provide.

I’ve delivered several CMMC certified professional courses, and that would be the first place to start. There is also a lower level, which is called the registered practitioner, which you can do by simply going to the cyberab.org website. I think to register to be a member is about $250 and then you can sign up for the registered practitioner training, which I believe is about $900 Canadian. It takes about a day to go through the training. And then there is a 100-question exam that you can go through. It’s all on demand.

Whereas the CCP, you can do instructor-led training, and it’s anywhere from I’ve seen three days of brutal 10 hours a day to a four-day version and a five-day version of the same course, depending on the learning provider that you go through. So that would be the first place to start to gain internal knowledge of what are the requirements to do a CMMC Level 1 assessment, what’s the process to do the assessment, and so on.

For more options and information see Cybersecurity certifications from Canadian Centre for Cyber Security (informational purposes only).

 

Q: Where can people go to find a list of approved assessors?

A (Arnold Villeneuve): The cyberab.org has a marketplace where you can search for C3PAOs, certified assessors, CMMC-certified professionals, and anybody that’s part of the CMMC ecosystem, regardless of what country they’re in

The Standards Council of Canada is currently working on implementing the CP-CSC standard. They’re one of the seven agencies that are participating in that program launch. They will have a similar portal to cyberab.org where you can find out all the information about the program and who’s been certified in it.

 

Q: Will vendors need to have all these certifications in advance before starting to work with the DoD?

A (Arnold Villeneuve): You can bid on a contract even though you don’t have certification. But if you win the contract, you can’t start working and you certainly can’t start billing until you have your certification. If you’re going to take the time and effort and investment to bid on a contract, it is a good idea to go through a Level 1 assessment and formally submit that to CMMC, even though you’re a Canadian company.

Eventually as CP-CSC comes along, hopefully there’s going to be some grandfathering so that you don’t have to redo the whole process for the Canadian program. I’m sure there will be some transition capability just to make it easier for companies that got certified upfront under the CMMC program, but we shall see.

Do you have an opportunity with the U.S. DoD? Contact CCC

Search

Challenge.gov |

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.