banner-why-daymark.jpg

Information Technology Navigator

Tips, Advice & Insights from Technology Pros

How Much Will CMMC 2.0 Compliance Really Cost?

Many companies are currently evaluating how they might fund initiatives necessary to move their businesses towards compliance with the Cybersecurity Maturity Model Certification (CMMC). There are a few ways to fund these initiatives, but many key items have the potential to impact the amount of funding needed to prepare your organization for certification. So, where do you start to appropriately scope the project, and how do you know how much it will actually cost?

Whether your company plans to meet the CMMC objectives or to stop doing business with the Federal Government, keep in mind that cybersecurity is an important part of maintaining your business health and ensuring resiliency in the future. When businesses suffer a cyberattack and cannot afford the cost to recover, they often go bankrupt. In addition to the new federal regulations being pushed out by the Defense Federal Acquisition Regulations (DFARS), many states have laws requiring levels of protection for different types of information. Other federal governments have also enacted cybersecurity protection measures for their citizens (such as GDPR). Not doing so can also leave you open to lawsuits in the event of a breach or incident.

5 Phases for Cybersecurity Compliance

Read More
Tue, Mar 12, 2024
Share:   

Public Company CISOs Beware: The SEC Is No Longer Playing Nice

 

On October 30, 2023, the US Securities and Exchange Commission (SEC) announced fraud charges against SolarWinds and its former chief information security officer (CISO), alleging that “SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments.” This comes on the heels of the SEC’s newly implemented rules for disclosures relating to cyber risk. Publicly traded companies (along with pre-IPO and foreign private issuers) must now adhere to new and prescriptive rules requiring the disclosure of “material cybersecurity incidents” as well as annual disclosures relating to “cybersecurity risk management, strategy, and governance.”

There is a lot going on with all the recent SEC and cyber headlines, so let’s break it down piece by piece. This blog outlines several high-level calls to action that CISOs and their stakeholders should consider as they work through their cyber risk strategy and their cyber and/or directors and officers (D&O) insurance renewals.

Read More
Tue, Dec 05, 2023
Share:   

CMMC 2.0 Timeline — Where Are We Now?

It’s been almost a year since we wrote about the risks of delaying CMMC (Cybersecurity Maturity Model Certification) compliance. The only thing that has remained constant since then is that CMMC is not going away. There have been many noteworthy recent developments in the DoD supply chain news space related to updates for DIB contractors to comply with the DFARS 7012 requirements to safeguard CUI (controlled unclassified information) data. The CMMC 2.0 final rulemaking timeline continues to shift from over the horizon to right around the corner, and the recently released NIST 800-171 revision 3 draft amplifies concerns about upcoming changes to the framework requiring additional protections for prime and subprime organizations supplying the DoD.

Read More
Thu, Aug 24, 2023
Share:   

A Primer on the CMMC Ecosystem

An Introduction to Cybersecurity for the Defense Industrial Base:

In today's digital age, cybersecurity is of paramount importance, particularly for organizations within the Defense Industrial Base (DIB). In January 2020, the United States Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) framework, building upon established cybersecurity standards from National Institute of Standards and Technology (NIST) Special Publication 800-53 and NIST Special Publication 800-171. These publications are closely aligned with the CMMC 2.0 requirements, providing essential guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. In addition, DFARS 252.204-7020 clause requires contractors to undergo an assessment of their implementation of NIST SP 800-171 controls by an accredited third-party assessment organization to evaluate a DIB contractor's compliance with the security requirements outlined in NIST SP 800-171 and provide assurance that adequate safeguards are in place to protect CUI.

Read More
Tue, Jun 13, 2023
Share:   

Keeping Up with the GCC High Roadmap

 

Adoption of Microsoft’s 365 Government Community Cloud (GCC) High sovereign cloud solution is on the rise as organizations in the Defense Industrial Base (DIB) work to ensure compliance with the stringent regulations related to the Cyber Security Maturity Model (CMMC) v2.0 and current NIST 800-171 framework. GCC High is an excellent option for DIB contractors who handle Controlled Unclassified Information (CUI) and International Traffic in Arms Regulation (ITAR) data in their cloud or hybrid environments.

Microsoft continuously improves and enhances features and capabilities to the GCC High platform. Just like updates to Microsoft 365, it can be hard to keep up with them all. Daymark’s Government Community Services Team has carefully selected updates we believe are worth paying attention to with our own GCC High Roadmap.

Read More
Thu, Apr 13, 2023
Share:   

The Risks of Delaying CMMC 2.0 Compliance

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD framework designed to enhance cybersecurity and protect against compromise of sensitive defense information on contractors’ systems. Some defense industrial base organizations (DIB) have mistakenly taken a “wait and see” attitude about preparing for CMMC compliance, believing that they will wait until the government finalizes 2.0 requirements. While holding off on the time, resources and budget to prepare for CMMC may seem prudent (and frankly easier to delay), the risks of waiting could have a significantly negative impact on contractors’ revenue. Here’s why: 

Read More
Wed, Sep 28, 2022
Share:   

NIST and CMMC – What You Need to Know

If your organization has been working towards NIST 800-171 and is now on the journey to achieve CMMC 2.0 (the Cybersecurity Maturity Model Certification) it can be difficult to understand what you’ve already achieved and what’s left to do. Both standards are intended to reduce threats and strengthen cybersecurity for sensitive government data. Here’s some details on how they relate to each other and what’s involved to take the next steps toward CMMC compliance.

Read More
Tue, Apr 19, 2022
Share:   

Enterprise Vault 12 – Why are You Waiting?

Veritas’ latest version of Enterprise Vault (EV) has been available for almost a year now. EV12 offers the latest features that companies require to ensure effective implementation of their archiving and discovery strategies. The six listed here are particularly noteworthy:

Read More
Wed, Feb 01, 2017
Share:   

The Importance of HITRUST Certification in Azure

Healthcare providers today are continuing to rely more and more on the efficiencies of the public cloud to store, send, and manage sensitive data. But it’s challenging to leverage the benefits of the cloud while managing the increasing complexity of healthcare security, compliance and regulatory demands.

That’s where HITRUST comes in. The HITRUST Certification is the most widely recognized security accreditation in the healthcare industry.  HITRUST incorporates healthcare specific security, privacy and regulatory requirements from existing regulations such as HIPAA/HITECH, PCI, ISO 27001 and MARS-E as well as industry best practices. Microsoft has recently announced that Azure is one of the first hyperscale cloud computing platforms to become HITRUST CSF Certified.  It’s a valuable addition to Azure, providing a single framework for healthcare organizations to leverage the efficiencies, availability, and scalability that Azure provides.

Read More
Wed, Jan 11, 2017
Share:   

One Year Later – Still a Green Light for Defensible Data Remediation

In December 2015, the electronic discovery provisions of the Federal Rules of Civil Procedure (FRCP) were amended to substantially expand the Safe Harbor against sanctions for destruction of electronic data. In my November 2015 white paper, C-Level Guide to Covering Your Information Governance Assets, I predicted that the amended rules signaled a pivot away from one of the main sources of eDiscovery uncertainty - the inconsistent imposition of severe sanctions for the loss of electronically stored information relevant to dispute resolution. The prediction holds.

Read More
Wed, Dec 21, 2016
Share: