Category Archives: Taxonomy

October Security Breach Round Up

October was Cyber Security Awareness Month, and yet, another month, another breach. In a month that is geared towards helping organizations protect themselves, large companies have yet again fallen victim to these heinous attacks. One after the other, many companies and their consumers are now wondering when these breaches will stop.

Here are our top October 2022 know-worthy incidents:

Toyota:

    • Toyota is no stranger to data breaches. And by the looks of it, it seems as though the company hasn’t learned from past mistakes (remember the 2019 breach that affected over 3 million of Toyota’s customers?). On October 7, 2022, Toyota issued an apology after nearly 300,000 people who used T-Connect, a telematics service that connects vehicles via a network, were exposed. The Japanese car giant explained that personal data was leaked when an access key was publicly made available on GitHub for almost five years. Email addresses and customer control numbers may have been exposed since 2017.


Microsoft:

    • Another tech giant hit yet again. On October 19, 2022, Microsoft addressed the public after security researchers at SOCRadar informed Microsoft of a misconfigured Microsoft endpoint. After the discovery, Microsoft explained that the researchers exaggerated the entire situation. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers. Information about planning or potential implementation and provisioning of Microsoft services was involved. In addition, the data that was potentially compromised includes names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. 


Verizon:

    • In a notice, the company confirms, “we determined that between October 6 and October 10, 2022, a third party actor accessed the last four digits of the credit card used to make automatic payments on your account. Using the last four digits of that credit card, the third party was able to gain access to your Verizon account and may have processed an unauthorized SIM card change on the prepaid line that received the SMS linking to this notice.” 


Carousell:

    • On October 14, Carousell Singapore disclosed that it experienced a breach. And this wasn’t a small breach either – almost 2 million accounts were compromised. The company explains, “it is unlikely that this incident will result in an identity theft as it does not include information like your NRIC number,” but it is believed that emails were compromised. 


Medibank:

    • Bad news for Medibank, one of the largest Australian private health insurance providers. On October 12, 2022, the company discovered that customer information may have been compromised after a hack on their systems. It was thought that the original hack only affected certain customers, but after this week, the company is assuming that all 3.9 million customers were affected. The company said it had received a series of files from the alleged hacker, and found that the files included 100 ahm policy records, which include personal and health claims data, plus another 1,000 policy records from ahm, and files which contain some Medibank, ahm and international student customer data. The records provided to the company include names, addresses, dates of birth, Medicare numbers, phone numbers and medical claims data, including information about diagnosis, procedures and location of medical services.


Twilio:

    • Sometimes companies just can’t catch a break. Cloud communications company Twilio disclosed a new data breach stemming from a June 2022 security incident. After a lengthy investigation, the company concluded that 209 customers and 93 Authy end users had accounts that were impacted by the incident.

Don’t let your company end up on this list. See how Findings can help you here.

Supply Chain Risk Management: Your Black Friday Weakest Link

Black Friday is the time of year that is bound to put stress on many businesses’ supply chains. With demand soaring for items across the board, supply chains have already come under pressure from the effects of the past two years, and these delays are becoming more evident every day. So what does this mean for your risk management?

Unfortunately, not all risks originate internally. As you know, risks can also arise from within your supply chain. With increased strain (American consumers spent $8.9 billion online during Black Friday 2021) comes increased focus on your business’s reputation, and possibly a fast-tracked vetting of alternative vendors in your supply chain to keep up with demand. But thorough vetting should not be sidestepped.

The Consequences Of Poor Supply Chain Risk Management On Black Friday Sales

Supply Chain Risk Management strategies that focus only on internal threats and ignore the supply chain fall short for two main reasons:

More threat opportunities

The threats that impact internal systems represent only a subset of all threats. But within your supply chain, attack vectors are far broader and numerous. You can’t always control the types of security exposures that your vendors or suppliers introduce to their products. And the last thing you want is this impacting your Black Friday sales. 


Lack of efficiency

If supply chain risk management isn’t part and parcel of your broader risk management strategy, it’s hard to manage supply chain risks efficiently. If you protect against supply chain threats at all, it ends up being through one-off audits or action against isolated threats.


At one of the busiest times of year, time and efficiency take center stage, and it’s much more efficient to monitor for and address all types of risks – internal and external – through centralized tools and processes.

Read here: All you’ve ever wanted to know about Vulnerability Disclosure Programs (VDPs)

Major Holidays Leave The Door Open For Major Attacks

Retailers are particularly vulnerable to client-side attacks. Many online retail sites are built on CMS frameworks with a plethora of third-party plug-ins, from blog posting to popups to SEO maintenance. On average, 31 JavaScript resources are used per site, making retailers vulnerable to many forms of supply chain fraud such as formjacking, data-skimming and Magecart attacks.


Kaseya Attack Affecting the Supply Chain

Though initially thought to affect only 40 of its clients, it was later discovered that over 1,000 downstream companies were affected by this July 4th attack by the Russian group REvil. With over 40,000 organizations worldwide using at least one Kaseya software solution, the potential impact of this supply chain attack was massive. By exploiting zero-day vulnerabilities in Kaseya’s software, the attack caused a major Swedish grocery store to shut completely for 24 hours, as well as 11 schools in New Zealand.


Magento Magecart Attack Prevented in 2021

With millions of transactions being carried out over the Black Friday period, it’s no surprise that this is a key target for threat actors looking to leverage vulnerabilities in the supply chain. In fact, the UK’s National Cyber Security Centre (NCSC) notified small businesses about the risk of Magecart attacks on and around Black Friday last year. These attacks are unique because they exploit third-party scripts on companies’ websites. Because highly critical services, like Adobe’s Magento, are trusted and there are not many services like them, these attacks can impact thousands of sites simultaneously. When the NCSC notified these businesses, over 4,000 were at risk.
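As an added illustration of the client-side exposure described above (the dozens of third-party scripts a retail site loads, and the formjacking and Magecart attacks that abuse them), here is a small audit that is not Findings’ code and not part of the original post: it lists every external script in a page’s HTML, marks which are third-party, checks whether Subresource Integrity (SRI) pins each one, and flags hosts that are not on the retailer’s approved-vendor list. The storefront HTML, the hostnames and the approved list are all constructed for the example.

```javascript
// Added example (not from the original post or Findings): audit the external
// <script> tags in a storefront page. For each one it records the serving host,
// whether it is third-party, whether Subresource Integrity (SRI) pins its content,
// and whether the host is on the retailer's approved-vendor list. A third-party
// script without SRI, or a host nobody approved, is what a reviewer should look at
// first when hunting for injected skimmer loaders.
// All hostnames and the HTML below are constructed for this example.

// Matches <script ... src="..."> tags; attributes before and after src are kept.
const SCRIPT_TAG = /<script\b([^>]*?)\ssrc\s*=\s*["']([^"']+)["']([^>]*)>/gi;

function hasAttr(attrs, name) {
  return new RegExp(`\\b${name}\\s*=`, "i").test(attrs);
}

// Returns one record per external script found in `html`.
function auditScripts(html, siteOrigin, approvedHosts) {
  const site = new URL(siteOrigin);
  const approved = new Set(approvedHosts.map((h) => h.toLowerCase()));
  const findings = [];
  let m;
  while ((m = SCRIPT_TAG.exec(html)) !== null) {
    const attrs = `${m[1]} ${m[3]}`;
    // Resolves relative ("/static/app.js") and protocol-relative ("//cdn...") URLs.
    const url = new URL(m[2], site);
    const thirdParty = url.origin !== site.origin;
    findings.push({
      src: url.href,
      host: url.hostname,
      thirdParty,
      hasIntegrity: hasAttr(attrs, "integrity"),
      approved: !thirdParty || approved.has(url.hostname.toLowerCase()),
    });
  }
  return findings;
}

// Condenses the records into the numbers a reviewer wants to see.
function summarize(findings) {
  return {
    totalExternal: findings.length,
    thirdParty: findings.filter((f) => f.thirdParty).length,
    missingIntegrity: findings.filter((f) => f.thirdParty && !f.hasIntegrity).map((f) => f.host),
    unapprovedHosts: findings.filter((f) => !f.approved).map((f) => f.host),
  };
}

// Constructed storefront HTML: one first-party bundle, one SRI-pinned CDN script,
// two approved tag/analytics scripts without SRI, and one host nobody approved.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/vendor/jquery.min.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script async src="https://tagmanager.example/gtm.js?id=GTM-TEST"></script>
<script src="https://analytics.example/analytics.js"></script>
<script src="//checkout-helper.example/assets/js/main.js"></script>
</head><body></body></html>`;

const SITE = "https://shop.example";
const APPROVED = ["cdn.shop.example", "tagmanager.example", "analytics.example"];

console.log(summarize(auditScripts(SAMPLE_HTML, SITE, APPROVED)));
```

This only inspects the HTML as served; scripts that load further scripts at runtime (the usual skimmer pattern) need a Content Security Policy with reporting or a runtime inventory to catch.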


A Better Approach To Supply Chain Risk Management And Intelligence

How do businesses avoid those shortcomings this Black Friday? How can they implement risk management that addresses both internal and external threats?

The answer is to deploy risk management processes and tools that provide the following features:

  • Continuous, real-time intelligence: Businesses need to know – immediately, before performance and security is affected – whenever a risk emerges within any internal or external asset.
  • Complete supply chain risk management: It’s crucial to identify risks that exist at any point in the supply chain. This includes risks introduced not just by third-party vendors with whom you do business directly, but also “fourth-party” vendors, meaning those who supply your direct vendors. Risks can arise from these vendors, too.
  • Automated, scalable compliance: Checking for risks manually doesn’t scale (and takes away precious time, when time is a short commodity). Whether you have one vendor or one thousand, you need automation to ensure that you can detect all potential risks across all internal and external assets – and that nothing falls through the cracks.
  • Centralized compliance: Risk management is inherently fragmented because risks come in many forms and affect many types of systems. Nonetheless, businesses should be able to manage all risks comprehensively using a platform that works across the enterprise. When you centralize risk management, you save time and maximize risk coverage.


The Findings Difference

With Findings, you are provided with an automated, comprehensive supply chain risk management solution that empowers businesses to manage supply chain risks proactively by getting ahead of issues before they happen. Instead of treating the supply chain as a black box from the perspective of compliance, leverage Findings to implement centralized, enterprise-wide supply chain risk management for both internal and external threats. 

Don’t get caught out this Black Friday (or any day!). Get started at Findings.co.

Our Take on Gartner’s Latest Supply Chain Compliance Advice

Going forward, businesses need a new strategy for vetting and monitoring the compliance of their suppliers. But don’t just take our word for it. These are among the takeaways from Gartner’s latest guidance on supply chain compliance and management.

Gartner highlights why conventional supplier onboarding methods no longer work as businesses need to onboard suppliers quickly, while also ensuring that suppliers meet their compliance requirements.

The global supply chain compliance crisis

You probably already know that supply chains are under stress, to put it mildly. Gartner points to a couple of main reasons why:

  • Businesses are increasingly working with suppliers from new geographic regions, where compliance norms may be different. This complicates onboarding and requires a deeper level of compliance inspection.
  • Organizations often need to add vendors quickly in order to keep their supply chains moving. Yet, without a fast onboarding process, integrating suppliers is time-consuming, which increases the stress placed on supply chains.
  • We’d also add that issues like global sanctions, which have become especially pronounced as a result of the ongoing Ukraine-Russia war, add even more complexity to vendor onboarding.

We agree wholeheartedly that these are among the key reasons why supply chain compliance and management have become so challenging for the typical business today.

Today, you have to worry not only about whether your vendors meet standard compliance rules, but also about potential sanctions that are subject to constant change. This adds yet more unpredictability and complexity to the onboarding process.

Add to that the surge in supply chain cyber security risks, and it’s no exaggeration to say that operating efficient, compliant supply chains has never been tougher than it is at present.

How to streamline supply chain compliance

Gartner suggests three main strategies for addressing the supply chain compliance challenges that businesses currently face.

1. Create a playbook for vetting vendors

First, Gartner recommends creating a “playbook that grades each third party’s threat level to determine who gets more attention from the business and compliance.”

The idea here is that you can develop preset policies to analyze vendors rapidly during and after the onboarding process. Your policies should reflect information like which risks have impacted your business in the past and how closely a given vendor matches the risk profile of other vendors who have posed challenges.

We love this idea not only because it helps businesses to be proactive in their approach to vendor compliance, but also because it lays the groundwork for compliance automation. Playbooks make it possible to implement vendor compliance validation automatically within a security platform, which could sort vendors into high-risk, medium-risk and low-risk categories based on criteria defined in the playbooks.

This may be of interest to you: A CISO’s VDP security roadmap

2. Automate supply chain compliance

The piece quotes Chris Audet, Senior Director of Research at Gartner, who says, “Compliance leaders must move quickly to onboard third parties and effectively monitor for risks, but many of their traditional methods won’t cut it.”

The way to move quickly and monitor for risks comprehensively is to automate risk detection. Automation can help you collect the information you need to make good decisions about vendor risks. It can also automatically flag risks with the help of advanced analytics, and it can help you keep up-to-date as vendor profiles change. In all of these ways, automation helps businesses to complete vendor onboarding quickly, even if they have an increasing number of vendors to vet and face increasing complexity due to new compliance mandates, new sanctions rules or diverse vendor geographies.

3. Streamline upfront due diligence

As another way to speed up onboarding, Gartner advises businesses to “streamline due diligence to focus on critical risks.” It suggests doing this by reducing the number of questions you ask vendors to answer manually. Focus validation around critical risk areas, Gartner suggests, rather than asking a large number of questions that may not be relevant for every vendor.

We agree. We’d add, though, that it’s important to leverage automation wherever possible to collect as much data as you can about supplier insurance, safety, environment and sustainability initiatives, legal and financial data and any other information that can be helpful for gaining a 360-degree view of your suppliers and sub-suppliers. With automation, it’s possible to onboard rapidly without compromising on your visibility into supply chain compliance.

Bonus advice: Establish a compliance-focused company culture

We think Gartner did a great job of capturing much of what it takes to achieve supply chain compliance. But we’d suggest another strategy that Gartner hasn’t mentioned: building a compliance-centric culture.

A compliance-centric culture is one that maximizes collaboration and communication related to compliance. It aligns compliance with vendor expectations, and it allows all stakeholders – both internal and external ones – to share information rapidly in order to manage compliance and supply chain cyber security risks.


Findings helps you to build this culture by providing a platform that anyone can use to raise compliance flags automatically. With Findings, you get holistic compliance that protects your entire supply chain, while also benefiting from automations that allow you to onboard vendors rapidly.

Learn more about how Findings can help you to streamline your compliance.

Top 5 Reasons Why CMMC Security Will Be Good For Your Business

Keeping up to date on the changing CMMC security requirements may seem like a hassle that’s only worth undertaking if you do business with the Department of Defense. But in reality, meeting the new CMMC compliance mandates is a great way to make your business more secure and agile.

That’s why, even if you aren’t a DoD contractor, the CMMC security updates can be beneficial to your business. Keep reading for an overview of what to know about the new CMMC Framework and how to meet it in a way that benefits your business.

Read here how to meet the CMMC compliance challenge head on 

How CMMC is changing

By May 2023, the DoD expects to implement CMMC 2.0, at least in interim form.

Among other changes, CMMC 2.0 reduces the number of compliance “levels” from five to three. This is a major benefit to businesses that need to meet CMMC security mandates because it simplifies the process of choosing which compliance path to follow and adhering to its associated rules. The three levels are:

  • Level 1 (Foundational): This level must match the 15 “basic” controls of FAR 52.204-21 to protect Federal Contract Information. Certification is required annually. It is possible for your organization to self-assess. This is similar to the previous model in CMMC 1.0.
  • Level 2 (Advanced): This level is comparable to CMMC 1.0 Level 3. Its requirements mirror NIST SP 800-171, which includes 14 control families and 110 security controls developed by the National Institute of Standards and Technology (NIST) to protect sensitive information. The 20 requirements of CMMC 1.0 Level 3 compliance have been dropped.
  • Level 3 (Expert): Under this CMMC 2.0 assessment level, which is comparable to CMMC 1.0 Level 5, businesses will require government-led assessments. The focus is on reducing Advanced Persistent Threats (APTs) that could lead to data exfiltration or compromised applications. Besides the 110 controls required for the new Level 2 certification, NIST SP 800-172 is required for Level 3 certification.

5 great reasons to choose CMMC compliance

Some businesses will need to meet CMMC compliance requirements because they sell to the DoD, and CMMC 2.0 is a mandate. But even if that is not the case, there are great reasons to become CMMC-compliant.

1. Overall CMMC security protection

Implementing security controls using CMMC 2.0 levels is a great way to maximize your overall security posture. It will help to protect sensitive information within your organization and increase the security of your supply chain.

2. Tailor cyber hygiene to your business

CMMC uses maturity processes and cybersecurity best practices from multiple frameworks as its foundation. And, because CMMC security offers different compliance levels, it’s an excellent framework to follow if you want a cybersecurity plan tailored to your business. Not every organization faces the same level of threats or the same level of data sensitivity. With CMMC, you can establish cyber hygiene policies, such as vulnerability disclosure programs, that reflect your organization’s particular needs. 

3. Prepare for upcoming regulatory changes

As we’ve noted, there is a lot of overlap between the CMMC security requirements and other compliance standards, like those developed by NIST. Thus, by becoming CMMC-compliant, you prepare your business to meet similar compliance mandates that may be rolled out in the future.

4. Validate your cybersecurity from the outside

CMMC assessment is a great way to determine how well your business meets security mandates. This can be done not only by internal stakeholders, who are not objective observers, but by outsiders who understand how risks can flow through supply chains and what it takes to build a strong cybersecurity culture within an organization.

5. Winning additional contracts

The higher your level of cyber security, the more competitive you’ll be. Supply chain security is increasingly viewed as a necessity rather than a nice-to-have. Businesses that fail to prioritize security risk losing contracts and relationships with key enterprises. Additionally, coordinated vulnerability disclosure programs, which are part of the CMMC security framework, help to build trust and positive cooperation across the supply chain.

Here’s Why Your CISO Wants To Implement A CMMC Framework

The future of supply chain security

As you assess what the CMMC security changes mean for your business, don’t think merely in terms of whether you are specifically required to undergo CMMC assessments. Instead, think about how increasing awareness of cybersecurity and building a stronger cyber culture within your organization will pay dividends now and in the future, regardless of your specific CMMC compliance requirements.

After all, security is always changing, and compliance frameworks like the CMMC change with it. Keeping pace with changing requirements is a good way to encourage accountability across your supply chain and enforce strong cyber hygiene standards.

Indeed, it’s a safe bet that, going forward, cyber security requirements will become tighter, not looser. Embrace the trend now by using frameworks like the CMMC to supercharge your cyber hygiene and disclosure programs, rather than waiting until a specific mandate is handed down that affects you.

Schedule a call to learn more

How Supply Chain Cyber Security Threats Impact Stock Value

The most obvious types of fallout from supply chain cyber security threats are the impact on regulatory compliance or the damage to a business’s reputation.

But here’s another major consequence of supply chain security attacks that keep occurring despite dogged efforts to stop them: losses on the stock market. When businesses are affected by supply chain cyber security threats – even if the threats originate from an external vendor, rather than the business’s own systems – their stock price usually takes a major hit.

Here’s why supply chain cyber security threats can wreak such havoc on stocks, and what to do to protect your business from watching its market value plummet due to supply chain vulnerabilities. Your goals should be to resolve the incident in a way that protects your operations, customers and reputation, while also demonstrating to partners that supply chain security is a key priority.

More resources below to keep your supply chain secure:

  • Take a look at how vulnerability disclosure programs can help secure your business
  • Watch here to understand how to give your supply chain monitoring the advantage it needs

How supply chain security threats impact stock value

When a supply chain breach occurs, you’re at risk of losing share price for a variety of reasons.

Probably the most obvious is the hit you’ll take to your company’s reputation. Again, even if the breach originated in a third-party product, investors may still question your commitment to security, given that you were unable to detect and mitigate the breach quickly enough to prevent it from harming the organization.

Regulatory fines, too, could follow supply chain breaches if the breach leads to loss of regulated data. Those fines will impact the quarterly earnings reports that investors use to decide whether to buy or sell stock in your company.

In more extreme cases, supply chain security threats may become vectors that allow threat actors to take control of your systems. In turn, attackers could take actions like publishing fake news through your media channels or injecting false price quotes into data feeds. Such activity may breed a sense among investors that you’ve totally lost control of your business operations, leading to a dramatic fall in market value.

Types of supply chain cyber security threats against stock markets

As the following image shows, supply chain breaches can target both suppliers and customers.

(Image: Proposed taxonomy for supply chain attacks)

Either way, the fallout from a stock market perspective is likely to be negative for the companies involved. Any type of supply chain attack – from malware infection, to brute-force attacks, to vulnerability exploits and beyond – can undercut a business’s reputation among investors and lead to swift sell-off – which brings down stock prices.

Stock losses resulting from supply chain attacks

The risk we’re describing here is not just theoretical. Here are some of the most recent major supply chain cyber threat exploits. You’ll notice that they led to significant loss of company value on the stock market.

Nvidia cyber attack

When Nvidia was attacked by a ransomware group called Lapsus$, Reuters reported that Nvidia’s schematics, drivers, firmware and other sensitive intellectual property may have been compromised. The credentials of 71,000 employees were leaked, after which Lapsus$ made this information available to other hacking communities. The result was an immediate drop in Nvidia’s stock price by 7%. Although the drop was modest, and the stock quickly recovered, it was still a clear example of how supply chain cyber security threats can hamper stock value.

Mimecast breach

Mimecast is an email security and cyber resilience platform. When the news was released in January 2021 that they had been hit by supply chain cyber security threats, this upset shareholders’ trust in the stock.

Mimecast stock lost more than 12 percent of its value following the disclosure of a compromised certificate. Moreover, because about 10 percent of the company’s customers were using the compromised certificate, this supply chain attack likely also impacted other businesses.

Terence Jackson, Chief Information Security Officer at Thycotic, a Washington, D.C.-based provider of privileged access management (PAM) solutions, said, “The certificates that were compromised were used by Mimecast email security products. These products access customers’ Microsoft 365 exchange servers in order for them to provide security services (backup, spam, and phishing protection). Since these certificates were legit, an adversary would have been able to connect without raising suspicions to eavesdrop and exfiltrate email communications.”

SolarWinds attack

The SolarWinds supply chain breach, in which attackers injected malware into SolarWinds’s source code, was associated with a huge selloff that took place just days before the breach was publicly disclosed.

While it has not yet been proven that the 35 investors who sold their stock right before public disclosure had insider knowledge of the breach, the timing of the selloff doesn’t seem to be coincidental.

Assuming it wasn’t, this is also an example of how a supply chain attack can trigger a major loss of stock value.

Staying on top of supply chain cyber security threats

Once a supply chain attack takes place, the damage to market value is done. The best way to contain supply chain cyber security threats, then, is to be proactive, so you can address risks before they turn into active breaches.

Start by gaining full visibility into your supply chain. This is the only way to know which vulnerabilities may impact you.

Then, take preventative measures – like application controls and network segmentation – that reduce the likelihood or mitigate the impact of cyber security incidents.

You should also educate your employees and partners about cyber security, and make it clear that finding and containing supply chain cyber security threats is a top priority.

Finally, have a crisis management plan for your supply chain security in place so that you can react swiftly if an attack does occur. Although managing your response won’t prevent all financial harm, it can reduce the total damage.

Supply chain cyber security threats aren’t bad just for your users or your IT team. They also pose a serious risk to your business’s market value. To prevent major financial losses, it’s critical to have a supply chain threat detection and mitigation solution in place.

Learn how Findings can help your business stay ahead of supply chain cyber security threats

The 7-Step Guide To CMMC Assessment

Just when you thought you were on top of CMMC compliance, CMMC 2.0 has come along, upping the stakes for identifying and managing cybersecurity within your business. On top of that, the new National Initiative for Improving Cybersecurity in Supply Chains (NIICS) adds yet another layer of compliance complication for businesses that want to do business with the government. All of this means that having a streamlined process in place for meeting updated compliance mandates is more important than ever.

Fortunately, you don’t have to rebuild all of your compliance and assessment processes from the ground up to meet CMMC 2.0 and other new compliance needs. If you already have compliance procedures in place that address NIST standards or similar U.S. government mandates, there’s a good chance that you can expand upon them to address CMMC 2.0 compliance, too.

The challenge of CMMC assessment

Let’s be clear: CMMC assessments are challenging, no matter how streamlined your compliance program is or how much cybersecurity expertise you have in-house. Beyond the complex technical rules you have to meet, you have challenges such as:

  • Meeting deadlines: You can’t perform assessments according to timelines you create. You need to meet externally imposed deadlines.
  • Shareholder buy-in: Assessments cost time and money. You need to convince shareholders that the assessment is worth the investment.
  • Cost of certification: Becoming certified, too, comes with a cost, which makes it even harder in some respects to get buy-in.

In the long run, achieving CMMC compliance is well worth it because it allows your business to do business with the DoD. But that doesn’t mean that CMMC assessment is simple or straightforward.

Here’s 4 Reasons Why Your CISO Wants To Implement A CMMC Framework

Key differences between NIST and CMMC assessment

As we noted, companies that already have compliance programs designed to meet NIST cybersecurity standards are in a good position to extend upon those programs to address CMMC assessment requirements, too. Both frameworks allow for self-assessments, at least in some cases, and the assessment processes are similar.

But NIST and CMMC are not identical, of course. You must understand the differences before you devise a CMMC assessment strategy based on NIST.

One obvious difference is that NIST requirements are developed by the National Institute of Standards and Technology, whereas the Department of Defense oversees CMMC compliance requirements. This means that NIST and CMMC rules could evolve in different directions in the future, even though there is some overlap today.

On top of this, under the CMMC framework, not everyone can self-assess. Third-party assessments are required for businesses that manage data that the DoD considers critical to national defense. So, before building a CMMC 2.0 compliance strategy based on self-assessment, be sure you’re actually eligible to self-assess.

7 essential steps for CMMC assessments

If you determine that you can self-assess, then you can build a CMMC assessment process based on the assessment operations you already have in place for NIST or similar standards. Here’s how to do that, step-by-step.

Step 1: Set goals

Start by determining why you are performing a CMMC assessment. Is it because you are specifically required to do so as a contractor for the DoD? Or are you doing it voluntarily, as a means of assessing your cyber health? In the latter case, you have more control over the assessment process and its outcomes, because you won’t have to report to the DoD.

Step 2: Determine assessments you have completed

Identify which assessments your business has already performed, and compare those assessments to CMMC assessment requirements. Again, there is a lot of overlap between requirements like NIST’s and CMMC’s, so you may be able to reuse large parts of your existing assessments.

Step 3: Perform gap analysis

Of course, there is not likely to be complete overlap between your existing assessments and CMMC. You'll need to perform a gap analysis (or hire an outside auditor for this purpose) to determine which additional evidence you'll need to collect and which additional processes you'll have to put in place to complete the CMMC assessment.

Step 4: Create or update the SSP

NIST defines the System Security Plan, or SSP, as a "formal document that provides an overview of the security requirements for the system and describes the security controls in place or planned for meeting those requirements." You'll want an SSP in place because it serves as the basis for authorization decisions and provides the detailed information that supports processes and activities throughout the system development lifecycle. For CMMC, the SSP is also the first artifact an assessor will ask for: it defines the assessment scope (which systems handle CUI) and states, control by control, what is implemented. It is the information foundation for your CMMC assessment operation.

Step 5: Build a plan of action and milestones

Next, form a plan of action and milestones (POA&M), the roadmap you will follow after creating your SSP. The POA&M lists each requirement that is not yet fully met and defines a clear course of action and measurable milestones for closing it, so that employees and stakeholders know their roles in reaching and maintaining compliance. Each entry should identify the task to be completed, the proposed remediation for the risk, the employee responsible, and a target completion date. Note that CMMC 2.0 permits POA&Ms only within limits (certain requirements must be fully implemented at the time of assessment, and open items must be closed within a set period), so check which gaps you are actually allowed to defer.

Step 6: Form a remediation plan

The results of your gap analysis should form the basis for a remediation plan. The purpose of this plan is to pinpoint the compliance gaps to remediate, prioritize the work to fix them, and estimate the cost of becoming CMMC-certified. You can formulate the remediation plan yourself or outsource it to a Managed Security Service Provider (MSSP).

Step 7: Maintain compliance and reporting

Treat CMMC assessment as an ongoing process, not a one-and-done affair. You'll need to update your SSP and POA&M as your systems and risks change. Changes to your vendors or supply chain may also require compliance changes. And you'll want to monitor for risks continuously so that you can remediate them promptly, rather than waiting until your next assessment to discover and address problems.

Achieving a well-implemented CMMC assessment framework

When you follow the steps described above, you end up with a well-maintained cybersecurity program that supports CMMC certification while also strengthening supply chain security and better protecting sensitive data and intellectual property. And you can do it all without overhauling your existing compliance tools or processes from scratch.
