May 26, 2020

The Verizon 2020 Data Breach Investigations Report ("DBIR") is here.  In this 13th DBIR, Verizon analyzed a record total of 157,525 incidents, of which 32,002 met their quality standards and 3,950 were confirmed data breaches. 

Before we dive into some the data, here are some helpful definitions:

  • Threat actor: Who is behind the event? This could be the external “bad guy” that launches a phishing campaign or an employee who leaves sensitive documents in their seat-back...

May 11, 2020

For some small businesses, securing your information systems (and your proprietary data) might seem complicated and expensive, but it doesn't have to be.  After all, cybersecurity can simply be described as implementing practices, procedures, and technologies to protect the confidentiality, integrity, and availability of data (i.e., to help prevent unauthorized access to data and cyberattacks).

A cybersecurity program can begin with, for example, creating i...

April 17, 2020

This week, the Government Accountability Office ("GAO") published a report finding that the Department of Defense ("DoD") has "not fully implemented three of its key initiatives and practices aimed at improving cyber hygiene."

GAO conducted this study, in part, because DoD has become "increasingly reliant on information technology (IT) and risks have increased as cybersecurity threats evolve."  GAO found that some 90% of cyberattacks could be avoided or defeated through basic cyber hygiene, which...

April 8, 2020

Today, the U.S. Cybersecurity and Infrastructure Security Agency ("CISA") published a joint advisory with the UK’s National Cyber Security Centre ("NCSC") in light of cybercriminals exploiting the COVID-19 pandemic by targeting individuals and organizations with a range of ransomware and malware.

According to the joint advisory, some examples include scams with "emails containing malware which appear to have come from the Director-General of the World Health Organization (WHO), and others wh...

March 20, 2020

Today, the Department of Defense ("DoD") released Version 1.02 of its Cybersecurity Maturity Model Certification ("CMMC"), dated March 18, 2020.  According to the CMMC Errata, all fifteen changes were termed "Administrative" changes (as opposed to "Substantive" or "Critical" changes).  Some of the Administrative changes include, for example:

  • In practice AT.4.059, the references to NIST SP 800-53 Rev 4 AT-2(3), AT-2(4), AT-2(6), AT-2(7) were removed.

  • In practice C...

January 31, 2020

Later today, the Department of Defense will release version 1.0 of its Cybersecurity Maturity Model Certification ("CMMC").  With the CMMC moving full steam ahead, several new pieces of information (below) have come to light regarding the timing of when the CMMC will appear DoD solicitations and the CMMC Accreditation Body's ("CMMC-AB") efforts to train the third-party assessors who will be performing CMMC assessments.

Given that this recent news might caus...

December 16, 2019

The Department of Defense ("DoD") recently published its Draft Cybersecurity Maturity Model Certification ("CMMC") Version 0.7 (dated December 6, 2019). DoD posted the following note with the release:

DoD is releasing this latest version (v0.7) so that the public can review the draft model and begin to prepare for the eventual CMMC roll out. This document includes CMMC Levels 1-5 as well as the associated discussion and clarification for a subset of practices and processes in Appendices B - E.

CMM...

June 23, 2019

The Department of Defense (DoD) will likely publish a draft Cybersecurity Maturity Model Certification (CMMC) standard sometime this summer (see here and here). While much focus has been on how the CMMC will help shore up defense industrial base (DIB) cybersecurity—i.e., as the enforcement mechanism for DFARS 7012/NIST SP 800-171 compliance via third-party audits––DoD also must address the process of how agency personnel will select the CMMC “go/no-go” threshold for set-aside procureme...

June 8, 2019

DoD to propose Cybersecurity Maturity Model Certification (CMMC)––via third-party audit––and it will add another layer to defense contractor cybersecurity compliance.

It appears that the CMMC will be comprised of five levels, ranging from basic to "State-of-the-Art." In addition, the article reports that, "DoD contracts will require specific levels — and awards will be 'go/no-go' based on the contractor’s certification status."

. . .

Article: https://sera-brynn.com/pentagon-to-unveil-new-cybersec...

May 8, 2019

The 2019 DBIR is finally here!  Some interesting items at first glance:

– 32% of breaches involved phishing

– 33% included Social attacks

– 43% of breaches involved small business victims

– 34% involved Internal actors

– Figure 21, page 14. In sanctioned phishing exercises, click rates are down to 3% (a good sign, but one just one click can be devastating)

– Golf analogy on page 20

The gray box on page 14 (social engineering) is also interesting: "Research points to users being significantly mor...

Please reload

About GovConJudicata

Welcome to GovConJudicata an informational blog/website focusing on government contracts issues, including bid protests (e.g., GAO, COFC), claims, disputes, SBA matters, compliance, regulatory, and cyber (e.g., DFARS, NIST SP 800-171, CMMC).

GovConJudicata is published by Joshua Duvall, managing partner at Matross Edwards, a law firm providing government contracts and cybersecurity legal services to small and mid-sized businesses.

Contact Matross Edwards
Search By Tags
Please reload

Connect
  • LinkedIn
  • Twitter
  • Podcast
  • Spotify
  • TuneIn
  • Apple

Copyright © 2020 Joshua B. Duvall. All rights reserved.

GovConJudicata™ #govconjudicata

CyberJudicata™ #cyberjudicata

LegalJudicata™ #legaljudicata