The team at Zartech is honored to help publish this great collection of literary work from highly prestigious practitioners in the field of information security and risk management.
Successful, experienced, and award-winning Chief Information Security Officers and Risk Officers share their ‘tips of the trade’ with those who want to accelerate their paths in these fields. The combination of technical sophistication, fervent determination, and strong business acumen of this remarkable group, is what makes them excel consistently and against all odds.
This is a ‘must-read’ for cyber and risk professionals who carry out a crucial daily, global mission and compete in one of the most demanding careers in the world.
We are pleased to announce that Zartech has been approved as a ‘Registered Provider Organization’ for CMMC solution & services. Built with Security and Defense industry expertise, our software solution drives DoD Contractors forward through the CMMC assessment and certification process.
Cybersecurity Maturity Model Certification (CMMC) is a complex cybersecurity framework, and implementing it can be challenging. Here is some guidance on preparing for the assessment: scoping the project, conducting a readiness assessment, and reducing the cost.
Depending on your current environment and level of cyber hygiene, your company should plan for at least six months to achieve compliance. Here is the link to our free CMMC readiness assessment, which will give you a high-level overview of your organization’s readiness for CMMC certification.
The Department of Defense is mandating that all contractors that conduct business with the DoD have to obtain Cybersecurity Maturity Model Certification (CMMC). CMMC will require demonstration of objective evidence to validate that the DoD contractors have implemented and operationalized their cybersecurity practices and processes against a five-level maturity standard.
Zartech has built a guidance tool to help DoD contractors understand their readiness to meet the CMMC practices and to determine the effort and funding needed to address the gaps. It’s free to use!
Dallas Based Cybersecurity Solution Company Now HUB Certified
We are pleased to announce that Zartech, Inc. has been certified as a Historically Underutilized Business (HUB) by the State of Texas. Zartech is now listed in the State of Texas HUB Directory and may be viewed online at https://mycpa.cpa.state.tx.us/tpasscmblsearch/index.jsp.
The goal of the Historically Underutilized Business Program is to encourage and effectively promote the use of minority owned businesses in public procurement activities.
The Texas Comptroller has certified that Zartech has successfully met the established requirements of the State of Texas Historically Underutilized Business (HUB) Program to be recognized as a HUB. This certification will assist our company in fostering collaborative relationships and help expand our business. We are extremely proud of being a minority-owned business and can’t wait to serve the thriving business economy of Texas.
Continuously evolving threats create a constant challenge for CISOs and other cybersecurity leaders. It’s not insurmountable, but it’s worth keeping in mind that cybersecurity is a journey, not a destination. You will have to develop and implement a security program that is not only effective but sustainable. Ultimately, implementing a cost-effective cybersecurity framework within your program means carefully considering how you identify and protect critical assets, detect and respond to security breaches, and recover from them.
Our mission has been to enable organizations to stay up to date with regulatory compliance and industry standards and to help transform inefficient processes across the organization. Over time, based on our involvement with multiple security programs in different industries, we have enhanced our solution offering. Here is a short video on how our tool can help you to:
● Manage risk in a cyber environment
● Understand data privacy and protection issues
● Strengthen your cybersecurity posture
CMMC requirements will flow down to all subcontractors from prime contractors. All future RFPs will require adherence to various levels of CMMC. Government Contractors will have to pass a CMMC audit so they can become certified and continue to offer their products and services to the DoD. The required CMMC level will be a pass/fail evaluation at the proposal stage for contract awards. In general, a CMMC certificate will be valid for 3 years. Contracts will not be awarded to organizations that do not meet the required level.
The CMMC Model described here has 5 Levels, each with a defined set of Practices and Processes that you must comply with to be certified at that level. (This is the original, five-level CMMC 1.0 model; the DoD’s later CMMC 2.0 revision, announced in November 2021, consolidated the model to three levels, so check the current version of the model before scoping an effort.)
What is the deadline?
Questions have emerged as to whether the planned July 1, 2020 rollout would still stand during the COVID-19 crisis. On March 26, 2020, the DoD announced that COVID-19 would not delay the implementation of CMMC on contracts beginning July 1, 2020.
This is based on recent updates and may change. Between June and September 2020, the initial round of assessments will begin for a select number of Department of Defense Programs/RFIs, with the required CMMC Levels identified. A CMMC Third-Party Assessment Organization (C3PAO) will ask Defense Contractors to prove how they process, store, and transmit Controlled Unclassified Information (CUI). Government Contractors will need to be certified to the required Level in order to receive and bid on the RFP.
The timing of accreditation assessments is now projected to be Q4 2020 (calendar year) going forward, with RFIs including CMMC references as early as June and RFPs including CMMC references by Q4.
What CMMC maturity level will you need to certify for?
The RFP/RFI will state what level the contractor must meet. If you handle Controlled Unclassified Information (CUI) in any way, you have to meet at least Level 3.
Not all government contractors deal with CUI. If you aren’t sure, ask your contracting officer or read the RFP. Examples of CUI are personally identifiable information, schematics of military equipment, sensitive information about schedules and personnel, and configuration documentation for government networks.
What effort is required to complete project tasks and evidence gathering?
There are three factors for estimating the cost and work involved with compliance.
How complex is the network you are evaluating?
Does your network already have secure configurations and security programs installed?
What CMMC level are you trying to meet?
Is it possible to isolate your information to fewer systems, fewer networks, or fewer users while still fulfilling the terms of your contract? You don’t need to secure ALL computer systems for the entire company. You need to secure the systems that process, store, or transmit Controlled Unclassified Information (CUI) for the contract, along with the systems that provide security protection for them; keep everything else clearly separated so it falls outside the assessment boundary. Make the job easier by reducing your footprint.
Poring over controls and analyzing infrastructure is a tedious and time-consuming process. If you involve an experienced SME at your organization who knows your environment well, this process will take less time.
Get a leg up on your CMMC audit preparation
Zartech’s solution and security advisors can guide you through the self-assessment process and help align your organization to the CMMC maturity level that you wish to certify for. You can leverage our tool, Cyberator, to gather all required artifacts and complete the project tasks. Then schedule the CMMC assessor to conduct the certification. Grant the assessor ‘view only’ access to the tool to review your self-assessment results with the artifacts/evidence and complete the verification. Cyberator drastically reduces the time and effort to prepare for a CMMC assessment! Click here for additional details.
I recently did a webinar for the Society for Information Management’s (SIM) Cybersecurity SIG group on the topic of ‘Mature and Cost-Effective Alignment of Information Security Programs to Strategic Business Objectives’. The recording of the webinar can be found here.
Here’s the abstract of the discussion: In a typical organization, the CEO has a list of business goals and objectives that trickle down through the chain of leadership. Information security supports the business in achieving these objectives. To begin the development of a strategic plan for security, it is essential to understand the business objectives and the key elements of the information security function. Business objectives can be analyzed to identify dependencies on security. The security objectives can then be defined in terms of the business objectives. Weaknesses in information security can jeopardize an organization’s mission, threaten its profitability, and invite fines and penalties from regulatory bodies. As IT leaders, we need a clear vision for security, the ability to communicate its relevance, and the managerial discipline to deliver its full value. A more effective means of managing the impact that IT risk can have on the business involves taking a holistic approach.
The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years!
The European Union’s General Data Protection Regulation (GDPR) became applicable on May 25, 2018 and has been described as the most significant overhaul of data protection law in a generation. The regulation applies to organizations worldwide that offer goods or services to individuals in the EU (or monitor their behaviour), and the penalties for non-compliance are severe. In replacing the outdated 1995 Data Protection Directive, GDPR recognizes the impact that the Internet and other new technologies have had on the data we hold and how we share it. The European Union is pushing companies to treat this as an opportunity to develop and implement data governance, protection, and privacy in line with consumer expectations. The penalties for non-compliance can be severe: up to 20 million Euros or 4% of total worldwide annual turnover, whichever is greater.
GDPR applies to both data controllers and data processors and penalties can be imposed on one or both parties depending on their degree of responsibility. The data controller is the person (or business) who determines the purposes for which, and the way in which, personal data is processed. And the data processor is anyone who processes personal data on behalf of the data controller (excluding the data controller’s own employees).
Among other things, organizations will be required to be able to detect personal data breaches and notify the supervisory authority of them (within 72 hours where feasible), regularly test and evaluate the effectiveness of their security measures, and document evidence of compliance. However, GDPR does not prescribe specific technical controls, so organizations are independently responsible for selecting and maintaining measures appropriate to the risk that uphold the regulation’s data security requirements.
Zartech can help you with being GDPR compliant, contact us today.