Quatronics

#Cybersecurity

call to action

Phone Fortress: How to Keep Your Mobile Device Secure

Our mobile phone system in the US is compromised. Government and cell phone companies have confirmed that. Here are my key takeaways from the CISA Mobile Communications Best Practice Guidance, which was released this week. By taking these key steps you can better secure your mobile communications.

By James Harper, December 25, 2024
call to action

Authenticator Security: A Closer Look at the Limitations

Many of us trust Google Authenticator to add a layer of security to our accounts. But Google Authenticator has a serious security vulnerability that makes it unacceptable for CMMC compliance and dubious for general use. By default, Google Authenticator syncs your one-time codes to your Google account in the cloud. …

By James Harper, December 24, 2024
call to action

Act Now: Protect Your Phone From the Latest Threats

Our mobile phone system in the US is compromised. Government and cell phone companies have confirmed that. Here are my key takeaways from the CISA Mobile Communications Best Practice Guidance, which was released this week. Adopt Phishing-Resistant Authentication. Use FIDO2 security keys or passkeys for secure, phishing-resistant multifactor authentication (MFA). …

By James Harper, December 20, 2024
call to action

Bluetooth and CUI – A Recipe for Disaster

Bluetooth should be avoided on systems doing any kind of work for the Federal government – DoD or civilian. When tightening security for system access, it’s important to consider all vectors of attack, especially Bluetooth-enabled peripherals like keyboards, mice, earbuds, and other devices. Here’s why: CMMC Control AC.L1-3.1.1 (Access Control): This …

By James Harper, December 3, 2024
call to action

Is Your Office Bugged? Maybe Not, But…Your Friendly Neighborhood Spy

You might think sophisticated hackers need to crack complex codes or plant hidden devices to steal your company’s secrets. But the truth is, sometimes the easiest way in is through your own front door…or rather, your microphone. This week, I heard a chilling story about a client. An executive, let’s …

By James Harper, November 29, 2024
Uncategorized

USB Espionage: The Silent Threat

It looks like a USB charging cable. And it is. But it’s more. What looks like a simple charging cable can actually be an advanced tool with a WiFi access point that can be used to take control of a computer and steal data. To make matters worse, standard intrusion and …

By James Harper, November 10, 2024
general information

Certification Validity

Are CMMC certificates really valid for three years? Yes. But… Once the CMMC program is implemented (December 16, 2024), C3PAOs will be able to issue cybersecurity compliance certifications to organizations that pass audits. These certifications are valid for three years. However, a certification may lapse if there is a change …

By James Harper, November 4, 2024
general information

Plan of Action Templates

For CMMC compliance, will DoD provide standardized templates for a System Security Plan (SSP) and Plan of Action and Milestones (POA&M)? No. The DoD does not plan to create specific templates for compliance documentation, recognizing that each organization is unique. A “one-size-fits-all” template would not generally be helpful. DFARS 252.204-7012 …

By James Harper, November 4, 2024
Uncategorized

CMMC Compliance: Beyond the Template – A Personalized Approach

For CMMC compliance, will DoD provide standardized templates for a System Security Plan (SSP) and Plan of Action and Milestones (POA&M)? No. The DoD does not plan to create specific templates for compliance documentation, recognizing that each organization is unique. A “one-size-fits-all” template would not generally be helpful. DFARS 252.204-7012 …

By James Harper, November 1, 2024
Uncategorized

Definitive Media Library

Securely managing software and system configurations is a challenge. But software and system configuration management is critical to information security. This is where a Definitive Media Library (DML) comes in. A DML is a secure, centralized repository that stores authorized, known-good copies of software, operating systems, and configurations. It plays …

By James Harper, September 16, 2024
