DoD is pushing to have nested contractors conform to NIST's cybersecurity rules. This will create all kinds of additional demand on the few cybersecurity professionals that are out there. It will add more expenses to contracts. It will slow procurement further.
My question is how do you measure your cybersecurity posture? I've read enough articles regarding this and it certainly is going to be tricky. You would have to hire an independent firm to confirm your security before DoD audits you. They would have to be experts (certified ... hmmmm new business opportunity for ISC2?).
This is going to have a huge impact on the industry.
We kind of already have this assessment in SOC 1/2/3, SOC for Cybersecurity from AICPA, as well as Shared Assessments model.
ISACA just added a Cybersecurity audit certification for individuals.
And I guess you also have the ISO/IEC 27001 certification for companies, though this isn't very popular in the US. Not sure how FISMA is attested/certified, but could be applied to vendors?
@Flyslinger2 wrote:
My question is how do you measure your cybersecurity posture? I've read enough articles regarding this and it certainly is going to be tricky. You would have to hire an independent firm to confirm your security before DoD audits you. They would have to be experts (certified ... hmmmm new business opportunity for ISC2?).
(ISC)2 developed the CAP certification for the U.S. State Department specifically to meet the need you describe. Further, the more comprehensive CISSP-ISSEP concentration also covered the same territory in its original form. I have not kept up with details on either the CISSP-ISSEP concentration or the CAP to confirm that either of them covers the most recent NIST Risk Management Framework (RMF) processes. I'd ask recently certified CAP and CISSP-ISSEP holders to comment on the issue of currency.
I took Infosec Institute's CAP bootcamp and read ISC2's book on it as well in preparation for taking the exam.
In my 1+ years of doing RMF in DoD I've yet to see anything in the real world that lines up with the bootcamp and ISC2's "official" publication for the exam. I'm afraid that I will be so skewed from my real world process that I'll be jaded for the exam.
The CISSP exam was not an issue with matching it to real life. Based on what I've experienced so far, I don't have that same confidence in CAP.