Jeff Baldwin, D.Sc.

Security Tidbits from the desk of STAVA LLC CEO In my 32-years of Intelligence, Counterterrorism and Security experience, one of the biggest, most reoccurring mistakes I have observed is the application of generic security measures to an organization.  Contrary to popular demand, security is more than armed guards, concertina wire, closed-circuit televisions (CCTVs) and card access readers. To harden a facility against the adversary, one must truly understand the risks, vulnerabilities and threats (RVTs) associated with a facility. I have interacted with many security professionals that do not know their organization’s high-valued assets, have not walked/touched every part of their facility or holdings, and do not understand the RVTs internally/externally to their facility. Regardless of your organization’s size, a robust security program starts with a comprehensive Vulnerability/Risk Assessment. If your organization requires Security Training and Vulnerability Assessment Services, look no further, STAVA LLC is willing to assist you. Regards, Dr. Yolanda Wade, ISP®, SFPC STAVA LLC CEO https://www.stavallc.org/

12

2 Comments

CMMC - Clean-up in Isle 7, There is a consistent mess in Isle 7. Only if you have had an actual CCA perform a Mock Assessment will an OSC/OSA (Organization Seeking Certification / OSA - Organization Seeking Assessment) know what an assessment requires. (14 policies; 8 plans, 320 Assessment Objectives, 280 Artifacts) You think you are ready for your final Assessment by a C3PAO for CMMC Compliance? You're not! The CMMC Certification Process: 1. You have gone thru your Self-Assessment. (With Expert guidance) 2. Created and entered your score into the SPRS system. 3. You did a "Readiness" Project which kicked out a Gap Analysis and a POA&M. 4. You have a central library (GRC Service? Spreadsheets?) of artifacts as evidence of compliance. All assembled over many months by different contributors. (Guaranteed there is a lack of conformity.) 5. You remediated and documented everything from the POA&M. 6. Your Policies, Procedures and Evidence documents are all ready, and in order? 7. You think you are in a ready state for an Assessor to breeze through all the evidence and certify you. You schedule a C3PAO for your Assessment. 8. The Assessor will review, find issues for remediation ie: gaps. 9. Back to remediation 10. Reschedule the final Assessment 11. Rinse repeat until you are fully compliant. WHAT IF WE COULD SHORTEN THIS PROCESS AND SAVE TIME ($) AND EFFORT? DoD estimates CMMC paperwork burden at 525 hours https://lnkd.in/g48JBDEb Insert step 7.1 - Run a Mock Assessment by a CCA using an AI Based Documentation review Service that produces a POA&M that addresses the integrity of your Artifacts and Evidence in less than a week. Insert step 7.2 Remediate from POA&M items. Insert step 7.3 Re-run the Service for final readiness status. WHY? - To confirm your readiness. - To present a more palatable set of documentation to the C3PAO and accelerate Certification. - To Save countless manhours in the journey to certification. - To help streamline steps 8, 9, 10, and 11 above. NOTE: The Service will generate an immediate ROI. Improve your chances of 1st time certification by working with Gailey Solutions. Get actionable results in days, not weeks. Call Gailey Solutions for CMMC help and guidance. NOTE: We White Label this Service to Partners in the CMMC Community to help you guide your clients thru the Process.

1

What’s New and What’s Next from the Center for Threat-Informed Defense MITRE-Engenuity’s Center for Threat-Informed Defense (Center) conducts collaborative research and development (R&D) projects that improve cyber defense. This webinar showcases the Center’s recent and upcoming solutions for advancing threat-informed defense with open-source software, methodologies, and frameworks. WiCyS is proud to provide members the opportunity to earn CPE/CEU credits for attending WiCyS Webinars live. https://lnkd.in/g6eMd5VV Can't make it during the scheduled time? Register to receive a recording as soon as we wrap. 📣 To earn CPE/CEU credits with the following providers, you must meet the minimum requirements: - GIAC/(ISC)2: attend for a minimum of 45 minutes or the entirety of the webinar - CompTIA: attend for a minimum of 60 minutes or the entirety of the webinar (webinar topic must relate to the certificate being renewed) Attendees who meet the requirements can log into BrightTALK to print out their attendance certificates to submit for CPE/CEU credits.

1

The real cool part about this is we as citizens get to see what our government is doing and actually build out metrics for it. This another reason why I love Splunk so much for how many use cases you can use for it and how you can use your imagine to create different aspects of your story. Cyber security, networking, marketing, DevOps, Business Intel. The list goes on and on. I cant wait to show you the rest of my tricks up my sleeve David Huynh haha.

10