Federal Information Security Management Act

FISMA is essential to prevent the exposure of confidential government assets, operations, and information from cyber attacks and threats. There are several security requirements such as information system inventory, risk categorization, system security plans, security controls, certification and accreditation.

While maintaining inventory, federal agencies must have an encrypted cloud to keep track of information systems and control the internal and external interdependencies between systems. In risk categorization, three categories define the degree of risk pertaining to IT systems. The three categories are low-impact, moderate-impact, and high-impact. The low-impact category determines that the information is general and informational. The moderate-impact category pertains to information that needs to be safeguarded. The high-impact category is high risk and could cause great danger to the government if compromised.

All government agencies must have a security plan to determine how the agency will perform security controls. The security plan is known as a System Security Plan (SSP) and Plan of Action and Milestone (POA&M) that must be updated regularly. To utilize the security controls efficiently, government agencies must document their security controls under the regulations of FIPS 200. When all security measures are implemented, and risk assessments have been completed, agencies must ensure that security controls properly function. Once all steps are completed, the information system is deemed accredited according to NIST SP 800-37.

by Marcia Cooke, Jr. Analyst



Cybersecurity Maturity Model Certification

There are 5 levels to the Cyber Security Maturity Model Certification. The first level, basic cyber hygiene, pertains to the certifications organizations must first practice. The 17 basic practices pertain to "implementing identity and authentication and basic Access Controls". Anyone with a DoD contract goes through this basic level of certification in order to protect FCI (Federal Contract Information).

The second level is the intermediate cyber hygiene, which provides cyber security to firms that have Controlled Unclassified Information and requires a more advanced level of security than corporations that only have Federal Contract Information. According to "CMMC Certification Levels", in level 2, corporations need "written policies for the 17 domains covered by the CMMC as well as documented practices for implementing the policies for each domain."

In the third level, the overall security of an organization is the primary focus and organizations who meet both the FCI and CUI requirements are required to meet the level 3 stage requirements and higher. In this third level, all of the practice requirements for NIST SP 800-171 must be fulfilled along with the requirements that encompass level one and two.

The last two levels of the CMMC requirements are the most advanced. There's a small ratio of cybersecurity firms that need to fulfill the level 4 and 5 requirements. The high level of importance to level 4 is attested to preventing attacks on the CUI. These threats are referred to as Advanced Persistent Threats, also known as APTs. Level 5 is very similar to level 4. The only differentiation between the two is there are 15 additional practices for organizations to implement in level 5.

by Marcia Cooke, Jr. Analyst


FY22 Core ig metrics

The FY22 Core IG Metrics are derived from the Core IG metrics from 2016. These Metrics are a guide for businesses to ensure the best cybersecurity. The tips created coincide with each question from the FY22 Document.

by Marcia Cooke, Jr. Analyst

Click here to review the guideline tips

how to get a job in cybersecurity

In the next 10 years, the US Bureau of Labor expects IT jobs to grow by 33% which is 4 times the amount of growth in comparison to other industries’ growth. As the industry grows, so does the demand for labor. People interested in joining the field will need to have a variety of different tasks to complete daily. These tasks include “designing firewalls to prevent data breaches”, “training coworkers on IT security best practices”, “monitoring security systems to quickly detect vulnerabilities” and “implementing security audits across the company’s systems and networks”. Of course the tasks will vary depending on the specific type of job and knowledge background. Education requirements such as a bachelor’s degree in math and engineering or computer science are great to have for a cyber security job. While some jobs may require a cyber security master’s degree, you can still get a job within the field with specific skill sets. Amongst education, you will also need specific certifications such as CompTIA Security, GIAC Security Essentials Certification, Certified Ethical Hacker and Cisco Certified CyberOps professional certification.


Cyber attacks

Cyber attacks can be a major detriment to a company's success by inhibiting the security of confidential information. There are steps that organizations can take to prevent these threats from occurring. According to Cyber Security Safety, "How to Defend your business against cyber attacks", out of the ten recommendations given, making sure all operational systems are updated, having information backed up, and communicating with team members are efficient ways to prevent malfunctions.

Updating all operational systems can ensure computer bugs are fixed and software performance improves. Computer bugs in software make organizations more vulnerable to malfunctions and give easy exposure to hackers. Software updates also ensure that viruses and password exposures are easily detected and brought to the attention of organizations. Communicating with team members about cyber attacks can ensure that everyone has the same understanding or knowledge about how to prevent putting the organization at risk.

by Marcia Cooke, Jr. Analyst

Click the links below to read more about Cyber Attacks:

Cyber Attacks in the US

Foreign Cyber Attacks

Google Play store

Over the next few months, Google will implement updates to its Play Store to prevent pesky ads from popping up. The most common advertisements that pop up are those that take up the entire screen and are previewed via photo or video for a duration of time, typically more than 15 seconds, before a game starts or an app loads. There will also be restrictions on the misinformation spread on the Google Play Store pertaining to subscriptions and health. Beginning August 31, there won’t be apps on the Play Store that mock popular apps. Google plans to ensure this by creating policies that prevent apps from using specific words/descriptions and images that may imply the linkage to a popular app. Google wants to protect consumers from unnecessary, misleading information and copycat apps to improve the overall experience for the consumer.

Source: Google Play Store update will get rid of annoying ads, copycat apps - Memeburn


Click here to read about Cryptocurrency in the US.

Contact for more information