Achieving & Maintaining Compliance
Compliance is not the same concern for every organization, and some have no requirements at all. For those that do, it can be as daunting as it is necessary. Whether it is approached alone or with support from a company like FNI, it takes ongoing work & effort. The importance of compliance is not simply a matter of the penalties organizations face for non-compliance. The reason these regulations exist at all should not be dismissed because they are inconvenient or add to the cost of doing business. Securing intellectual property, personal information, and government interests has a value that often isn’t fully appreciated until that security fails. A minimum security standard gives organizations a clearer picture of the best practices they should be following and an opportunity to prevent the catastrophes they would otherwise have faced.
Future Networking is the kind of ally and resource that assists organizations in efficiently and cost-effectively determining where they are in their compliance process, what needs to be done to get where they need to be, and establishing a plan to get and stay compliant.
CMMC / NIST
It is no secret that defense manufacturing companies in the United States are at risk. “If we were doing all the necessary security controls, we wouldn’t be getting exfiltrated to the level that we are. We need to level set because a good portion of our defense industrial base doesn’t have robust cyber hygiene. Only 1% of [Defense Industrial Base] companies have implemented all 110 controls from the National Institute of Standards and Technology. We need to get to scale where the vast majority of DIB partners can defend themselves from nation state attacks.” – Katie Arrington 2019 (DoD). Defense manufacturers and others in the government supply chain are high priority targets. They face threats from nation states and other highly skilled and capable malicious actors.
From www.NIST.gov: “If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.”
To date, very few small to mid-sized manufacturers have taken the necessary steps to achieve these compliance requirements. As a response to this lack of action the Department of Defense (DoD) released the Cybersecurity Maturity Model Certification guidelines on January 30th, 2020. As a part of the CMMC process, “certifiers” will meet with manufacturers to verify they meet the necessary Maturity Level requirements.
Since the CMMC is still developing, the full ramifications of non-compliance are not yet known, but denial of government contracts may occur. If an assessment is failed, scheduling another may be a challenge, as demand for assessment by Certified Assessors may exceed their availability.
The greatest risk of non-compliance is the damage done to the country along with the businesses compromised by cyberattacks through sensitive data theft, financial loss from ransomware, and loss of production and reputation.
How We Help
Cybersecurity costs can be an allowable expense in certain defense manufacturing contracts. Future Networking helps organizations prepare for their CMMC assessments by delivering a range of necessary documentation. We can also implement a proprietary spectrum of security tools to help meet compliance and mitigate threats.
Compliance essentially consists of four overarching segments:
- Assessing the network infrastructure, detecting threats as they occur while finding other potential threat access points.
- Reporting what those threats are, prioritizing those threats and developing a timeline to mitigate those threats.
- Documenting administrative protocols on who is accountable for the network, the practices and procedures to follow if there is a breach, documenting any breaches and the procedures followed, and documenting the activities done in the ongoing process to continue to mitigate threats.
- Providing security training, both through simulated digital attacks and through on-site presentations.
We differ from companies that focus solely on compliance consulting. In addition to providing the documentation and reporting (where most consulting companies focus), we implement cybersecurity tools tailored to assess the network. These tools actively mitigate threats and include an Artificial Intelligence (AI) augmented 24/7/365 US-based Security Operations Center (SOC) staffed with full-time technicians and engineers who oversee and monitor networks and respond to cyberattacks in real time.
For those who need additional evidence of their security, we can provide attack audits (network penetration testing) as well.
What is ITAR / EAR Compliance?
Put simply, ITAR governs exports made specifically for defense or aerospace purposes, whereas EAR governs exports that may be used for defense purposes or may be considered sensitive for other reasons. Failure to comply with ITAR / EAR can be harmful to national security and U.S. foreign policy. It may result in other costs including severe civil & criminal penalties (potential incarceration), damage to reputation and loss of export licenses.
The release of information to a foreign national is considered a “deemed export” under EAR, and although ITAR doesn’t use that specific term, EAR’s definition of “deemed export” is aligned with how ITAR assesses the transfer of information to foreign nationals. Information release under ITAR is defined as, “… the oral, visual or documentary disclosure of technical data by US persons to foreign persons.” It’s easy to see that information release violations of ITAR & EAR, and failure to secure data, are serious matters. They can also be disastrous for national security and organizational reputation. The government views these breaches & transfers of information as potentially causing severe damage to the United States and may impose civil and criminal penalties if a breach occurs. Violations can result in hundreds of millions in fines. Organizations may also have export licenses revoked or rejected, limiting or eliminating their ability to engage in critical activities!
What is an export?
- Sending or taking a defense article out of the U.S. in any manner;
- Disclosure, including oral or visual disclosure, or transfer of technical data to a foreign person whether in the U.S. or abroad;
- Performance of a defense service on behalf of, or for the benefit of, a foreign person whether in the U.S. or abroad;
- Disclosure, including oral or visual disclosure, or transfer in the U.S. of any defense article to an embassy, agency, or subdivision of a foreign government;
- Transfer of registration, control or ownership to a foreign person of any aircraft, vessel, or satellite covered by the U.S. Munitions List, whether in the U.S. or abroad.
Who is a foreign person?
- Any natural person who is not a lawful permanent resident of the U.S. or who is not a protected individual;
- Any foreign corporation, business association, partnership, trust, society, or other entity that is not incorporated or organized to conduct business in the U.S.;
- International organizations, foreign governments, and any agency or subdivision of a foreign government.
What is a defense service?
- Furnishing of assistance, including training, to foreign persons, in the U.S. or abroad, in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation or use of defense articles;
- Furnishing of technical data to foreign persons in the U.S. or abroad;
- Military training and advice.
The Directorate of Defense Trade Controls (DDTC) is the government agency responsible for outlining the International Traffic in Arms Regulations (ITAR). ITAR governs the export of military, weapons, and space-related items and services as specified on the US Munitions List (USML). To ensure compliance with ITAR, the DDTC strongly encourages registered exporters, manufacturers, brokers, and others engaged in defense trade to maintain programs that assist in the monitoring and control of exports and other regulated activities.
The Bureau of Industry & Security (BIS) is the government agency responsible for outlining the Export Administration Regulations (EAR). EAR covers the export of non-ITAR commercial goods & services including so-called “dual-use” items, which are commercial items that may also have military applications or other sensitive uses under the Commerce Control List (CCL).
The International Traffic in Arms Regulations (ITAR)
The Department of State is responsible for the export and temporary import of defense articles and services governed by 22 U.S.C. 2778 of the Arms Export Control Act (AECA) and Executive Order 13637. The International Traffic in Arms Regulations (“ITAR,” 22 CFR 120-130) implements the AECA. The ITAR is available from the Government Printing Office (GPO) as an annual hardcopy or e-document publication as part of the Code of Federal Regulations (CFR) and as an updated e-document.
How We Help: Controlling the location and flow of information is mandatory to assure both ITAR and EAR compliance. By partitioning data and limiting access through network management, encryption, password controls, physical security & surveillance, and magnetic and even biometric access tools, Future Networking helps assure compliance in these areas.
Healthcare faces significant threats from cyberattacks that can have massive financial and even life-endangering impact. The perfect storm is a cyberattack that results in a ransom demand, loss of patient records, and slowed or even halted patient care, where the attack is attributable to HIPAA violations – which subsequently result in heavy fines (capped in 2019 at $1,500,000 per year of violation), not to mention the negative media attention that is sure to follow. All of that negative fallout comes on top of the direct losses from the cyberattack itself!
2019 saw unprecedented cyberattacks on healthcare providers amounting to billions of dollars in losses. These events included:
- 764 healthcare providers attacked
- 285 patient record breach incidents
- Nearly 32 million patient records affected
- Redirecting of emergency patients to other hospitals
- Inaccessible, destroyed or permanently encrypted medical records
- Canceled surgeries, postponed critical tests, admissions halted
- 911 services interrupted
- Offline surveillance, badge scanners and building access systems
Unfortunately, as the points above show, the perfect storm does happen. It was only the quick thinking, care and diligence of first responders, hospital staff, doctors and nurses that kept these incidents from costing patients their lives.
Though 45 C.F.R. 164.308 offers summary guidelines for incident response (which can cover ransomware, patient data theft and other intrusions) and requires that institutions offer training on mitigating and responding to incidents, it does not specify what approach to take (beyond documenting procedures and incidents) or what security tools to use to monitor and mitigate such threats.
We Provide Security Tools to Match Policies & Procedures
Specific to HIPAA compliance and the needs of healthcare facilities and organizations, Future Networking provides a full platform of threat-mitigation tools that can eradicate ransomware and malware at their entry point before they infect a network. Additionally, we put safeguards in place to prevent Protected Health Information (PHI) from being compromised.
Offering a holistic approach, we also provide Security Awareness Training based on current real-world threats, and address issues using information obtained from our Security Assessment of employee behavior and flaws within the network. Where needed, we can take the assessment many steps further and perform network penetration testing (an Attack Audit). Here we report results from penetrating the system through external or internal nodes, and also test physical security protocols to determine where they might be lax.