Blogs & Analysis

New York Rule 500 dictates NY financial institutions must certify cybersecurity programs by February 15, 2018

New York State is the first in the U.S. to impose a comprehensive cybersecurity regulation on financial institutions, and the regulation, “Cybersecurity Requirements for Financial Services Companies,” (also known as NY Rule 500 or 23 NYCRR Part 500) has a key deadline on the horizon. February 15, 2018 is the date by which the entities…

DFARS 7012 and Supply Chain Cyber Risk Management

Day in and day out, U.S. companies are under cyber-attack by criminals, hacktivists, bored kids and nation-states. Nation-state sponsored actors, including China and Russia, are known as Advanced Persistent Threat (APT) actors, and have been extremely successful in compromising the networks of commercial organizations, particularly those companies conducting work for the Department of Defense. In fact, these…

Top 10 Mistakes in Implementing the NIST 800-171 Cybersecurity Requirements

Businesses supporting U.S. Department of Defense work have 10 weeks left to fully comply with the cybersecurity provisions of the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and associated clauses. At Sera-Brynn, we’ve been advising clients on the DFARS and NIST requirements since 2014, and we’ve seen mistakes from companies of all sizes…

DoD issues clarifying guidance on DFARS Clause 252.204-7012

2017 saw the release of additional guidance aimed at both contractors and procurement officers regarding the implementation of DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”. Here at Sera-Brynn, we’ve written extensively on aspects of this clause and the associated NIST Special Publication 800-171. 800-171 describes adequate security for Protecting Controlled Unclassified…

Equifax Breach and Compliance

Would Better Risk Management Based on DFARS/NIST 800-171 or the NY Financial Institution Rules Have Thwarted the Equifax Breach? By Colin Glover, Senior Security Analyst, Sera-Brynn, LLC. Recently, the credit reporting company Equifax announced a huge breach impacting up to 143 million U.S. consumers, including their names, social security numbers, birth dates, home addresses and…

NIST Password Guidelines Change

By Colin Glover, Sera-Brynn Sr. Cybersecurity Analyst. The National Institute of Standards and Technology (NIST) recently updated its Digital Identity Guidelines, releasing NIST SP 800-63-3. This four-volume set, 800-63-3, 800-63A, 800-63B, and 800-63C, provides technical requirements for federal agencies implementing digital identity services. Of most importance to the DoD requirement for the protection of Covered…

State of DFARS Compliance 5 Months From 31 Dec 2017 Deadline

As of Q2 2017, 87% of all defense contracts contained DFARS clause 252.204-7012. As of July 2017, 93% of Navy contracts, 83% of Air Force contracts, and 72% of Army contracts had the clause, with a goal of 100%. Source: Defense Procurement and Acquisition Policy. Based on non-attributable statistical data we have collected through our…

Risk Management and China’s New Cyber Security Law

China’s new Cyber Security Law, which went into effect on June 1, 2017, will impact the way multinational organizations do business in China. As national laws with global impact (like China’s) evolve, risk evolves. You probably know that a cyber risk management “best practice” includes regularly updating your Risk Assessment. If it’s been a while and…

Thoughts on How the U.S. Government Calculates Cost of Compliance with Cybersecurity Regulations

How the U.S. Government calculates the cost of complying with the cybersecurity provisions of acquisition regulations. In 2017 the Department of Homeland Security proposed to amend the Homeland Security Acquisition Regulation (HSAR) to address requirements for the safeguarding of Controlled Unclassified Information (CUI). 82 FR 6429 (Jan. 19, 2017). Although this rule is not final,…