Connecticut approved Public Act 21-119 on July 6, 2021, to provide a safe refuge for cybersecurity-savvy businesses.
With this new legislation, Connecticut joins Ohio and Utah as the third state in the United States to provide constitutional immunity to firms who use an industry-recognized security architecture.
Connecticut’s statute affects both for-profit and non-profit organizations. Connecticut Governor signed it on July 6, 2021, and it came into force on October 1, 2021. With more states joining the league, it is becoming essential for businesses to hire DFARS consultant Virginia Beach for compliance needs.
What does the new law cover?
Organizations with a documented cybersecurity plan conforming to industry-accepted cybersecurity architecture are protected by Public Act No. 21-119.
With the passage of this law, civil penalties will not be given if a firm is sued for failing to adopt adequate cybersecurity measures, leading to a data breach, provided the company designed, updated, and adhered to a documented cybersecurity program.
Qualified Cybersecurity Structures
Connecticut’s cybersecurity law does not compel businesses to use any particular cybersecurity strategy.
Instead, you may choose the structure that best suits your needs.
Among the qualified cybersecurity frameworks are, the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity, NIST SP 800-171, 800-53, 800-53a, CIS Controls, and FedRAMP Security Assessment Framework.
In conjunction with the frameworks mentioned above, businesses are protected if they comply with any of the accompanying regulations:
Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley Act, Federal Information Security Modernization Act, Health Information Technology for Economic and Clinical Health Act, and Data Security Standard for the Payment Card Industry.
Businesses have six months of release to adhere to the edited version of a guideline or regulatory document.
Information to Protect
Companies must safeguard the following personally identifiable information (PII):
Expect more cybersecurity legislation in the future.
With the increasing number of cybersecurity assaults affecting public and private firms across the country, we may presume to see these kinds of regulations urging businesses to implement cybersecurity safeguards.
New NIST and CMMC compliance standards were recently implemented, affecting all Department of Defense providers.
Commercial firms, like government military contractors, require security knowledge to avoid data loss and secure sensitive information.
Take a Lifecycle Approach to Security Controls in Cybersecurity.
Companies should consider DFARS cybersecurity as a lifecycle rather than a set of products to be acquired.
Good cyber hygiene entails a combination of technology measures and proper information-management methods.
Using a security management lifecycle approach allows businesses to invest in the proper technologies and processes to protect themselves against cyber attacks.
When it pertains to data security, there is no such thing as a one-size-fits-all solution.
The lifecycle strategy guarantees that you don’t squander money on products you don’t need or buy unnecessary software to fix process difficulties.…
Many firms, especially DoD contractors are implementing cybersecurity depending on the NIST cybersecurity architecture, which is now a worldwide acknowledged standard for assisting in detecting and mitigating new and evolving cyber threats. The NIST just issued a new draft on guarding against ransomware, which supplements the CSF. The ransomware profile has been added to the framework to assist firms in determining their readiness to deal with cyber extortion.
What exactly is ransomware?
While ransomware stories are not as prevalent as they were a few years ago, the threat persists. Many ransomware gangs that operated on the dark web have split, but the danger has not gone away. In truth, ransomware has evolved like any other type of cyber threat.
Ransomware assaults were relatively straightforward. Generally, the victim would unknowingly download a harmful file after being attacked by a social engineering fraud. When they opened the file, their whole hard drive was encrypted, and the machine was reset to showcase a ransom notice.
Ransomware assaults are less widespread today than they were several years ago, but those that endure are typically more harmful. The most recent trend is the emergence of double extortion attempts, in which bad actors exfiltrate data before encrypting it. In certain circumstances, the ransom notes not only promise to protect your information encrypted if you do not pay the ransom but also publish it on dark web communities for anyone to see.
Put simply, and these double blackmail schemes are exceedingly risky. Given that almost all firms routinely back up and isolate their critical data, they can generally recover compromised systems swiftly and with minimum long-term harm. The desire to pay the ransom increases dramatically if critical data is also taken.
What are the proposed controls in the NIST cybersecurity guideline?
The common idea is that ransomware can be readily stopped by antivirus software. However, this is not always the case owing to the constant emergence of new versions. Furthermore, these assaults are frequently conducted in tandem with precisely focused social engineering frauds such as business email compromise (BEC) assaults. Many people can circumvent standard security measures, which is why the NIST Cybersecurity Framework suggested controls go far beyond.
Antivirus should be deployed at all moments and automatically updated. Set the program to analyze email links and external media constantly. However, ransomware often exploits weaknesses in obsolete operating systems, so no organization should use the now-unsupported Windows 7. Maintaining all devices and firmware up to date will assist in mitigating the danger.
Because so many individuals work from home and use their personal devices for business, the dangers of ransomware attacks have increased. This is why companies must enact rigorous standards limiting the usage of third-party apps.
To begin with, no critical corporate data should be saved on employee-owned devices. Instead, they should act as access points to enterprise programs and data housed in the cloud instead of on local machines. Supervisors can limit access by employing regular user accounts with no administrative credentials while having a complete view of their data.
Another critical control area addressed by the NIST Cybersecurity Framework is security consciousness training. Ransomware may infect anybody, with distant workers being the most typical victims. As a result, everyone in the organization should undergo frequent awareness training to grasp the hazards and how they spread.
Finally, the most recent literature includes specific measures businesses and DoD companies may take to recuperate from a ransomware assault. This includes incident recovery planning, messaging, backup, and restoration.
The new ransomware model is intended for a broad demographic, including businesses that have previously implemented the NIST Cybersecurity Framework in its entirety. However, implementing the guidelines and policies can be prohibitively expensive for smaller enterprises desiring to do everything in-house. This is why selecting a reliable technology, and security partner is critical for reaching the same protection as large organizations.…
Every major industry, from electricity to automobile manufacture, is most likely part of a complex supply chain. And, as the term implies, if even a little component of the system malfunctions, the entire system might be weakened or collapse. CMMC for DoD contractors emphasizes on securing data infrastructure.
Today, no institution is immune to the fast surge in cyberattacks, even cybersecurity firms. This is particularly true since the start of the conflict in Ukraine, which has been marked not just by military attacks but also by cyber warfare against anything from the Ukrainian administration to US airports.
Aside from the dynamic cyber landscape, there are increasing chances for hackers to enter the supply chain as company partnership and data sharing expands. Many firms are undertaking digital transformation and releasing the massive amounts of data they have collected to allow information-based decision-making throughout the ecosystem. Malicious actors can abuse their systems and data if they are not secure.
Organizations cannot afford a severe cyberattack due to pandemic-related interruptions and shortages. If one organization is hit, the whole supply chain may suffer financial losses due to supplier delays, or they may become victims themselves via shared systems.
To avert a disastrous cyber assault, supply chain enterprises must comprehend significant security risks, system weaknesses, and ecosystem linkages. Following that, ecosystem leaders must increase insight into supplier security requirements, upgrade their security procedures, and implement a participatory cybersecurity strategy.
Current Security Risks and Vulnerabilities
Lapsus$ recently penetrated Okta, an identity management framework, via a company’s customer assistance third-party suppliers, Sitel, using a technician’s infiltrated account. Questions have previously been raised about Sitel’s security, demonstrating how the “weakest link” might be a hacker’s route into various supply chain processes.
These breaches are often caused by insecure associations such as VPNs and stolen passwords due to spoofing or spraying cyberattacks targeting poorly maintained or unmanaged accounts. When a vendor or outside supplier employee gets access to a company’s infrastructure, this is prevalent in remote access circumstances. Assailants can trade these credentials on dark websites, and businesses must pay to recover them or face the arduous process of rotating passwords on tens of thousands of assets. Once inside, attackers can travel laterally throughout a company’s networks and even farther into the supply chain due to the interrelated nature of these systems.
Many businesses nowadays follow basic security regulations and practices. When a corporation purchases services or technology from a supply chain partner, it bakes standards into contracts that compel the servicer to adhere to the same security rules as the client.
Even if the host firm has a sophisticated security policy in place, the other organization’s procedures are likely to differ. It either needs time for the servicer to catch up on what is specified in the contract, or the improvements never happen. Typical agreements do not include stringent implementation dates or periodic check-ins to confirm successful changes. Furthermore, a service with various contracts with varied security needs may be forced to implement a piecemeal security approach to fulfill these constraints.
Changes to Guidelines, Practices, and Increased Collaboration
With the recent increase in assaults, new federal government regulations like CMMC DFARS, and various innovative solutions in the marketplace, many supply chain organizations may not know where to begin to handle these concerns. A few easy procedures, however, may be followed to safeguard the supply chain.
To begin, all businesses that seek the assistance of outside vendors or suppliers should boost visibility into whether or not the contract’s security rules are being followed. The setting needed timescales, arranging regular check-ins, and conducting a final security audit and/or test are all part of this process.
Furthermore, these security criteria for enterprises and their vendors should be maintained to defend them not just from today’s attacks but also from emerging strategies in the future. In particular, companies in the supply chain should examine and comply with National Institute of Requirements and Technology (NIST) guidelines. Close to the end of 2021, the organization concluded the comment period for “SP 800-161,” a draft of improved supply chain cybersecurity policies. This report was revised and finished in 2022. Businesses should ensure that these standards are represented not just in their procedures but also in the security needs of their suppliers.…
Even if I knew that tomorrow the world would go to pieces, I would still plant my apple tree.