ComplianceForge's NIST 800-161 R1-based C-SCRM Strategy & Implementation Plan (C-SCRM SIP) can help your organization integrate cybersecurity and data protection controls into the acquisition lifecycle through acquisition planning, source selection, responsibility determination, security compliance evaluation, contract administration and performance evaluation. As today's Executive Order (EO) points out, C-SCRM is required in the Federal government, which means those requirements will filter down through US Government contractors and then down into non-government contractors. It is inevitable. https://lnkd.in/eg8pNSmX Product page: https://lnkd.in/gtqD77gc #scrm #cscrm #supplychain #supplychainsecurity #nist800161 #eo #executiveorder #tprm #riskmanagement
ComplianceForge
Computer and Network Security
Sheridan, Wyoming 4,118 followers
Where your cybersecurity & privacy documentation is made!
About us
We specialize in professionally written cybersecurity and privacy documentation. We offer comprehensive written information security policies and standards that meet the common information security requirements businesses face. We have been doing this since 2005, so we have a long track record of writing information security policies and other security-related documentation, such as risk assessments, vulnerability assessments and audit templates. Our Written Information Security Program (WISP) and Digital Security Program (DSP) products offer the most comprehensive information security documentation you can implement. If you need a Microsoft Word-based template to build a complete information security program for your company, or just want to refresh your existing policies and standards, then either the WISP or the DSP is something you should consider. Our documents are delivered in Microsoft Word format, so you can edit them to your specific needs. The footnotes citing best practices and legal requirements make it easy for users to understand their compliance requirements. We have editable, professionally written cybersecurity documentation for compliance needs ranging from NIST 800-171 to GDPR, PCI DSS, HIPAA and many more.
Website: https://complianceforge.com
Industry: Computer and Network Security
Company size: 2-10 employees
Headquarters: Sheridan, Wyoming
Type: Self-Owned
Founded: 2005
Specialties: Information Security Policy Development, PCI DSS Compliance Documentation, Vendor Compliance Program, IT Security Audit Template, NIST 800-171, EU GDPR, CCPA, NY 23CRR500, NIST 800-53, ISO 27002, NIST Cybersecurity Framework, Secure Controls Framework, SCF, Digital Security Program (DSP), and Cybersecurity Policies
Locations
Primary: 30 N Gould St, Suite 9141, Sheridan, Wyoming 82801, US
Updates
-
ComplianceForge reposted this
The Secure Controls Framework created a free cybersecurity materiality calculator template in Microsoft Excel format that you can download from: https://lnkd.in/gwdwv5T7 Materiality goes beyond SEC Form 8-K filings and is valuable for the broader concept of risk management practices, since it helps an organization clearly understand what is important vs what is not important. Prioritization is key in risk management and determining materiality thresholds is a tool that should be utilized. This is to START the process for your organization to think through both the quantitative and qualitative criteria that are used to establish thresholds for identifying (1) material controls, (2) material threats, (3) material risks and (4) material incidents. This template takes into account criteria from pre-tax income, total assets, total revenue and total equity to provide options for both "single criteria determinations" and "averaged determinations" to establish objective thresholds. If you want to read more about cybersecurity risk management practices and the concept of materiality, this guide is an excellent place to start: https://lnkd.in/g8-2Y8n5 #cybersecurity #riskmanagement #dataprotection #assessment #standards #grc #governance #risk #compliance #tprm #scf #framework #cybersecurityrisk #cyberrisk #security #materiality #material #itgovernance #policies #procedures #guidelines #ciso #cio #cyber #leadership #cybersecurityleadership #informationsecurity #infosec #sec
-
ComplianceForge reposted this
The Secure Controls Framework is pleased to announce the appointment of Jason Sproesser to the SCF Advisory Board! Jason brings with him a wealth of MSP and GRC experience both in public and private industries. As the SCF's Conformity Assessment Program (CAP) expands to offer a broad range of certifications, Jason's expertise in NIST 800-171 / CMMC will add value to the planned "SCF Certified - NIST SP 800-171 R3" certification to service the non-DoD side of the US Government contractor ecosystem. #grc #msp #mssp #announcement #cmmc #nist #nist800171 #winning
-
Determining the scope of controls (e.g., the assessment boundary) is different from determining control applicability. Do you know the difference? The Unified Scoping Guide (USG) is a free resource that makes control scoping more efficient, regardless of the type of sensitive / regulated data environment. You can download the latest version of the USG for free from: https://lnkd.in/gUy_iTUJ #efficiency #doge #cuiscoping #scoping #cmmc #nist800171 #cui #fci #grc #ciso https://lnkd.in/gqUegfA3
ComplianceForge Releases Unified Scoping Guide (USG) Update To Efficiently Scope Cybersecurity Compliance Assessment Boundaries
accesswire.com
-
Risk management for practitioners! This document is vendor agnostic and is written for cybersecurity practitioners to gain valuable insights into how to better manage risk across organizations, regardless of industry or size. With the concept of "material incidents" being important to public companies, ComplianceForge updated its risk management guide for cybersecurity practitioners to address the reality of enterprise-wide risk management practices. This educational reference can be downloaded from: https://lnkd.in/gPqhdT83 Special thanks to Tom Cornelius and Andy Kuykendall for their contributions to this document! #risk #riskmanagement #erm #grc #cybersecurity #ciso #board #materiality #material #negligence
-
There is a "materiality ecosystem" within modern cybersecurity risk management discussions. The process begins with determining what constitutes materiality for an organization. This is organization-specific and is primarily based on a clearly defined financial threshold. Defining materiality is an executive leadership determination, not a cybersecurity determination. Cybersecurity teams often hypothesize what "should be material" from the narrow perspective of the cybersecurity department, but those cybersecurity-led definitions are frequently incorrect and not material to the organization, much to the frustration of legal counsel, who sometimes have to correct practitioners for incorrectly labeling incidents as material. For example, while a $5 million incident may appear material (it is a significant sum), that amount may not come close to the actual materiality threshold for a prosperous organization.

Once the materiality threshold is clearly defined, the next step is to review the organization's risk and threat management practices to identify the specific risks and threats that could lead to a material incident. Ideally, this means reviewing established risk and threat catalogs to identify known risks and threats with material implications. The due diligence performed to define material risks and material threats then feeds incident response operations: it lets the organization pre-define material incidents, or at least pre-determined incident criteria, that would escalate incident response activities to the proper organizational leadership because a material incident exists (e.g., external reporting requirements, reputation damage control, etc.).

Incident triage is not the time to develop the threshold categories used to determine materiality. Requirements such as the US Securities and Exchange Commission (SEC) rule that public companies disclose a material cybersecurity incident on Form 8-K within four business days of determining that it is material leave no room to invent those criteria on the fly. #cybersecurity #sec #material #materiality #risk #incident #threat #control #grc #ciso #incidentresponse #irp
-
Thank you for the mention from Koren Wise! Another successful assessment using ComplianceForge documentation. Learn more at: https://lnkd.in/gC3Jy-aw #cmmc #dibcac #nist800171 #audit #assessment #compliance
** ANOTHER SMALL BUSINESS SCORES PERFECT 110 IN THE JOINT SURVEILLANCE VOLUNTARY ASSESSMENT - NOT A SINGLE POA&M ** We are on a roll and very proud to announce the MVP Enclave and 800-171 Compliance Program has done it again! Eight months ago, we embarked on another journey to help an amazing small business fulfill their goal of going to the Joint Surveillance Voluntary Assessment for CMMC. Peerless Electronics Inc. should be the CMMC role model to small businesses. Like many small businesses, they came in early 2024 seeking advice about where to start and what approach to take for their 800-171 compliance journey. Unlike many small businesses, they recognized the importance of the program, respected the end goal, and worked extremely hard to play an active role every single day in this very difficult transformation. They had full support at every level of the organization. I feel so lucky to have had this mutual learning experience with the staff of Peerless Electronics Inc. The MVP Enclave and 800-171 Compliance Program is even better than before because of customers like them. We are thankful to have had a very professional and detailed assessment by Fernando Machado, CISSP, CISM, CCA, CCP (AKA "Eagle Eye") of Cybersec Investments and the DIBCAC. There were five assessors in total. It was also amazing to experience being assessed by one hearing impaired assessor and his translators - that process was seamless and should give inspiration to anyone with hearing impairments. Our goal from the beginning was to have this enclave scrutinized by as many DIBCAC and C3PAO assessors as possible. This is what we have spent the past two years doing. I would like to thank ComplianceForge for their thorough documentation package which gives companies the tools they need to document their solution, program, and operations. I would like to thank FutureFeed, Mark Berman, James Goepel, and Chase Berman for their awesome product which is invaluable to manage this program.
**Peerless Electronics will not be officially recognized until DIBCAC outbrief, which can take a few weeks. They have received their C3PAO outbrief. Kyle Lai, Carter Schoenberg, Regan Edens, Leia Kupris Shilobod, CCP, CISM, Matthew Titcombe, Alexy J., Melvin Scott, Jacob Hill, Joy Belinda Beland CMMC CCA, PI, QTE, CISM, Amy Williams PhD CISSP, CMMC-CCA, PA, PI, Katie Arrington, Stacy Bostjanick, Robert Metzger, Fernando Machado, CISSP, CISM, CCA, CCP, Derrich Phillips, CMMC Certified Assessor, Olatokunbo "AB" W., Stuart Itkin, Steve Treanor, Alexandria Saey Burke, MS, CMMC/CCP/CCA, Scott Serafin, Timothy Esler, Kirk Little, DBA, PMP, Dasha Little, Palmer Sims, David A. Africano, Erin O'Donnell, CCP, CCA, Michael Dempsey,
-
The 2024.3 version focused on addressing changes associated with the recent release of 32 CFR Part 170 and the updated CMMC 2.0 L2 scoping guidance. Learn more at: https://lnkd.in/gM2xbEdw

The biggest issue with 32 CFR Part 170 is that the DoD cites NIST SP 800-171 R2 in this final rule, even though NIST SP 800-171 R3 was released earlier this year and, per OMB, NIST SP 800-171 R2 will be considered a deprecated standard in May 2025. The DoD's stated reasons for staying on the older version of NIST SP 800-171 are the time needed:
- For industry to prepare for and implement the new version; and
- To prepare the CMMC ecosystem to perform assessments against the new version.

Given the DoD's focus on NIST SP 800-171 R2 for the immediate future, ComplianceForge reorganized the NCP into three different formats to meet client needs:
- NCP R2 is tailored for organizations that want to focus entirely on NIST SP 800-171 R2.
- NCP R3 is tailored for organizations that want to focus entirely on NIST SP 800-171 R3.
- NCP Combined R2 & R3 is tailored for organizations that want to address both NIST SP 800-171 R2 and R3 simultaneously.
-
The Unified Scoping Guide (USG) has been updated, based on new requirements from 32 CFR Part 170 and the new CMMC 2.0 L2 & L3 scoping guides. This is a zone-based model to apply a data-centric security approach for scoping sensitive & regulated data. The USG can be downloaded from: https://lnkd.in/gvbSc4Tv #scoping #compliance #controls #audit #assessment #cmmc #nist800171 #privacy #cybersecurity #governance #scope
-
Looking for cybersecurity documentation? You can view the catalog of ComplianceForge's affordable and editable documentation solutions. #documentation #dataprivacy #cybersecurity #privacy #policy #policies #standard #standards #controls #procedure #procedures #template #templates #grc #governance #risk #compliance #riskmanagement #nist800171 #cmmc #ciso #audit