Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

‍Cybersecurity and Infrastructure Security Agency (CISA) is a branch of the United States Department of Homeland Security (DHS) that is responsible for strengthening cybersecurity and infrastructure protection for critical infrastructure organizations across all levels of government.

On May 11, 2017, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. The intention was to reduce cybersecurity risks to national security by improving federal agencies’ cybersecurity and information technology (IT) systems. The executive order holds the heads of federal agencies accountable for their agencies’ risk management practices.

The Cyber Intelligence Sharing and Protection Act (CISPA) was first introduced in 2011 by Representative Mike Rogers, the chairman of the House Select Committee on Intelligence Committee), and 111 co-sponsors. Although the House of Representatives originally passed the bill on April 25, 2012, it was later rejected by the US Senate. Since then, it has been reintroduced several times, but Congress has not passed the bill despite amendments made in good faith following criticism of some propositions.

Businesses that work with the US Department of Defense (DoD) and collect, process, transmit, or store controlled unclassified information (CUI) must comply with Defense Federal Acquisition Regulation Supplement (DFARS) standards. The DoD has responded to the growing threat of cyber incidents, including cyberattacks from cybercriminals and nation-states, by prioritizing cybersecurity best practices and insisting they are implemented throughout the DoD supply chain.

The zero-day vulnerability in Progress Software's MOVEit Transfer product is being exploited by the Clop ransomware gang and other copycat cybercriminal groups to expedite the theft of sensitive data from customer databases. To protect your organization from compromise, follow the recommended response actions in this blog. Learn how UpGuard streamlines Vendor Risk Management >

Often regarded as the Californian version of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) aims to protect the personal information rights of Californian-based employees, contractors, customers, and vendors. The inclusion of third-party vendors means your Vendor Risk Management program needs to be updated to include CCPA compliance tracking, not only during due diligence but through the entire vendor security posture management process.

‍The Cybersecurity Maturity Model Certification (CMMC) is a cyber program and security framework used by the US Department of Defense (DoD) to measure firms’ cybersecurity maturity. All DoD contractors working with the federal government must comply with this program by 2025. CMMC compliance demands that DOD contractors pass an external CMMC assessment carried out by an approved CMMC Third Party Assessment Organization (C3PAO) for all but the lowest level of CMMC certification.

A third-party data breach refers to a data breach that has occurred through a third-party company. In a third-party data breach, the vendor or supplier’s system has been compromised and used to steal data that belongs to you. A third party can be defined as an organization with which your organization has entered into a business relationship to provide goods, access, or services for your use.

After completing an ISO 27001 audit, there may be some critical responses you must undertake based on the recommendation in your audit report. This step-by-step guide will ensure you don’t miss any of the outstanding follow-up tasks that need to be addressed after the audit process is over. Learn how UpGuard simplifies Vendor Risk Management >

This NIST CSF questionnaire template will help you understand the degree of each vendor’s alignment with the high-level function of the NIST CSF framework - Identity, Protect, Detect, Respond, and Recover. Though this assessment only offers a superficial understanding of compliance, it’s sufficient for getting a sense of a prospective vendor’s security posture, especially when coupled with an external attack surface scanning solution.