Tracking the Rollout of CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a framework that requires companies contracting with the Department of Defense (DoD) to meet security standards based on the sensitivity of the data they manage. These standards, based on the National Institute of Standards and Technology's (NIST) SP 800-171 standard, have been in place for eight years, but CMMC further formalizes compliance.

As of November 10, 2025, Defense agencies now require at least a Level 1 certification to award any new contract. To meet this requirement, companies must self-certify that they comply with 15 controls--specified by 800-171--that cover basic cyber hygiene. Next November 10 (in 2026), DoD will require that Level 2 status for contracts dealing with Controlled Unclassified Information (CUI), which currently can be self-assessed, be verified through a third-party assessment of compliance with all 110 controls in the NIST standard. Then in 2027, contracting officers can start requiring those seeking Level 3 certification to undergo an assessment by the Defense Industrial Base Cybersecurity Assessment Center. A Level 3 requirement would apply to technology dealing with highly sensitive data or systems, where a breach could have far-reaching impact.

Securing Our Healthcare Infrastructure

We don't typically think of healthcare as infrastructure, but the functioning of our healthcare facilities is just as essential as that of our roads and utilities. Because of this criticality, healthcare systems require 100% uptime, a necessity that is vulnerable to the reality of cyber threats.

According to the FBI's Internet Crime Report, the healthcare industry reported 444 cyber-related incidents in 2024, the most out of any critical infrastructure industry. Despite this reality, many hospitals and health systems feel unprepared to respond and recover from these threats. The Travelers Risk Index survey found that only 51% of healthcare respondents were confident their organizations have best practices in place to prevent or mitigate a cyber event. Key challenges driving this lack of confidence include:

Goodbye RMF, Hello CSRMC

The Risk Management Framework (RMF) was introduced in 2022 to create a standardized way to measure and manage cybersecurity risk in the federal government. Modeled with standards including the Federal Information Security Modernization Act and NIST Special Publication 800-53, the RMF was a repeatable, structured method to manage cybersecurity risk and ensure compliance with federal standards. The RMF allowed agencies to identify, understand, prioritize, and reduce risks to their information systems and missions. It informed leaders of security risks, allowing them to make educated decisions about trade-offs between security and mission needs.

While it was designed to be more than a checklist, in practice the RMF had become just that. Rather than engaging with it dynamically, agencies employed highly manual processes that slowed the adoption of much-needed solutions. The process could not keep up with the quickly evolving threat landscape.

How Cyber Basics Make a Big Impact

October is a fitting month for cybersecurity awareness. Phishing emails can be even more deceptive than a convincing costume and ransomware attacks can feel like a jump scare in a horror movie. Each year, the National Cybersecurity Alliance and the U.S. Department of Homeland Security spearhead an educational campaign to ensure everyone knows their role in protecting the vast amounts of online data we depend on for daily life.

The 2025 theme is "Stay Safe Online" with a focus on four key steps everyone can take to improve online safety:

  • Use strong passwords and a password manager
  • Turn on multifactor authentication
  • Recognize and report scams
  • Update your software

These tactics are important at a personal as well as enterprise level. Agencies across government have taken these best practices and implemented new security measures to protect data.

Ready or Not CMMC is Here

Cybersecurity Maturity Model Certification (CMMC) sets security standards for contractors working with the Department of Defense (DoD) to ensure the data they interact with is protected. The standards have been in place since the introduction of the Defense Federal Acquisition Regulation (DFARS) in 2015, and now, 10 years later, a more formalized compliance process is being implemented.

Starting October 1, 2025, the CMMC clause will start to be used in DoD contracts. This clause requires contractors to align their security practices with the CMMC level required by the contract. While contractors have been required to meet rigorous security standards for some time, whether they did was determined primarily through self-attestation. This roll-out introduces the need for third-party validation of compliance claims, ensuring the security of the defense supply chain.