Chunli Lu

🛡️ RA.L2-3.11.1 (NIST SP 800-171 Rev.2 / CMMC 2.0 L2) simply says: do periodic, documented risk assessments for anything that stores, processes, or transmits CUI, show frequency/triggers, and keep evidence of risk-based decisions (risk register, POA&M, mitigation plans). A practical, auditable checklist you can use now: ✅ 📋 Prepare scope: define systems, cloud tenants, third parties, Risk Owner and Assessment Lead, cadence (annual + triggered), and a template that captures scope, tools, approvers. 🗺️ Inventory & map: list endpoints, servers, AWS/Azure accounts, SaaS, backups; diagram CUI flows; capture OS versions, open ports, auth methods, encryption (AES-256, TLS 1.2+). 📊 Score risks: use Likelihood × Impact (1–5), or CVSS for vulnerabilities; build a risk register with asset, CVSS, likelihood, impact, owner, deadline, status. 🛡️ Mitigate high risks: MFA, least privilege/RBAC, disk/cloud encryption, logging/Audit, EDR; use monthly scans (Nessus/Qualys), automated patching, centralized logging/SIEM; log fixes into a POA&M and ticketing system. 🔎 Monitor & document: keep scan outputs, patch reports, CIS baselines, meeting notes, signed risk acceptance; schedule quarterly light reviews and annual full assessments. Example: a 30-person contractor 👥 fixed misconfigured S3 ☁️, enforced MFA 🔐, ran monthly scans 🔎, and used a POA&M 📋 to show auditors progress—avoiding costly discoveries after a breach 💸. Which part would you like a ready-to-use template or checklist for? ❓ Read more: 🔗 https://lnkd.in/eYjKGgun

1

Learn to break in. Build stronger defenses. Cybersecurity is learning how to break in so you can build stronger defenses. If you want a fast tour of popular platforms for labs and assessments, start here. 1. Kali Linux Curated pentest distro, great docs, runs on bare metal, VM, or WSL. https://www.kali.org 2. Parrot Security OS Debian-based, lighter feel, solid privacy defaults, and the “Home” edition works as a daily driver. https://www.parrotsec.org 3. BlackArch Arch-based with a massive tool repo. Best if you already live in Arch and want breadth of tools https://www.blackarch.org 4. Commando VM Windows-focused pentest environment from Mandiant. Handy for AD, Windows internals, and red team workflows. https://lnkd.in/ezFrrdez 5. CAINE Live Linux for digital forensics. Built for imaging, triage, timelines, and reporting. https://www.caine-live.net 6. Mobexler Prebuilt mobile app testing platform with Android and iOS tooling in one place. https://www.mobexler.com Note: Practice legal and ethical testing only.

1

1 Comment

As organizations continue to adopt cloud-native technologies, implementing strong security practices is crucial. In this RSAC Blog, CloudRay Developer Relations Engineer Durojaye Olusegun outlines strategies, challenges, and advice for optimizing your cloud-native security practices. https://spr.ly/6043CXC75

13

1 Comment

Big news: Exacom’s HindSight™ 4 logging recorder is officially JITC recertified and approved for virtual deployments on Windows Server 2022! This recertification keeps HindSight on the DoDIN APL through 2027, ensuring federal, public safety, and critical infrastructure agencies can rely on secure, flexible, and future-ready recording — whether on-premises or virtual. Proud to keep raising the bar for trusted mission-critical recording. Read the full announcement: https://lnkd.in/eCp4fVq4 #DoDINAPL #JITC #MissionCritical #PublicSafety

15

For small defense subcontractors, cybersecurity compliance means understanding the critical importance of DFARS 252.204-7012. Here’s a clear explanation of how the DFARS clause ties into NIST SP 800-171 and Cybersecurity Maturity Model Certification (CMMC) framework requirements. https://lnkd.in/e-dSabHg #DefenseContracting, #DFARS, #CMMC, #Cybersecurity, #SupplyChainSecurity #NIST

7

A new joint publication from CISA, NSA, ASD’s ACSC, NCSC-NZ, BSI, ANSSI, CERT-In, CSA, and 10+ other national cybersecurity agencies sets a shared vision for Software Bill of Materials (SBOM) adoption as a baseline for software supply chain security. ▪️Why do we think this is important? Modern software is composed, not built, bundling dozens to hundreds of libraries and transitive dependencies. Without visibility, vulnerabilities like Log4Shell spread silently across critical infrastructure, OT/ICS environments, and enterprise IT. SBOM = Transparency. ▪️For Product, Platform & Integrators (incl. developers & vendors) Automate build-time SBOM generation with SPDX, CycloneDX, or SWID. Track upstream components to avoid end-of-life or unsupported code. Reduce code bloat by mapping unused or redundant dependencies. Integrate SBOM into CI/CD pipelines for real-time dependency vetting. Combine with VEX (Vulnerability Exploitability eXchange) to communicate exploitability context, not just presence of a CVE. ▪️For Buyers (procurement & supply chain teams) Require SBOM deliverables in RFPs and contracts as part of software assurance. Automate correlation of SBOM entries with vulnerability databases (e.g., NVD, CSAF advisories). Enforce geographic, supplier, or license restrictions at procurement stage. ▪️For Operators (post-deployment teams) Use SBOM data to enable asset inventory convergence, knowing not just the system, but what’s inside the system. Integrate with threat intel feeds to triage exposure when new vulnerabilities appear. Apply compensating controls (segmentation, firewall rules, isolation) when patches are unavailable. Reduce MTTR (mean time to remediate) across the supply chain by enabling automated dependency scanning. Core Technical Principles from the Guidance Machine-processable formats: Essential for automation, manual SBOMs lose value. Continuous monitoring: Map components to CVE/CVSS data continuously, not at release only. Lifecycle integration: Generate SBOMs at multiple points, source, build, and binary analysis. Secure by Design alignment: Embedding SBOM supports the principle of “radical transparency & accountability” in software supply chains. License intelligence: Automate compliance tracking to avoid fines, recalls, or legal disputes. ▪️Why it’s a turning point When agencies across Five Eyes, EU, and Asia-Pacific align, it signals SBOM adoption will shift from best practice → procurement baseline → regulatory mandate. Expect to see SBOM requirements embedded in: Critical infrastructure procurement (energy, water, telecoms). Regulatory regimes (e.g., EU Cyber Resilience Act, U.S. EO 14028). Global certification schemes and secure software labeling. Read the full guidance here: CISA – A Shared Vision of SBOM for Cybersecurity https://lnkd.in/gua2XCeQ

7

CMMC is not ISO 27001. It’s not Essential Eight. And it’s directly tied to DoD contract eligibility. CMMC Level 2 requires demonstrable alignment to NIST SP 800-171. That means: ·        Technical control implementation ·        Evidence-backed compliance ·        Defined ownership ·        Ongoing monitoring For Australian Defence suppliers, this isn’t branding. It’s a commercial gatekeeper. Understanding your gap early gives you time to plan remediation properly – instead of reacting under pressure. Request a CMMC Gap Briefing now 👉 www.whitehawk.com

3

When posed with a question about quantum cryptography readiness, Ankit Gupta, ISSMP, CISSP, CCSP, realized he and the organization didn’t have an answer. He explains what he did, what worked and what he learned trying to make quantum security real before the threat becomes real: https://ow.ly/bxca50WrXU3

27

1 Comment

This document contains mappings of the CIS Controls v8.1 and CIS Safeguards to the AICPA Trust Services Criteria (SOC2) March 2020 Update. https://bit.ly/3ESt0Xs #CISControls #cybersecurity

19

"For companies working under DFARS 252.204-7019, DFARS 252.204-7020, NIST SP 800-171, and CMMC, self-scoring in SPRS isn’t optional—it’s a contractual requirement. And failing to submit or update your score could cost you current & future opportunities." #SBIR #SPRS #Compliance

1

Cybersecurity isn’t optional — it’s mission-critical. Together, IMPRES and Cisco deliver secure, compliant architectures built to meet and exceed DoD STIG standards. From hardening systems to supporting ATO packages, our engineers ensure every deployment aligns with DISA, RMF, and FedRAMP requirements — protecting missions that matter most. #IMPRES #FederalIT #Cybersecurity

15

Yesterday, FERC formally approved NERC CIP-015-1 for internal network security monitoring. CIP-015-1 is a clear message: perimeter defenses alone aren’t enough. Medium and High Impact NERC facilities must now monitor internal OT network traffic to detect and respond to threats *inside* the Electronic Security Perimeter. This aligns directly with what we deliver at ProArch: ✅ Internal network visibility ✅ Actionable response ✅ Compliance reporting ✅ And it’s all managed by experts who know SCADA, not just Windows logs. What CIP-015-1 requires: R1 – Implement processes to monitor, detect, and evaluate anomalous activity within the Electronic Security Perimeter (ESP) (i.e., control/SCADA networks). R2 – Retain data related to the anomalous activity detected under R1. R3 – Protect retained data from unauthorized modification or deletion. While Low Impact sites aren’t in scope (yet), now is the time to level up OT security across the board.

16

The DoD has launched a framework applying zero trust principles to operational technology and critical systems that manage physical infrastructure. This move highlights the growing need for continuous authentication and granular controls as data flows between IT and OT environments. Protecting these systems is essential to safeguarding sensitive operational data and ensuring resilience against ever-evolving cyber threats.  Read more: https://lnkd.in/du95MrEz #Data #ZeroTrust #CyberResilience #OperationalTechnology

6