Friday, March 17, 2017

Manufacturing meets Security

If you are a government defense contractor and you receive controlled unclassified information, you must comply with NIST SP800-171.

In April of 2015, NIST published the first public draft of something called SP800-171 which described requirements for protecting controlled unclassified information on non-federal information systems and organizations. The government also published regulation (DFARS 252.204-7012) that states that any entity that collects, develops, receives, transmits, uses, or stores defense information in support of a government contract must abide by the guidance in SP800-171 – with a deadline of compliance to happen by December of 2017. That’s right around the corner!

What does all of this mean?

There are 14 categories of compliance and each one has numerous objectives that must be achieved. This means that there are various processes, procedures and probably systems that you will have to implement to achieve compliance with this mandate. There is a lot of guidance on the internet on how to comply, but much of this information is obscure and difficult to read. Putting together a game plan for compliance can be a daunting task – especially if you don’t know how to comply with items such as Performing a Risk Assessment or Create a Vulnerability Program.

Let me know if I can help - I'm continually working with organizations that have compliance challenges and helping put together strategies for understanding where the gaps are and executing projects to close those gaps.

Wednesday, March 1, 2017

Examinations focusing on Cyber for brokerage and securities firms

The banking industry has traditionally been the poster child of regulation. I’ve been dealing with federal and state regulators since I started in the industry back in the early 90’s. I can remember one of my first “IT Examinations” back in 1995 - The examiners at the time were more interested in getting up to speed on the rapidly evolving technology than they were with being able to provide direction to the bank. Those days are definitely over and many very talented and skilled examiners now exist at every agency that regulates banking.

Review of technical controls back then may have been a bit of a joke, but nowadays, it’s no laughing matter, which is evident by the ramping up of cyber-security by the examination body that regulates brokerage and securities firms – the OCIE.  While the OCIE has always been in place as an examining body of the SEC, the effort spent on IT was marginal at best - That is about to change.

Last year around this time, the OCIE came out with a Risk Alert that stated that they were going to be focusing  their efforts on cyber-security and published a document that illustrates what they will be looking for ( Additionally, the SEC came out with a document illustrating their Examination Priorities for 2017. (

Glancing through the appendix of the first document, the traditional banker wouldn’t bat an eye, but if you are a small securities firm, this is something that will likely give you pause. It discusses such topics as periodic assessments, vulnerability scans, and policies. These are not typically a problem and can be put in place rather quickly, but what about nebulous areas like data mapping, data classification, risk management, vendor management and incident response? That’s a heavy weight on the shoulders of a small IT staff – especially if most of those terms are unfamiliar!

The company I work for can help you put together a strategy for understanding where the gaps are and executing the project to close those gaps. Compliance initiatives are something we work with continually across many industries. Contact me for more information or if I can help in any way.