Mike DeYoung
Smithville, Missouri, United States
62 followers
59 connections
Explore more posts
Christopher Plummer, CISSP
Censys and VirusTotal are part of the backbone of threat monitoring and alerting services which the Cybersecurity and Infrastructure Security Agency provides - free of charge - to American critical infrastructure sectors. The agency uses Censys and VT data to inform your schools, your towns, your hospitals, energy, food supply, water, you name it, the list goes on - CISA informs them when something looks imminently dangerous in their public-facing networks. This monitoring has to happen, because our government doesn't fund cyber protections for our critical infrastructure sectors. Not even your hospitals. It is the haves, and the have nots. If you have the money, you are aware of your security problems and can fix them. If you don't have the resources, you are destined to experience a security event, which could be and often is the worst case scenario: complete operational disruption. When this happens in a hospital, people can die. So we are grateful to CISA, as they extend their services to our nation's 6,000+ hospitals, all of which are built completely differently. I have directed many needy healthcare organizations to use these service offerings, many of which had no ability to fund such a capability on their own. CISA quite literally keeps their lights on and keeps their doors open. In your darkest hour of need, you are grateful for that. Tampering with the integrity of these services, which is what we are seeing here, makes this nation less safe. Cybersecurity intelligence requires marrying disparate sources of information to create a composite. Not all services see the same things. You need as much as you can get. Censys is an incredibly deep well of data which - in the years I have been using their data - surfaces things no one else sees. VirusTotal is one of our planet's oldest and largest malware resources. You would never consciously stop using it as a reference.
Unless your endgame was some wet-behind-the-ears, AI-generated efficiency mission lacking any kind of practical experience. Which seems in large part to be what our administration is hell bent on moving forward lately. Chop it down, drive it off a cliff, don't worry - we'll let you know later what the plan is. That's not how you run a business. It's not how you run a government. It's shadowy, it's not transparent, and it's not democratic. Everyone deserves more than this. Everyone. There are costs to be saved in this government. This is not how you do it. I don't care how you voted, but you didn't vote for this. This isn't some kind of chainsaw artistry, where the end result defies your initial expectations. This is a hack job which very likely intends to line someone's pocket. It's not going to be yours, and it's going to be at the expense of your safety. If you are so inclined, please tell your elected representatives to leave CISA the hell alone. The unfollow button is right there. https://lnkd.in/e7T6uq6j
211
14 Comments
Frank Angiolelli
I gave a SOC leader more clarity in 4 weeks than his team had in 12 months. That’s not a brag. Here's how. It’s a reflection of how stuck most Security Operations Centers really are. I was brought in to help a SOC that had been trying (and failing) to build a reporting process. No metrics. No dashboards. No visibility. The CISO pulled me aside and said: “I’ve been asking for a monthly metrics deck for over a year. I’ve got nothing. Can you help?” My answer was clear: “You’ll have it in 4 weeks.” And they did. We didn't buy new tools. We didn’t hire a dozen people. We just sat down, looked at what was already there, and used it properly. The data already existed. The tools were already installed. But nobody had connected the dots. We built a one-page dashboard. All the right indicators. The leader described it as “dense as a neutron star.” It became their monthly briefing. Their single source of truth. And a huge trust driver across the business. Here’s the lesson for every SOC leader: Speed doesn’t come from new technology. It comes from clarity, focus, and execution. Sometimes, the answer is already on your desktop. You just need someone who knows where to look.
47
6 Comments
Dan Ciarlette
My two cents: A common theme I am seeing is you need to do the following better (not inclusive). 0. This is not a 1-month effort - don't underestimate it. It is a CMMC transformation of your organization in many cases. 1. Scoping 2. Scoping 3. Review the CMMC L2 Scoping Guide again, understanding asset types and CSP vs. ESP. You don't have to agree with it and you can go through the 7 stages of CMMC grief, but you have to do it. As an assessor I won't debate it, I will apply it. 4. Scoping 5. Understand your CUI categories. 5. SSP - it is a real document!!!! Be serious about it and make it CMMC compliant. It should have 110 CMMC requirements explicitly noted with CMMC and 320 objectives with CMMC nomenclature. Get help from a CMMC professional for scoping and SSP and the rest of the prep. 5. SSP - be serious about it. Read the CMMC L2 Assessment Guide. Notice it has 110 requirements and 320 OBJECTIVES. NIST SP 800-171 without reading 800-171A will mislead you. 110 statements saying "We do this" is not sufficient. Use the CMMC L2 Assessment Guide and NIST SP 800-171A to do your work in preparation. 6. SSP and supporting policies and procedures. In the SSP please refer to the supporting document (and section). This mapping ensures you have things covered. 7. There are some good examples of artifacts for each objective. Look at them, create the artifacts for your assessment. 8. Again for emphasis. SSP and supporting documents should have 110 controls/requirements and 320 objectives. Linkage in references in the SSP to the other documents is crucial. It not only aids the assessors but also aids you in making sure you have quality documents that cover everything. 9. Use a GRC tool like FutureFeed or IntelliGRC or others to help you manage your documentation package. I know I repeated some things. Why - because I am trying to emphasize these. 10. Along the way, have multiple versions of the SSP so you can show periodic review, create POA&Ms for the work you are doing.
Use a helpdesk tool to track things (even for a 1-person shop). Perform organizational risk assessments and anything else where you have to define a frequency or period and have proof it is being done.
33
11 Comments
Christopher Okpala
A lot of folks get tripped up when they hear the word overlay in RMF. Let me break it down real quick ⬇️ In simple terms, an overlay is just an adjustment to the baseline controls. Think of it like this: You start with a base like the Low, Moderate, or High baseline from NIST 800-53. But not every system is the same. Some need extra protection. Some have specific mission needs. Some operate in unique environments. 💡 That’s where overlays come in. They tailor the baseline to meet the specific risks or conditions of that system. 🔷 Working with classified systems? You’ll probably see CNSSI 1253 overlays. 🔷 Cloud systems? FedRAMP overlays all day. 🔷 A DoD system? It might pull from DoD-specific overlays on top of NIST. You’re not reinventing the wheel; you’re customizing the ride. Overlays make sure the security controls actually make sense for the system’s context. If you’re an ISSO, ISSE, or assessor, learn how to identify and apply overlays early in the process. It’ll save you a lot of rework when that SAR or ATO package gets reviewed. 🛡️ Want more RMF tips and real-world breakdowns? I got you. Follow for practical GovTech and compliance content that doesn’t put you to sleep. #RMF #GRC #NIST80053
17
2 Comments
Angela Polania, CPA, CISM, CISA, CRISC, CAISS, CMMC RP
I saw someone post something like this on LinkedIn and this is happening quite a bit to us as well. If the MSSPs/MSPs are not also falling in line with CMMC compliance then they need to be replaced... Tough conversations. Client (DIB OSC): “Hello, thanks for jumping on. We’re prepping for CMMC Level 2 and want to make sure we’re doing everything right. Our MSP handles the tech side.” Me: “Great. So just to confirm: who manages your firewall, patching, remote access, backups, endpoint management, MFA, logging?” Client: “All of that goes through our MSP. We trust them and they’ve been with us for years.” Me: “Perfect. Then we’ll need to include them in the assessment scope.” MSP (suddenly alert): “Wait…us? We're just the service provider. Why would we be in scope?” Response: “Because, in terms of CMMC, you’re an External Service Provider. You manage, protect, and remotely access systems that process, store, or transmit CUI.” MSP: “But we’re not storing CUI ourselves.” Me: “You don’t have to. If you provide security protection like monitoring, patching, access control, endpoint management or even hold admin credentials, then you’re in.” Typical questions asked of MSPs that they get nervous on: “Do you log admin activity and how long do you retain the logs?” “Do you use FIPS-validated encryption on all backups and data at rest?” “Do you have a documented incident response plan aligned to your client’s CUI systems?” "How are printers managed to ensure that CUI is handled as required by CMMC?" ETC. ETC. MSP (uncomfortably): “...Um, no. I don't know. We didn’t know we’d be assessed too.” MSPs: Time to make a BUSINESS decision. You're either: A CMMC-aligned External Service Provider with a customer responsibility matrix, SSP, documented controls, full implementation, and audit-ready discipline OR You’re pretending you’re ready while your client’s contract and reputation hang in the balance. You’re either securing the mission or compromising it.
For some clients, only a limited set of users are in scope. Are those users going to be managed by 2 MSPs? Or separate them into groups? I have a client considering this now. Thoughts?
23
2 Comments
Najad Jamal
The Truth About Zero Trust: Strategy vs. Marketing Hype In recent years, "Zero Trust" has become a cybersecurity buzzword. But has its true meaning been lost in the noise? Reality Check: Zero Trust isn't a product you can buy off the shelf. It's a comprehensive security strategy aimed at minimizing implicit trust and enforcing continuous verification across an organization's entire digital ecosystem. What it's NOT: 1. A single tool or solution 2. A quick fix for all security woes 3. A one-size-fits-all approach What it IS: 1. A mindset shift in how we approach security 2. A continuous process of authentication and authorization 3. A holistic strategy that touches every layer of IT infrastructure Key Principles: 1. Never trust, always verify 2. Assume breach 3. Least privilege access Let's move beyond the marketing hype and focus on implementing Zero Trust the right way, as a strategic, adaptable security framework that strengthens our defenses. #ZeroTrust #CyberSecurity #SecurityStrategy
16
Ajay Chandhok
🔒 Access your CMMC L2 Enclave securely in a browser without bringing your endpoint into scope 👇 Read on if: -You don't want 2 workstations: 1 for CMMC and 1 for Corporate -You want to be able to access applications from any device while being secure and compliant -You don't want to worry about disrupting your current corporate infrastructure -You still want to use desktop Microsoft Applications Using Cloudflare, M365 GCC High, and Windows 365 Cloud PCs for Government we can create a robust and efficient architecture that also works with on-premise applications. 🌐 Cloudflare Remote Browser Isolation (RBI) When users access any application, Cloudflare RBI creates a virtual browser in the cloud that executes all web code at Cloudflare's edge. Only safe rendered information is streamed to the end-user device as pixels. No actual HTML, JavaScript, potentially malicious code, company data, or CUI ever reaches the local device. 💻 Windows 365 Cloud PCs All desktop applications (including M365 suite) run entirely within Windows 365 Cloud PCs hosted in Azure Government. This environment is: • Secured by Microsoft Defender • Managed via Intune • Protected by Entra ID conditional access 🔐 Complete Access Control Architecture End users → Cloud PC → M365 GCC High Desktop applications End users → Cloudflare RBI → M365 GCC High web applications 🌟 Key Benefits of This Approach 1️⃣ Dramatic Scope Reduction By isolating all CUI to cloud environments and ensuring no data reaches end-user devices, you shrink CMMC assessment boundaries significantly. This means fewer systems to document, fewer controls to implement, and faster assessment completion. 2️⃣ Simplified Remote Work Security Employees can access sensitive systems using any device without compromising security. If you're interested in easy-to-use and low cost CMMC L2 solutions DM me for more information!
23
27 Comments
Michael F.
✅ Just wrapped up training on building a HIPAA compliance program — specifically designed for IT and information security professionals working with healthcare organizations. This isn’t just about checking boxes. Understanding HIPAA is critical if you’re protecting networks, systems, or data tied to patient health information. In healthcare, a data breach isn’t just a PR issue — it can affect lives, careers, and entire practices. 🧠 Here’s why this matters: •HIPAA isn’t optional — it’s the law. •Cybersecurity in healthcare comes with a different level of accountability. •IT pros who understand HIPAA stand out as trusted advisors — not just tech support. 🎯 Whether you’re managing a small clinic’s systems or advising a hospital, being able to guide them through HIPAA compliance makes you indispensable. If you’re in IT, Information Security or Cybersecurity, get familiar with the frameworks that matter in your clients’ industries — HIPAA for healthcare, PCI for retail, NIST/CMMC for gov contracts. It’s not just about being secure, it’s about being compliant and secure. I’m grateful to keep learning, growing, and equipping myself to serve better — especially in spaces where lives and livelihoods are on the line. #HIPAACompliance #HealthcareCybersecurity #ITSecurity #CyberPros #ComplianceMatters #InformationSecurity #TechForGood #AspireByte #LearningNeverStops #FrameworkFocused #ITLeadership #CyberTech
16
4 Comments
Matthew K. Koenig
VULNERABILITY SCANNING VERSUS PEN TESTING! I cannot take it anymore. 😂 I read post after post about people wanting certain tools and others making recommendations for tools that do not do what they are asking for. Yes, I am a vendor but I am keeping my company out of this post. There are three pieces to a security stack regardless of whatever vendor you choose. Proactive - MFA, Security Awareness Training, IAM, Email Security, backup, etc. These are the things you do on a daily basis to try and prevent anything happening to your clients. Testing - This is Pen Testing, Recovery of a backup, etc. You are trying to prove the things you are proactively doing are working. Reactive - EDR, MDR, SOC Services, etc. No matter what you do something is going to get through and you want something standing there saying “not on my watch”. So please, please, please…listen. Vulnerability Management is based on proactive measures that find vulnerabilities based on CVEs and score them with both CVSS and EPSS scoring methodologies so you know where to focus your attention on fixing. Pen Testing is where you try to break through your system AFTER you have found and fixed the vulnerabilities that exist. Think of going to the doctor and, based on your blood test, they tell you that they think you could have heart problems. They want you to eat a certain way, exercise a certain way and take specific medicine. This is vulnerability management. Once a year you go to the hospital for a stress test and blood work. This is a Pen Test. Is what you are doing having the desired results? I know certain vendors can make it slightly confusing, but I promise, there is NO tool out there that I know of that does both of these things and does them in a complete and top-tier manner. Let me know if you have any questions on any specific vendors and I am happy to help. Also, I have NO issue even making an introduction to a competitor if that is what is best for you. Remember, BIG industry and small community.
We all need to have each other's backs. PS - for those of you that will make comments like "this is ridiculous" or "really, this is an issue", etc.: I talk to hundreds of MSPs per month and trust me, this needs to be said. People just need a little help and any vendor worth a crap should be willing to offer it. Nodeware®
23
2 Comments