Essential Privileged Access Management Requirements for Government Compliance


Government agencies hold large volumes of sensitive information and are under constant pressure to keep it out of the hands of attackers. Privileged Access Management (PAM) has become a linchpin in that effort, because privileged accounts are the ones an attacker most wants to compromise and the ones whose misuse does the most damage. As attackers grow more capable, the requirements placed on PAM have grown with them, prompting agencies to reassess their security strategies and move toward a zero-trust model.

This article covers the essential components of privileged access management for government compliance. It describes the critical features agencies should consider to bolster their security posture, including least privilege and risk management, sets out the common hurdles in putting PAM into practice in government settings, and offers practical ways to overcome them. By the end, readers should have a clearer picture of how to align their PAM practices with regulatory requirements and industry best practice.

Critical PAM Features for Government Agencies

Government agencies face constant threats to their sensitive information, and Privileged Access Management (PAM) is one of the most effective controls against breaches and unauthorized access. The features below are the ones agencies should weigh most heavily when selecting or maturing a PAM capability.

Privileged Account Discovery and Management

Every system in an agency's estate has its own set of privileged credentials: local administrators, domain administrators, database superusers, service accounts, cloud roles. Without a deliberate process for finding them, nobody holds a complete list, and an account nobody knows about is an account nobody is protecting.

Privileged account discovery is the process of building that list. It should cover every environment, from Windows and Unix/Linux hosts to databases, applications and cloud platforms [1], and it must go beyond the obvious named administrators to find privileged group memberships, orphaned accounts left behind by departed staff or decommissioned systems, rogue accounts created outside the provisioning process, and vendor default accounts that were never removed.

Once discovered, these accounts need to be brought under management. This involves:

  1. Establishing a comprehensive privilege management policy
  2. Enforcing least privilege principles
  3. Implementing dynamic, context-based access

By doing so, agencies can significantly reduce their attack surface and mitigate the risk of privileged account abuse [2].
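The discovery step above is the one most agencies get wrong by doing it by hand. The following is an added example, not code from the IDManagement.gov playbook or any vendor: it runs the discovery logic over constructed copies of a Linux host's /etc/passwd, /etc/group and sudoers file and reports every account that holds privilege, together with the reason (uid 0, privileged group membership, a direct sudo rule, a vendor default name with a login shell) and the orphans: principals referenced in a group or a sudo rule that no longer exist in passwd. The admin group names and the list of default account names are assumptions for the example; in a real estate they come from the agency's privilege management policy.

```python
"""Privileged account discovery over Linux identity files (added example).

Scans constructed copies of /etc/passwd, /etc/group and sudoers and reports
which accounts hold privilege and why. ADMIN_GROUPS and DEFAULT_NAMES are
assumptions for the example, not values taken from any standard.
"""
from collections import defaultdict

ADMIN_GROUPS = {"sudo", "wheel", "admin"}                 # assumed privileged groups
DEFAULT_NAMES = {"admin", "guest", "support", "ubuntu"}   # assumed vendor/default names
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample data: one rogue uid-0 account, one vendor default,
# one orphaned group member and one orphaned sudoers principal.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
toor:x:0:0:backdoor:/root:/bin/bash
admin:x:1003:1003:vendor default:/home/admin:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,carol
wheel:x:10:
users:x:100:alice,bob
"""
SUDOERS = """\
# constructed sudoers
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl
dave    ALL=(ALL) ALL
"""


def parse_passwd(text):
    """name -> {uid, gid, shell}; passwd has exactly seven colon-separated fields."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """name -> [members] from the fourth field of each group entry."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def parse_sudoers(text):
    """Return (user principals, group principals) that carry a sudo rule."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        principal = line.split()[0]
        if principal.startswith("%"):
            groups.add(principal[1:])
        else:
            users.add(principal)
    return users, groups


def discover(passwd_text, group_text, sudoers_text):
    """Map account name -> list of reasons it is privileged or suspicious."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    sudo_users, sudo_groups = parse_sudoers(sudoers_text)
    findings = defaultdict(list)

    for name, u in users.items():
        if u["uid"] == 0:
            findings[name].append("uid 0 (root-equivalent)" if name == "root"
                                  else "rogue: uid 0 but not root")
        if name in DEFAULT_NAMES and u["shell"] not in NOLOGIN_SHELLS:
            findings[name].append("default/vendor account with login shell")

    # Group-based privilege: admin groups by policy plus any group named in sudoers.
    for gname, members in groups.items():
        if gname in ADMIN_GROUPS or gname in sudo_groups:
            for m in members:
                if m in users:
                    findings[m].append(f"member of privileged group {gname}")
                else:
                    findings[m].append(f"orphaned: listed in group {gname} but absent from passwd")

    for u in sudo_users:
        if u in users:
            findings[u].append("direct sudoers rule")
        else:
            findings[u].append("orphaned: sudoers rule for account absent from passwd")

    return dict(findings)


if __name__ == "__main__":
    for account, reasons in sorted(discover(PASSWD, GROUP, SUDOERS).items()):
        print(f"{account:8s} {'; '.join(reasons)}")
```

Accounts with no findings (here, daemon) are omitted, which is the point of discovery: the output is the working inventory that the management policy, least-privilege enforcement and context-based access controls are then applied to. The same structure extends to Windows (local Administrators group membership, domain admin groups) and cloud platforms (IAM roles with wildcard policies), each needing only its own parser.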

Just-in-Time Access

Just-in-Time (JIT) access replaces standing privilege with privilege that exists only for the task at hand. Instead of giving users permanent elevated rights, JIT access grants them when needed, for a specific duration, and removes them afterwards [3].

Here’s how it works:

  1. Users request access for a specific task
  2. The system grants temporary elevated privileges
  3. Once the task is complete, access is automatically revoked

This approach offers several benefits:

  Reduced risk: minimizes the window of opportunity for an attacker who captures or abuses a privileged credential
  Improved compliance: simplifies auditing by producing a complete audit trail for every elevation
  Enhanced efficiency: automates the approval process, reducing wait times

JIT access is particularly useful for managing third-party access and service accounts, ensuring that privileged access is granted only when necessary and for the shortest time possible [4].
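The three-step flow above (request, temporary grant, automatic revocation) is small enough to show end to end. The block below is an added example, not code from CyberArk, StrongDM or any other cited product: a minimal JIT broker that issues grants scoped to one user, resource and role, enforces a maximum TTL, refuses self-approval, revokes expired grants the moment they are checked, and writes every decision to an audit trail. The approver policy, resource names and ticket identifiers are assumptions for the example; the clock is passed in explicitly so expiry can be exercised without waiting.

```python
"""Just-in-time privilege broker (added example, not vendor code).

A grant exists only for one user/resource/role and one TTL; is_authorized()
revokes expired grants on sight and every decision is logged. The approver
policy, resource names and ticket ids below are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str
    resource: str
    role: str
    granted_at: datetime
    expires_at: datetime
    ticket: str                  # change/incident reference kept for the audit trail


@dataclass
class JitBroker:
    max_ttl: timedelta = timedelta(hours=1)                 # assumed policy ceiling
    approvers: dict = field(default_factory=dict)           # role -> set of approver ids
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request(self, user, resource, role, ticket, approver, ttl, now):
        """Approve a scoped, time-boxed elevation, or reject it with a recorded reason."""
        if ttl > self.max_ttl:
            self._log("rejected", user=user, resource=resource, reason="ttl exceeds policy")
            return None
        if approver == user or approver not in self.approvers.get(role, set()):
            self._log("rejected", user=user, resource=resource, reason="approver not permitted")
            return None
        g = Grant(user, resource, role, now, now + ttl, ticket)
        self.grants.append(g)
        self._log("granted", user=user, resource=resource, role=role, ticket=ticket,
                  approver=approver, expires_at=g.expires_at.isoformat())
        return g

    def expire(self, now):
        """Automatic revocation: drop every grant whose TTL has elapsed."""
        still_valid = []
        for g in self.grants:
            if g.expires_at <= now:
                self._log("expired", user=g.user, resource=g.resource, role=g.role, ticket=g.ticket)
            else:
                still_valid.append(g)
        self.grants = still_valid

    def is_authorized(self, user, resource, role, now):
        """True only while an unexpired grant for exactly this scope exists."""
        self.expire(now)
        return any(g.user == user and g.resource == resource and g.role == role
                   for g in self.grants)

    def revoke(self, user, resource, now):
        """Early revocation when the task finishes before the TTL runs out."""
        before = len(self.grants)
        self.grants = [g for g in self.grants if not (g.user == user and g.resource == resource)]
        if len(self.grants) != before:
            self._log("revoked", user=user, resource=resource, at=now.isoformat())


def demo():
    """Walk through request -> temporary grant -> automatic expiry, plus two refusals."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    broker = JitBroker(approvers={"db-admin": {"carol"}})
    granted = broker.request("alice", "prod-db-01", "db-admin", "CHG-1234", "carol",
                             timedelta(minutes=30), now=t0)
    during = broker.is_authorized("alice", "prod-db-01", "db-admin", t0 + timedelta(minutes=10))
    after = broker.is_authorized("alice", "prod-db-01", "db-admin", t0 + timedelta(minutes=31))
    too_long = broker.request("bob", "prod-db-01", "db-admin", "CHG-1235", "carol",
                              timedelta(hours=8), now=t0)
    self_approved = broker.request("dave", "prod-db-01", "db-admin", "CHG-1236", "dave",
                                   timedelta(minutes=5), now=t0)
    return {
        "granted": granted is not None,
        "authorized_during_ttl": during,
        "authorized_after_ttl": after,
        "too_long_refused": too_long is None,
        "self_approval_refused": self_approved is None,
        "audit_events": [e["event"] for e in broker.audit],
    }


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to any real deployment: authorization is evaluated against the current time on every check rather than at grant time, so a grant cannot outlive its TTL even if the revocation job is late, and refusals are logged with a reason, which is what makes the audit trail useful to a reviewer rather than merely complete.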

Behavioral Analytics and Threat Detection

In the world of cybersecurity, knowing what’s normal is key to spotting what’s not. That’s where behavioral analytics comes into play. By leveraging artificial intelligence (AI) and machine learning (ML), PAM solutions can create baseline user behavior patterns for privileged users and accounts [5].

This advanced feature allows agencies to:

  1. Continuously monitor privileged systems in real-time
  2. Identify and flag anomalous activities
  3. Perform root cause analysis using forensic data

For instance, if a privileged user suddenly attempts to access systems from an unusual location or at an odd hour, the system can automatically flag this behavior for review [6].

By integrating User Behavior Analytics (UBA) with PAM solutions, government agencies can gain deeper insights into potentially malicious activities. This proactive approach enables security teams to spot and suspend suspicious actions before they escalate into full-blown security incidents [5].
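The location-and-hour example above is the simplest form of baselining, and it is worth seeing how little is needed to get a first signal. The block below is an added example, not code from ManageEngine, CyberArk or any other cited product: it learns a per-user baseline (source countries, hours of day and target hosts) from a constructed training log of privileged sessions, then scores a second batch of constructed events and reports each deviation with its reason, including a privileged identity that has no baseline at all. Field names, the log format and the one-hour tolerance are assumptions for the example.

```python
"""Baseline-and-deviation detection for privileged sessions (added example).

Learns per-user baselines from a constructed training log, then scores new
events and reports why each one is anomalous. The log format, field names
and HOUR_TOLERANCE are assumptions for the example, not any product's schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed training window: alice works US business hours, bob runs UK night builds.
TRAINING_LOG = """\
2024-03-04T09:12:03Z user=alice geo=US host=vault-01 action=checkout
2024-03-04T10:45:19Z user=alice geo=US host=prod-db-01 action=session
2024-03-05T08:58:41Z user=alice geo=US host=vault-01 action=checkout
2024-03-05T14:20:07Z user=alice geo=US host=prod-db-01 action=session
2024-03-06T09:30:55Z user=alice geo=US host=prod-db-02 action=session
2024-03-04T22:05:11Z user=bob geo=GB host=build-01 action=session
2024-03-05T23:14:36Z user=bob geo=GB host=build-01 action=session
2024-03-06T21:48:02Z user=bob geo=GB host=build-02 action=session
"""

# Constructed events to score: one normal, one odd-hour/odd-location, one new host, one unknown user.
NEW_EVENTS = """\
2024-03-07T09:05:00Z user=alice geo=US host=vault-01 action=checkout
2024-03-07T03:17:44Z user=alice geo=RO host=prod-db-01 action=session
2024-03-07T22:10:09Z user=bob geo=GB host=dc-01 action=session
2024-03-07T11:00:00Z user=mallory geo=US host=vault-01 action=checkout
"""

HOUR_TOLERANCE = 1   # hours beyond the observed ones that are still considered usual (assumed)


def parse(line):
    """'<timestamp> k=v k=v ...' -> dict with the fields plus the hour of day."""
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["hour"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return ev


def build_baseline(log_text):
    """user -> sets of countries, hosts and hours observed in the training window."""
    base = defaultdict(lambda: {"geo": set(), "hosts": set(), "hours": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        b = base[ev["user"]]
        b["geo"].add(ev["geo"])
        b["hosts"].add(ev["host"])
        b["hours"].add(ev["hour"])
    return dict(base)


def hour_is_usual(hour, seen_hours, tolerance=HOUR_TOLERANCE):
    """Circular comparison so that 23:00 and 01:00 are two hours apart, not 22."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in seen_hours)


def score(ev, baseline):
    """List of reasons this event deviates from the user's baseline (empty if none)."""
    b = baseline.get(ev["user"])
    if b is None:
        return ["no baseline for user (new privileged identity)"]
    reasons = []
    if ev["geo"] not in b["geo"]:
        reasons.append(f"unusual location {ev['geo']} (seen: {sorted(b['geo'])})")
    if not hour_is_usual(ev["hour"], b["hours"]):
        reasons.append(f"unusual hour {ev['hour']:02d}:00 (seen: {sorted(b['hours'])})")
    if ev["host"] not in b["hosts"]:
        reasons.append(f"first access to {ev['host']}")
    return reasons


def detect(training_text, events_text):
    """Return [(user, host, reasons)] for every event that deviates from its baseline."""
    baseline = build_baseline(training_text)
    flagged = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        reasons = score(ev, baseline)
        if reasons:
            flagged.append((ev["user"], ev["host"], reasons))
    return flagged


if __name__ == "__main__":
    for user, host, reasons in detect(TRAINING_LOG, NEW_EVENTS):
        print(f"{user}@{host}: " + "; ".join(reasons))
```

Set membership is a deliberately crude baseline; a production UBA engine replaces it with frequency distributions and a risk score, and ML adds features such as command sequences and session duration. The structure is the same, though: learn what is normal per identity, score each new privileged action against it, and surface the reason so an analyst can decide whether to suspend the session.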

Overcoming PAM Implementation Challenges in Government

Implementing Privileged Access Management (PAM) in a government agency means changing how administrators work on systems that cannot be taken offline, some of which predate the people now operating them. The hurdles below are the ones that most often stall a PAM program, along with ways to clear them.

Legacy System Integration

Government IT estates are rarely uniform; they accumulate layers of technology from different decades, and the oldest layers are often the most critical. Legacy systems frequently lack modern authentication interfaces, which makes it hard to bring their privileged accounts under a central PAM control.

To tackle this, agencies should look for PAM solutions that work with the infrastructure they already have. A good PAM solution should integrate with existing directories, multi-factor authentication mechanisms, single sign-on solutions and other IT tooling rather than requiring those to be replaced [7].

Here’s a checklist for smooth integration:

  1. Choose a solution that’s FedRAMP Authorized for easier procurement [8].
  2. Opt for cloud-based solutions to reduce maintenance headaches [8].
  3. Look for agentless solutions to simplify deployment in high-security environments [8].
  4. Prioritize solutions that centralize management of legacy software [7].

User Adoption and Training

Introducing a new PAM system changes the daily routine of the administrators who are most likely to resist it. Success depends on making the transition as painless as possible for them.

To boost user adoption:

  1. Start small: begin with teams you trust, then expand outward [9].
  2. Communicate, communicate, communicate: explain changes clearly and frequently [9].
  3. Simplify the jargon: break complex terms down into plain language [9].
  4. Choose user-friendly solutions: look for platforms that administrators find intuitive [7].

Remember that a successful PAM implementation requires coordination between several IT teams, from directory services to server build teams [9].

Continuous Monitoring and Improvement

Implementing PAM is not a one-time project. The privileged accounts, systems and threats it governs all change, so continuous monitoring and improvement are essential to keeping the control effective.

Here’s how to keep your PAM system in tip-top shape:

  1. Perform regular security assessments to stay ahead of new threats [10].
  2. Keep security documentation current [10].
  3. Implement strong configuration management and change control processes [10].
  4. Develop and maintain an incident response plan that’s ready for action at a moment’s notice [10].

By embracing these strategies, government agencies can overcome the challenges of PAM implementation and build a system that is both secure and adaptable. In security, standing still is moving backward: keep evolving, adapting and improving.

Conclusion

As government agencies grapple with ever-evolving cyber threats, the adoption of robust Privileged Access Management (PAM) practices has become crucial to safeguard sensitive information. The implementation of essential PAM features, such as privileged account discovery, just-in-time access, and behavioral analytics, has a significant impact on enhancing security postures and ensuring compliance with regulatory requirements. By embracing these features, agencies can minimize their attack surface, improve efficiency, and stay one step ahead of potential security breaches.

To successfully implement PAM, government agencies must overcome challenges like integrating with legacy systems, fostering user adoption, and maintaining continuous improvement. The key to addressing these hurdles lies in choosing flexible solutions, prioritizing user-friendly interfaces, and committing to ongoing monitoring and refinement. By taking these steps, agencies can create a secure and efficient PAM system that adapts to changing threats and technologies, ultimately strengthening their overall cybersecurity stance.

FAQs

  1. What are the essential features of a Privileged Access Management (PAM) system?
    A PAM system should include features that align with your established policies, such as automated password management and multifactor authentication. It is important that administrators can automate the creation, modification, and deletion of accounts to maintain security and efficiency.
  2. What should a Privileged Access Management system ideally prevent?
    A robust PAM system should ensure that privileged users never learn the actual passwords to critical systems and resources. Credentials stay in a vault and are injected into sessions or rotated by the PAM system, so they cannot be written down, shared, or used to log in to a device outside the managed path.
  3. What does NIST 800-53 define in terms of privileged account management?
    NIST SP 800-53 does not define "PAM" as a product category, but its Access Control family sets out the underlying requirements: AC-2 (Account Management) covers the creation, monitoring and removal of accounts, including privileged ones, and AC-6 (Least Privilege) requires that privileged access be limited to what a role needs and that the use of privileged functions be logged. Privileged account management is therefore a central part of applying least privilege: controlling access to privileged accounts, permissions, workstations and servers to minimize the risk of unauthorized access, misuse or abuse.
  4. What encompasses privileged access management according to NIST?
    Across NIST guidance, privileged access management (PAM) refers to the strategies and technologies used to secure, monitor and control privileged accounts: accounts that hold more rights than ordinary user accounts and therefore need stricter controls and closer monitoring.

References

[1] – https://www.idmanagement.gov/playbooks/pam/
[2] – https://www.beyondtrust.com/resources/glossary/privileged-access-management-pam
[3] – https://www.cyberark.com/what-is/just-in-time-access/
[4] – https://www.strongdm.com/blog/just-in-time-access
[5] – https://www.manageengine.com/privileged-access-management/privileged-user-behavior-analytics.html
[6] – https://www.cyberark.com/what-is/user-behavior-analytics/
[7] – https://www.securden.com/privileged-account-manager/pam-for-federal-local-government-agencies.html
[8] – https://www.keepersecurity.com/blog/2023/05/05/keeping-data-and-systems-secure-with-privileged-access-management/
[9] – https://www.integralpartnersllc.com/video-pam-adoption-challenges-and-solutions/
[10] – https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf


Comparing CMMC (Cybersecurity Maturity Model Certification) with Other Leading Cybersecurity Compliance Frameworks

Understanding cybersecurity frameworks can be confusing due to the multitude of frameworks mandated by various entities to accomplish specific goals. Most modern compliance frameworks focus on protecting an organization’s data—both the data it uses and creates—to support its business operations. The loss of data accessibility, confidentiality, or integrity can lead to severe consequences, including business closures. Compliance frameworks are designed to mitigate the most common risks identified for specific sectors or business types, and because of the variety of frameworks, there is significant overlap between them.

For instance, every framework typically requires measures such as authentication, endpoint security, and firewalls. Despite these overlapping technologies, each framework also has unique requirements that must be strictly followed. Understanding these differences is crucial when implementing one or more frameworks. Atlantic Digital can help you navigate these requirements, assess your current compliance status, plan your implementation, and facilitate your CMMC implementation. Below is an overview of common cybersecurity frameworks and how they compare to a CMMC implementation.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) framework is a comprehensive set of standards designed to enhance the cybersecurity posture of companies within the Defense Industrial Base. It draws from various global cybersecurity standards, including the UK Cyber Essentials and Australia’s Cyber Security Centre Essential Eight Maturity Model, incorporating long-standing best practices into its structure. When compared to other frameworks like the NIST Special Publications 800 Series, CMMC shares many similarities, especially with NIST SP 800-53 and SP 800-171, which are tailored for US government and federal contractors respectively. However, CMMC distinguishes itself by mandating specific levels of security based on the sensitivity of the data handled, rather than basing controls on assessed risk as NIST does. 

ISO/IEC 27000 Family

Another notable framework is the ISO/IEC 27000 family, which is internationally recognized and includes standards such as ISO/IEC 27001 for developing information security management systems. While ISO/IEC 27000 focuses on comprehensive security management, CMMC provides a tiered approach with three levels of requirements that scale with the type of data being protected, offering a more granular control structure. 

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is another framework often compared with CMMC. While PCI DSS requires a fundamental level of security, CMMC’s tiered system is far more comprehensive, potentially leading to a more robust security posture when followed correctly. 

Implementation

The cost and difficulty of adopting various cybersecurity frameworks can vary significantly. For instance, achieving full compliance with NIST SP 800-53 is a considerable undertaking for small to medium-sized businesses. In contrast, compliance with NIST SP 800-171, CMMC and ISO/IEC 27001 is generally easier and less expensive to implement and maintain. The Cybersecurity Maturity Model Certification (CMMC) functions as a hybrid model that integrates elements from these and other frameworks, specifically tailored to the defense sector’s needs. Its structured levels enable organizations to incrementally enhance their cybersecurity measures, making it a dynamic and scalable option suitable for companies of all sizes and capabilities. For detailed comparisons and further insights into how CMMC stacks up against other compliance frameworks, resources like Totem’s analysis, Infosec’s mapping, Security Boulevard’s in-depth examination, and Mass News’s discussions on CMMC versus other regulated standards provide valuable information. These resources are excellent starting points for professionals seeking to understand the nuances and practical implications of implementing CMMC in comparison to other cybersecurity compliance frameworks. 

Conclusion

Navigating cybersecurity frameworks can be challenging due to numerous mandates aimed at specific goals. These frameworks are crucial for protecting an organization’s data and preventing severe consequences such as business closures. While many frameworks share common requirements, each also has unique mandates that must be followed. Understanding these distinctions is essential for effective implementation.


Atlantic Digital offers expertise in navigating these complex requirements, assessing compliance statuses, planning implementations, and facilitating CMMC integrations. The CMMC framework is tailored for the Defense Industrial Base, integrating global cybersecurity standards and best practices, and mandating specific security levels based on data sensitivity. This makes it distinct from other frameworks like NIST SP 800-53 and SP 800-171, which focus on risk-based controls. 

Ultimately, understanding and implementing the right cybersecurity framework is crucial for securing operations and sustaining growth in a digital world. Atlantic Digital’s expertise ensures businesses can navigate these complexities, secure their data, and align technology with strategic goals. 

Moving Towards a Secure Future: The U.S. Government’s Journey to Zero Trust Cybersecurity Principles

Introduction

With the digital age in full swing, cybersecurity has become a paramount concern for governments worldwide. The U.S. Federal Government is no exception. In fact, it has taken proactive steps towards fortifying its defenses against increasingly sophisticated cyber threats. One such initiative is the adoption of the Zero Trust Architecture (ZTA), a strategy aimed at reinforcing the nation’s defenses against cyber threats.

A Preamble on Zero Trust

The essence of Zero Trust lies in its name – it embodies a principle of ‘never trust, always verify.’ The concept assumes that no user, system, or service, whether inside or outside the security perimeter, is trustworthy. Instead, it insists on continual verification of every attempt to establish access.

The Federal Mandate: Zero Trust Architecture (ZTA) Strategy

Through Memorandum M-22-09 from the Office of Management and Budget (OMB), the U.S. Federal Government has set out a strategy that requires agencies to meet specific Zero Trust security goals by the end of Fiscal Year 2024. This move is aimed not only at reinforcing the Government's defenses against cyber threats but also at mitigating potential damage to the American economy, public safety, privacy, and trust in Government.

Unfolding the Strategy: The Pillars of Zero Trust

The strategy to implement Zero Trust is based on five complementary areas of effort, referred to as the ‘pillars’ of Zero Trust. These include Identity, Devices, Networks, Applications and Workloads, and Data. Across these areas, three themes cut through – Visibility and Analytics, Automation and Orchestration, and Governance.

Identity: The Basis of Zero Trust

In the Zero Trust model, identity forms the foundation of all security measures. The strategy mandates that agency staff use enterprise-managed identities for accessing the applications necessary for their work. Phishing-resistant multi-factor authentication (MFA) must be implemented for all staff, contractors, and partners. Public-facing systems must also provide phishing-resistant MFA as an option for users.

Devices: Ensuring Security at the Endpoint

The strategy demands that agencies maintain a complete inventory of every device authorized and operated for official business, and have measures in place to prevent, detect, and respond to incidents on those devices.

Networks: From Perimeter-Based to Perimeter-Less Security

In the current threat environment, perimeter-based defenses are no longer sufficient. Under the Zero Trust model all traffic, including internal traffic, must be encrypted and authenticated. In practice this means agencies must encrypt all DNS requests (DNS over HTTPS or DNS over TLS where supported) and all HTTP traffic within their environment, so that being on the internal network confers no trust by itself.

Applications and Workloads: A New Approach to Security

In the Zero Trust model, applications and workloads are treated as internet-connected entities. Agencies are expected to operate dedicated application security testing programs, and welcome external vulnerability reports for their internet-accessible systems.

Data: The Lifeblood of the Organization

In the context of Zero Trust, agencies are expected to be on a clear, shared path to deploy protections that make use of thorough data categorization. They should take advantage of cloud security services and tools to discover, classify, and protect their sensitive data, and have implemented enterprise-wide logging and information sharing.

A Roadmap to Implementation

The transition to a Zero Trust architecture is neither quick nor easy. It requires a concerted, government-wide effort. To guide this process, each agency is required to develop a Zero Trust architecture roadmap describing how it plans to isolate its applications and environments.

The Role of IPv6

The strategy also ties Zero Trust work to the separate federal transition to Internet Protocol version 6 (IPv6) set out in OMB Memorandum M-21-07. Both efforts touch the same networks, addressing plans and security tooling, so agencies are expected to plan their IPv6 migration and their Zero Trust migration together rather than as isolated projects.

The Journey Ahead

The implementation of the Zero Trust model is not an end in itself. It is part of the Federal Government’s broader vision for a secure, resilient, and technologically advanced nation. The journey towards this vision is ongoing. It requires continuous learning, adaptation, and innovation. But with a clear strategy in place and a concerted effort from all stakeholders, the U.S. Federal Government is poised to successfully navigate this journey, ensuring the safety and security of the American people in the digital age.

    SEC Final Rules on Cybersecurity: A Comprehensive Analysis


    The Securities and Exchange Commission (SEC) recently released its long-anticipated final rules on cybersecurity risk management, strategy, and governance. This monumental development has generated widespread discussion within the corporate world.

    In this article, we’ll decode these rules, their implications for boardroom accountability, and their potential impact on cybersecurity governance reform. Buckle up, as we dive into the intricate world of SEC regulations and cybersecurity.

    1. An Overview of the SEC’s Cybersecurity Rules

    The SEC’s final rules on cybersecurity are robust and transformational in many respects. However, they have raised eyebrows for letting the boardroom off the hook for cybersecurity governance accountability, at least for now.

    1.1. The Proposal for Director Cyber Expertise

    The SEC proposed a rule that would require boards to disclose if they have a director with cybersecurity expertise. This proposal aimed to increase transparency about the abilities of corporate directors to govern this complex area.

    1.2. The Shortcoming

    Unfortunately, this proposal was not adopted. As a result, Chief Information Security Officers (CISOs) lack regulatory support for an experienced advocate in the boardroom. This increases the job difficulty and accountability of CISOs.

    2. The Impact on Management Teams

    The SEC amplified the pressure on management teams to understand the linkages between cybersecurity, their information systems, and their value in the eyes of a reasonable investor.

    2.1. Incident Disclosure Requirement

    The SEC introduced an incident disclosure requirement (new Item 1.05 of Form 8-K) whose trigger is materiality: a registrant must disclose within four business days of determining that a cybersecurity incident is material, rather than upon discovery of the incident, as had been proposed.

    2.2. The Scope of the Disclosure

    The disclosure focuses on the impact of the incident, not its technical nature. This approach aims to avoid handing useful information to attackers. The SEC also allows disclosure to be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.

    3. The Role of Third-Party Systems

    The SEC final rules stipulate the disclosure of cybersecurity incidents involving third-party systems that companies use. This new provision puts a challenging systemic risk disclosure requirement in place for the first time.

    4. The Definition of a Cybersecurity Incident

    The final rule defines a cybersecurity incident as an unauthorized occurrence (or a series of related unauthorized occurrences) on or through a registrant's information systems that jeopardizes the confidentiality, integrity or availability of those systems or the information they hold. Because the trigger is an unauthorized occurrence, inherent risks that materialize without one would not, on this reading, need to be disclosed under the new item.

    5. Increased Transparency and Accountability

    The final rules retain a disclosure requirement around the use of third-party experts in cybersecurity. This aims to provide more transparency regarding in-house versus outsourced capabilities for investors.

    6. The Boardroom’s Role

    The SEC did not entirely exempt the boardroom from the final rules. However, they did remove the requirement of disclosing how the board integrates cybersecurity into its business strategy, risk management, and financial oversight.

    7. The Importance of Investors

    Now that the SEC has established some rules, investors will play a pivotal role in cybersecurity governance reform. As they interact more with boards on these issues, they might exert more influence and drive reforms.

    8. The Future of Cybersecurity and Board Reform

    The SEC’s final rules are seen as the first steps on a crucial journey. Despite the softened stance on boardroom accountability, the need for management to understand the impacts of digital business systems remains.

    9. The Role of Lawmakers

    Lawmakers are not giving up on director cyber expertise. An example is S. 808 Cybersecurity Disclosure Act of 2021, which would compel the SEC to issue final rules on boardroom cyber expertise.

    10. Final Thoughts

    While the SEC’s final rules have sparked a crucial conversation about boardroom accountability in cybersecurity governance, they also underscore the need for individual corporate boards to take self-regulatory initiatives. As we move forward, the role of investors and lawmakers in shaping cybersecurity governance reform will be crucial.

    That is the breakdown of the SEC's final rules on cybersecurity. Regulation is only one piece of the puzzle: whether you are a CISO, a board member or an investor, the responsibility for cybersecurity ultimately lies with you.

    The Importance of Secure Smart Devices in the Modern World


    In today’s interconnected world, the proliferation of network-connected products has revolutionized the way we live and work. From smartphones and smart speakers to internet routers and wearable devices, the average household is now equipped with multiple network-connected devices. However, this rapid growth in the Internet of Things (IoT) industry has also brought about significant cybersecurity challenges.

    The Risks of Unsecure Smart Devices

    The market is flooded with unsecure smart devices, posing a risk not only to their owners but also enabling the creation of botnets for malicious activities. Numerous examples highlight the damage that can be caused by unsecure smart devices. In 2016 the Mirai botnet, assembled from compromised routers and IP cameras, launched devastating Distributed Denial of Service (DDoS) attacks; one variant alone hijacked more than 2,000 TalkTalk routers in the UK [1]. Attackers also took down the smart heating systems of apartment blocks in Finland, leaving residents without heat [2]. These incidents are not isolated: attacks against IoT devices have been rising, with 1.5 billion reported in the first half of 2021 alone [3].

    The Need for Legislation

    To address this growing concern, the UK government has taken a proactive approach by enacting the Product Security and Telecommunications Infrastructure (PSTI) Act 2022 [4]. This comprehensive legislation focuses on enhancing the security of smart devices and the country’s telecommunications infrastructure. The PSTI Act is divided into two parts, with the first part emphasizing device security. Accompanying this is the Security Requirements for Relevant Connectable Products Regulations 2023 [5].

    The PSTI Act is a groundbreaking move that establishes the UK as the first country to mandate minimum cybersecurity requirements for consumer connectable products before they are made available for sale. This legislation aims to protect consumers and drive improvements in product security across the industry. It addresses key issues such as default passwords, vulnerability disclosure policies, and the duration of security update support.

    Key Provisions of the PSTI Act

    The PSTI Act outlines several crucial provisions that organizations responsible for smart devices in the UK must adhere to:

    1. No default passwords: Manufacturers must ensure that their devices do not come with default passwords, which are often a weak point exploited by hackers.
    2. Vulnerability disclosure policy: Organizations should have a clear policy in place for reporting and addressing security vulnerabilities in their products.
    3. Transparency on security updates: Manufacturers must provide information about the minimum length of time for a product’s security update lifecycle, ensuring that devices remain protected throughout their intended lifespan.

    The legislation covers a wide range of devices, including smartphones, wearable products, IoT devices, children’s toys, internet routers, smart appliances, and home assistants. The scope of the PSTI Act encompasses anything that can connect to a network or the internet.

    The Power of the Secretary of State

    The PSTI Act grants the Secretary of State significant authority to enforce security requirements on relevant connectable products. The Secretary of State has the power to specify security requirements to protect consumers and users of such products. These requirements apply to manufacturers, importers, and distributors.

    The Act also allows the Secretary of State to issue compliance notices, ensuring that organizations take cybersecurity seriously. Compliance notices can be issued to manufacturers, importers, and distributors, making cybersecurity legally enforceable rather than merely advisory. Importantly, the Act prevents organizations from bypassing security requirements by importing products from outside the UK.

    Ensuring Compliance and Accountability

    The PSTI Act introduces measures to ensure that organizations comply with security requirements. The Act empowers the Secretary of State to deem compliance with security requirements under certain conditions. Compliance can be determined based on conformity to specified standards or meeting requirements imposed by recognized standards, including those set outside the UK.

    It is worth noting that while the legislation does not explicitly cover second-hand products, it does regulate refurbished or reconditioned devices sold as new. This ensures that even these products meet the necessary security standards to protect consumers.

    The Act also enables the Secretary of State to issue Stop Notices and Recall Notices. These measures can be imposed on organizations covered by the PSTI Act, forcing them to halt the sale of specified products or recall products already in the market. This mechanism ensures that swift action can be taken to address cybersecurity concerns, similar to how cars can be recalled for safety reasons.

    The Grace Period and Penalties

    The PSTI Act received Royal Assent on 6 December 2022, but its product security regime did not apply immediately: the security requirements came into force on 29 April 2024. The intervening period gave organizations time to establish the systems and policies needed to meet the requirements before enforcement began.

    Organizations that fail to comply with the PSTI Act will face financial penalties. These penalties can include fines of up to £10 million or 4% of the person’s qualifying worldwide revenue, whichever is higher. These penalties aim to hold organizations accountable for their cybersecurity practices and drive the adoption of robust security measures.

    The Impact on Innovation and Market Dynamics

    While there have been concerns that the PSTI Act may stifle innovation and impose financial burdens on startups and emerging technologies, its primary goal is to create a more secure market. By removing insecure products that compete solely on price, the legislation drives the market towards more secure alternatives. This encourages innovation in security and fosters a safer environment for consumers.

    The PSTI Act aligns with a broader global trend in cybersecurity regulation. Initiatives such as the EU’s Cybersecurity Act and the California Senate Bill 327 in the United States demonstrate a growing recognition of the importance of cybersecurity in protecting consumers and driving global standards.

    The Future of Cybersecurity Regulation

    The PSTI Act represents a fundamental shift in how governments approach cybersecurity. By establishing a regulatory framework and enabling enforcement, the Act ensures that security requirements keep pace with technological advancements. The legislation can be updated through supplementary regulations, allowing for flexibility and adaptability in the face of evolving cybersecurity threats.

    Regulation and legislation alone are not sufficient; enforcement is crucial. The PSTI Act’s effectiveness will depend on the willingness to take action against non-compliance. With robust enforcement, the PSTI Act can drive significant improvements in the security of smart devices and protect consumers from the risks posed by unsecure products.

    In conclusion, the PSTI Act is a landmark piece of legislation that addresses the cybersecurity challenges posed by unsecure smart devices. By mandating minimum security requirements and enforcing compliance, the Act aims to create a safer environment for consumers and drive improvements in product security. As the first of its kind in the world, the PSTI Act positions the UK as a leader in cybersecurity regulation, setting an example for other countries to follow. With the regime in force since 29 April 2024, organizations must prioritize cybersecurity and ensure their products meet the necessary security standards to protect consumers and the integrity of the telecommunications infrastructure.

    Additional Information

    The PSTI Act complements other cybersecurity initiatives, such as the European Union’s Cybersecurity Act and the California Senate Bill 327. These efforts demonstrate a global recognition of the need for robust cybersecurity measures and the importance of protecting user data and privacy [7][8]. The National Cyber Security Centre (NCSC) and key allies have also released guidance on smart city security, emphasizing the need to balance cybersecurity risks in the development of smart cities [9]. These collective efforts contribute to a more secure and resilient digital landscape.

    Footnotes

    [1] More than 2,000 TalkTalk routers hijacked by Mirai botnet variant
    [2] DDoS attack leaves Finnish apartments without heat
    [3] Kaspersky: Attacks on IoT devices double in a year
    [4] Product Security and Telecommunications Infrastructure (PSTI) Act 2022
    [5] Security Requirements for Relevant Connectable Products Regulations 2023
    [7] Product Security and Telecommunications Infrastructure Bill will reinforce protections for consumer devices and mandate improvements to default security settings
    [8] European Commission lays out proposed security regulations on device and software security to better protect consumers and drive global standards
    [9] The NCSC and key allies have drawn up new guidance to help communities balance the cybersecurity risks involved with creating smart cities