While so much happens in the security and compliance industry each year, if we were to pick one theme to emphasize in 2021, it would be this: Expectations on an organization’s cyber hygiene and the maturity of their compliance program have ratcheted up. After companies and government agencies have suffered numerous devastating attacks for years—including major attacks on the nation’s critical infrastructure sectors this year (e.g., oil pipeline, financial, food, and transportation sectors were all affected), organizations have finally begun to step up their own cyber defenses and their oversight of vendors and suppliers.
As a SaaS provider, Hyperproof saw this trend of heightened scrutiny play out in our own sales cycle. In the past, potential customers asked us just a few security questions during the security review process. Now, many potential customers want to see a lot of detailed information to validate that our service is able to meet their security requirements. They are conducting detailed reviews of our SOC 2 report and asking a number of follow-up questions.
We’ve also seen more instances of customers asking us to make contractual commitments to meet specific security requirements. These organizations are legally required to ask their SaaS providers to do this kind of due diligence per their contract with their customers. Many of Hyperproof’s customers—both Fortune500 and privately held companies—are in a similar situation and facing a barrage of security questions from their customers.
Recent Regulations With Supply Chain Risk Management Requirements
The notion that supply chain risk management needs to become programmatic (vs. ad-hoc) has made its way into a number of regulations and industry standards in the last few years. Here are just a few of the more prominent regulations and standards organizations should pay attention to.
EU’s General Data Protection Regulation (GDPR)
GDPR’s scope includes all European Union organizations that collect, store, or process the personal data of any person residing within the EU, as well as any non-EU organizations that offer goods and services to European residents or non-EU organizations that process personally identifiable data. The European Union expects data processors—including managed service providers (MSPs) and SaaS providers—throughout the world to become compliant with GDPR legislation. EU organizations (data controllers) that leverage non-EU data processors must make sure their data processing vendors are following GDPR guidelines.
Under GDPR guidelines, data processors have a duty to protect data in a manner that ensures the security of all personal data, including protection against unauthorized or unlawful processing, as well as against accidental loss and damage. Administrative, physical, and technical safeguards must be put in place, as EU law puts equal liability on data controllers and data processors.
California’s Consumer Privacy Rights Act (CPRA)
The CPRA, which will go into full effect on January 1, 2023, imposes a similar set of requirements on data processors—those who process personal data on behalf of another company—as GDPR. It obligates organizations that collect data (e.g., any company with consumers who reside in California) to hold their service providers accountable for protecting data in a manner that ensures the security of all personal data.
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations
Any organization that handles federal information is required to implement NIST SP 800-53 controls and prove its compliance posture in order to maintain the relationship with its government customer. NIST SP 800-53 got a major update in September 2020. It added a new control family on Supply Chain Risk Management with clear language that NIST wants organizations to put the risk at the heart of supply chain management. This control family emphasized several key points:
- All agencies and contractors are required to have formal risk policies and procedures to identify and manage supply chain risk.
- All agencies and contractors need to be aware of the origins and components of systems they use to ensure that changes upstream are assessed and documented
- All agencies and contractors must assess suppliers based on identified risks, and agreed contractual or terms and conditions.
- All agencies and contractors must identify key supply chain information related to sensitive operations and systems; identify security controls to countermeasure third-party risks associated with the operations and systems.
- Third-party agreements or contracts should clearly underline any privacy-related controls that third parties should adhere to as part of the development of the supply of systems and services.
- There must be notification agreements established to ensure third parties know when and how to alert organizations in the event of issues.
In other words, NIST is saying that if your company is considered a “supplier” of a government contractor, you will need to implement the security controls your customer expects you to have and attest that you have them in your contractual agreement with the customer. If you are using a third-party component in your own application, you will need to assess the risks posed by using that third-party component and verify that the third party has adequate data protection safeguards in place to neutralize risks.
CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) program was created in 2020 by the Department of Defense to verify that all companies in the Defense Industrial Base – both contractors and subcontractors—have sufficient security and privacy safeguards in place to protect federal information (specifically, controlled unclassified information) within their care. The original version set five levels and required all contractors and subcontractors—regardless of whether they handle sensitive data or not – to go through a third-party certification assessment to verify their security controls and compliance posture.
In November 2021, the Department of Defense revamped the program (CMMC 2.0) to three levels and canceled the third-party certification requirement from companies in level 1 – those who do not handle controlled unclassified information. However, all level 1 companies (mostly small businesses) must perform an annual self-assessment and a company officer or executive will need to affirm that the answers provided in the annual self-assessment are accurate and complete.
To make sure that no one makes false claims in their security self-assessment, the Department of Justice has the legal power to investigate government contractors who allegedly submitted “false claims” regarding their cybersecurity practices under the False Claims Act (FCA). The DOJ can impose hefty fines on entities and individuals who are found guilty.
The DOJ said the following types of situations may trigger an investigation into an organization or an individual:
- Knowingly providing deficient cybersecurity products or services
- Knowingly misrepresenting their cybersecurity practices or protocols
- Knowingly violating obligations to monitor and report cybersecurity incidents and breaches
Under the FCA, a person acts knowingly when the person 1) has actual knowledge of the information, 2) acts in deliberate ignorance of the truth or falsity of the information, or 3) acts in reckless regard of the information. Further, the person need not have any specific intent to defraud the government.
Thus, as it relates to the CMMC 2.0’s self-assessment affirmation, if the affirmation is incorrect, the DIB company could be liable under the FCA even though its leadership did not intend to defraud the government and did not have actual knowledge that its affirmation was incorrect. The DIB company could be found “in reckless disregard of the truth” by failing to conduct sufficient due diligence on its cybersecurity practices and procedures prior to its affirmation. This subjects the company to damages and monetary penalties.
Here’s the key takeaway from all these regulations:
When organizations fail to put sufficient focus on their compliance program (including failing to conduct sufficient due diligence on their own and their third-parties’ cybersecurity practices and procedures), they can lose customers and face significant legal liability. Executives overseeing company operations can also face personal liability under certain regulations like CMMC 2.0.
The Challenge for 2022: Operating Under a Continuous Assurance Model
To reduce this potential liability, it’s important for organizations to fully understand the requirements they’re asked to meet and implement the controls necessary to meet those legal and contractual requirements. Organizations should test their controls and collect proof on an ongoing basis to show customers (and regulators) that they are meeting their contractual obligations throughout the duration of the contract.
In addition to legal risk mitigation, continuous review and management of controls are critical for maintaining resilience. Cyber attack schemes are evolving quickly. New security and compliance risks can be introduced through routine business decisions, like when employees start using a new cloud service to boost operational efficiency or when a division decides to launch a new product.
At this junction, organizations must rise to a new challenge. They need to build the capabilities necessary to operate under a continuous assurance model. This includes finding a way to scale the activity of implementing controls—activities undertaken to meet legal requirements, mitigate security and privacy risks and improve operational efficiency. Organizations will need to stand up a structured, repeatable, continuous approach for training the right people on controls, assigning ownership of controls, assessing compliance to controls, and remediating gaps.
To be successful in operating in a continuous assurance model, organizations will need to use technology to centrally manage their compliance program and distribute the responsibility of operating controls to people within multiple business functions. Technology will empower people to perform control activities properly, on time, and efficiently – so that assurance work becomes a business enabler, not something that slows down the business too much.
This model of continuous assurance is a big departure from the audit-centric model of yesterday, where organizations relied on point-time audits to measure their security posture and determine what remediations are needed. Those who rise to the challenge of operating in a continuous assurance model will be the organizations that are trusted and beloved by their customers.
Monthly Newsletter