Need GSA OASIS+ J-3 C-SCRM Deliverables?

The US Government's General Services Administration (GSA) has the One Acquisition Solution for Integrated Services (OASIS+), a new Indefinite Delivery, Indefinite Quantity (IDIQ) contract vehicle. From a cybersecurity perspective, Contract Attachment J-3 (Cybersecurity and Supply Chain Risk Management (C-SCRM) Deliverables) has:
(1) A pre-award evaluation with questions that must be adequately addressed; and
(2) Post-award deliverables that must be provided to the GSA within ninety (90) days of contract award.

There is a considerable amount of work that must be implemented to both be able to (1) attest to certain requirements and (2) provide documented evidence of the capability. This is more than just cybersecurity, since it involves:
- Information Technology (IT): disaster recovery / business continuity teams;
- Human Resources (HR): background check & personnel management processes;
- Physical Security: facility management / physical security controls;
- Legal / Contracts Management: ongoing supplier due care and due diligence activities; and
- Other teams related to supply chain management practices.

Several ComplianceForge products are applicable to OASIS+ J-3 and these include:
(1) NIST 800-171 or NIST 800-53 aligned policies, standards & procedures;
(2) Continuity of Operations Plan (COOP);
(3) C-SCRM Strategy & Implementation Plan (C-SCRM SIP); and
(4) Integrated Incident Response Program (IIRP).

The "pre-award evaluation" is the Basic Safeguarding of Covered Contractor Information Systems Questionnaire, which consists of the following questions to evaluate the contractor's suitability. The "post-award deliverable" section is a list of attestations and required deliverables. These are meant to provide the GSA with visibility into the contractor's Cybersecurity Supply Chain Risk Management Plan. It is the GSA's "SCRM Plan Template" with relevant questions the GSA wants answers to, since the contractor is part of the GSA's supply chain. Useful charts showing the pre- and post-award deliverables can be seen at https://lnkd.in/gYaUjVGd #gsa #oasis #oasis+ #cscrm #scrm #contracting #contracts #grc #cybersecurity #compliance #policies #irp #coop
ComplianceForge
Computer and Network Security
Sheridan, Wyoming · 4,138 followers
Where your cybersecurity & privacy documentation is made!
About us
We specialize in offering professionally-written cybersecurity and privacy security documentation. We offer comprehensive written information security policies and standards to meet common information security requirements that businesses face. We've been doing this since 2005, so we have a long track record of successfully writing information security policies and other security-related documentation, such as risk assessments, vulnerability assessments and audit templates. Our Written Information Security Program (WISP) and Digital Security Program (DSP) products offer the most comprehensive information security documentation you can implement. If you need a Microsoft Word-based template to build a complete information security program for your company, or just want to refresh your existing policies and standards, then either our WISP or DSP is something you should consider. Our documents are delivered in Microsoft Word format, so you can edit them to your specific needs. The footnotes for best practices and legal requirements make it easy for users to understand their compliance requirements. We have editable, professionally-written cybersecurity documentation for your compliance needs, ranging from NIST 800-171 to GDPR, PCI DSS, HIPAA and many more.
- Website: https://complianceforge.com
- Industry: Computer and Network Security
- Company size: 2-10 employees
- Headquarters: Sheridan, Wyoming
- Type: Privately held
- Founded: 2005
- Specialties: Information Security Policy Development, PCI DSS Compliance Documentation, Vendor Compliance Program, IT Security Audit Template, NIST 800-171, EU GDPR, CCPA, NY 23CRR500, NIST 800-53, ISO 27002, NIST Cybersecurity Framework, Secure Controls Framework, SCF, Digital Security Program (DSP) and Cybersecurity Policies

Locations
- Primary: 30 N Gould St, Suite 9141, Sheridan, Wyoming 82801, US
Updates
We've seen interest from clients in being able to demonstrate "NIST CSF compliance", so the ability to have a conformity assessment that is specific to NIST CSF 2.0 fits a need. #nistcsf #certification
NIST CSF certification? Is your organization interested in being able to demonstrate conformity with the NIST Cybersecurity Framework? If so, the Secure Controls Framework and The Cyber AB would like to hear from you, since there is a path to certification against NIST CSF 2.0 requirements through the SCF's Conformity Assessment Program (SCF CAP). Soon (starting in early Q2 2025), the "SCF Certified - NIST CSF 2.0" certification will be available for organizations wanting to demonstrate conformity with NIST CSF 2.0 and earn a valuable certification that can be used to highlight their secure practices to partners, clients and others in their supply chain. Please take a few minutes to read the brochure shown below, since it answers a lot of basic questions you may have. Contact us to learn more: https://lnkd.in/gqmRVGZm #nistcsf #nist #csf #scf #controls #compliance #governance #risk #cybersecurity #cyber #grc #ciso #board #conformity #certification #tprm #riskmanagement #scrm #supplychain #cyberab
ComplianceForge's NIST 800-161 R1-based C-SCRM Strategy & Implementation Plan (C-SCRM SIP) can help your organization integrate cybersecurity and data protection controls into the acquisition lifecycle through acquisition planning, source selection, responsibility determination, security compliance evaluation, contract administration and performance evaluation. As today's Executive Order (EO) points out, C-SCRM is required in the Federal government, which means those requirements will filter down through US Government contractors and then down into non-government contractors. It is inevitable. https://lnkd.in/eg8pNSmX Product page: https://lnkd.in/gtqD77gc #scrm #cscrm #supplychain #supplychainsecurity #nist800161 #eo #executiveorder #tprm #riskmanagement
The Secure Controls Framework created a free cybersecurity materiality calculator template in Microsoft Excel format that you can download from: https://lnkd.in/gwdwv5T7 Materiality goes beyond SEC Form 8-K filings and is valuable for the broader concept of risk management practices, since it helps an organization clearly understand what is important vs what is not important. Prioritization is key in risk management and determining materiality thresholds is a tool that should be utilized. This is to START the process for your organization to think through both the quantitative and qualitative criteria that are used to establish thresholds for identifying (1) material controls, (2) material threats, (3) material risks and (4) material incidents. This template takes into account criteria from pre-tax income, total assets, total revenue and total equity to provide options for both "single criteria determinations" and "averaged determinations" to establish objective thresholds. If you want to read more about cybersecurity risk management practices and the concept of materiality, this guide is an excellent place to start: https://lnkd.in/g8-2Y8n5 #cybersecurity #riskmanagement #dataprotection #assessment #standards #grc #governance #risk #compliance #tprm #scf #framework #cybersecurityrisk #cyberrisk #security #materiality #material #itgovernance #policies #procedures #guidelines #ciso #cio #cyber #leadership #cybersecurityleadership #informationsecurity #infosec #sec
The Secure Controls Framework is pleased to announce the appointment of Jason Sproesser to the SCF Advisory Board! Jason brings with him a wealth of MSP and GRC experience both in public and private industries. As the SCF's Conformity Assessment Program (CAP) expands to offer a broad range of certifications, Jason's expertise in NIST 800-171 / CMMC will add value to the planned "SCF Certified - NIST SP 800-171 R3" certification to service the non-DoD side of the US Government contractor ecosystem. #grc #msp #mssp #announcement #cmmc #nist #nist800171 #winning
Determining the scope of controls (e.g., assessment boundary) is different than determining control applicability. Do you know the difference? The Unified Scoping Guide (USG) is a free resource to make control scoping more efficient, regardless of the type of sensitive / regulated data environment. You can download the latest version of the USG for free from: https://lnkd.in/gUy_iTUJ #efficiency #doge #cuiscoping #scoping #cmmc #nist800171 #cui #fci #grc #ciso https://lnkd.in/gqUegfA3
Risk management for practitioners! This document is vendor agnostic and is written for cybersecurity practitioners to gain valuable insights into how to better manage risk across organizations, regardless of industry or size. With the concept of "material incidents" being important to public companies, ComplianceForge updated its risk management guide for cybersecurity practitioners to address the reality of enterprise-wide risk management practices. This educational reference can be downloaded from: https://lnkd.in/gPqhdT83 Special thanks to Tom Cornelius and Andy Kuykendall for their contributions to this document! #risk #riskmanagement #erm #grc #cybersecurity #ciso #board #materiality #material #negligence
There is a "materiality ecosystem" that exists within modern cybersecurity risk management discussions. The process begins with determining what constitutes materiality for an organization. This is organization-specific and is primarily based on a clearly-defined financial threshold. Defining materiality is an executive leadership determination, not a cybersecurity determination. Often, cybersecurity teams incorrectly hypothesize what "should be material" through the myopic perspective of the cybersecurity department. However, those cybersecurity-led definitions are often incorrect and are not material to the organization, much to the frustration of legal counsel, who sometimes have to reprimand cybersecurity practitioners for incorrectly labeling incidents as material. For example, while a $5 million incident may appear material (e.g., it is a significant sum), that financial amount may not come close to the actual materiality threshold for a prosperous organization. Once the materiality threshold is clearly defined, it then requires a look at an organization's risk and threat management practices to identify those specific risks and threats that could lead to a material incident. Ideally, this means reviewing established risk and threat catalogs to identify known risks and threats that have material implications. In the end, the due diligence activities performed to define material risks and material threats assist with broader incident response operations. This prior work assists the organization in defining material incidents, or at least pre-determined criteria associated with incidents, that would elevate incident response activities to the proper organizational leadership due to the existence of a material incident (e.g., external reporting requirements, reputation damage control, etc.).

Incident triage is not the correct time to develop incident threshold categories to determine materiality, given requirements such as the US Securities and Exchange Commission (SEC) requiring public companies to disclose material incidents within 72 hours. #cybersecurity #sec #material #materiality #risk #incident #threat #control #grc #ciso #incidentresponse #irp
Thank you for the mention from Koren Wise! Another successful assessment using ComplianceForge documentation. Learn more at: https://lnkd.in/gC3Jy-aw #cmmc #dibcac #nist800171 #audit #assessment #compliance
We are on a roll and very proud to announce the MVP Enclave and 800-171 Compliance Program has done it again! Eight months ago, we embarked on another journey to help an amazing small business fulfill their goal of going to the Joint Surveillance Voluntary Assessment for CMMC. Peerless Electronics Inc. should be the CMMC role model to small businesses. Like many small businesses, they came in early 2024 seeking advice about where to start and what approach to take for their 800-171 compliance journey. Unlike many small businesses, they recognized the importance of the program, respected the end goal, and worked extremely hard to play an active role every single day in this very difficult transformation. They had full support at every level of the organization. I feel so lucky to have had this mutual learning experience with the staff of Peerless Electronics Inc. The MVP Enclave and 800-171 Compliance Program is even better than before because of customers like them. We are thankful to have had a very professional and detailed assessment by Fernando Machado, CISSP, CISM, CCA, CCP (AKA "Eagle Eye") of Cybersec Investments and the DIBCAC. There were five assessors in total. It was also amazing to experience being assessed by one hearing-impaired assessor and his translators; that process was seamless and should give inspiration to anyone with hearing impairments. Our goal from the beginning was to have this enclave scrutinized by as many DIBCAC and C3PAO assessors as possible. This is what we have spent the past two years doing. I would like to thank ComplianceForge for their thorough documentation package, which gives companies the tools they need to document their solution, program, and operations.
I would like to thank FutureFeed, Mark Berman, James Goepel, and Chase Berman for their awesome product which is invaluable to manage this program. **Peerless Electronics will not be officially recognized until DIBCAC outbrief, which can take a few weeks. They have received their C3PAO outbrief. Kyle Lai, Carter Schoenberg, Regan Edens, Leia Kupris Shilobod, CCP, CISM, Matthew Titcombe, Alexy J., Melvin Scott, Jacob Hill, Joy Belinda Beland CMMC CCA, PI, QTE, CISM, Amy Williams PhD CISSP, CMMC-CCA, PA, PI, Katie Arrington, Stacy Bostjanick, Robert Metzger, Fernando Machado, CISSP, CISM, CCA, CCP, Derrich Phillips, CMMC Certified Assessor, Olatokunbo "AB" W., Stuart Itkin, Steve Treanor, Alexandria Saey Burke, MS, CMMC/CCP/CCA, Scott Serafin, Timothy Esler, Kirk Little, DBA, PMP, Dasha Little, Palmer Sims, David A. Africano, Erin O'Donnell, CCP, CCA, Michael Dempsey,
The 2024.3 version focused on addressing changes associated with the recent release of 32 CFR Part 170 and updated CMMC 2.0 L2 scoping guidance. Learn more at: https://lnkd.in/gM2xbEdw

The biggest issue with 32 CFR Part 170 is that the DoD cites NIST SP 800-171 R2 in this final rule, even though NIST SP 800-171 R3 was released earlier this year and, per OMB, NIST 800-171 R2 will be considered a deprecated standard in May 2025. The DoD's reason for focusing on the old version of NIST SP 800-171 includes the time needed:
- For industry preparation to implement; and
- To prepare the CMMC ecosystem to perform assessments against the new version.

Given the DoD's focus on NIST SP 800-171 R2 for the immediate future, ComplianceForge reorganized the NCP into three different formats to meet client needs:
- NCP R2 is tailored for organizations that want to focus only on NIST SP 800-171 R2.
- NCP R3 is tailored for organizations that want to focus only on NIST SP 800-171 R3.
- NCP Combined R2 & R3 is tailored for organizations that want to address both NIST SP 800-171 R2 & R3 simultaneously.