A False Sense of Security: Why VPNs Are Not a Silver Bullet

virtual private network security, VPN safety, VPN risks, cybersecurity strategies, VPN breaches, VPN security measures

In a world of hybrid organizations and a rising number of remote employees, virtual private networks (VPNs) are rapidly growing as a solution for secure access between enterprise networks and external endpoints. In 2022, the global VPN market was valued at $44.6 billion, and analysts project it will reach $93.1 billion by 2030.

But while VPNs play an important role in today's enterprise security stack, the growth in adoption may reflect overconfidence in a technology with distinct risks and limitations. Misconceptions surrounding VPNs abound, and with VPN-directed attacks on the rise, those who depend on them as a silver bullet for cybersecurity are in for a rude awakening.

VPN Breaches

In June, cybersecurity researchers reported that 360 million user data records were leaked in a breach affecting SuperVPN, a free VPN service operating in China.

While users of the application had expected it to protect their personal data and identities, instead it exposed both of them – including email addresses, location and online activities – to the open Web.

This story would be less concerning if security flaws were limited to free and consumer-facing VPN services. Unfortunately, they are not – they affect VPN products used by major companies, including federal agencies, local governments, and critical infrastructure operators.

To protect themselves from these risks, organizations must understand the limited role that VPNs play in a comprehensive cybersecurity strategy, the risks they can introduce to an IT ecosystem, and best practices for utilizing them effectively.

What VPNs Really Do

According to a study from the University of Maryland, VPN ads directed at consumers through social media include “overpromises and exaggerations that could negatively influence viewers’ mental models of internet safety”. But overpromising and exaggerations only work because viewers don’t know what a VPN really does.

In an enterprise configuration, a VPN creates an encrypted connection between a VPN client installed on a device outside your organization and a VPN server hosted on-site or in an off-site data center. From the server, traffic is forwarded to the open Web, to cloud services, or to internal resources; in a full-tunnel configuration all of the client's traffic takes this path, while a split-tunnel configuration sends only traffic for designated destinations through it and lets the rest go directly to the Internet.

When a VPN works properly, the encrypted connection between client and server forms a secure "tunnel" that protects traffic in transit from snooping: an observer on the path between the two cannot read the data or see which internal or external destinations the client is talking to, and because the client's traffic leaves from the VPN server, the destinations it reaches see the server's address rather than the remote endpoint's.

What VPNs Don’t Do

Unfortunately, VPNs do not always work properly. And even when they do, there are many risks they don’t protect against. For instance:

  • VPNs do not protect software as a service (SaaS) apps that reside outside your organization. Employees can reach them through the VPN, but they will often choose not to, since VPNs can be slow and cumbersome (and split-tunnel configurations may route SaaS traffic around the VPN by design). This compounds the growing risk of shadow IT that organizations already suffer from, with data scattered across unmanaged and poorly protected external services.
  • While a VPN can prevent attackers from intercepting or decrypting traffic as it travels through the tunnel, it does not protect data before it enters the tunnel or after it leaves it. If attackers have already compromised devices inside or outside your network, which they can do through malware, phishing or social engineering, they can still read data sent in both directions.
  • VPNs do not always prevent devices from leaking their real IP addresses or the destinations of their traffic. Weaknesses in the VPN client, such as DNS queries sent outside the tunnel or traffic that keeps flowing when the tunnel drops, or in non-VPN software, can tip watchful adversaries off to the identity of protected endpoints.

VPN-Associated Risks

Aside from the fact that VPNs do not protect against all cyber risks, they often introduce new ones, including:

  • Keys to the Kingdom – enterprise VPNs are often deployed without layered controls, network segmentation or least-privilege access policies that would limit each user to the resources they actually need. In that case, all an attacker needs is one set of VPN credentials or one trusted device to reach everything on your network, which makes VPN accounts and VPN-connected devices valuable targets.
  • Expanded Attack Surface – according to a report by Cybersecurity Insiders and Zscaler, 61% of organizations have three or more VPN gateways with public IP addresses, and many have more than five. Together with the countless devices connected to your company through those gateways, this represents a significant increase in the attack surface exposed to adversaries.
  • Vulnerabilities – vulnerabilities in VPN servers and clients are discovered regularly and require prompt patching to prevent exploitation. In 2020, a single vulnerability in SonicWall's VPN appliances left nearly 800,000 Internet-exposed devices open to denial of service and potential remote code execution.
  • Weak Encryption – while breaking the encryption between a VPN client and server is usually an unrealistic attack vector, servers are sometimes configured, or simply left at defaults, to accept weaker cipher suites and key-exchange groups so that obsolete clients can still connect. Any proposal in the gateway's list can be negotiated, so an attacker who can steer a session toward the weakest one has a genuine chance of intercepting and decrypting traffic.

Best Practices for Enterprise VPNs

As with enterprise cloud solutions, some of the risks associated with business VPNs are attributable to misconfiguration or poor maintenance by the customer. A few key practices help organizations harden their VPNs against attack. In 2020, the National Security Agency (NSA) published guidance on securing IPsec VPNs that lists several:

  1. Reduce VPN gateway attack surfaces – this means minimizing the number of VPN gateways and implementing traffic rules to "limit the ports, protocols and IP addresses of network traffic to VPN devices." In practice, a gateway should accept only the traffic the tunnel protocol needs (for IPsec, IKE on UDP 500, NAT traversal on UDP 4500 and ESP) and, where the set of remote sites is known, only from those addresses; arbitrary devices should never be able to reach the gateway's management interfaces.
  2. Verify that cryptographic algorithms are CNSSP 15-compliant – Committee on National Security Systems Policy (CNSSP) 15 specifies the approved algorithms. At a minimum, the NSA recommends that both the ISAKMP/Internet Key Exchange (IKE) policy and the IPsec policy use CNSSP 15-compliant algorithms, and that non-compliant proposals be removed from the gateway's configuration so that they cannot be negotiated.
  3. Avoid using default VPN settings – default settings frequently include weaker cryptographic proposals kept for compatibility. As a best practice, the NSA recommends that all VPN settings be configured explicitly rather than inherited from defaults.
  4. Apply vendor-provided updates/patches – as with any business-critical software, organizations should apply patches to server-side software and appliances as soon as they are issued, and enforce updates to VPN clients as well.
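The "Weak Encryption" risk above and recommendations 2 and 3 come down to one audit: every proposal a gateway is willing to negotiate must be on the approved list, not just the first one. The script below is an added example, not code from the original article, from the NSA guidance or from any VPN vendor. It reads proposals in strongSwan's enc-integrity-dhgroup notation, and its allow-list is an assumption modelled on the CNSA Suite algorithms; confirm it against the current CNSSP 15 text before relying on it. The two sample configurations are constructed for the example.

```python
"""Audit IKE and IPsec proposal lists against a CNSSP 15-style allow-list.

Added example: this is not code from the original article, from the NSA
guidance, or from any VPN vendor. Proposals are written in strongSwan's
"enc-integ-dhgroup" notation (for AEAD ciphers the middle token is the
PRF, e.g. aes256gcm16-prfsha384-ecp384, and an ESP proposal may omit the
integrity token). The allow-list is an assumption modelled on the CNSA
Suite algorithms; confirm it against the current CNSSP 15 text before
using it for a real audit.
"""

# Assumed CNSSP 15 / CNSA-aligned allow-list (constructed for this example).
ALLOWED_ENCRYPTION = {"aes256", "aes256gcm16"}
ALLOWED_HASH = {"sha384"}                       # integrity and PRF
ALLOWED_DH = {"modp3072", "modp4096", "ecp384"}

# Primitives whose presence is a finding on its own, allow-list or not.
KNOWN_WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_proposal(proposal):
    """Split a proposal into (encryption, hash, dh_group); missing parts are None."""
    tokens = proposal.strip().lower().split("-")
    if not 2 <= len(tokens) <= 3 or not all(tokens):
        raise ValueError(f"expected enc-hash-dh, got {proposal!r}")
    enc, hsh, dh = tokens[0], None, None
    for tok in tokens[1:]:
        if tok.startswith(("modp", "ecp", "curve")):
            dh = tok
        else:
            hsh = tok[3:] if tok.startswith("prf") else tok
    return enc, hsh, dh


def check_proposal(proposal):
    """Return the list of findings for one proposal; an empty list means compliant."""
    enc, hsh, dh = parse_proposal(proposal)
    findings = []

    def judge(name, value, allowed):
        if value in KNOWN_WEAK:
            findings.append(f"{name} {value}: known weak, must not be offered")
        elif value not in allowed:
            findings.append(f"{name} {value}: not on the CNSSP 15 allow-list")

    judge("encryption", enc, ALLOWED_ENCRYPTION)
    if hsh is None:
        if "gcm" not in enc:            # only an AEAD cipher may omit integrity
            findings.append("no integrity algorithm on a non-AEAD cipher")
    else:
        judge("integrity/PRF", hsh, ALLOWED_HASH)
    if dh is None:
        findings.append("no DH group: perfect forward secrecy is not enforced")
    else:
        judge("DH group", dh, ALLOWED_DH)
    return findings


def audit_gateway(ike_proposals, esp_proposals):
    """Audit every proposal a gateway offers, keyed by phase and proposal.

    The peers settle on the first proposal both accept, so one weak entry
    anywhere in the list is enough for a downgraded client to negotiate it;
    the gateway is only clean when every entry passes.
    """
    report = {}
    for phase, proposals in (("ike", ike_proposals), ("esp", esp_proposals)):
        for p in proposals.split(","):
            findings = check_proposal(p)
            if findings:
                report[f"{phase}:{p.strip()}"] = findings
    return report


# Constructed sample configurations, not taken from any real product.
# The first resembles a gateway left on permissive defaults to keep old
# clients working; the second is the hand-tuned replacement.
DEFAULT_LIKE = {
    "ike": "aes256-sha384-modp4096,aes128-sha1-modp1024,3des-sha1-modp1024",
    "esp": "aes256gcm16-ecp384,aes128-sha1",
}
HARDENED = {
    "ike": "aes256gcm16-prfsha384-ecp384,aes256-sha384-modp4096",
    "esp": "aes256gcm16-ecp384,aes256-sha384-modp4096",
}

if __name__ == "__main__":
    for label, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED)):
        report = audit_gateway(cfg["ike"], cfg["esp"])
        print(f"{label}: {'compliant' if not report else 'FINDINGS'}")
        for key, findings in report.items():
            for f in findings:
                print(f"  {key}: {f}")
```

The point of auditing the whole list rather than the first entry is that the strong proposal at the front of the default-like configuration does nothing for a client that only offers the weak ones; the gateway will happily fall back. Feeding the script the proposal strings exported from your own gateway (translated into the same notation) tells you whether recommendation 3 has actually been followed.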

But while these recommendations will make your enterprise VPN configurations safer, they will not protect against complacency in other domains: a lack of multifactor authentication (MFA) or poor credential hygiene, an absence of network segmentation or zero trust policies for internal resources, or a lack of security training to prevent phishing and social engineering attacks or the improper handling of trusted devices.

Secure VPNs Are Downstream from Secure Organizations

While many businesses are planning to move away from VPNs to alternative remote-access solutions (such as SASE and zero trust network access, ZTNA), realistically VPNs will keep a place in hybrid work environments for many years to come. This won't be a problem for organizations that understand that VPNs play a small part in a larger cybersecurity strategy, and that work with the right partners to eliminate the security gaps that affect VPN safety.

With a team comprised of veterans from the U.S. security community, including DoD, DHS and U.S. Cyber Command, Securicon is equipped to protect remote access solutions (including VPNs) and harden your security posture with gap analysis, compliance consulting, assessment support, audit preparation and more. To learn how we can help you, contact us today.

Everything Defense Contractors Need to Know About CMMC 2.0

CMMC

On November 4th, the Department of Defense (DoD) announced major revisions to the Cybersecurity Maturity Model Certification (CMMC). Since it was written into DoD acquisition regulations in late 2020, the CMMC has only undergone minor revisions, bringing it to version 1.02. Now the framework will jump ahead to version 2.0, with a streamlined system of security levels, the introduction of a waiver process, and changes to the framework core.

While full details of the CMMC 2.0 update are still forthcoming, DoD officials have indicated that the update is intended to address longstanding concerns in the defense contracting community, especially among small-to-medium sized businesses (SMBs). Most significantly, the requirement for third-party assessment will be dropped for more than half of the defense industrial base, substantially reducing the compliance burden for many organizations.

While the new CMMC requirements will not show up on contracts for at least nine months, contractors who have been preparing for CMMC compliance will need that time to change their strategy and prepare for the new rule changes. In this article, we’ll explain what these rule changes are, and what they entail for your business.

New Direction for CMMC

Since it was first announced in 2019, the CMMC has provided a model for government agencies seeking to enforce better standards of cybersecurity compliance on their supply chain partners. After a historic year for cyberattacks that illustrated critical vulnerabilities among federal agencies and contractors, this goal has never been more important.

But – in the words of Deputy Assistant Secretary of Defense (DASD) for Industrial Policy, Jesse Salazar – the DoD has struggled to find a balance between “adopting the practices they need to thwart cyber threats” and “minimizing barriers to compliance”. Accordingly, lawmakers and industry leaders have expressed concerns that CMMC requirements are too onerous or costly for some defense contractors.

In its recent announcements, the DoD has signaled a new direction for CMMC that addresses these concerns: CMMC 2.0 will provide greater flexibility to small businesses in the defense contracting industry with less reliance on third-party assessment, and a more streamlined core framework.

CMMC 2.0 vs CMMC 1.02

As of November 29th 2021, the CMMC 2.0 framework is not publicly available, and while rules are expected to be made public in the near future – followed by a 60-day period for public comment – the rulemaking process may be extended through Fall of 2023.

Fortunately, the DoD has made some details available, primarily through the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S) website and through a Federal Register notice issued on November 17th. With these sources in mind, here are the major differences between CMMC 2.0 and 1.02:

Streamlined Level System

Under CMMC 1.02, defense contractors were evaluated under five levels of security, ranging from “Basic,” “Intermediate” and “Good” cyber hygiene at levels 1-3, to an “Advanced” security program at Level 5. CMMC 2.0 eliminates levels two and four, leaving only three levels that roughly correspond to the original Level 1, Level 3 and Level 5.

  1. Level 1 "Foundational" – like the original Level 1, this level includes the 17 basic safeguarding practices derived from Federal Acquisition Regulation (FAR) clause 52.204-21.
  2. Level 2 "Advanced" – like the original Level 3, this level includes the 110 controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. However, the 20 CMMC-specific practices that the original Level 3 layered on top of them have been eliminated, leaving only the NIST-derived controls.
  3. Level 3 "Expert" – little was known about the additional cybersecurity controls at the original Level 5. The picture is more straightforward for Level 3 under CMMC 2.0: in addition to the controls from NIST SP 800-171, organizations will be required to implement a subset of the controls in NIST SP 800-172.

Ultimately, the "CMMC-unique security practices" appear to have been eliminated from CMMC 2.0, mapping the core framework directly to the existing FAR clause and NIST publications alone. Furthermore, organizations will no longer be evaluated for "process maturity" or "institutionalization" as they were under previous versions of CMMC.

Reduction of Third-Party Assessment

Under CMMC 1.02, all defense contractors were required to undergo assessment by a third-party assessment organization (C3PAO) once every three years, whether or not they stored controlled unclassified information (CUI) considered critical to national security. Under CMMC 2.0, this requirement has changed substantially.

Of the roughly 220,000 companies in the defense industrial base, 140,000 will fall under Level 1 of CMMC 2.0, meaning they will only be required to undergo self-assessment once per year with the oversight of a senior level executive. The same will go for companies at Level 2 who do not hold “critical” CUI – or about half of them.

At Level 3, companies will be required to undergo a triennial governmental assessment, although details are not yet available. This leaves about 40,000 companies at Level 2 who will still have to undergo third-party assessment once every three years.

Expanded Exceptions and Leniencies

Under CMMC 1.02, the conditions for contract award were straightforward: companies needed to be compliant, or lose eligibility. Under CMMC 2.0, the DoD will be more lenient, awarding contracts to some organizations without CMMC implementation, provided they submit a Plan of Action and Milestones (POA&M) and agree to abide by a hard deadline.

CMMC 2.0 will also introduce a limited waiver process that would allow organizations to forgo some CMMC requirements under special circumstances. While these allowances would likely not apply to mission-critical security controls, many details of the process and its scope have not been clarified yet. Even so, a waiver process represents a radical departure from CMMC 1.02.

Preparing for CMMC 2.0

In some ways, CMMC 2.0 maintains substantial continuity with existing security regulations and compliance processes. In other ways, it is a major step forward, holding defense contractors to a high standard of accountability and cyber-readiness. While many questions about the updated program remain unanswered, it is not too early to start preparing with a few simple steps:

  1. Designate a C-level officer to approve annual assessments – many organizations are familiar with the current self-assessment process for NIST SP 800-171. Under CMMC 2.0, much of this process will remain the same, but organizations at Level 1, and at Level 2 without prioritized CUI, will need a senior executive to sign off on the self-assessment.
  2. Take advantage of DoD resources – with the new direction of CMMC 2.0, the DoD has committed to helping its partners, with resources like Project Spectrum providing organizations with free educational materials and a cyber readiness check.
  3. Get a readiness assessment – since it is based on existing NIST standards, it is possible to start preparing your organization for CMMC 2.0 compliance right now. A professional readiness assessment will reveal gaps in your systems and networks and establish a roadmap to CMMC 2.0 compliance tailored to your organization.

Based on our years of experience conducting assessments against the NIST standards that form the basis of CMMC 2.0, Securicon can perform readiness assessments and mock audits to help your organization prepare for the real thing. With a DoD background, our world-class experts are ready to take stock of your IT assets and build a security response plan that is tailored to your organization's needs. Contact us to learn more.

The IoT Security Problem in 2020: Taking a Deeper Look

Risk assessments, iot security

In 2017, an unnamed casino found that its data servers had been compromised and called on a security firm to help find the culprit. Shortly afterwards, the surprising results of the investigation were reported far and wide: like the plot of an ill-conceived James Bond story, hackers had entered the casino's network through an Internet-connected thermostat in a decorative aquarium.

Today's organizations have a lot more to worry about than the old fish tank trick: this year, experts estimate that the number of devices connected to the Internet will reach 30.1 billion, a record that will continue to climb for years to come. Connected refrigerators, printers, TVs and smart meters will provide points of entry for attackers with increasing frequency.

In the past, we've written about the security problems plaguing the current generation of IoT devices: just two years ago, researchers at the Black Hat and DEF CON security conferences showed how bad the problem is by hacking dozens of devices in unique and novel ways. This raises the question: how did we get here? Why is IoT so difficult to secure, and what can organizations do about it?

Why IoT is A Supply-Side Problem

To explain the IoT security problem, we have told ourselves a plausible story sometimes repeated on our website: IoT is an inherent security risk, because increasing the number of Internet-connected devices in an organization also expands the attack surface available to malicious actors. But – while there is truth to this story – it does not explain the sheer number of easily prevented security issues in business grade IoT. According to the Ponemon Institute, 51% of organizations acquire IoT products through a third party; meanwhile, 48% of organizations have been subject to at least one IoT attack, and that number is rising. As we will see, these two facts are not unrelated.

Manufacturing in the 21st Century

The way technology products are developed today has shifted from pure in-house engineering to a model based on component integration. Rather than manufacture a new TCP/IP network card for your product, for instance, it is quicker and less expensive to integrate one already produced by a third-party vendor. On the positive side, your product reaches the marketplace sooner, or in manufacturing speak, with "reduced time to market". On the negative side, the same component may end up in hundreds of products from a variety of manufacturers, and if that component has a security flaw, it ships in all of those products at the same time. The current state of IoT attests to this phenomenon.

What This Means for Security

With a lack of industry regulations that encourage high security standards for IoT products, the incentive for vendors to make a quick profit by cutting corners can drive sloppy development, a lack of vulnerability testing and quality control issues galore. The IoT market is in its “wild west” phase, as the PC market was three decades ago, and organizations must be wary who they work with. The following tactics are some of the most common ways we find IoT vendors punting the responsibility for secure design from themselves to their customers:

  1. Quick Turnaround

The term “Internet of Things” has been around since the 1990s, and the basic premise has never changed: it promises to automate basic tasks, from turning on the lights in your home to adjusting the window shades in a conference room based on the level of ambient sunlight to measuring the temperature gradient over a pipeline in a refinery. At its most basic, IoT is simply the implementation of connected technology to solve a problem. But in order to drive IoT adoption, products must have a reasonable price-point. Consumers won’t pay excessive amounts of money to automate tasks they can easily do by themselves. Manufacturing costs have to be kept low enough that the final products will sell, and this is why manufacturers generally choose to integrate cheap and readily available components.

  2. No Vulnerability Testing

Vendors are not immune to the lack of security awareness which impacts their customers. While it may be in their best, long-term interest to offer products with a high bar for security, it’s all-too-easy for vendors to skip a comprehensive vulnerability testing phase, opting instead to run down a checklist of features, if even that. Many companies lack the capabilities to test their products for security issues in the first place, and without regulations forcing them to do so, they simply won’t bother.

  3. Convenience at the Cost of Risk

When it comes to ease of access, what benefits IoT customers also benefits attackers. For the sake of convenience, vendors make design choices that exacerbate the vulnerability of their products: web interfaces, for instance, are the biggest target of IoT attacks, and even those behind a network address translation (NAT) firewall can be compromised. Likewise, omitting two-factor authentication (2FA) and forced changes of default credentials is a decision driven by convenience over security, when both features could thwart a huge number of IoT attacks. Rather than go to the trouble of building a dedicated support channel, vendors have even been known to add easily exploitable backdoors to a device's firmware.

  4. Poor Firmware

Speaking of backdoors in IoT firmware, firmware design is a major contributing factor to IoT security issues: few vendors dedicate the time it takes to work out the kinks before release, and debug interfaces used during development are often left enabled in production, allowing attackers to dump a large amount of useful information. Lack of testing may leave firmware vulnerable to buffer overflows, and bundled open-source components are frequently shipped outdated and never patched, exposing publicly known vulnerabilities to attackers. The best vendors update their firmware regularly to patch newly discovered vulnerabilities, but this is a rarity.

  5. API Flaws and External Threats

From the outside, IoT integration with third-party apps through an application programming interface (API) seems like a great idea, but API flaws left by vendors open the doorway to attacks from malicious code hidden within seemingly innocuous applications. Researchers have also proven the possibility of DNS-rebinding attacks on IoT through a website, infected link, advertisement or malicious redirect. In the future, organizations may have to worry that their network will be infected every time their employees browse the Internet.
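The DNS-rebinding attack mentioned above works because the attacker's page is loaded from the attacker's own domain, the attacker then re-points that domain (with a short DNS TTL) at the device's LAN address, and the page's scripts can reach the device while staying inside the browser's same-origin policy. What the browser cannot change is the Host header, which still carries the attacker's domain, so a device that answers only to its own names and addresses refuses the request no matter what DNS says. The server below is an added example of that check, not code from the original article or from any vendor's firmware; the device hostnames, addresses and sample reading are constructed for the example.

```python
"""Host-header validation that blocks DNS-rebinding requests to an IoT
device's embedded web server.

Added example, not code from the original article or from any vendor's
firmware. A rebinding page keeps sending "Host: attacker.example" even
after the attacker re-points that name at the device's LAN address, so
accepting only the device's own hostnames and addresses defeats the attack
regardless of what DNS currently resolves. Names and addresses below are
constructed for this example.
"""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed: the names and addresses this device legitimately serves on.
# Real firmware would derive these from its interfaces and configured name.
DEVICE_HOSTNAMES = {"thermostat.local", "localhost"}
DEVICE_ADDRESSES = {
    ipaddress.ip_address("192.168.1.50"),
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("::1"),
}


def split_host_header(host_header):
    """Return the host part of a Host header without its port, or None if malformed."""
    host = host_header.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal
        end = host.find("]")
        if end == -1:
            return None
        port = host[end + 1:]
        if port and not port.startswith(":"):
            return None
        return host[1:end]
    name, _, _port = host.partition(":")
    return name or None


def host_is_device(host_header):
    """True only if the Host header names this device by hostname or address.

    Requests arriving with any other name (attacker.example during rebinding,
    or a stray public IP) are rejected regardless of how DNS resolves it.
    """
    if not host_header:
        return False
    name = split_host_header(host_header)
    if name is None:
        return False
    if name in DEVICE_HOSTNAMES:
        return True
    try:
        return ipaddress.ip_address(name) in DEVICE_ADDRESSES
    except ValueError:
        return False


class DeviceHandler(BaseHTTPRequestHandler):
    """Minimal device API that applies the check before serving anything."""

    def do_GET(self):
        if not host_is_device(self.headers.get("Host")):
            # 421 tells the client the request was sent to a server that does
            # not serve that authority; nothing about the device is revealed.
            self.send_error(421, "Misdirected Request")
            return
        body = b'{"temperature_c": 21.5}'       # constructed sample reading
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(bind="127.0.0.1", port=8080):
    """Run the device API; a real device would bind to its LAN address."""
    HTTPServer((bind, port), DeviceHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Two design notes. The port is stripped before comparison and IPv6 literals are required to be bracketed, which is what the HTTP specification mandates, so a request with "Host: [::1" or "Host: ::1" is treated as malformed rather than guessed at. And the Host check is a complement to authentication on the device's API, not a replacement: it stops a victim's browser from being used as a relay, but it does nothing for a request that arrives with the right name and no credentials.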

How to Avoid Bad Vendors

The IoT security gap remains one of the greatest threats to security across federal agencies. In response, legislators have discussed enforcing IoT regulations for some time, and NIST has published a draft of NISTIR 8259, its recommendations for IoT device manufacturers. But until regulation arrives, irresponsible IoT vendors will persist, and organizations must practice due diligence to protect themselves. Here is how to do that:

  1. Take inventory of the IoT products throughout your organization, alongside any devices connected to the Internet (organizations should be keeping inventory of all their IT assets as part of a comprehensive security strategy).
  2. Conduct a vulnerability assessment to discover the devices that constitute a real threat to your organization, and remediate the issue. This will also give you an idea which vendors to avoid moving forward.
  3. Be careful who you do business with: vet your vendors during the product acquisition phase (industry reputation, quality control, customer testimonials and quality of business). Show an equal amount of caution when expanding the capabilities of IoT devices through third-party software vendors.

Prepare for the Future

While they have never been more serious than they are today, the risks of IoT and the principles of supply chain security have been understood for over a decade. But sadly, it is difficult to apply them, especially when the component-integration strategy of many product developers depends on technology sourced from countries that are hostile to the U.S. The Department of Defense (DoD) believes that foreign espionage through IoT products purchased by government agencies in America will be a major issue in the near future, and it will soon require all DoD partners to follow the security requirements in NIST SP 800-171 and to comply with the Cybersecurity Maturity Model Certification (CMMC). Until that happens, government contractors would do well to proactively adopt compliant security strategies, fortify their networks, and analyze their own IoT assets for vulnerabilities. The right time to beat hackers is before they strike.


Securicon Can Help

Securicon offers comprehensive IoT security and compliance solutions. Our services include penetration testing and social engineering assessments, trusted by critical infrastructure companies and other critical organizations across the U.S. to find vulnerabilities and reduce risk. In 2020, there is no room to be lax about security: contact us today!

 

5 NIST Updates That Will Impact Security Professionals in 2020

NIST Updates, ics warning

It's fair to say that publications from the National Institute of Standards and Technology (NIST) are a cornerstone of the security of our federal government: NIST documents set the standard for business operations in both the public and private sector, ranging from information security controls (SP 800-53) to cybersecurity practices (the Cybersecurity Framework, CSF). As time goes by, these documents are frequently updated, and keeping track of them can be difficult.

As we mentioned in a recent article, technology has a tendency to change faster than policy can keep up – but that doesn’t mean NIST won’t try. Every year, the agency works diligently to keep its standards current, seeking the advice of industry professionals to produce new documents ahead of future trends. With a new decade ahead of us, NIST is already hard at work, announcing new standards for IoT, privacy and much more.

To ensure your organization is prepared for the next generation of risk and compliance, keeping up with NIST's activity is vitally important. Our staff is among the industry contributors that advise NIST, and in this article we'll share five of the biggest updates to come recently from the nation's foremost authority on federal and commercial enterprise technology.

1. CMMC to Supplant SP 800-53 for DoD Contractors

The Cybersecurity Maturity Model Certification (CMMC) is by the far the biggest change to policy impacting federal partners in 2020. Although for now it mainly applies to contractors working with the DoD, that may change with time, and organizations should prepare before it goes into effect later this year.

CMMC has three major goals:

  • Consolidate – and therefore supersede – multiple cybersecurity standards, including NIST documents SP 800-53 and SP 800-171, and several international standards like ISO 27001
  • Prevent organizations from winning a contract until they can demonstrate cybersecurity preparedness
  • Gauge the maturity of a company’s cybersecurity practices and processes, as they have been institutionalized

With five gradually escalating certification tiers, in some ways the CMMC will ease the burden of compliance for federal contractors. In other ways, it will raise the bar for what it means to be "compliant," forcing organizations to take responsibility for risk and adopt a cybersecurity mindset across their departments. As a military contractor ourselves, we too are adapting to comply.

2. Draft for IoT Standards

The IoT security gap remains one of the greatest threats to security across federal agencies. Thanks to a lack of security controls from IoT vendors – and a lack of awareness from organizations – most IoT devices suffer from multiple vulnerabilities that can be used for espionage, data theft and much more.

In response, NIST has released a draft of NISTIR 8259, titled Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline. The document aims to bring IoT vendors in line with the security needs of their customers through capabilities like data protection, authorized software updates, end-of-life policies and, most importantly, secure firmware designed to prevent unauthorized device access.

While compliance with IR 8259 is completely voluntary for the time being, a proposal to put NIST in charge of IoT standards remains before the House of Representatives, and may be passed at any time.

3. Privacy Framework

Federal contractors handle a lot of sensitive information, ranging from the personal data of their employees, customers and clients to classified information from government agencies. As emerging data privacy laws seek to mitigate the risk of data incidents across public organizations, NIST is doing its part to prevent them in a federal context with the Privacy Framework (PF).

While the PF is only 39 pages long, it is jam-packed with advice and procedures to defend data security from threats both inside and outside of an organization. Divided into five basic sections, it is also aimed at helping organizations stay prepared for technology advancements and new data use cases:

  • Identify risk to individuals
  • Govern risk management priorities
  • Control privacy risks at a granular level
  • Communicate with stakeholders
  • Protect data from “privacy events”

Version 1.0 of the PF was released in January 2020, after the draft had been available for public comment since September of last year. It has already been adopted by organizations outside the government and should gain wider adoption in the coming months.

4. Supply Chain Risk Management Updates

Released in 2015, SP 800-161 has existed to mitigate risks in the information and communications technology (ICT) supply chain throughout federal organizations. Now, NIST seeks to update Supply Chain Risk Management Practices for Federal Information Systems and Organizations for a new decade, following changes in federal law regarding the acquisition of ICT products in 2019, especially from foreign vendors.

In its pre-draft call for comments, NIST stated its goal to “deliver a single set of cyber supply chain risk management practices to help Federal departments and agencies manage the risks associated with the acquisition and use of IT/operational technology products and services in a way that is functional and usable.”

The ICT supply chain can introduce risk to organizations through poor design, lack of security controls and even backdoors for espionage. Since changes to SP 800-161 will be accompanied by updates to NIST SP 800-37, and SP 800-53, all federal contractors will be affected, and they should stay informed as new information becomes available.

5. Standardization of Cybersecurity Regulations

Ever feel like there are just too many security regulations to keep up with? NIST agrees: in a draft report for the National Cybersecurity Online Informative References (OLIR) Program, it states “the fields of cybersecurity, privacy, and workforce have a large number of documents, such as standards, guidance, and regulations”.

Through the OLIR, NIST aims to simplify compliance procedures through a centralized online repository of cybersecurity legislation complete with cross-references between documents, and advice from subject matter experts. Depending on the extent of the OLIR, it could change the workflow of security professionals throughout the industry and make the adoption of new standards much easier.

NIST accepted public comments on its first draft until February 24th. We don't know how long it will be until OLIR goes into effect, but it's safe to assume something will be up and running by the end of this year.

Taking Responsibility

Every new update from NIST points to developing trends in technology and legislation. While keeping up with them can be difficult, the best way to stay ahead of regulations is to stay on top of risk.

Don’t stop at checking off boxes: in 2020, organizations who take responsibility for their business processes, IT infrastructure and insider threats will be the most likely to succeed on the road to full compliance.


Take stock of your IT assets and fix vulnerabilities before NIST tells you to: with a DoD background, our world-class experts in governance, pen testing and ethical hacking can help through technical consulting and federal security services. Contact us today!