OTX Partners

OTX Roundtable GRC News

September 2024

CMMC is Getting Real

It seems that CMMC has been on a slow simmer for years now. In reality it has been moving along at as brisk a pace as any federal regulation. However, many have been either in wait-and-see mode (maybe it will just go away) or in full-on denial. Well, it ain't going away. In fact, the "48 CFR CMMC" rule, which defines how the specific clause requiring certification will appear in DoD contracts (DFARS 252.204-7021), was published as a proposed rule in the Federal Register on August 15. Once the comment period is complete, smart money has the clause appearing in contracts in late spring of 2025.

How does this affect MSPs? Back in December 2023, when the proposed 32 CFR rule defining the CMMC program was released for comment, it clearly identified MSPs as "External Service Providers" (ESPs) covered under the CMMC requirements. Under the flowdown requirements, subcontractors that process, store, or transmit the contract's controlled information, including external service providers, must meet the same requirements as the prime. Therefore, if the contract held by the prime requires CMMC Level 2 or 3, those subcontractors, including ESPs, must be certified at the same level. MSPs providing services to manufacturers in the Defense Industrial Base (DIB) will be required to certify under CMMC or risk losing that business.

In a recent CyberCall, hosted by Andrew Morgan of Right of Boom, Ryan Bonner of DEFCERT summed it up succinctly:

“…the federal rule says if a contractor is entrusting any security protection data, which you know, they say is just configuration data about the contractor system, and they're entrusting that to an external service provider. That service provider is now hosting that data. They have it in their IT Glue instance. They have it in their RMM tool, they have it in their EDR stack. They are now an external service provider. They must have a matching certification for their client. So if your defense contractors all need level 2, the MSP needs a level 2 certification as well…”

This puts MSPs servicing the DIB on notice that they need to make sure they are on the path to certification or risk losing those clients. CMMC certification is no small task. It requires significant time and money. Conventional wisdom is that it can take 12 to 18 months to complete; therefore, organizations (both contractors and MSPs) that have not started are already behind the eight ball.

This is going to be an "are you in or are you out?" situation. Some manufacturers and MSPs may decide that the time and expense required to attain CMMC is not worth the payoff. That may be true. However, there is discussion that CMMC may become the de facto standard for other federal agencies. Given the flowdown requirements of federal contracts, this may ultimately affect far more industries.

Regardless of CMMC, all MSPs should be looking to adopt a formal cybersecurity framework such as the CIS Controls or the NIST CSF. Compliance with any of the major frameworks will get an MSP far along the path to CMMC certification should it be required.

Aftermath of the CrowdStrike Incident

It has been a little more than six weeks since CrowdStrike created a global outage by pushing a faulty content update (Channel File 291) to its Falcon sensor. Major corporations, including airlines and airports, were brought to a standstill. Although the fix became available quickly, recovering endpoints was a tedious, largely hands-on task that took many organizations several days. Estimates of the financial impact exceed $10 billion.

Only Microsoft Windows systems were affected, and Windows is, of course, by far the most popular desktop operating system, with roughly 70% of the market. The faulty update triggered a "Blue Screen of Death" (BSOD) boot loop, so each affected endpoint had to be booted into Safe Mode or the Windows Recovery Environment (often after supplying a BitLocker recovery key) and the bad channel file removed by hand. Many MSPs went into scramble mode to help their clients get back up and running, even though many were not the provider of the software to the client. In fact, CrowdStrike has only had a reseller program since fall of last year.

For the most part, CrowdStrike has been considered an enterprise solution with limited penetration into the SMB market. This was probably a blessing in disguise for many small and medium MSPs, as the impact was felt primarily by larger organizations.

In the aftermath, fingers have been pointed primarily at CrowdStrike for a lack of testing and a poor rollout plan. In its own Root Cause Analysis report, CrowdStrike acknowledged that its testing and rollout process for this class of content update was flawed. Most patches or updates are rolled out in a staggered fashion, allowing for feedback as the patches are applied. CrowdStrike pushed this update to all endpoints at once.

Microsoft has not escaped criticism either. How can a single faulty update crash an entire operating system? The CrowdStrike sensor runs as a kernel driver with elevated privileges, and in this case a malformed content file caused an out-of-bounds memory read inside that driver. Errors at this level are known to cause serious issues and BSODs. Critics have cited this as a bad strategy on Microsoft's part. macOS, on the other hand, forces vendors to use a controlled API (the Endpoint Security framework) rather than loading third-party code into the kernel. Microsoft has fired back, claiming that a 2009 agreement with the European Commission requires it to give other security vendors the same access to the operating system that it uses internally.

The ramifications of this incident will be felt for years to come. The outcomes of numerous lawsuits and cyber insurance claims will reveal more about its true impact.



Increase in Trojan Malware Using Browser Extensions

One of the most often overlooked attack surfaces on the PC is the browser extension. Extensions have become a common way to add functionality to web applications and improve productivity. They can also be used maliciously to infect the computer and steal personal information.

In recent campaigns more than 300,000 browsers have been affected. Both the Chrome Web Store and Microsoft Edge Add-ons have been used as distribution points. The installers carry payloads ranging from simple adware that hijacks searches to extensions that steal personal data and execute commands. Attackers lure unsuspecting users through fake websites that mimic popular legitimate sites and tools such as YouTube, Roblox FPS Unlocker, and KeePass.

Many anti-virus and anti-malware programs are not identifying this malware. Additionally, it can be difficult to remove: if removed incorrectly, the malware will return on the next reboot, so its persistence mechanism has to be found and removed before the extension itself. However, a good Endpoint Detection and Response program should block the activity.

ReasonLabs recently published a blog to help identify and remove the malware.
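As an added example (not code from the newsletter or from ReasonLabs), the following PowerShell hunts a Windows endpoint for three places this class of extension malware commonly persists: the Chrome and Edge ExtensionInstallForcelist policy keys (documented browser policy locations that force-install an extension on every launch), browser shortcuts rewritten with a --load-extension argument, and scheduled tasks that launch a script interpreter. The registry keys and browser flags are real; that a given sample uses them is an assumption to confirm against the ReasonLabs write-up. Run it in an elevated PowerShell session; it only reports and removes nothing.

```powershell
# Added hunting script (not from the newsletter or ReasonLabs). Reports likely
# persistence for unwanted browser extensions on a Windows endpoint.
# Assumption: the malware persists via forced-install policy keys, rewritten
# browser shortcuts and/or a scheduled task; adjust to your own findings.

# On a workstation that is not centrally managed, any forcelist entry is suspect.
$isManaged = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

function Get-ForcedExtensionPolicy {
    # Chrome/Edge honour these keys: each value is "<32-char extension id>;<update url>"
    $keys = @(
        'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
        'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
        'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
            $id, $updateUrl = ($prop.Value -split ';', 2)
            [pscustomobject]@{
                Type       = 'ForcelistPolicy'
                Location   = "$key\$($prop.Name)"
                Detail     = "id=$id updateUrl=$updateUrl"
                # Unmanaged machine, or an update URL that is not the official store
                Suspicious = (-not $isManaged) -or
                             ($updateUrl -notmatch 'clients2\.google\.com|edge\.microsoft\.com')
            }
        }
    }
}

function Get-TamperedBrowserShortcut {
    # --load-extension side-loads an unpacked extension that never passed store review
    $shell = New-Object -ComObject WScript.Shell
    $dirs = @(
        "$env:USERPROFILE\Desktop", "$env:PUBLIC\Desktop",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
        "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
    )
    Get-ChildItem -Path $dirs -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if ($lnk.TargetPath -match 'chrome\.exe|msedge\.exe' -and
                $lnk.Arguments -match '--load-extension|--disable-extensions-except') {
                [pscustomobject]@{
                    Type       = 'ShortcutArgs'
                    Location   = $_.FullName
                    Detail     = $lnk.Arguments
                    Suspicious = $true
                }
            }
        }
}

function Get-ScriptLaunchingTask {
    # The reinstall-on-reboot behaviour usually comes from a task that runs a script host
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh|wscript|cscript|mshta|rundll32') {
                [pscustomobject]@{
                    Type       = 'ScheduledTask'
                    Location   = "$($task.TaskPath)$($task.TaskName)"
                    Detail     = $cmd
                    # Encoded/hidden invocations or payloads under temp/profile paths
                    Suspicious = ($cmd -match '-enc|hidden|bypass|\$env:TEMP|\\AppData\\|\\Temp\\|http')
                }
            }
        }
    }
}

# Report only. Removal order matters: disable the task, delete the policy value,
# fix the shortcut, then remove the extension in the browser and reboot to confirm.
$findings = @(Get-ForcedExtensionPolicy) + @(Get-TamperedBrowserShortcut) + @(Get-ScriptLaunchingTask)
$findings | Sort-Object Suspicious -Descending |
    Format-Table Type, Suspicious, Location, Detail -AutoSize
```

Legitimately managed fleets will show GPO- or MDM-delivered forcelist entries pointing at the official store, which is why the script reports every entry and flags only the unmanaged or off-store ones; compare anything flagged against your own policy baseline before deleting it, and reboot afterwards to confirm the extension does not come back.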

Featured Recorded Event

National Society of IT Service Providers

Fireside Chat: Practical Application for MSPs for CMMC

Mark Jennings (OTX Partners), Joy Beland (Summit 7), and Andrew Crawford (Compliance Specialists) discuss how MSPs can prepare for CMMC.


Recently I watched American Graffiti on TV. I had not seen the movie since it first came out in 1973.

For those not familiar with the movie, it takes place in 1962 and follows four teenagers in a small California town through their last night together before heading off to college and other pursuits. The entire film unfolds in a single night and captures a great slice of what life was like in 1962. When it was released it was popular because it offered a nostalgic return to a very different time in the US. By 1973, the world had changed drastically: the music, the clothing, the hairstyles, the automobiles, and the attitudes had all evolved greatly, and the Vietnam War had had a major effect on the American psyche.

But what struck me most is that only 11 years separate 1962 and 1973. If we were to make the same movie today, that would be the equivalent of setting it in 2013. Yet the world of 2013 would look virtually identical to 2024. Popular culture and artistic styling seem frozen in time.

Yes, the iPhone is now in double-digits, we are now in season 105 of Real Housewives, we have a few more Marvel characters, and Taylor Swift is now a billionaire. But there are very few original ideas. Most music today could fit into a 2013 playlist seamlessly. Completely original Broadway productions are rare. And a 2013 BMW 328 is almost indistinguishable from a 2024 model. You can turn the clock back an additional 10 years and see little difference as well…

Read More…


Next OTX Roundtable Meeting

September 26-27, 2024

Alexandria, VA

Live, in person


OTX Partners LLC

OTX Roundtable GRC is a peer group helping MSPs build and maintain a security and compliance-focused culture. Find out more here

© 2024 OTX Roundtable, Inc. All rights reserved. Designated trademarks, brands, logos, and service marks are the property of their respective owners.