
CMMC 800-171 Solution on ServiceNow GRC Platform

Is your organization struggling to keep up with the complex requirements of Vendor Risk Management and the NIST 800-171 standards? You need Securitybricks’ innovative ServiceNow GRC Vendor Risk CMMC application.

I’m Donna, a passionate Risk, Compliance, and ServiceNow GRC expert, and I’m thrilled to introduce our latest project: a simple, easy-to-use Vendor Risk Management application that streamlines compliance assessments of downstream vendors and suppliers in accordance with your organization’s CMMC Level.

Built upon the powerful ServiceNow Vendor Risk Management Module, our CMMC app is designed to make compliance easier for you. If you’re an existing GRC Vendor Risk Management customer, you’ll be able to integrate our app seamlessly into your current process. We built the app on ServiceNow specifically to address CMMC requirements for subcontractors. With a user-friendly Questionnaire and Assessment, it’s never been easier to launch your CMMC vendor compliance assessments. We offer two levels (Level 1 and Level 2) to suit your organization’s specific needs. Installation is as simple as downloading the app from the ServiceNow Store, installing it in your GRC Vendor Risk instance and then, as the Vendor Risk Manager, creating a CMMC Assessment from the prebuilt CMMC assessment templates and assigning it to the vendor to complete.

We’re proud to offer this application to you for FREE, exclusively in the ServiceNow Store. It will be available for download at the end of Q1 2023, and our Version 1 solution is designed to work with the ServiceNow Tokyo and Utah releases. Our app uses out-of-the-box Roles for Vendor Risk Managers to create the assessments and for Vendors to respond to them, making it simple and straightforward to use.

Not Your Keys, Not Your Coins

In the world of cryptocurrency, the phrase “not your keys, not your coins” is a reminder of the importance of maintaining control over your own private keys.

A private key is a secret code that grants access to a cryptocurrency wallet and the coins within it. Without the private key, the coins within that wallet cannot be accessed or transferred. This means that if you do not have control over your own private keys, you do not truly own the coins in that wallet.

This is where the concept of “not your keys, not your coins” comes into play. When you store your coins on a centralized exchange or with a third-party custodian, you are effectively giving up control of your private keys to that entity. While they may promise to keep your coins safe, they are also in control of the coins and can make decisions on how to use them without your consent.

In contrast, when you store your coins in a self-custodied wallet, such as a hardware wallet or a software wallet for which you control the private keys, you always maintain control over your coins. This means that you are in full control of your coins and can make decisions on how to use them, such as transferring them to another wallet or selling them on an exchange.

When storing coins in your self-custodied wallet, you should also put a passphrase on it. You will have a key file or mnemonic phrase associated with your wallet. By adding a passphrase, you provide more security for yourself and your funds. Tools such as MetaMask are good for Ethereum, Polygon, and many other cryptocurrencies. MetaMask will give you your mnemonic phrase when you set up your wallet, and this phrase should be stored as if you were storing gold for Fort Knox: it gives access to all the funds in your wallet.
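To make concrete why the passphrase matters, here is an added example (not code from the original post, and not MetaMask’s code) that derives the wallet seed from a mnemonic phrase the way BIP39-style wallets do: PBKDF2-HMAC-SHA512 with 2048 rounds, where the salt is the string "mnemonic" followed by the passphrase. The mnemonic used is the well-known public BIP39 test phrase (eleven "abandon" words and "about"), chosen only because it is a published test vector; it must never hold funds. The point the code shows is that the same twelve words with a different passphrase produce an entirely different seed, so the words alone do not unlock a passphrase-protected wallet.

```python
import hashlib
import unicodedata

# Constructed demo mnemonic: the public BIP39 test vector. Never fund a
# wallet derived from it; anyone can derive the same keys.
DEMO_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte wallet seed from a mnemonic and optional passphrase.

    Both inputs are NFKD-normalised first, as the BIP39 specification
    requires, so that visually identical Unicode strings give the same seed.
    The salt is the literal string "mnemonic" plus the passphrase, which is
    why the passphrase is often described as a "25th word".
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seeds_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True when two passphrases turn the same words into different wallets."""
    return mnemonic_to_seed(mnemonic, passphrase_a) != mnemonic_to_seed(mnemonic, passphrase_b)


if __name__ == "__main__":
    # Same words, three different passphrases: three unrelated wallets.
    for pw in ("", "TREZOR", "correct horse"):
        print(f"passphrase={pw!r:16} seed={mnemonic_to_seed(DEMO_MNEMONIC, pw).hex()[:32]}...")
    print("empty vs TREZOR differ:", seeds_differ(DEMO_MNEMONIC, "", "TREZOR"))
```

Two practical consequences follow. A backup of the words without the passphrase is not a complete backup, so record both (separately, and never on the compromised machine described next). And because the derivation is a plain hash, a forgotten passphrase cannot be recovered from the words; there is no reset flow.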

Luckily, if you believe you have been compromised, setting up a new wallet with a new phrase is easier than opening a bank account. You just set up a new account (on a non-compromised system) and transfer all your funds to the new wallet. The concept of “not your keys, not your coins” is especially important in the world of cryptocurrency because, unlike traditional financial systems, there is no central authority that can help you recover your coins if you lose access to them. If you lose control of your private keys, you may permanently lose access to your coins.

Self-custody of your assets means you are responsible for all your funds. This is a blessing for people who may have been affected by outages during huge volatility spikes on exchanges. Many notable spikes occur when cryptocurrencies like Bitcoin, Ethereum and Solana move 10% or more within a couple of minutes. If you try to sell, you might be limited by the exchange as it tries to keep liquidity available on both the cryptocurrency and fiat sides.

Other issues, like the recent FTX scandal, show how your funds can be used in ways you never intended. The same was true of the large lending coin scam of 2017-2018, the Mt. Gox scandal in 2013-2014 and many other similar events.

It is important to keep in mind that in the world of cryptocurrency, your keys are your coins. Maintaining control over your own private keys is essential for truly owning and being in control of your coins, and it is important to store your coins in a self-custodied wallet whose private keys you control.

How Secure is Your Data in the Cloud?

Have you moved to the cloud and think your data is secure because the cloud service uses encryption? This may be a false sense of security, depending on the sensitivity of your data. There is much more to storing data securely than the encryption algorithm that is used. Many companies have moved or are in the process of moving to the cloud for computing and data storage. Overall, cloud services are a less expensive environment for computing and data storage, with the convenience of worldwide access from any number of devices.

Cloud services protect data with encryption, both for data in flight to and from the cloud and for data at rest. This encryption is typically included in the base cost of the service, but is it as secure as the in-house datacenters these companies once used? Even if a company did not employ encryption to protect its data, there was a level of security in that the network was private, which protected it from external adversaries. When using a cloud service, companies lose control of their data and rely on the security of the cloud service and its personnel. The encryption employed by cloud services is there to protect the data in the event of a data breach, which protects the service from undue financial loss. The encryption keys used are shared among the customer base and managed internally. How well these keys are actually protected is not easily assessed, and poor key management could allow internal access to customers’ data.

When it comes to encryption, it is not the algorithm that protects the secrecy of data; algorithms are publicly known and widely distributed. The choice of an encryption algorithm is important in that some are stronger than others, but the security of encrypted data relies on the security and secrecy of the cryptographic key. Any entity that has access to the cryptographic keys can decrypt the data.

Companies that have sensitive data that must be protected for business purposes may choose to use encryption where the cryptographic keys are unique to them. This is implemented as a second level of encryption, and most cloud services offer it. These companies must implement strong key management in which split knowledge and dual control are enforced so that no single individual has access to the encryption key. Split knowledge is where the key is broken up and distributed to separate individuals for safekeeping; individual knowledge of these key parts does not reveal anything about the key itself. Dual control is a process where two or more individuals are required to perform key management functions, which may include key recovery, distribution to other platforms or systems, and internal use. Improper key management may result in the loss of keys or compromise of the key, which exposes the data that was meant to remain secret.

Encryption key management is a critical part of using encryption to keep data secure and secret. Poor key management is like hiding the spare house key under the welcome mat. If you don’t understand how encryption keys are managed, and more importantly don’t know the people and systems that have access to the keys, your data may not be as secure as you think. There are several ISO and ASC X9 standards that can help you review key management processes, as well as consulting firms that are willing to help.