Pratum Blog


If a bank or federal contractor experiences a data breach, the federal government wants to know about it—and the new Civil Cyber-Fraud Initiative has teeth to back it up.

Throughout 2021, the federal government has taken the fight to global hackers on multiple fronts, fueled by President Biden’s May 2021 executive order. Two of the latest moves are the Department of Justice’s Civil Cyber-Fraud Initiative and new FDIC rules that ramp up reporting requirements when federal contractors, federal grant recipients or banking entities experience data breaches.

This post explains what you need to know about how the Civil Cyber-Fraud Initiative and other new regulations could affect you.

Why Does the Government Want Breach Reports?

A data breach affects far more than the compromised organization. In this era of heavily interconnected supply chains, a breach of a single organization can rapidly cascade into dozens of others. (This year’s Kaseya breach provided a painful example of how supply chain attacks can go global in very little time.) Through moves like the Civil Cyber-Fraud Initiative, the government wants to know when anyone handling its data or connected to its systems experiences a compromise.

Sharing breach information also lets the wider community stop attackers more quickly. When breaches go unreported, the same attack keeps working against other organizations in both the public and private sectors. When you report a breach, the government can spread the word about the vulnerability exploited and the type of attack used, helping others harden their defenses quickly and giving developers the information they need to ship the patches that close the vulnerability.

An FBI agent explained in one of our recent blogs that agents like companies to report even suspected attacks so that they can add the threat data to the information shared with all their offices.

The DOJ’s announcement of its new requirements also acknowledged a critical point for private companies: Companies should have incentives to invest in good information security. With new regulations built on cybersecurity best practices, the government wants to stop companies from skimping on security investments and undercutting, on price, the companies that are doing the right thing.

What’s in the Civil Cyber-Fraud Initiative

In October, Deputy Attorney General Lisa O. Monaco announced the Civil Cyber-Fraud Initiative saying, “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it. Well, that changes today.”

The initiative is enforced through the False Claims Act, a tool that lets the federal government recover damages and penalties from parties who put government programs and operations at risk through inadequate information security measures. In short, if you operate under federal contracts or receive federal grant funding, you need to be aware of the new requirements. Under this program, firms could face government penalties if they knowingly:

  • Provide deficient cybersecurity products or services
  • Misrepresent cybersecurity practices or protocols
  • Violate obligations to monitor and report cybersecurity incidents and breaches

Whistleblower provisions in the False Claims Act empower individuals to report any wrongdoing they know about and give them a chance to share in the funds recovered. Given that empowerment and the regulations’ complexity, observers expect significant whistleblowing activity, which is what the feds are hoping for. A violation could be as simple as, for example, falsely stating that you have a written incident response plan or system monitoring in place.

Plenty of questions remain about how the government will judge a “knowing” failure, how penalties would be assessed, how responsible a company is for its subcontractors, etc.

What’s in the New FDIC Notification Rules

The FDIC issued its own new regulation about incident notification in November. The rule requires banking organizations to notify their primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible, and no later than 36 hours after the organization determines that a notification incident has occurred.

In short, this regulation applies to incidents that have materially disrupted, degraded or impaired banking operations and services, or are reasonably likely to do so.

The rule also requires bank service providers to notify their banking-organization customers when an incident has materially disrupted or degraded covered services for four hours or more. The rule takes effect April 1, 2022.

Clearly, it will take time for organizations to sort through the new rules and establish policies accordingly. For help understanding how the Civil Cyber-Fraud Initiative and the new FDIC rules affect you, contact a Pratum expert.

Q&A With a CMMC Registered Practitioner

The Defense Department recently pumped the brakes on the rollout of its much-discussed CMMC cybersecurity standard—and made significant changes that should greatly simplify compliance for private companies. But that raises plenty of questions about exactly where contractors go from here. We talked with Pratum’s Jeff Hudgens, a CMMC Registered Practitioner, for guidelines on what manufacturers, software developers and other contractors need to know about CMMC 2.0.


Answers to CMMC Certification Questions


Q:

Can you give us a 20-second reset of what CMMC is?

A:

In 2019, the DoD began a lengthy process for beefing up security for every company in its supply chain via the Cybersecurity Maturity Model Certification (CMMC) standard. In all, about 300,000 companies face new cybersecurity compliance rules if they want to keep winning contracts from the Pentagon and its prime contractors. But, as you might expect from a massive new government program, confusion and controversy have dogged CMMC’s rollout.

In the latest move, CMMC 2.0 arrived in November with numerous adjustments handed down by the CMMC Accreditation Body (CMMC-AB).


Q:

Let’s start with timeline. How soon do companies need to comply with CMMC?

A:

No one really knows at this point, but no deadlines are looming. The DoD originally said some level of CMMC requirement would appear in all of its contracts by 2025. But with the release of CMMC 2.0, all of that is up in the air again. The DoD is diving into an open-ended “rulemaking process” and has dropped plans to include CMMC requirements in upcoming contracts. One thing we’re hearing is that the DoD may offer incentives to companies that voluntarily adopt CMMC guidelines, which sounds like an effort to motivate some early adopters.


Q:

What prompted the revisions to CMMC?

A:

The private sector pushed back heavily on the regulatory burden imposed by CMMC’s complexity. The new release makes the whole program simpler and, frankly, leaves a lot of lingering questions about how much will ever be required for DoD contractors. The DoD is making flexible implementation a key factor in the CMMC revisions.


Q:

Have CMMC levels changed under the new plan?

A:

Yes, they’ve been simplified. CMMC 1.0 included five levels that a vendor could be required to meet under any given DoD contract. CMMC 2.0 cuts the original five levels down to just three. This chart from the official federal CMMC site shows how the new levels compare to the old ones:

(Chart: CMMC 2.0 levels compared with the original CMMC levels, from the official federal CMMC site.)

Q:

Does CMMC 2.0 still require a third-party certification of security practices?

A:

That’s one of the biggest changes in the new release. Under CMMC 1.0, every level required assessment by an approved third-party. But CMMC 2.0 dramatically reduces the requirements for third-party assessments. Companies pursuing contracts with a Level 1 requirement can now submit a self-assessment. At Level 2, some contracts will require third-party assessment. These moves are clearly designed to address industry complaints about increasing compliance regulations. At Level 3, the DoD intends for government assessors to review the security standards of contractors handling the most sensitive information.


Q:

So the government will mostly take companies at their word regarding their security programs?

A:

You can still plan on some oversight, even when self-assessment is allowed. Companies that knowingly falsify their reporting may, for example, face false claims lawsuits from the Department of Justice.


Q:

Does the new approach allow remediation plans?

A:

Yes. In another concession meant to ease the compliance burden on companies, CMMC 2.0 lets companies achieve certification while still pursuing a Plan of Action and Milestones (POA&M) to fix any shortcomings. This eliminates the pass/fail nature of CMMC 1.0. In some circumstances, the DoD says it will even let companies apply for CMMC waivers.


Q:

How have the actual controls changed?

A:

CMMC 1.0 included a significant number of CMMC-specific requirements. Those are gone in version 2.0. Level 2 now mirrors the widely used NIST SP 800-171, and Level 3 will be based on a subset of NIST SP 800-172. The bottom line is that companies following industry standards should be able to achieve CMMC compliance without adopting other proprietary controls.


Q:

Do I need to do anything right now?

A:

These changes take most of the urgency out of CMMC compliance since we have no idea when it will appear in DoD contracts. But CMMC’s requirements generally follow what the industry considers basic cybersecurity best practices. So you should be constantly honing your cybersecurity policies as a matter of smart risk management. Doing that will help you be ready for CMMC when it comes into play. And if you’re unwilling to take the supply chain security steps required to meet even CMMC Level 1, you’ll probably find that many large, private companies won’t feel safe doing business with you anyway.


Q:

Where can I get help figuring out what’s required for me?

A:

Pratum’s compliance experts can help you understand the compliance requirements for your specific situation.

You also can get advice from governmental bodies tasked with helping manufacturers and other companies navigate the government procurement process. Each state has a Manufacturing Extension Partnership Center that can help you with CMMC. You can look up yours at nist.gov/mep/centers. You can also work with one of about 300 Procurement Technical Assistance Centers nationwide. You can find a nearby PTAC at aptac-us.org.

Editor's Note: This post was originally published in February 2021 and has been updated to reflect changes in CMMC.

Ransomware continues to dominate the year’s headlines, but Americans suffer far more damage from business email compromise than from any other attack, according to the FBI. The feds reported earlier this year that business email compromise cost more than $2.4 billion in 2021. Throw in BEC’s cousin, phishing, and you can tally another $44 million in damages. The boom in business email compromise (BEC) attacks means you should make it a top priority to train your team to spot this scam.

BEC attacks use sophisticated techniques that can trick all but the most attentive email users. Attackers typically impersonate a legitimate contact asking for a transfer of funds. But when victims send the money, it lands in a bank account controlled by the attackers, who quickly convert it to cryptocurrency or move it through other channels that are hard to trace. It may be days before you even know you sent the money to an imposter.

Hackers typically send an email that seems to come from either a co-worker or a legitimate vendor. In fact, the bogus message may come from a legitimate account the hackers have taken over, and it may even refer to a legitimate payment you’re expecting to make. The only difference is the account they tell you to send it to.

The examples below show how BEC attacks work and red flags you can watch for to ensure you don’t fall prey to this ruse.

Stages of Business Email Compromise

(Figure: Stages of Business Email Compromise. Step One: Identify target. Step Two: Groom target. Step Three: Transfer of information. Step Four: Wire transfer.)

Source: FBI

How to Spot Business Email Compromise

Original message used to steal user credentials (red flags shown: spoofed email address and a malicious link).

Spoofed messages used to cause fraudulent payment (red flags shown: real data used to fool you; timing; suspicious attachments; sudden change in normal procedure and/or urgency; unusual name usage).

Red Flags of Business Email Compromise

1. Spoofed address – Look carefully at the actual domain name, not just the sender’s display name. This spoofed domain has an extra character in the company name.

2. Malicious link – This link actually leads to a credential harvesting site. Hover your mouse pointer over the link before clicking it to confirm that it's going to the expected address.

3. Real data used to fool you – Because hackers may be monitoring your email, they may jump into a legitimate thread. In this case, the first message in the sequence came from a real vendor talking about a real invoice. The hackers then inserted themselves and took over the discussion, cutting the real vendor out of the thread.

4. Timing – This is a fake email from the scammer, who sent the request late in the week, hoping to catch an employee rushing to complete tasks before leaving.

5. Suspicious attachments – If you’re not expecting an attachment, don’t open it. Call the sender to confirm it’s a legitimate file.

6. Sudden change in normal procedure and/or urgency – Be extremely wary of changes in deadlines, bank accounts, etc. Call your contact to confirm what’s happening.

7. Unusual name usage – Hackers posing as legitimate contacts often fumble the details of names, so pay attention to any discrepancies, such as someone who normally goes by “Michael” signing a message as “Mike.”
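The spoofed-address, misleading-link and urgency red flags above are mechanical enough to check before a human ever reads the message. The script below is an added example, not Pratum code, that runs those checks over a constructed sample email. The allowlist of trusted domains (KNOWN_DOMAINS), the pressure phrases and the sample message itself are all assumptions made for the illustration. Note what it cannot do: if the attacker is sending from a vendor’s genuinely compromised mailbox, the domain and links all check out, and only an out-of-band phone call to a known number (red flags 5 and 6) catches the changed bank account.

```python
"""Heuristic BEC red-flag checks over a constructed sample message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of domains you legitimately exchange payments with.
KNOWN_DOMAINS = {"examplevendor.com", "ourcompany.com"}
# Phrases that signal urgency or a change in payment procedure (red flag 6).
PRESSURE_PHRASES = ("urgent", "immediately", "before end of day",
                    "new bank account", "updated banking", "wire")


def _within_one_edit(a, b):
    """True if a and b differ by exactly one substituted, inserted or
    deleted character, e.g. an extra letter slipped into a domain name."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    i = j = 0
    skipped = False
    while i < len(longer) and j < len(shorter):
        if longer[i] == shorter[j]:
            i += 1
            j += 1
        elif skipped:
            return False
        else:
            skipped = True
            i += 1
    return True


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in known:
        return None
    return next((k for k in known if _within_one_edit(domain, k)), None)


class _Links(HTMLParser):
    """Collect (href, visible text) pairs plus the message's plain text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def _host(url):
    url = url or ""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def bec_red_flags(raw_message):
    """Return a list of human-readable red flags found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    imitated = lookalike_of(sender_domain)
    if imitated:  # red flag 1: domain one character off from a trusted one
        flags.append(f"spoofed address: {sender_domain} imitates {imitated}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_domain:
        flags.append(f"reply-to mismatch: replies go to {reply_to}")

    parser = _Links()
    for part in msg.walk():  # walk() also yields a single-part message itself
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            parser.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    for href, anchor in parser.links:  # red flag 2: link text vs. real target
        looks_like_url = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", anchor, re.I)
        shown = _host(anchor) if looks_like_url else ""
        if shown and shown != _host(href):
            flags.append(f"misleading link: text shows {shown} but goes to {_host(href)}")
        elif lookalike_of(_host(href)):
            flags.append(f"link to lookalike domain: {_host(href)}")
    body = (msg.get("Subject", "") + " " + " ".join(parser.text)).lower()
    hits = [p for p in PRESSURE_PHRASES if p in body]
    if hits:  # red flag 6: urgency and/or changed payment procedure
        flags.append("urgency/procedure change: " + ", ".join(hits))
    return flags


# Constructed sample: one extra "r" in the vendor domain, a link whose text
# shows the real vendor site but points at the lookalike, and a rushed
# request to pay into a "new" account.
SAMPLE = """From: Accounts Payable <ap@examplevendorr.com>
Reply-To: ap.examplevendor@webmail-example.net
To: finance@ourcompany.com
Subject: URGENT: Updated banking details for invoice 4471
Content-Type: text/html; charset=utf-8

<html><body>
<p>Per our earlier thread on invoice 4471, please wire payment to our
<b>new bank account</b> before end of day Friday.</p>
<p>Updated remittance form: <a href="http://examplevendorr.com/login">https://examplevendor.com/portal</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag in bec_red_flags(SAMPLE):
        print("-", flag)
```

Run it and the sample produces four flags: the lookalike sender domain, the Reply-To pointing elsewhere, the link whose text and target disagree, and the cluster of pressure phrases. A message from the real examplevendor.com with a plain invoice and no such phrases produces none, which is exactly why the people-side checks (calling the vendor on a known number before changing payment details) still matter.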

For help with training your team to spot BEC or creating a simulated phishing test for your organization, contact Pratum today.

*This article was updated on April 5, 2023 to accurately reflect cost of BEC and phishing attacks.