[HN Gopher] DOJ suit claims Georgia Tech knowingly failed to mee...
___________________________________________________________________
DOJ suit claims Georgia Tech knowingly failed to meet cyber
standards
Author : WaitWaitWha
Score : 11 points
Date : 2024-08-27 20:08 UTC (2 hours ago)
(HTM) web link (www.nextgov.com)
(TXT) w3m dump (www.nextgov.com)
| WaitWaitWha wrote:
| BLUF: unless there was gross negligence (meh, just put any score
| in there) that they can prove, a 98 can be explained very easily.
|
| To give a bit of context, the score they are talking about (98)
| is an entry in DISA's Supplier Performance Risk System (SPRS)
| [0].
|
| The score almost certainly is based on self-assessment using
| NIST SP 800-171v2 (and 800-171A). This is a document that looks
| at 110 cybersecurity controls across 16 families. It comes out to
| about 300 or so explicit items that need to be looked at.
|
| The score is from -203 (that is a minus) to 110. The scoring
| starts at 110, then deductions of 1, 3, or 5 points are made when
| a specific control audit fails.
|
| This is only for the confidentiality of Controlled Unclassified
| Information (CUI) [1].
|
| Because of this special carve-out for just CUI, scoping what is
| and is not in scope is hard. I have heard of audits where the
| auditor (DCMA DIBCAC) stated "everything is in scope", and
| elsewhere the auditor stated "only that which is directly
| generated by the Government".
|
| On top of this, there is a feud amongst agencies over who does
| what, where, and how, when it comes to cybersecurity.
|
| [0] https://www.sprs.csd.disa.mil/
|
| [1] https://www.archives.gov/cui/about
___________________________________________________________________
(page generated 2024-08-27 23:02 UTC)