compliance
UPDATES: December 26, 2023: The Department of Defense published for comment a proposed rule for the Cybersecurity Maturity Model Certification (CMMC) 2.0 program. December 7, 2022: DMARC and other specs dropped from CMMC 1.0 have been sent to NIST to be included in future revisions of NIST SP 800-171, which CMMC is based upon. For more recent updates, you can visit the Department of Defense Chief Information Officer webpage. The following was published September 20, 2021. The Cybersecurity Maturity Model Certification (CMMC) is a cybersecurity framework being developed by the Department of Defense (DoD) to protect defense contractors from cyber threats. CMMC measures cybersecurity maturity with five levels consisting of security controls, practices and continual improvement to stop the theft of intellectual property, proprietary information and credentials that threaten economic and national security. When an organization sets out to achieve a particular CMMC level, it must also meet the preceding
When someone sends a complaint to your compliance desk there is a range of things you want to do, but one thing you always want to do is ensure that the recipient doesn’t receive any more unwanted email from your customer. Or, at least, not from your network. There are usually several different ways you can make sure that happens. There are big hammers a compliance desk can use in egregious cases – if the customer is immediately terminated, or has their ability to send mail suspended, then there won’t be any more unwanted email to anyone, including the person who has reported unwanted mail. More normally, though, you’ll want to stop all mail from your customer to just the person reporting them immediately, at least while you look at the customer’s statistics and investigate further. If the report includes a copy of the offending email then there’ll be an
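As an added illustration of the two responses described above (the targeted per-recipient block and the big-hammer suspension), here is a small customer-scoped suppression list. This is example code written for this page, not code from the original post or from any ESP’s platform; the `ComplianceDesk` class, the `cust-42`/`cust-7` customer IDs and the sample offending message are all constructed for the example. One design choice the post does not spell out: when the report carries a copy of the offending mail, the example also suppresses the address that mail was actually delivered to, since the reporter often writes in from a different address than the alias or forwarded mailbox that received the spam.

```python
"""Customer-scoped suppression for an ESP compliance desk (hypothetical example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses


def normalize(addr: str) -> str:
    """Canonicalize an address so 'Alice@Example.ORG' and 'alice@example.org' match.

    Most receivers treat the local part case-insensitively, so lower-casing the
    whole address is a pragmatic choice for a suppression key.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    return f"{local}@{domain}"


@dataclass
class ComplianceDesk:
    # recipient address -> customer ids that may no longer mail that recipient
    suppressed: dict[str, set[str]] = field(default_factory=dict)
    # customers whose sending has been stopped entirely (the big hammer)
    suspended: set[str] = field(default_factory=set)

    def record_complaint(self, customer_id: str, reporter: str,
                         offending_message: str | None = None) -> set[str]:
        """Targeted action: the complainant gets nothing further from this customer.

        Always suppresses the reporting address. If a copy of the offending
        message is included, the To:/Cc: addresses it was delivered to are
        suppressed as well (the reporter may have an alias or forward).
        Returns the set of addresses that were suppressed for this customer.
        """
        targets = {normalize(reporter)}
        if offending_message:
            msg = message_from_string(offending_message)
            headers = msg.get_all("To", []) + msg.get_all("Cc", [])
            for _name, addr in getaddresses(headers):
                if addr:
                    targets.add(normalize(addr))
        for target in targets:
            self.suppressed.setdefault(target, set()).add(customer_id)
        return targets

    def suspend_customer(self, customer_id: str) -> None:
        """Big hammer: stop all outbound mail for the customer."""
        self.suspended.add(customer_id)

    def may_send(self, customer_id: str, recipient: str) -> tuple[bool, str]:
        """Outbound check the MTA calls before accepting a message for delivery."""
        if customer_id in self.suspended:
            return False, "customer suspended"
        if customer_id in self.suppressed.get(normalize(recipient), set()):
            return False, "recipient complained about this customer"
        return True, "ok"


# Constructed sample: the reporter writes in from alice@, but the spam was
# delivered to an alias of hers. Not a real message.
OFFENDING_MESSAGE = """\
From: promo@customer-42.example
To: Alice Alias <alias@example.org>
Subject: Limited time offer

You asked for this mail. (You did not.)
"""


def run_example() -> ComplianceDesk:
    desk = ComplianceDesk()
    # Targeted block for the complainant (and the alias the mail went to).
    desk.record_complaint("cust-42", "Alice@Example.org", OFFENDING_MESSAGE)
    # Egregious case for another customer: suspend outright.
    desk.suspend_customer("cust-7")
    return desk


if __name__ == "__main__":
    d = run_example()
    for cust, rcpt in [("cust-42", "alice@example.org"), ("cust-42", "alias@example.org"),
                       ("cust-42", "bob@example.org"), ("cust-7", "bob@example.org"),
                       ("cust-1", "alice@example.org")]:
        print(cust, "->", rcpt, d.may_send(cust, rcpt))
```

The `may_send` check is deliberately keyed on the (customer, recipient) pair: a complaint about one customer must not silently stop unrelated customers on the same network from mailing the reporter, and a suspended customer is refused regardless of recipient.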
Dear Colleagues at ESPs, We have a problem. More specifically, YOU have a problem. You have a spam problem. One that you’re not taking care of in any way, shape or form. There was a point where ESPs started caring about spam out of their networks. They got blocked enough they had to take action. Because they took action a lot of the big blocklists started being nice. Spamhaus, for instance, would do ‘informational’ listings so that ESPs could fix things rather than going to a direct block. This led management at ESPs to start to think they had this spam thing under control. They stopped worrying too much about spam and compliance. I mean, to management the whole point of having a compliance desk is to stop the blocks. No blocks mean no problems with spam out of the network, right? As someone who gets a lot of B2B
I don’t send a lot of spam complaints generally. Mostly I block and move on. There are some companies, though, that I offer the professional courtesy of sending a complaint or a report to their abuse@ address. Former clients, friends and colleagues generally get that courtesy. The number of ESPs that completely fail to take any action is disappointing. Too many of them can’t even manage the simple courtesy of removing addresses. A few don’t even process bounces correctly and continue to send mail even when getting a spam block or 550 user unknown. Sometimes I’ll reach out to folks who I know work at particular ESPs, although that’s less common these days as everyone seems to be moving companies and I can’t keep track. Often I get an invite to “always send me complaints directly.” That … is not a solution, people. Expecting people who are reporting spam to…