RegDOX Solutions

The Secure Data Room solution provider for Corporate, EAR, DFARS and ITAR compliance in the cloud.


A New Supplement to NIST SP 800-171: NIST SP 800-172

February 26, 2021 By RegDOX Marketing

The basic federal requirements for safeguarding Controlled Unclassified Information (CUI) in nonfederal systems have relied for some time now on the 110 controls within NIST SP 800-171 rev. 2 (February 2020). The National Institute of Standards and Technology (NIST), in response to advanced persistent cybersecurity threats, has now released an important supplement to SP 800-171, designated NIST SP 800-172.

This 84-page supplement is intended to enhance the previously existing SP 800-171 confidentiality controls as well as to provide additional integrity and availability protections for CUI. It applies to all nonfederal systems that agencies determine are processing, storing, or transmitting CUI associated with a critical program or high-value asset, as well as system components that provide protection to such systems.[†]

The new security requirements may be selectively applied by federal agencies implementing the new SP 800-172 standards. We expect the new requirements to start to show up in federal RFPs and contracts.

Similar to SP 800-171, the purpose, target audience, and fundamentals of the development approach for the new SP 800-172 controls are contained in chapters one and two of the publication. The specific enhanced requirements also build on SP 800-171 by relating to the same 14 categories of controls that are contained in chapter 3 of the earlier publication.

Also similar is Appendix C to SP 800-172, which maps the enhanced controls to the security controls contained in NIST SP 800-53 rev. 5 (dated September 2020) following the approach found in Appendix D of SP 800-171. SP 800-53 of course sets out mandatory minimum controls for federal information systems.

The enhancements of SP 800-172 promote the protection of CUI through additional controls for penetration-resistant architecture, damage-limiting operations, and designs in order to achieve greater cyber resiliency and survivability. Of the original 14 families of security requirements found in SP 800-171, enhancements have been made to the following 10 categories:

3.1 Access Control
3.2 Awareness and Training
3.4 Configuration Management
3.5 Identification and Authentication
3.6 Incident Response
3.9 Personnel Security
3.11 Risk Assessment
3.12 Security Assessments
3.13 System and Communications Protection
3.14 System and Information Integrity

Care should be taken both to fully understand the changes in SP 800-172 and to determine how they affect your organization. This may be achievable through your internal resources or can be accomplished with the assistance of subject matter experts such as RegDOX Solutions.

It is acknowledged in SP 800-172 that “[c]ertain enhanced security requirements may be too difficult or cost-prohibitive for organizations to meet internally…. [and that] the use of external service providers can be leveraged to satisfy the requirements.”[‡] Among the requirements named are those relating to threat intelligence, threat and adversary hunting, system monitoring and security management, IT infrastructure, platform and software services, threat, vulnerability, and risk assessments, response and recovery, and cyber resiliency.

RegDOX, with its ITAR and DFARS-compliant secure data storage and collaboration platform for CUI, can both jump-start and also ensure continuing compliance by organizations in satisfying these requirements. Contact us through our website at www.RegDOX.com or call 1-800-517-3171 and we will be glad to explain how.


About RegDOX Solutions Inc.

RegDOX Solution’s first-to-market ITAR and NIST 800-171 (DFARS) compliant online storage and collaboration product has redefined how export-controlled and CUI documents and electronic files can be handled within regulatory requirements. This was recognized by the formal opinion of compliance provided by the US State Department’s Directorate of Defense Trade Control (DDTC). RegDOX’s unique capabilities were confirmed on August 20, 2019 when the US Patent and Trademark Office issued a patent covering RegDOX’s system to store and manage export-controlled documents in the cloud. (Patent No. 10,389,716). The RegDOX® ITAR/EAR solution provides ground-breaking and unsurpassed technology enabling the efficiency and flexibility of a cloud solution to allow multiple users located at numerous locations to collaborate using controlled data while remaining fully in compliance with the strict regulatory and licensing requirements of the ITAR and DFARS.

www.RegDOX.com

[†] Covering system components including mainframes, workstations, servers, input and output devices, cyber-physical components, network components, mobile devices, operating systems, virtual machines, and applications.

[‡] Quoting SP 800-172, page 10.

Filed Under: Blog

ICYMI: New Instructions from the Department of Defense (DoD)’s Undersecretary for Acquisition and Sustainment

February 24, 2021 By RegDOX Marketing

The Office of the Under Secretary of Defense for Acquisition and Sustainment has released a formal instruction on cybersecurity for acquisition authorities and program managers that became effective on December 31, 2020. This document is referred to as DoD Instruction 5000.90 and can be found here. DoDI 5000.90 supersedes portions of DoD Instruction 5000.83, issued in July 2020.

Much of DoDI 5000.90 deals with policies, responsibilities, and procedures within the DoD for the management of cybersecurity risk in acquisitions. Companies within the Defense Industrial Base (DIB) should familiarize themselves with all of the instructions. However, the concluding section 3.4, titled “Cybersecurity in the Supply Chain”, is of particular relevance to direct (prime) and indirect (subcontractor) DoD suppliers.

Section 3.4 needs to be reviewed in depth to get an understanding of the DoD’s expectations for suppliers, but in summary it sets out several important requirements. The first is minimal Supply Chain Risk Management (SCRM) reviews, including cyber-related SCRM reviews of vendors, to address such issues as:

(1) Product sourcing
(2) Any history of cybersecurity compromises
(3) The existence of a CMMC certification indicating basic cyber hygiene, defined as Access, Identity and Password management, and timely software updates and patches.

DoD Program Managers (PMs) are also required under section 3.4 of DODI 5000.90 to seek alternatives to foreign sourcing of program components (hardware, software, or firmware) from commercial companies owned or under the influence of adversarial foreign governments. These instructions to DoD PMs should be understood by the DIB as defining acceptable, unacceptable, and risky suppliers of hardware and software involved in DoD contracting throughout the supply chain.

At RegDOX, we welcome the opportunity to discuss not only these requirements, but any changes, past, present, or future. Our job is to help you harden your cybersecurity infrastructure to ensure that these increasingly strict requirements do not threaten your DoD-related business.


Filed Under: Blog

RegDOX Position on Cyber Incident Reporting

February 8, 2021 By RegDOX Marketing

RegDOX provides a specialized, secure file sharing application that is hosted on Amazon’s AWS GovCloud and meets or exceeds all DoD requirements, including NIST SP 800-171a, CC SRG Impact Level 4[1], and the FedRAMP Moderate Baseline. RegDOX will assist in every way we can with any cyber incident reporting, including immediately responding to and tracking events, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment. All of this will be reported to affected customers.

DFARS clause 252.204-7009 specifically provides certain use and confidentiality restrictions on information obtained from a third party’s report of a cyber incident under DFARS clause 252.204-7012.[2] DFARS clause 252.239-7010 also requires that RegDOX’s cloud service satisfies the requirements of that clause and NIST SP 800-171, which it certainly does.

The substance of the DFARS reporting requirement is contained in DFARS clause 252.204-7012. RegDOX’s System Security Policy is a comprehensive document detailing all contingency planning.

This is the portion specifically dealing with Cyber Incident Reporting:

DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

If and when RegDOX (or any client) discovers a cyber incident that affects client information, our protocols dictate that we do the following:

Reporting: Coordinate with the client to rapidly report cyber incidents to DoD at https://dibnet.dod.mil, abiding at all times by any government or client Non-Disclosure Agreements.

Notification of Third-Party Access Requests: To the extent permitted under law, RegDOX will notify a customer promptly of any requests from a third party not licensed by that customer for access to the customer’s account, including any warrants, seizures, or subpoenas it receives, including those from another Federal, State, or local agency. RegDOX shall cooperate with the customer to take all measures to protect the customer’s data from any unauthorized disclosure.

Review and Analysis: Conduct a review for evidence of compromise of information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts in accordance with applicable laws and regulations on the interception, monitoring, access, use, and disclosure of electronic communications and data.

This review shall include analyzing all information system(s) that were part of the cyber incident. The cyber incident report shall be treated as information created by or for DoD and shall include, at a minimum, the required elements at https://dibnet.dod.mil.

Preservation: We will preserve and protect images of all known affected information systems identified and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

Remedial Actions: If and when we (or any client) discover malicious software in connection with a reported cyber incident, we shall immediately isolate the malware, and coordinate with the client to submit the malicious software to DoD Cyber Crime Center (DC3) in accordance with instructions provided by the client and DoD SOP. We will provide permission and access to additional information or equipment that is necessary to conduct a forensic analysis.

Cooperation: If the client or the DoD elects to conduct a damage assessment or needs any other information, we will provide all of the information we can. Upon notification by the Government of spillage, or upon a customer’s discovery of a spillage, RegDOX shall cooperate with the Government and the customer to address the spillage in compliance with agency procedures.

For the record, due to the robust security protections incorporated into the RegDOX system (among other protections), there have been no cyber incidents in the history of the company. This statement nevertheless stands as the standard by which RegDOX will support its clients and meet the DFARS requirements for any such incident.


________________________________________
[1] Vol. 1, Release 3, Department of Defense Cloud Computing Security Requirements Guide (March 6, 2017).
[2] DFARS clause 252.204-7009(b) Restrictions.

Filed Under: Blog

Build vs. Buy Your Compliant Storage and Use of ITAR Technical Data and CUI?

January 27, 2021 By RegDOX Marketing

Before evaluating a build versus buy discussion for any commercially available software or cloud application, the discussion should begin with the question “what exactly is the need?” In other words, “what is the use case for the solution?”

When the use case is compliance with a set of complicated and demanding regulations and cybersecurity standards, such as the Defense Federal Acquisition Regulation Supplement (DFARS), the International Traffic in Arms Regulations (ITAR), and NIST SP 800-171 governing the possession and handling of federal Controlled Unclassified Information (CUI), answering the build vs buy question can be particularly demanding.

A useful analysis considers not just the necessary internal assets, required personnel, needed features, and goals of project stakeholders, but also requires a complete understanding of those regulations and where they are headed.

By necessity, this understanding of the legal requirements goes beyond whether an internal development will be timely, cost-effective, and meet the needs of stakeholders; it must also establish whether the immediate and future results of the development will fulfill the expressed and intended scope of the regulatory or compliance concerns related to the information. Without that being achieved, the best-run development project will efficiently produce a solution that is worthless.

This paper will start with an analysis of whether to build or acquire an ITAR or CUI compliant storage and collaboration solution by first laying out the evaluation framework using the traditional factors of Cost, Control and Maintenance. Then, it discusses how an organization considering an internal ITAR or CUI development model will need to achieve the requisite regulatory knowledge and experience for that development, and then remain current on those regulations throughout the use of the internally developed solution.

Cost of Internal Development vs. Acquisition

No business wants to spend more money than necessary to have a working IT solution. Unfortunately, some real costs are often not considered in the decision-making process. Purchasing software can have an upfront cost (or subscription fee) that may seem expensive by contrast with the use of existing resources, but the expense is known, and the product compliant and ready to use very quickly.

But are all the costs of redeploying existing programming resources and launching an internal solution known and calculated correctly? Let’s look at some often overlooked or less than completely analyzed areas when determining real costs:

Immediate Development Staff Costs: Good software requires more than just programming talent. At a minimum, those line programmers must be joined in their efforts by project planners, software architects, senior management code programmers/developers, database architects and administrators, quality assurance personnel, application testers, and the administrative support and associated managers of all those teams. Even during the initial development, changes, enhancements, and new functionality are common in any development process. The less thorough the scoping of the project, the more those unknowns will surface.

Likewise, not usually planned but always present are the hours and hours of often unplanned or inaccurately planned debugging, scope creep, redeployment or loss of personnel resources, and budgetary pressures. It is little wonder that Gallup has reported that one out of every six IT projects has a cost overrun of 200% and a time overrun of almost 70%.1 Some, of course, miss more widely on unplanned costs and delays than that found by Gallup.

Do you have a user experience team on staff? What about application designers? Does anyone in your organization know the possibilities and needs of a virtual data room solution addressing ITAR and CUI compliance? How strong and knowledgeable is your security team? The answers to all those questions have to be emphatically in the affirmative or the effort will be at best, at risk and at worst, a preordained failure.

Designing and building this kind of software requires more than just reassigning existing programmers or hiring an offshore team to build a scoped project. What if the technology you thought would be suitable turns out not to be sufficient? What if you need to find highly skilled or specialized employees or contractors? What happens when the technology changes? Better solutions or more efficient solutions are constantly being developed.

Long Term Support, Maintenance, and Upgrades Staff Costs: And the unknowns can multiply. If the developers that build your application leave the company, will new people be able to understand the code, address bugs, and make improvements in a timely fashion? Will those developers be available later to provide user support, maintain the solution in an ever-changing IT infrastructure, and provide upgrades to address additional user and regulatory demands? Can it even be known how much additional work this will cause, thus challenging budgetary assumptions?

Technology Costs: There are numerous instances where a project began using an expensive technology platform, only to discover there was a better, less expensive open-source alternative. Conversely, an organization will choose an open-source technology without fully understanding the costs and challenges in staffing the project (as well as the limits and requirements of related technology licenses). In either instance, these technology platform issues can cause substantial additional costs, delays, or both.

Time Costs: If a company waits to build an application, how much potential revenue will be lost until the development is completed? What are the costs of continued regulatory non-compliance from forgoing an existing solution in favor of one internally developed, but not available during the interim? The revenue loss of being unable to address ITAR and CUI related opportunities or, perhaps even worse, suffering non-compliance penalties and fines that would not have occurred with the use of an off-the-shelf solution could far exceed the payment for a license or service subscription. When calculating return on investment (ROI), all factors need to be considered, including those associated with such a risk.

Controls for an Internally Developed Solution

One of the most popular reasons for building an in-house solution is the company having control over the application. However, this means that the company is always going to be responsible for hosting and maintaining the application, as well as relying on the development team to make any changes or improvements to the solution. With an available commercial solution, there often is the advantage of getting exactly what is wanted or needed now, and achieving that at a fixed cost for hosting and supporting the solution.

Additionally, an internally developed solution is frequently subject to renewed or extended development as internal constituencies with access to programming resources are looking for more.

“Scope creep” is where a planned project starts to stray from its original intended purpose, and other parties want you to add a function or build something on top of the application. Scope creep can be devastating if not managed properly – and it rarely is when building in-house. A big part of scope creep comes when a company realizes the newly developed system needs to work with other systems being used. It’s never as easy as it sounds.

As an example, Customer Resource Management (CRM) solutions aggregate customer data, which seems straightforward. The system builds some forms, saves customer name, address, phone number, email, website, and some other bells and whistles. Easy enough – now we’re done!

But wait! What about sending emails out of the CRM from a sales team’s email addresses? What about modifying the design and content of those emails? What if the sales team wants to automate those tasks based on user requests? What if they want to integrate calendars? Management wants to watch our sales numbers, so integrating the CRM with accounting or ERP software becomes a requirement for the project.

That simple CRM now has tremendous scope creep. Not because it was not scoped appropriately, but because people wanted to use the system for more or improve the current processes or systems. This scope creep folds right into the development goals of a third-party provider of the system as it seeks to make a product as useful to the market as possible, sometimes by only adding niche requirements that nonetheless can attract user interest. Scope creep for a company-specific solution however cannot be leveraged across a market but involves costs that have to be absorbed by one company.

Once the internal application is built, integration is needed so that it can talk to our other systems. Building a solution allows you to integrate with the current technology ecosystem, but that can change as well. How many databases and code bases does an IT department want to support?

Maintenance of an Internally Developed and Supported Solution

Experience shows that the third traditional factor, maintaining an internally developed solution, can quickly expose a company to what is more a curse than a blessing. Additional third-party cost for service contracts is perhaps avoided, although not in all instances, since hardware and software must be obtained to support an internally developed solution. Even so, the involvement of a company’s people is still going to be a cost, measured in money and in time spent that could have addressed other projects or IT needs. Maintenance, support, and security are a 24/7/365 requirement. Pulling resources away from current projects can have far-reaching effects on other aspects of the organization.

Other parts of maintenance include updating the system, creating enhancements, improving the system and securing the system. These require a company’s team to constantly spend time staying up to date on the latest and greatest technology to keep an internal solution current and operable – in addition to their regular responsibilities. More than likely, your company does not have the experience in building this level of complex applications. This is when you turn to a company that knows the industry, the regulations, and the nuances.

Lack of Regulatory Expertise

Having expertise in all aspects of software is nearly impossible, but it’s just one aspect of a company’s risk when undertaking development of an internal solution. Legal ramifications, compliance requirements, and privacy concerns are not usually skills developers possess. Failure to address these factors can make your project unusable. Is the software Sarbanes-Oxley compliant? If not, no public company will buy it. Will it satisfy the requirements of the ITAR, NIST Special Publication 800-171, and the Defense Department’s Cloud Computing Security Requirements Guide, or the evolving standards underlying the DoD’s Cybersecurity Maturity Model Certification (CMMC) framework? If the answer to all of that is less than an emphatic Yes!, the effort is not just worthless, but dangerous to the company.

Training also must play a part in your decision. If an application is very complex, a company will need to spend a lot of time training people and integrating the processes and procedures into its current system. This may require hiring more staff who are more experienced with the new technology.

Costs, Risks, and Loss of Functions Avoided by Not Seeking to Replicate the Focus of RegDOX’s ITAR and CUI Solution

RegDOX’s focus is on using its leverage across multiple customers to ensure ongoing ITAR and CUI compliance and to provide its solution without the risk of non-compliance, at a price and level of functionality that cannot be replicated by any one company for its internal use. The success of this effort is demonstrated by its approval by the Directorate of Defense Trade Controls, the agency that has issued and enforces the ITAR, and by its numerous and growing number of patents covering its application. This success is the product of many working years of development and a deep expertise in the ITAR and the requirements for CUI.

The bottom line for any company considering programming its way to ITAR or CUI compliance is that seeking to replicate what RegDOX does best is not only going to be more expensive when considering all upfront, ongoing and hidden costs, but the effort will bring greater risk of non-compliance and many fewer features and functions.

1 September 11, 2011, Why Your IT Project May be Riskier than You Think, Harvard Business Review 89(9):23-25.


Filed Under: Blog

RegDOX’s Growing Family of Patents Provides an Online Services Road Map for Regulated Electronic Materials

January 5, 2021 By RegDOX Marketing

Beginning in 2015, RegDOX Solutions recognized that the efficiency and productivity gains realized by the online storage and collaboration of electronic documents and files were not reaching businesses using regulated electronic materials. In particular, a then-prevalent belief that export-controlled electronic materials should never be stored or exchanged in the cloud was leaving the trade compliance community and their clients stuck in an archaic past of paper document storage, with couriers and mail services delivering regulated materials.

As experts in online document and file storage and collaboration, RegDOX knew this belief could be overcome, and that is what it has done. Through an innovative development of security controls and features, such as real-time reports and alerts, tracking of platform and user activity, time- and use-limited document exchanges, and granular permissioning, RegDOX introduced online data storage and collaboration tools that not just satisfy but enhance compliance.

RegDOX’s ground-breaking efforts were recognized over a year ago when on August 20, 2019 the US Patent & Trademark Office granted RegDOX its first patent for its secure system for online storage and collaboration of export-controlled electronic materials. Over the past two months, this recognition has been enhanced by three additional US patents, one issued in November and two more in December.

RegDOX’s family of patents and the favorable review and opinion by export regulators of its innovative solutions provide the trade compliance community with not merely assured compliance, but also a road map of the capabilities necessary to achieve regulatory compliant handling of electronic materials. The very online solutions that the US Patent & Trademark Office found innovative are those the community needs to satisfy such regulations as the State Department’s International Traffic in Arms Regulations (ITAR) and the Commerce Department’s Export Administration Regulations (EAR).

RegDOX however is not resting on its laurels. Just as security needs and the resulting regulations are always growing, so too, RegDOX’s efforts to ensure that its online solutions enhance compliance with regulations are continuing.

As William O’Brien, RegDOX’s COO and the named inventor on the four patents, has stated, “Our continued innovations in this area have led to the filing for an additional patent extending the scope of coverage from export-controlled electronic materials to all regulated electronic documents and files. RegDOX has brought its online services to the federal government’s regulations governing Controlled Unclassified Information (CUI). This new patent application and more to follow show that our innovations will be as dynamic as the security and collaboration needs of our customers.”


About RegDOX Solutions Inc.

Operating since 2007, RegDOX Solutions Inc. is a market-leading provider of highly intuitive SaaS solutions enabling customers to securely manage and collaborate on confidential documents and information, whether inside or outside of their IT environments. RegDOX® products and services include storage and data management services, as well as DFARS assessment services. Click here for a free trial and product demo today.

Contacts

Allison Wollenberger

www.RegDOX.com
+1 603.651.0633


Filed Under: News

RegDOX Announces Its Newest Patent

December 1, 2020 By RegDOX Marketing

NASHUA, NH – RegDOX Solutions Inc. announced today an expansion of its August 20, 2019 U.S. patent for an online secure storage system for data controlled by the International Traffic in Arms Regulations (ITAR). On November 17, 2020, the U.S. Patent and Trademark Office granted RegDOX an additional patent recognizing that the system covers data controlled by all U.S. export laws.

Together, this new U.S. patent no. 10,841,308 and the earlier issued patent no. 10,389,716 confirm the unique advantage provided to customers and users of the RegDOX® secure file storage, management, and collaboration system enabling compliance with not just the ITAR, but also the Department of Commerce’s Export Administration Regulations (EAR).

As William O’Brien, President and Chief Operating Officer of RegDOX Solutions has noted, “Through this patent grant, the U.S. Patent and Trademark Office has recognized the achievement of a milestone in the development of RegDOX’s solution for companies needing to secure and use export-controlled data. It is a clear demonstration that we and our customers are at the leading edge of technology and efficiency in achieving the protections and efficiencies of a cloud solution for ITAR and EAR controlled data. The RegDOX system cannot be matched by any other.”


Filed Under: News

The 411 On The CMMC Interim Rule

October 16, 2020 By RegDOX Marketing

On September 29, 2020, the Department of Defense issued an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the Cybersecurity Maturity Model Certification (CMMC), building on the existing DFARS 252.204-7012 clause. The rule is intended to resolve confusion about how the CMMC framework will be integrated into contracting, which has been a concern for many people and businesses serving the Defense Industrial Base (DIB).

The interim rule goes into effect on November 30, 2020, and is open for comment until that date for purposes of formulating a final rule. Comments will be posted at http://www.regulations.gov.

With the ever-changing landscape surrounding CMMC and this new interim rule, let’s take a look at what exactly CMMC is, what has changed with the interim rule, what companies need to be aware of, and finally, what RegDOX has been doing to prepare for the implementation of CMMC.

WHAT IS THE CMMC?

The CMMC was part of an initiative begun in 2018 to give the DoD assurance that nonfederal DIB supply chain contractors and subcontractors have implemented proper cybersecurity measures (processes and practices) to protect information at a level proportionate to the risk of exposure of that data. The CMMC introduced five security levels, with the controls and requirements on handling and protecting information increasing at each level.

There were several reasons for launching this initiative: the increasing sophistication and number of attacks, publicized and well-known incidents, and internal audit results. Nearly everyone agrees that the nation’s adversaries have become more aggressive and daring, and that Controlled Unclassified Information (CUI) and other sensitive or confidential information was not being adequately protected. The system then in place can best be summarized as, “Do it yourself. Make sure you do it all and do it right, but it’s up to you.” As might be expected, this arrangement was haphazard and, for some, not working at all.

The CMMC’s alternative approach was to have independent assessments of contractors’ IT systems, and specifically their cybersecurity, conducted by certified, trained third-party providers. Their independence and certification were intended to ensure that compliance standards were actually being met.

The specific controls that the CMMC planned to implement and verify through this independent auditing mechanism were taken directly from the National Institute of Standards and Technology (NIST) SP 800-171, “Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations.”

Anyone currently doing business with the DoD already has to attest to compliance with these controls, so the assumption was that this foundational adherence to NIST SP 800-171, together with the requirements that follow from handling CUI, would make bringing a company to CMMC compliance a manageable burden. Most companies need certification at Level 1; those handling CUI need to achieve Level 3 at a minimum.

WHAT IS CHANGING UNDER THE INTERIM RULE?

The most significant change introduced by the September 29, 2020 interim rule is to push out the date for third-party CMMC audits and certifications. Instead of a 2020 compliance and audit deadline, companies must meet the cyber controls, audit, and certification requirements of their applicable CMMC level by December 1, 2025. Before any future DoD contract is awarded, the company must submit a self-assessment verifying compliance through the cyber assessment capability module within the Supplier Performance Risk System (SPRS).

There is a specific scoring method for the assessment. A contractor that has fully implemented all 110 NIST SP 800-171 controls will have a score of 110; each control not implemented subtracts a weighted value (1, 3, or 5 points, depending on the control) from that maximum, so the score can fall well below zero. Contractors must conduct a self-assessment of their compliance with the NIST requirements and submit it to SPRS by October 30, 2020, giving DoD at least 30 days to post the scores in SPRS ahead of the November 30, 2020 deadline. Note that an inaccurate report could expose a company to penalties under the False Claims Act.

The interim rule definitively states that contractors will need to be recertified every three years, at the highest CMMC level applicable to their contracts, and that the CMMC level required of a prime contractor may differ from the level required of its subcontractors.

Another significant change under the interim rule is that the use of a Plan of Action and Milestones (POA&M) will continue to be accepted. An organization may not yet be in compliance with a NIST SP 800-171 control, but if it has a POA&M that records the deficiency and documents a remediation plan and timeframe, compliance is considered to be achieved.

The last critical change is that the previously recommended Level 1 through 5 rankings have been replaced with the “Basic”, “Medium”, and “High” assessment levels used in the DoD Assessment Methodology.

WHAT IMPACT DOES THE INTERIM RULE HAVE FOR YOUR COMPANY?

The top five industries affected by this interim rule are Research and Development in the Physical, Engineering, and Life Sciences (except Biotechnology); Engineering Services; Commercial and Institutional Construction; Computer Related Services; and Facilities Support Services. While those are the main targets, any company with a DoD contract will need to abide by the CMMC as well as any other applicable requirements.

Contractors will still need a certified external third-party assessor to conduct a formal review of their information systems and procedures for CMMC compliance before December 1, 2025. Without this certification, companies will be ineligible for any DoD contract after that date. For now, each organization is required to self-assess according to the DoD Assessment Methodology and submit the result, its “score”, to the Supplier Performance Risk System (SPRS). No particular score has been set that must be met or exceeded.

Contractors that have been managing their systems’ security and cybersecurity protocols internally need to be fully aware of, and understand, the changes and reach of the new interim rule. A copy of the September 29, 2020 interim rule can be found at 85 Fed. Reg. 61,505.

Because of the new requirement to submit an assessment score using the DoD Assessment Methodology, companies intending to conduct the assessment internally need to be aware of what the methodology says and what it means. A review of the NIST SP 800-171 DoD Assessment Methodology is available in “Strategically Assessing Contractor Implementation of NIST SP 800-171”.

WHAT IS REGDOX DOING TO PREPARE FOR CMMC?

RegDOX has an established practice of assisting, and at times directing, companies in meeting the self-assessment requirements imposed by ITAR, DFARS, and now, on an interim basis, the CMMC. It will continue to offer this service.

Further, RegDOX has applied for training to become a Certified Third-Party Assessor (C3PA). Depending on how the requirements evolve, RegDOX is also evaluating becoming a CMMC Third Party Assessment Organization (C3PAO).

We will continue to participate in webinars, meetings (online and offline), phone calls, and networking events to keep up to date on any changes. By staying on top of current developments, RegDOX customers can be assured that our online compliance and collaboration solution and assessment services will continue to address and anticipate the current state of CMMC compliance.


Filed Under: Blog

RegDOX Solutions Statement on Microsoft Azure Outage

September 29, 2020 By RegDOX Marketing

NASHUA, N.H.–(BUSINESS WIRE)–Along with many observers, on September 28, 2020, we learned that Microsoft Azure Public and Azure Government networks suffered a major outage involving authentication services. This outage has denied many Microsoft Azure customers access to crucial documents and files.

Affected services include Microsoft 365, Azure DevOps, Teams, and third-party apps using single sign-on (SSO) through Azure. A full resolution of these problems has yet to be achieved. This latest outage follows others, including the six-hour outage suffered by Azure East US on March 3rd of this year.

A wide range of customers have been adversely impacted by this latest Microsoft network failure, not the least of which are those that use Azure services, directly or indirectly, to secure and collaborate with International Traffic in Arms Regulations (ITAR) technical data and other forms of federally designated Controlled Unclassified Information (CUI). Ready access to these documents and files is crucial to the efficient and compliant operations of these companies.

RegDOX Solutions, a major supplier of regulatory compliant hosting of ITAR technical data/CUI, wants its customers and those considering its services to be assured that RegDOX’s services are not in any way affected by this Microsoft outage. As a patented compliance service existing independent of Azure and hosted on AWS GovCloud, the RegDOX system continues its history of unimpeded access to its ITAR/CUI-compliant services.

RegDOX’s president, William O’Brien noted, “RegDOX is dedicated to compliance with the ITAR and the standards of NIST special publication 800-171 establishing the requirements for storage and collaboration for all forms of CUI. RegDOX offers a continuing – and now, it appears unique – history of unimpeded access to these crucial services. Those companies now waiting to gain access to documents and files frozen and unavailable in the Azure world should consider that history.”


Contacts

Bill O’Brien

www.RegDOX.com
+1 603.620.8710

Filed Under: News

RegDOX Solutions Inc. Introduces Managed Services – Customized Administration and Unlimited Storage

June 18, 2020 By RegDOX Marketing

NASHUA, N.H. June 18, 2020–(iCrowd Newswire)–RegDOX Solutions Inc., the leading company for securing and exchanging documents and files in the cloud while complying with US Federal cybersecurity mandates (ITAR/EAR/DFARS) for Controlled Unclassified Information (CUI), today announced the launch of RegDOX® Managed Services for customized administration and unlimited storage.

There are a number of cloud-based cybersecurity applications. Leading the list is RegDOX’s ITAR and DFARS compliant Data Room system, which enables efficient and complete protection of federally regulated confidential electronic files. Like any such system, RegDOX’s is best leveraged when it is administered with expertise and fully integrated with a company’s overall cybersecurity strategy.

As the provider of the leading application for this regulatory need, RegDOX works closely with its customers to build administrator proficiency. RegDOX’s customers in turn work diligently to maintain that training and knowledge transfer so as to ensure ongoing compliance with cybersecurity standards.

Many customers, however, have asked that RegDOX’s cybersecurity experts move beyond training internal administrators to providing customized administration.

In addition to this call for more direct involvement in administering their RegDOX accounts, many of those customers have also asked that all storage limits within the application be removed. Just as they do not want their use of the application limited by their own administrators’ familiarity with it, they do not want to be penalized for bringing more content into the system to obtain its protection and collaboration features.

Through its new and unique Managed Services option, RegDOX is saying yes to both these requests – our experts can administer each customer’s Data Room account and we can provide unlimited storage for no additional cost.

This new RegDOX Managed Services has two primary features:

  • RegDOX providing all account administration of customers’ RegDOX licensed application.
  • Customers having unlimited storage without any storage charges.

As William O’Brien, RegDOX’s President and COO, described this new option for its customers, “RegDOX Managed Services will enhance the use of the RegDOX cloud-based ITAR/DFARS cybersecurity solution while reducing customers’ direct and indirect costs. No longer will it be necessary to limit use of the application to reduce storage costs. Likewise, we as the experts in the RegDOX system can ensure users are getting all the system has to offer.”

Companies considering a cloud-based solution to meet their ITAR and DFARS obligations to confidentially store and collaborate using Controlled Unclassified Information (CUI) should contact RegDOX to become compliant while avoiding unnecessary storage costs and administrative overhead.


Call RegDOX at 1.800.517.3171, email us at or go to https://www.regdox.com/regdox-managed-services/ to learn more.

Filed Under: News

RegDOX Solutions Inc. Introduces Flexible and Cost-Effective Long-Term Cloud Storage Solution for CUI

May 18, 2020 By RegDOX Marketing

NASHUA, N.H. May 18, 2020–(BUSINESS WIRE)–RegDOX Solutions Inc., the leading company for securing and exchanging documents and files in the cloud while complying with US Federal cybersecurity mandates (ITAR/EAR/DFARS) for Controlled Unclassified Information (CUI), today announced the launch of the RegDOX® Long-Term Storage solution for archiving CUI in the cloud while enabling persistent compliance with those regulatory requirements.

Whether CUI includes customer or vendor information, employee records, financial data, or any other sensitive business documents and files, companies need to safeguard that data according to its specific confidentiality requirements. RegDOX’s patented technology for long-term, permission-based cloud storage of CUI allows both large corporations and SMEs to retain CUI for mandated retention periods in a cost-effective, readily accessible, secure environment.

“RegDOX’s ITAR and DFARS clients have requested that we provide long-term, compliant storage of CUI. With the RegDOX® Long-Term Storage Solution we are able to meet this need for required retention periods while achieving our shared goals of low cost, immediate accessibility, and immediately available reports of continued CUI compliance,” stated William O’Brien, President and Chief Operating Officer of RegDOX Solutions Inc.

He further said, “We are pleased to provide the RegDOX® Long-Term Storage Solution as an additional element of the most comprehensive industry offering of cloud solutions for CUI.”


Filed Under: News
