Protect Your Business from Cyber Risk
IT'S OFFICIAL: Reliable Energy Analytics™ (REA™) is d/b/a Business Cyber Guardian™
Business Cyber Guardian™ (BCG) is a software engineering company located in Westfield, MA, providing SAG-PM software and SAG-CTR services. These help businesses implement Cyber Risk Management best practices, detect cyber risks, such as CISA KEVs, in software supply chains before buying or installing a software product, and verify that software products are trustworthy and adhere to CISA "Secure by Design" principles and practices, following the August 1, 2024 release of the CISA Software Acquisition Guide best practices, resulting in a "Trust Score" (SAGScore).
Risk always exists, but trust must be earned and awarded.
Risk ALWAYS EXISTS.
Trustworthiness DOES NOT ALWAYS EXIST.
Risk scores just tell us what we already know: there is risk in everything. Trust scores tell us who/what is trustworthy, knowing there is always risk. Always demand to see the trust score: "Show me the SAGScore™".
"A functioning society is built on trust. Whether we’re drinking water from a faucet, riding an elevator or sending an e-mail, we’re trusting that somebody, somewhere, has taken the necessary steps to make sure that activity is safe. Trust is both a glue and a lubricant, holding society together and allowing its many parts to move smoothly. If trust can’t be made suitable for the digital age, the digital age won’t function." (World Economic Forum, Davos 2021)
The fundamental guiding philosophy for Cyber Risk Management best practices followed by Business Cyber Guardian™ is described in this paper from ICIT, CISA's Secure by Design Software Acquisition Guide and this World Economic Forum paper on Digital Trust.
The "status quo" approach to managing cybersecurity has failed to protect businesses from cyber-crime; a paradigm shift to Cyber Risk Management governance is critical to preventing disaster that goes well beyond "cybersecurity". Officers and Directors of companies know the importance of managing business risk within acceptable levels. No company is free of risk; there is always risk, and that's a given. But some risks are having a profound impact on businesses and governments worldwide. Cyber-risk is one such example.
This is why it's important for businesses to monitor for the presence of risk, especially CISA KEVs, in the supply chain of a digital product, such as software, across multiple categories (7 identified by BCG), which vary with regard to impact and "risk scoring". A software consumer needs to consider the risk scores across multiple categories before making a buying decision for a digital product. Ultimately, the consumer wants to know "is this product trustworthy?" before buying and installing. This is why SAG-PM produces a "balanced trustworthiness score", called a SAGScore, to identify the trustworthiness of a product and its supply chain. The score is based on the combined, up-to-date risk factor scores in each identified risk category, applied to a weighted algorithm that incorporates "risk appetite", "risk tolerance" and "risk threshold", and validated against CISA Secure by Design principles and CISA Secure Software Acquisition Guide practices.
The three most common attack paths used by hackers are 1. People, 2. Software and 3. Supply Chain. The BCG approach proactively helps companies protect the Software and Supply Chain attack paths from cyber risk and hacker exploitation using a pragmatic approach based on best known practices and standards from NIST and CISA, as time evolves and risks become more sophisticated. BCG also helps to protect Officers and Directors from personal liability in any shareholder lawsuits or regulatory actions by preserving tamper-proof evidence of "good faith" cyber risk management controls and practices that are implemented by the Company, in the SAG-CTR™ Trust Registry Evidence Locker, which may be presented as evidence at trial on behalf of Officers and Directors. SAG-CTR™ is a conceptual implementation of an IETF Supply Chain Integrity, Transparency and Trust (SCITT) Trust Registry (Transparency Service).
BCG is proud to pledge support for, and is committed to, CISA's "Secure by Design" principles, goals and objectives, which can be seen on CISA's Secure By Design pledge page. BCG's solution offerings, SAG-PM™ and SAG-CTR™, help consumers detect cyber risks and verify "Secure By Design" products before buying and installing a product. Software consumers can protect themselves and prevent disasters like the CrowdStrike/Microsoft meltdown that affected 8.5 million Windows machines by only using products that are built and verified as implementing "Secure By Design" principles and practices based on CISA's Software Acquisition Guide, and by checking the "trust score cybersecurity label" for a product before buying and installing it.
There is a paradigm shift underway in how companies need to view and govern cyber-risk as business risk. The CrowdStrike incident that disabled 8.5 million Windows machines laid bare our risk and vulnerabilities when we blindly trust software products; this is why CISA's "Secure by Design" initiatives are key to preventing risky software from entering the cyber-infrastructure we all depend on. This incident is an inflection point, our "Cyberspace Pearl Harbor" moment when we all became painfully aware of the vulnerabilities that cyber risk represents and the need to invest in holistic "Cyber Risk Management" policies and practices to prevent these types of disasters. CISA's Secure by Design webpage makes this need clear: "As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives. Americans need a new model to address the gaps in cybersecurity—a model where consumers can trust the safety and integrity of the technology that they use every day."
Never trust software, always verify and report!™
This requires fundamental changes in how management views cybersecurity activities that have become the mundane status quo tasks conducted by many IT departments. Cyber risk management regulations are just one of the many force factors providing the undercurrent for this paradigm shift. SEC regulations that took effect in December 2023 clearly emphasize the importance of management's role in managing and overseeing cyber risks and cyber protections to avoid disaster and protect investor interests. On May 14, 2024 the US Government made its intentions clear with regard to managing cyber risk by announcing that GSA will only purchase and use software that has passed a risk assessment ("Ensuring Only Approved Software is Acquired and Used at GSA") following the CISA Secure Software Attestation Form requirements and GSA policies in MV-2023-02 Supplement 2. Secure Software Attestation Form collection by GSA begins on June 8, 2024 via the CISA RSAA portal, with GSA, NASA and the State Department taking leadership positions in the collection of these secure software attestation forms.
You need to protect what is most important to your business. It's no longer enough to simply change passwords and perform reactive detection functions. Would leak detectors have saved the Titanic? NO. Only proper, proactive risk detection and appropriate incident response could have saved the Titanic from disaster. Businesses need to take preventative and proactive actions to protect the business from cyber-risks and cyber-criminals, focusing first on the highest priority areas that represent the most severe consequences and negative impact to business resilience. The US Department of Defense understands the importance of protecting what's important: "The new system helps the department move away from a compliance-focused cybersecurity mindset and pushes commanders to holistically and continuously assess how a cyber risk will affect mission."
Business Cyber Guardian™ (BCG) products (SAG-PM™) and services (SAG-CTR™) are designed to help companies protect what's important by proactively detecting cyber-risks within software products and the supply chain for the most valuable and important parts of the business. The process starts by understanding the cyber-risks to the "crown jewels" that the company values most. This could be a particular set of processes, systems, trade secrets or intellectual property.
BCG is also helping Software Vendors and FedRAMP 3PAOs conduct software product risk assessments and submit CISA Secure Software Attestation Forms, artifacts and other materials that US Government Agencies require to perform a "Secure By Design" Risk Assessment following Executive Order 14028 requirements in CISA's RSAA portal.
The status quo approach to cybersecurity has failed to protect businesses from the risk of hacker attacks and Officers from personal liability in shareholder lawsuits. A new approach is needed, called Cyber Risk Management, that focuses on addressing the business and personal risks that come from risky software products, such as the CrowdStrike incident that disabled 8.5 million Windows machines globally when risky software was installed in a production environment. Remember to look both ways before installing software in production.
Here is how BCG can help your company implement policies and practices that treat cyber-risk as business risk and pass US Government approval as a "Secure Product" under the Business Cyber Guardian™ (BCG) banner:
We love our customers, so feel free to reach out at Reliable Energy Analytics (REA)
Copyright © 2024 Reliable Energy Analytics LLC (REA) d/b/a Business Cyber Guardian™ - All Rights Reserved.