Imagine you’re a pirate with a pile of gold doubloons but only a flimsy cardboard box to store them in. Not exactly ideal, right? So, you enlist the help of Captain Hook, who happens to own a custom-fabricated, triple-layer steel treasure chest with three locks on each side of the lid. Now, all you’ve got to do is work with Captain Hook and his crew to ensure your precious gold doubloons stay safe.
Back to reality—that treasure chest is actually the FutureFeed application, designed to help your organization manage its cybersecurity compliance program, and the gold doubloons represent your organization’s data. This data includes information about your systems, IP addresses, vulnerabilities (security protection data, or SPD), and compliance gaps—data that, if accessed by someone with malicious intent, could cause serious harm to your organization. Here’s the thing—while FutureFeed handles a lot of the heavy lifting to keep the ‘treasure’ secure, you, as users of the application, also play a key role in protecting the data’s security and integrity.
That’s where the Customer Responsibility Matrix (CRM) comes in. Think of it as a shared game plan that clearly outlines what FutureFeed takes care of (like setting up defenses, managing access controls, and keeping the system updated) and what you, as a user, need to do to keep your data safe. It’s all about working together to maintain a secure and trustworthy environment.
Why is This Important?
- Protecting Your Data: While FutureFeed handles the backend security (like encrypting data and enforcing password policies), you’re responsible for things like managing user accounts and ensuring only authorized users access your subscription environment. If unauthorized access occurs due to weak account management, it could put sensitive data at risk.
- Maintaining Compliance: NIST SP 800-171 Rev 2 has some pretty detailed requirements. The CRM helps clarify which of those requirements are FutureFeed’s responsibility and which ones you need to meet. This way, you know exactly what’s expected from your end when it comes to compliance.
- Preventing Risk: Cybersecurity isn’t just about protecting one piece of the puzzle—it’s about keeping the whole picture safe. By knowing and fulfilling your responsibilities, you’re helping to prevent potential threats, vulnerabilities, or accidental mishaps that could affect the security of the entire application.
Making It Easy for You
We know cybersecurity can sound daunting—terms like "cryptography" and "processes acting on behalf of authorized users" probably aren’t everyone’s idea of a fun read. That’s why we designed the CRM to be clear, straightforward, and easy to follow, even if you’re not a tech wizard. We’ve done the technical thinking for you, breaking down exactly what you need to do in plain language.
CRM Scope
The FutureFeed CRM focuses exclusively on the Shared Responsibility Boundary, which includes the web-based front-end application that customers interact with to manage their cybersecurity compliance program. The CRM excludes details related to the back-end infrastructure managed entirely by FutureFeed and its service providers, such as servers and databases, as well as FutureFeed’s internal devices and endpoints used by employees to access and manage the platform.
While FutureFeed is responsible for implementing and maintaining security within the entire application, customers have specific security responsibilities as authorized users of the application. These responsibilities include user account management, user activity monitoring, and incident reporting. The CRM does not describe how FutureFeed has implemented security controls in the back-end or in front-end components that are outside the customer’s control or interaction. Instead, it is designed to clearly highlight where customer responsibility lies in ensuring the security of their data and the integrity of the application.
Customer Responsibility: Security Assessment and Continuous Monitoring
As users of FutureFeed, customers are responsible for ensuring that the application is incorporated into their broader cybersecurity compliance boundary, particularly when ingesting and managing Security Protection Data (SPD) within FutureFeed.
To maintain compliance and ensure the effectiveness of security controls, customers are responsible for defining and conducting assessments for the controls they manage:
- Shared responsibility controls: Controls where both FutureFeed and the customer share ongoing implementation and monitoring responsibilities, as outlined in the Customer Responsibility Matrix (CRM).
Regular assessments by both FutureFeed and customers are essential to maintaining a secure and compliant environment.
In addition to assessments, customers are responsible for defining and implementing processes to continuously monitor the security controls within their compliance boundary, including shared responsibility controls. Continuous monitoring ensures that controls remain effective over time, and any potential issues are promptly identified and addressed.
Customers must also define and manage a Plan of Action and Milestones (POA&M) for their compliance boundary. This plan should be used to track non-compliance with their portion of shared responsibility controls, identified through customer-led assessments and continuous monitoring activities. Managing the POA&M involves documenting control non-compliance, identifying corrective actions, and ensuring timely remediation in accordance with internal policies and procedures.
Finally, customers are responsible for developing and maintaining their own System Security Plans (SSPs), which must accurately describe their compliance environment, including how they implement both fully customer-managed and shared responsibility controls. The customer SSP may also include details about the external connection to FutureFeed and the purpose for the connection.
By fulfilling these responsibilities, customers can ensure that their data remains secure, their compliance boundary is well-maintained, and they continue to meet security requirements, such as those outlined in NIST SP 800-171 Rev 2.
The Bottom Line: A Team Effort
At the end of the day, security is a shared responsibility. FutureFeed is here to handle the platform-level protections, but we rely on you to manage your part of the security puzzle—whether it’s ensuring that only the right people have access and are assigned the appropriate role, or reporting suspicious activity.
By working together, we create a safe, compliant, and reliable environment for everyone using FutureFeed. So, let’s be proactive, stay informed, and keep the treasure chest locked up tight!