In late December 2021, Congress updated NDAA compliance for FY 2022. The NDAA has evolved from a presidential directive to actual law through the FCC. GSA Rule 889 provides details, but in short the rule says:
Simply put, a number of international companies have the capacity to launch high-profile cyber security attacks through the backdoors of their devices. In recent attacks, this has led to massive leakage of customer data, financial information, medical records, and more.
Cameras are just the tip of the iceberg…
The process for finding banned equipment in existing infrastructure is difficult. Many cameras are not specifically labeled as Hytera or Dahua, yet they contain components or chips that are produced by these blacklisted companies. According to the Palo Alto Networks IoT security report “The Connected Enterprise: IoT Security Report 2021”, 54% of the 135,000 cameras examined posed a serious security risk.
Companies such as Huawei manufacture smartphones, laptops, chips, and even individual components that end up inside non-Huawei devices, and those components can still provide a way in for hackers. The Internet of Things (IoT) is continually growing with baby monitors, wearable fitness trackers, phones, Kindles, voice assistants, health monitors, you name it. In order to keep IoT costs low, manufacturers invest significantly less in security, putting many of these devices at risk. A study done by Infoblox revealed that in the U.S., thousands of unmanaged personal devices are connecting to enterprise networks daily. These personal devices provide an “in” for malicious hackers to access the diverse networks behind them, where they are not only able to steal information, but also bring entire networks down. As reported by Forescout, this lack of security has been a major cause for concern since February 24, 2022, when covert Russian cyber attacks began to be waged against Ukraine, with the West most likely to be the next target.
Don’t wait for the cyber security attack to bite you
If you're a large enterprise, finding out where you are exposed, and specifically what devices are not NDAA compliant, can be a huge task.
Cloudastructure provides a powerful, automated solution using an easy-to-install box (Gearbox) that detects all of your IoT devices and assesses each one's level of risk. It can determine the original source manufacturer and compare it against the list of banned products. It can also report each device's compliance with several standards, including the NDAA. A report is automatically generated that presents a roadmap for eliminating the identified risks. This substantially reduces the amount of effort, cost, and time required to find banned equipment in enterprise settings.
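To make the screening workflow described above concrete, here is an added example (not Cloudastructure's code, and not how Gearbox is implemented) that checks a device inventory against the Section 889 covered entities in two tiers: first by the MAC address OUI, which identifies the network-interface manufacturer, and then by vendor strings in the firmware banner or component list, which is what catches the rebranded cameras mentioned earlier whose label says one thing while the chips inside say another. The OUI table and the inventory are constructed for the example; a real deployment would load the IEEE MA-L registry and feed in live discovery data.

```python
"""
Two-tier NDAA Section 889 screen over a device inventory (illustrative).

Tier 1: MAC OUI -> registered manufacturer. A covered entity here is a
        definite hit ("BANNED").
Tier 2: firmware banner and component/SoC vendor strings. A covered entity
        here on a device whose OUI is clean or unregistered is flagged
        "SUSPECT" for manual follow-up (rebrands, OEM modules, chips).
"""
from dataclasses import dataclass, field

# Section 889 covered entities. HiSilicon is included as a Huawei
# subsidiary; the statute covers subsidiaries and affiliates as well.
COVERED_ENTITIES = {"huawei", "zte", "hytera", "hikvision", "dahua", "hisilicon"}

# CONSTRUCTED OUI table for this example only. Load the IEEE MA-L
# registry (oui.csv) in practice; these prefixes are not real assignments.
OUI_TABLE = {
    "AA:BB:01": "Huawei Technologies",
    "AA:BB:02": "Dahua Technology",
    "AA:BB:03": "Acme Rebrand Corp",
    "AA:BB:04": "Trusted Cam Inc",
}


@dataclass
class Device:
    ip: str
    mac: str
    label: str                      # what the sticker or web UI claims
    banner: str = ""                # e.g. HTTP Server header / firmware string
    components: list = field(default_factory=list)  # SoC or module vendors, if known


@dataclass
class Finding:
    ip: str
    status: str                     # BANNED, SUSPECT, CLEAR or UNKNOWN
    reasons: list


def normalize_oui(mac: str) -> str:
    """Return the first three octets of a MAC as 'XX:XX:XX'."""
    parts = mac.replace("-", ":").upper().split(":")
    return ":".join(parts[:3])


def match_covered(text: str) -> list:
    """Case-insensitive substring screen; a heuristic, so review hits manually."""
    lowered = text.lower()
    return sorted(e for e in COVERED_ENTITIES if e in lowered)


def assess(dev: Device, oui_table=OUI_TABLE) -> Finding:
    reasons = []
    oui = normalize_oui(dev.mac)
    vendor = oui_table.get(oui)

    # Tier 1: the OUI vendor itself is a covered entity.
    if vendor is None:
        reasons.append(f"OUI {oui} not in registry")
    else:
        hits = match_covered(vendor)
        if hits:
            reasons.append(f"OUI vendor '{vendor}' is covered entity {hits}")
            return Finding(dev.ip, "BANNED", reasons)

    # Tier 2: banner and component vendors, to catch rebranded units.
    sources = [("banner", dev.banner)] + [("component", c) for c in dev.components]
    for src, text in sources:
        hits = match_covered(text)
        if hits:
            reasons.append(f"{src} '{text}' references covered entity {hits}")

    if any("covered entity" in r for r in reasons):
        return Finding(dev.ip, "SUSPECT", reasons)
    if vendor is None:
        return Finding(dev.ip, "UNKNOWN", reasons)
    return Finding(dev.ip, "CLEAR", [f"OUI vendor '{vendor}' not covered; no covered strings"])


def report(devices) -> tuple:
    """Assess every device and return (findings, count per status)."""
    findings = [assess(d) for d in devices]
    summary = {}
    for f in findings:
        summary[f.status] = summary.get(f.status, 0) + 1
    return findings, summary


# CONSTRUCTED inventory: the kind of data a discovery scan would produce.
SAMPLE_INVENTORY = [
    Device("10.0.1.10", "aa:bb:01:12:34:56", "Huawei AP"),
    Device("10.0.1.11", "aa:bb:03:00:00:01", "AcmeCam 200", banner="Dahua-Webs/1.0"),
    Device("10.0.1.12", "aa:bb:04:00:00:02", "TrustedCam", banner="TrustedCam httpd"),
    Device("10.0.1.13", "aa:bb:ff:00:00:03", "Unlabeled DVR", components=["HiSilicon video SoC"]),
    Device("10.0.1.14", "aa:bb:fe:00:00:04", "Unlabeled sensor"),
]

if __name__ == "__main__":
    findings, summary = report(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.ip:<12} {f.status:<8} {'; '.join(f.reasons)}")
    print(summary)
```

The second tier is the part worth keeping even if the OUI data is good: a relabelled camera's MAC belongs to whoever assembled it, so only the banner or the SoC vendor reveals the covered component, and an unregistered OUI with no other evidence should stay UNKNOWN rather than silently pass as clean.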