Kelley to present a CLE webinar to Women in eDiscovery - Indianapolis Chapter on June 5 on the topic: Fabricating & Concealing Data on Smart Phones.

FAQs

FAQ Categories

  • CMMC

    Q:
    Are activities to collect evidence chargeable under CMMC?
    A:

    That’s a great question and we haven’t seen any guidance on it. Part of that is based upon the fact that the decision on Allowable Expenses under the contract came relatively recently and without much guidance, except to say that the DoD is under the firm belief that most of what falls under CMMC should have already been handled as part of the organization’s adherence to NIST 800-171. Setting that aside, we think it would be nice if might be able to squeeze it in under the initial “getting compliant” charge — as evidence gathering would be an on-going task, we don’t see how you’d be able to accommodate that long-term under the Allowable Expense designation. Further, in our opinion and the strategy we always take, is to systematize the creation/collection of evidence in such a way that there really is no burden in collecting and therefore producing it to the assessor (C3PAO).

    Q:
    Are subcontractors required to maintain the same level CMMC certification as the prime?
    A:

    I want to flip your thinking around a bit on this.  The most direct answer is yes…but it’s not the relationship with the prime that is the driving force; rather, it’s about what kind of information the subcontractor(s) will have access to and the methodology for doing so.  In its simplest form, however, the answer is the contract will call for a specific maturity level and all entities working on that will need to maintain a maturity level at the required level or higher.  So, say for instance a DoD contract requires maturity level 2 (ML2) — the prime, who holds a maturity level 3 (ML3) certification can clearly be awarded the contract and can receive Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  A subcontractor that holds a maturity level 2 (ML2) CMMC 2.0 certification, would also be allowed access to both FCI and CUI.  Are there ways, however, for an entity that only holds a maturity level 1 (ML1) certification to work on the contract?  Yes.  However, it requires a range of constraints, which may or may not work in your environment.

    Q:
    Can we “limit” the scope of the environment to avoid having to apply the CMMC requirements to our entire IT system?
    A:

    The short answer is “it depends”.  The longer answer is “yes, but there are some caveats”.  The narrowing of the CUI environment can be a good strategy as it makes the reach of many of the controls much smaller, however, it has to be consistent with where FCI and/or CUI flow and/or are accessed, stored, etc.  In essence, you can’t simply limit the scope because you want to — the system must be designed in such a way as to ensure that FCI and CUI have been isolated. One caveat I’ll pass along based upon years of experience — sometimes limiting the scope of the (CUI) environment to “get away” from having to comply across-the-board, can actually backfire. The reasoning being that when the controls are applied across-the-board, individuals don’t have to rely upon judgment as to whether a process/practice needs to be employed — instead, it is just ALWAYS applied. As a result, it tends not to get overlooked. Additionally, when the scope is wider, there are more opportunities to address and follow the processes/practices. This leads to better “muscle memory” and therfore adherence. If you expand the environment to the entire enterprise and that results in performing a process/practice on a weekly basis, you’ll be much better at it than if limiting it to a very small subsection of only CUI such that you only ever see the need to engage that process/practice once a year, you run the risk that the opportunity to apply such process/practice is overlooked.  The best answer, however, is to contact us and let’s have a discussion surrounding your specific situation and then an educated decision can be made about the appropriate scope.

    Q:
    Can you discuss the costs involved, such as software upgrades and physical office changes, needed to achieve CMMC certification?
    A:

    This is a really hard one to answer and predict without knowing a lot more about the existing control environment, the type of contracts and types of FCI/CUI that may be in-use as well as the desired/required Maturity Level.  There are other considerations as well, such as is the environment inclusive of the entire IT environment or is this a situation where an enclave can be created to isolate the environment and only look at the minimum environment.  (Note: this may be a strategy for simplifying the environment, but it is not a one-size fits all approach.  There are some important caveats to consider with this approach).

    More importantly, I think a lot of vendors, so-called solution providers, and industry evangelists don’t fully grasp the spirit, let alone the entirety, of the CMMC.  Too often, these well-meaning entities are peddling a very specific “technological” solution.  While it may sound great and promise a lot, these solutions need to be evaluated to ensure that they adequately cover both the requirements as well as the manner in which your organization operates.  If you take a close look at the actual requirements of the CMMC, only about 50% of the requirements are what we would deem as a “technological” solution.  25% is policy/administrative and the remaining 25% is operational.  If you subscribe to the idea that you must put in new upgrades, physical office changes and new technology, you may still only be addressing a part of what’s needed.  Further, while it is true that technology does have a useful life and a “sunset” product no longer qualifies (therefore requiring purchase of new software and potentially hardware), the truth of the matter is that a significant portion of complying with the standard merely requires re-configuring settings that already exist, tightening down controls that already are available but just not used – in short, it may not require ANY new purchases.  But again, that may not be the case in your environment.

    Q:
    Did you know CMMC will be in all DoD contracts beginning Spring/Summer 2023?
    A:

    CMMC v2.0 (announced Nov 4, 2021) is presently going through the Federal Rulemaking process.  Historically speaking, this process generally runs 9-24 months.  Even if it takes the full 24 months, CMMC would be in-place by end of 2023 (2 years earlier than the original CMMC v1) – But, it’s not going to take 24 months.  While Vestige has kept a watchful eye on the Rulemaking Process, we anticipated the Interim Final Rule to be issued mid-2023.  Recently (July and August 2023), the DoD and CyberAB provided updates on the progress of the Rulemaking process and anticipate that an Interim Final Ruling on CMMC will occur somewhere between March 2023 and June 2023 – meaning that we will start seeing CMMC contracts beginning Spring/Summer 2023.  If you’re not well on your way through your CMMC Journey, now is the time to talk to Vestige’s CMMC Experts!

    Q:
    Do we have a detailed definition of what is considered CUI in any given DoD contract? In other words, if someone in our supply chain (subcontractors and vendors) has no access to CUI, they would not have to be CMMC Certified to perform work under that contract? We are concerned about the supply chain under us (Prime contractors).
    A:

    You are right to be concerned about the supply chain under you…as DFARS 252.204-7021 squarely puts that responsibility on all entities that use subcontractors by ensuring that those that you work with also have the appropriate CMMC levels and/or finding alternative ways to work with that subcontractor (i.e. without sharing CUI and even in some situations FCI if the subcontractor doesn’t even meet CMMC Maturity Level 1).  Be aware that CMMC covers more than just CUI.  It handles the broader scope of information known as Federal Contract Information (FCI).

    Your broader question about defining CUI is a bit more complicated to answer.  The National Archives and Records Administration (NARA) is the entity responsible for defining, categorizing and maintaining the CUI Registry (available at www.archives.gov/cui).  While CUI is supposed to be marked by any entity that receives and uses it, the reality is that each of us know that from time-to-time we are in receipt of information that is probably CUI, but yet, is unmarked.  Did you realize that it’s still your responsibility that even if it is unmarked, but fits the definition of CUI, that you have a responsibility for treating it as such?  See  32 CFR Part 2002, specifically 2002.14(b), 2002.14(c), 2002.20(7)

    Q:
    Do you expect documentation will be more clearly marked as CUI going forward?  We struggle with unmarked documents, incorrectly marked (FOUO) or clarity
    A:

    I do.  Ironically, I already believe that the private sector does a better job of protecting CUI than the government.  I believe that as a result of CMMC, those of us in the private sector will continue to push and hold the agencies that are contracting with us to a higher standard.  This in turn will result in better marking and closer attention to CUI within the government.

    Q:
    Does Vestige provide C3PAO services?
    A:

    In reference to the U.S. Department of Defense – Cybersecurity Maturity Model Certification (CMMC) for defense contractors:
    A CMMC Third Party Assessment Organization (C3PAO) is a company that is authorized to conduct the actual certification assessment. Vestige is NOT a C3PAO, but we are a Registered Provider Organization (RPO), so we are a part of the CMMC ecosystem. Being an RPO means that we provide consulting services to organizations that are preparing for their certification. RPOs are not certified to conduct CMMC assessments, but Vestige does understand the assessment process. To properly prepare our clients, we collect and review information from them as if we were performing the actual assessment. This way, we can identify the gaps and help remediate them before a C3PAO assessor is brought in.  After passing the certification, we can also help companies maintain compliance.

    Q:
    How does CMMC relate to ISO 27001?
    A:

    All of the cybersecurity frameworks have similarities.  The differences depend upon what the overall goals of the framework are.  The goal of ISO27001 is built around the fact that an organization that defines and follows a sound Information Security Management System, will, by definition have a well-controlled environment.  A well-controlled environment translates into an organization that is generally more secure.  That’s not too far off from the goal of CMMC.  In fact, when you dissect the DoD’s goals for the program, understand the framework at its foundation and learn about the goals promulgated through the CMMC Accreditation Body, you will see that CMMC is, in fact, about creating an Information Security Management System that is imbued within the culture of the OSC (Organization Seeking Certification).  As such, ISO 27001 and CMMC are pretty well aligned.

    Having said that, if you were to place all of the varying frameworks onto a continuum with those programs that offer weaker coverage on the left-hand side of the continuum and place those programs that offer robust coverage over to the right-hand side, you would find that CMMC is much closer to the right-hand side (robust coverage) than ISO 27001 – therefore it could be interpreted that it is more complex, more difficult and “stronger” than ISO 27001.  In fact, with NIST 800-171 being derived from NIST 800-53 (Moderate Baseline), with all 3 of those (NIST 800-171, CMMC and NIST 800-53 Moderate) considered “more robust”.

    Q:
    How much does it cost for C3PAO to conduct a CMMC level 2 or 3 Assessment?
    A:

    How big is a hole?  How much does it cost to build a house?  I say that a bit tongue-in-cheek, but the reality is that it depends on a number of factors.  Here’s what you can assume: the Maturity Level will absolutely play into that calculation.

    Level 1 only requires 17 practices;  Level 2 has 110 practices; and Level 3 builds on that.  Taken at face value, it is approximately 8.5 times more effort to address Level 2 than Level 1 and Level 3 is a bit higher.  The complexity of the environment and the manner in which it is scoped will contribute to the cost.

    The Organization Seeking Certification’s (OSC) readiness, preparedness and ability to quickly and efficiently provide evidence and meet the requests of the C3PAO will also greatly impact the overall cost as most C3PAO’s will likely charge on a Time & Material (T&M) basis.  However, it is my belief that the number one factor in determining that cost will be market competition.  The CMMC Accreditation Body (CMMC-AB) has created a Marketplace for those of us in the CMMC ecosystem (RPOs, C3PAOs, RPs, APs, etc.).  Just like in any industry there will be C3PAO’s that will focus on the biggest of the big engagements, there will be those that focus on mid-market and those on the smaller market.  There will be C3PAOs that tout quality, those that carry “well recognized brand name” and the reputation (good and bad) that comes with that.

    The same factors that make this a difficult question to answer, however, work in your favor as an OSC.  The fact that a marketplace exists and that the CMMC-AB has made that front and center of the part of picking a C3PAO gives you the ability to shop for the perfect fit.  Whether you’re shopping on price, quality, ease of use, convenience, adherence to a proven methodology, or you simply like the sound of the name of a C3PAO (I wouldn’t recommend this method any more than I’d recommend consulting a Magic 8 Ball), you will find a C3PAO that will match your criteria.

    My recommendation?  Look at all of your options and go with the one that meets your requirement!

    Q:
    How will the C3PAO handle major versus minor deficits at the time of the assessment?
    A:

    At the end of the day it is at the discretion of the C3PAO. Remember, it’s all about the risk tolerance of the auditor/C3PAO. If they feel that a deficiency is minor and doesn’t adversely impact the general adherence to the control, my experience tends to lean in the direction that the C3PAO would waive that. It’s quite possible they would issue a “verbal” comment about it so that you were aware of the deficiency, but not count it against you. HOWEVER, keep in mind that if there are enough “minor” deficiencies, the C3PAO may start to question whether the control environment really is in-place and working as designed. In those situations, I could see where they would take the approach of “a proponderence of evidence” points to the fact that all these minor deficiencies rise to the level of a material deficiency.  It also needs to be weighed in the context that a control is either in-place and working or it is not.  The C3PAO is going to be looking for evidence that the control is working as designed by corroborating evidence from at least 2 out of 3 forms of objective evidence:  a) an interview, b) direct observation and/or c) testing.  In my opinion, a minor deficiency might be something like you have evidence of monthly reviews of logs and during the interview you say you do it monthly, testing by the C3PAO shows that 11 out of 12 months you have evidence but for 1 month you seem not to be able to produce such evidence.  Would the C3PAO accept that it’s an isolated exception?  As you can see, it’s at the discretion of the C3PAO — but hopefully that sheds light on it.

    Q:
    I attended a briefing by NAVFAC SW CO recently and if I understood him correctly, he indicated the CMMC Certification would not be required until 2025. If I understand your response correctly we should not wait until then?
    A:

    Firstly, this question only referred to CMMC v 1.0.  We are now at version 2.0 and the timeline on this has dramatically changed (see When will we see CMMC requirements in DoD RFPs, above).  There is a lot of misinterpretation and misinformation out there about the timing and you need to consider your compliance journey around a number of factors.  To address the facts, yes, it is true that it is not anticipated that ALL DoD contracts will have a CMMC designation until Rulemaking is complete (2022-2024).  The problem is that when people see or hear that, they jump to the conclusion that CMMC is not yet here and that they don’t need to worry about it for several years.  Not true.

    There are two important issues to consider.  The first is timing on the actual certification process.  The second is compliance with NIST 800-171 and the “interim rule”.

    Addressing the certification process; you should anticipate that the road to certification is a minimum of 6 months and it may be longer in your particular case.  The CMMC Accreditation Body (CMMC-AB) is already advising Organizations Seeking Certification (OSCs) that it will take 6 months.  And that’s based upon the assumption that an OSC is ready-to-go, right now!  No gaps in performance, etc.

    Our experience, both with CMMC/NIST 800-171 and other similar frameworks, is that organizations that are not in that ready-to-go state, should factor in an additional 3-6 months.

    Next, you need to consider the impact of the “interim rule”.  In September 2020, DFARS Case 2019-D041 was released effectuating additions to DFARS that went into effect on November 30, 2020.  DFARS 252.204-7019, 252.204-7020 and 252.204-7021 were added to adopt CMMC, clarify some misinterpretations and to add a stop-gap requirement that ALL DoD contracts not bearing a CMMC designation require the organization to be in compliance with NIST 800-171, submit their self-assessment score into the Supplier Performance Risk System (SPRS) and directs Procurement Officers to consult such score and use it as part of the criteria in awarding ANY DoD contract (again, non-CMMC designated ones).

    What’s the practical implication?  Most OSCs are:  a) not ready-to-go with CMMC, b) are presently bidding and looking to be awarded DoD contracts, and c) don’t know when the Rulemaking will be completed and therefore not sure when contracts will come out with the CMMC requirement.  Knowing that the organization could see a CMMC designated contract as early as 2022, combined with a lack of readiness, juxtaposed against the reality of 9-12 months to achieve certification – and it could already be too late to get started.  The time to act is now!

    Q:
    If we already have to meet NIST 800-171, haven’t we all exceeded CMMC 2.0 Level 1?? So why wouldn’t we all have to target Level 2 as a minimum certification level?
    A:

    This is a really tricky one.  You’re right!  Unless you are a new provider to the DoD, yes, you would have already needed to be in compliance with NIST 800-171 (DFARS 252.204-7012).  As entities have had to be compliant with NIST 800-171 since its introduction and adoption in late 2016/early 2017.  It is also true that NIST 800-171 is more stringent than Maturity Level 1 of CMMC 2.0.  If the eventual answer is that you need to be at Maturity Level 1, why do you care about NIST 800-171?

    There’s two reasons.  One is staying in compliance with DFARS (specifically, the “Interim Rule” that went into effect on 11/30/2020).  The other reason is much more selfish for you as an organization.  It’s just good business!  I’ve been in Cybersecurity for going on 21 years.  I often get asked “what has changed over the years – what are you recommending?”  The sad response is “not much.  The same things that worked 20+ years ago are foundationally the same issues we’re facing today.  Yes, the tactics have gotten better, there’s more awareness, more visibility to the problem, but the risks remain the same AND the solutions are still the same”.   Sure, we have newer technologies, have built Artificial Intelligence into products, have more options available to us…but at the end of the day it’s all about understanding your risk and putting the right cyber hygiene practices into place.

    CMMC defines Maturity Level 1 practices as “Basic Cybersecurity”.  Even at Maturity Level 2, it’s defined as “Good Cybersecurity”.  Good.  Not great!  But good.  If you care about ensuring that your own proprietary intellectual property doesn’t go out the door; if you care about ensuring you don’t fall victim to a financial fraud by erroneously wiring 10s, 100s of thousands of dollars or even more out-the-door; if you don’t want to experience plant shut-downs, inability to communicate with customers and suppliers because the organization has suffered a ransomware attack – or if you care about any of the other myriad problems linked to poor (or even “basic”) cyber hygiene, then it’s time to put the controls in place that NIST 800-171 and/or CMMC 2.0 Level 2 dictate.  If you’re only required to be at Maturity Level 1, great, CERTIFY to Level 1 – but don’t delay in putting the controls in at Level 2!

    –mic drop—

    (Oh, and if you really don’t care about achieving Level 2 but are in this situation, CONTACT VESTIGE to discuss a strategy, because there is a way to address this.)

    Q:
    If we send documents to be printed to an outside vendor, does that vendor need to be CMMC certified?
    A:

    It depends on the contents of the documents being sent and your organization’s current contractual obligations. If you are sending CUI to be printed by the outside vendor and your organization is currently supporting a contract with a DFARS 252.204-7012 clause, then the outside vendor (considered a subcontractor) must provide the same level of protection that is required of your organization for that CUI. Your responsibility as the organization sending the CUI (documents) is to ensure that whoever your sending the CUI to is able to properly protect and control it. According to DFARS 252.204-7012 this must be performed by including the DFARS 252.204-7012 in the contract you have with the outside vendor (this is known as a ‘flow down’ of DFARS 252.204-7012).

    While this may seem like a hassle, it’s quite obvious as to why this is required. The point of CMMC is to demonstrate that your organization is mature enough to safeguard CUI. Your organization demonstrates this maturity by implementing the required controls found in NIST SP 800-171 which provides assurance that the information is properly safeguarded while in your possession. If you were to send CUI to another organization, your ability to safeguard CUI means absolutely nothing if the organization you are sending it to cannot demonstrate the same level of maturity for handling and safeguarding CUI. At best the outside vendor you are sending the documents to for printing will disregard its sensitivity and treat it as any other document they would print and at worst may share it with unauthorized individuals intentionally or unintentionally.

    Therefore, if you are sending CUI to another organization to print, you are required to flow down your contractual obligation to DFARS 252.204-7012 to that outside vendor. This flow down does not directly translate to the outside vendor being ‘CMMC certified’ but does at a minimum mean the outside vendor must demonstrate ‘adequate security’ by implementing the required controls found in NIST SP 800-171.  If you are sending documents that do not contain CUI to the outside vendor to print then a DFARS 252.204-7012 flow down is not necessary and the vendor would not be required to implement ‘adequate security’.

    Q:
    Is there a differentiation for non-US owned firms?
    A:

    Yes and no.  The standard and framework itself apply equally to any provider within the Defense Supply Chain.  However, you should note that some categories/subcategories of CUI (typically things like Export Control, nuclear, weapons systems and space) may carry with it additional safeguarding requirements similar or in addition to ITAR (International Traffic in Arms Regulation).  Therefore, there may be additional restrictions especially as it relates to No Foreign National (NOFORN).

    Q:
    Is there a layman’s pre-assessment? The jargon can be problematic for understanding the CMMC requirements.
    A:

    There are a lot of software companies in the “compliance” market and at the first signs of the CMMC, many have raced to adopt prior solutions to fit the CMMC. As a result, I suspect that there probably is something like this out there. Having said that, I’ve reviewed quite a few of these solutions and I have not found any that I felt were simple (layman’s approach), straight-forward and affordable, As these compliance solutions tend to be all encompassing, they generally include a wide range of features that overly complicate the process. I encourage you to keep an eye on developments on this front from us. We are actually in the process of trying to do just that. It is a balancing act and my hope is that we can achieve it in such a way as to keep it as simple as possible.

    Q:
    So what date should we plan to be CMMC 2.0 Level 2 if we are performing AE design of DoD Facilities?
    A:

    “I attended a briefing by NAVFAC SW CO recently and if I understood him correctly, he indicated the CMMC Certification would not be required until 2025. If I understand your response correctly we should not wait until then.”

    Q:
    We have a subcontract with a big four accounting firm performing work for the DoD. Each employee has a government laptop as well as a laptop issued by the prime for NIST compliance. All DoD client information must stay between each of the two laptops and no other system can be used. Would only Level 1 apply in this situation?
    A:

    We encourage you to pull down the CMMC requirements and look at the controls for Maturity Level 2. You will see that a small percentage of the items relate to the physical and logical access to the devices that touch, store, process or otherwise interface with CUI. Rather, quite a bit of the control objectives relate to more of the practices and processes that the overall organization follows in each of those domains — it includes things like the organization’s practices around hiring and on-boarding individuals, how access is determined, authorized and granted, how users rights are removed upon termination, technology disposal, how you keep up on compliance issues, vulnerabilities, etc. What I’m getting at is there’s much more than just those physical devices provided by the Government and the Prime. While each individual situation differs, to me, I’d want to take a very careful look at the policies and procedures around the use of those devices and whether the processes and practices are documented, practiced and strong enough to, in fact, prove that the CUI environment only applies to those particular devices and that by their very nature the CMMC controls are not applicable. The short answer though, is in my opinion, I’m leaning to the fact that your situation does not lend itself to avoiding a maturity Level 2. Finally, recall, at the end of the day it all depends on the requirement of the contract itself. If the contract has portions that require Maturity Level 2 — then all parties (prime(s) and subcontractor(s)) that need access to that information will need to be at a Level 2 or higher.

    Q:
    What is an enclave? Can an organization with a large environment have more than one?
    A:

    In order to answer this question an organization should recognize what an enclave is and why it is implemented. An enclave is an environment or ecosystem that is established to secure sensitive assets and data, including but not limited to Controlled Unclassified Information (CUI). One of the main purposes of an enclave is to ensure that sensitive data remains isolated from other environments and is not at risk of being exposed to an inappropriate/unauthorized system and does not interact with users or resources that are not relevant to contracts dealing with operations and work processes that require greater security measures.

    When an organization considers an enclave solution, it is essential for them to understand several variables that may impact their enclave implementation. Those variables include the organization’s size, number of assets, criticality of assets, and data types. In a large environment, there can be more than one enclave. The need for more than one enclave may manifest as a result of different contractual obligations. As a result, the organization must bear in mind regulations and requirements they must abide by in addition to those outlined in the Department of Defense’s CMMC Program (and by extension the DFARS 252.204-7012 clause). Developing documentation to identify, classify, and track assets (the people, systems, programs, etc. that process, store, and distribute sensitive data) is vital for organizations to understand how an enclave may be designed to suit their needs. That includes granting control over specific (separated) data types that need to be protected in accordance with regulatory requirements and assigning the appropriate access to those who fulfill duties essential for contracts.

    Q:
    What is lead time needed to reach out to a C3PAO and schedule an audit? 1 month? 2 months? Longer?
    A:

    I’m going to dissect that question a bit and put it into two categories.  You ask about the lead time in reaching out to a C3PAO.  In its simplest answer, the lead time is zero…you can reach out and get it scheduled right now.  There are C3PAOs already approved and in the marketplace.  As of this writing (November 2021), only a couple of the C3PAOs that have applied, have been approved (Vestige included).  [This is more of a matter of the logistics than anything else.]  So, if you’re ready, you can reach out right now.  (https://cmmcab.org/marketplace/)

    But I suspect you’re asking a slightly different question.  My interpretation of that is that you’re more interested in understanding how long is it going to take until the C3PAO is engaged, on-site, has conducted their work and at a place where they’ve issued their report/findings.  The CMMC Accreditation Body (CMMC-AB) is already advising Organizations Seeking Certification (OSC) to expect the process to be about 6 months.  Interpreting that a little deeper, I think you can expect it to take 1-2 months to be engaged and actually have the C3PAO on-site, another month (bringing it to 3 months) for the findings.  Add in the available 90-day “cure period” should the C3PAO find any “correctable” deficiencies, and that puts you right at 6 months.

    Now that, of course, is assuming you’re ready to go right now.  If you’re not, you need to factor that into your lead time as well.  That could easily be another 3-6 months depending on the Maturity Level as well as the complexity and overall state of affairs within your environment.

    Q:
    When will we see CMMC requirements in DoD RFPs?
    A:

    With the introduction of CMMC 2.0, we are now in the Rulemaking Process.  That Rulemaking is expected to take approximately 9-24 months.  At the conclusion of that Rulemaking, all DoD contracts will be CMMC

    Q:
    Will you have any simplified packages (documentation, etc) as a starting point for your clients? Perhaps at different levels. Like a basic simplified version for people with very limited number of internal employees and minor access – on-premises vs cloud.
    A:

    Absolutely. Having been in this area for 20 years, we have amassed a ton of experience and as such have put together turnkey solutions on the assessment, remediation and even assisting during the actual C3PAO external audit. Happy to have a scoping call and provide a proposal on that front.

    Q:
    Would like to get your perspective on the state of awareness of CMMC requirements among local firms/sub contractors in countries where US DOD work often occurs – Germany, Japan, Korea, Spain for example?  Do you have a sense through your interactions w/DOD entities managing CMMC about their awareness of the situation and challenges to attain compliance?  Our experience is that things are in a very immature state forcing decisions about risk/compliance for ongoing and prospective work.
    A:

    Unfortunately, on this one I can’t say that I have a very good insight into those particular countries and the understanding therein.   However, I can make an educated guess about it.  And that guess is that similar to what you’ve found, it’s a very immature understanding.  I feel confident with that answer because I would say that, as a whole, the ENTIRE Defense Supply Chain (and I’m mostly focusing on domestic entities) isn’t aware of the requirements.  Let’s face it, a huge majority of firms have quite readily ignored and/or have remained (blissfully) ignorant on NIST 800-171 requirements and that has been around in earnest since 2016!

  • Cybersecurity

    Q:
    Which is the better cybersecurity framework: NIST CSF or CIS?
    A:

    The decision as to whether you should focus on the NIST Cybersecurity Framework (NIST CSF) or the Center for Internet Security Critical Security Controls, is very much a personal preference.  As with all cybersecurity frameworks, there is much overlap…but there are also differences.  For the purposes of this answer we will focus on NIST CSF 2.0 (“NIST CSF” hereafter) and CIS Critical Security Controls v8.

    NIST CSF contains 106 outcomes (or practices) that should be adopted.  These outcomes are arranged within 22 categories that roll up to 6 Core Functions (formerly, domains) – specifically:  Govern, Identify, Protect, Detect, Respond and Recover.

    CIS Critical Security Controls contains 153 Safeguards (or practices), organized against 18 CIS Controls.

    From an overlapping standpoint, 46 of the NIST CSF outcomes directly map to the CIS CSC.  108 of the CIS CSCs don’t map to NIST CSF.

    Differences

    So what’s the biggest difference?  When you look at the details of the two frameworks, NIST CSF tends to be a bit higher-level and certainly more “non-prescriptive” (see “What is a prescriptive vs non-prescriptive assessment framework”).  If you’re following “best practices”, generally speaking the unmapped CSCs will generally be picked up in a well designed practice under NIST CSF.  Whereas, the CIS CSC tends to be more prescriptive – giving much more explicit instructions as to what needs to be put into place.

    NIST CSF also tends to be a bit heavier on the Governance side as well as recognizing that incidents will likely occur, and therefore an organization needs to be prepared for that – having a business process in place to respond and recover is a component of complying with NIST CSF.  CIS CSC tends to focus more around prevention, with some safeguards addressing the detection of an incident.  One CIS Control addresses Incident Response and again some of what is included in NIST CSF Categories Respond and Recover are within the CIS Control, but it is prescriptive.

    The Takeaway

    Both frameworks are excellent frameworks.  They address the best practices an organization should have in place.  They are also both agnostic when it comes to industry, regulatory/statutory environment and can be used in any size organization and are apropos for non-profit/not-for-profit as well as government and commercial organizations.

    The big takeaway is CIS CSC tends to be more tactical and NIST CSF tends to be more high-level/strategic.

    At Vestige, we like both frameworks.  They server slightly different purposes and as such, we will use components of both.

    If you find yourself in a situation where you are looking to assess the organization’s compliance with such a framework or are looking for assistance in putting these practices into place, let the cybersecurity experts of Vestige assist.  Contact Us today.

  • Digital Forensics

    Q:
    Can I erase my data without people knowing?
    A:

    While there are many methods and tools to erase, or delete, digital data; there are methods and tools that our Analysts use to attempt to recover, or trace, that deleted data. Depending on the device and the data, our Analysts may find evidence that a file has been deleted, or in other cases, we may be able recover the exact file or document. Even if files and documents have been deleted, evidence of access to those files may still remain on the device. The use of specialized applications to securely wipe data will leave evidence of the use of such an application as well. Deleted data will always be a time sensitive subject. As time goes on from the deletion date, new data has the opportunity of overwriting, or covering up, the old, deleted data.

    Q:
    Can you recover data from a RAID drive where more than 1 drive has failed?
    A:

    It is technically possible to recover data from a RAID array where more than one drive has failed. Vestige has Forensic tools that can be used to try and recover data but the feasibility and success of the recovery process depend on several factors:

    RAID Level: The RAID level being used (e.g., RAID 0, RAID 1, RAID 5, RAID 6, etc.) will greatly impact the ability to recover data. Some RAID levels offer more redundancy and fault tolerance than others. Also with certain RAID Levels if the drive is missing completely, no data can be recovered.

    Extent of Failure: If multiple drives have failed, the extent of the failure (e.g., which specific drives have failed, how many drives have failed, whether the failure is due to hardware or logical issues, etc.) will determine the difficulty of recovery or if data can be recovered at all.  It is also good practice to stop using the RAID if it is broken. Using the broken RAID longer can make the data harder to recover. It is also important to note that if you power on the raid with not all of the drives connected or in the wrong order this can potentially destroy the RAID.

    Backup Availability: The availability of recent backups can significantly simplify the recovery process. If backups are up-to-date, it may be more feasible to rebuild the RAID array from scratch using the backups rather than attempting to recover data from the failed drives.

    Q:
    Can you recover data from a RAID drive where more than 1 drive has failed?
    A:

    It is technically possible to recover data from a RAID array where more than one drive has failed. Vestige has Forensic tools that can be used to try and recover data but the feasibility and success of the recovery process depend on several factors:

    RAID Level: The RAID level being used (e.g., RAID 0, RAID 1, RAID 5, RAID 6, etc.) will greatly impact the ability to recover data. Some RAID levels offer more redundancy and fault tolerance than others. Also with certain RAID Levels if the drive is missing completely, no data can be recovered.

    Extent of Failure: If multiple drives have failed, the extent of the failure (e.g., which specific drives have failed, how many drives have failed, whether the failure is due to hardware or logical issues, etc.) will determine the difficulty of recovery or if data can be recovered at all.  It is also good practice to stop using the RAID if it is broken. Using the broken RAID longer can make the data harder to recover. It is also important to note that if you power on the raid with not all of the drives connected or in the wrong order this can potentially destroy the RAID.

    Backup Availability: The availability of recent backups can significantly simplify the recovery process. If backups are up-to-date, it may be more feasible to rebuild the RAID array from scratch using the backups rather than attempting to recover data from the failed drives.

    Q:
    Can you recover deleted text messages?
    A:

    Text messages are frequently the center of attention in a mobile forensic investigation. Updates to messaging applications have made the chance of recovering text messages greater, but not guaranteed. A useful update with iPhones that assists our analysts in the recovery process is the “recently deleted” temporary folder. This folder is created when text messages are deleted. For the 30-day period that the messages remain in the temporary folder, our forensic tools can capture and recover the deleted messages. If the messages are past the 30-day period, or have been deleted by the user from the temporary folder, in most cases our analysts can seek out gaps or missing areas in the data. In doing so we can attempt to create a timeline to which a deleted message was sent or received. Another process our analysts use to recover deleted messages is the use of a full file system extraction. A full file system is not available for every phone model, but when available, it can recover more data from a mobile device. Depending on the device model, deleted messages may have a greater chance of being recovered with the use of this method. Please keep in mind the recovery will depend heavily on multiple factors including the device, the date deleted, the texting or chat application used, etc.

    With regards to any deleted data, the sooner we collect after the suspected deletion date, the higher the chances of recovery become. As new data is being created on the mobile device, any deleted data is being overwritten.

    Q:
    How do I explain Computer Forensics to my client?
    A:

    Computer forensics and investigations is the process of preserving and analyzing all data on a computer whether or not it is visible to the operating system or user.

    Q:
    How do I know if I have a good Computer Forensics Examiner?
    A:

    Attorneys have unique needs when using computer forensic analysis. They must rely upon an expert to extract relevant data using procedures and protocol that permit the data to be admitted in court; while also relying upon the same expert to help identify and resolve issues related to rules of procedure, litigation strategy, and the theory and law of the case. The former requirement focuses upon computer technology, the latter upon legal training and trial experience.

    Good computer forensics companies will have merged computer technology and trial experience. In regard to computer technology, a good computer forensic company will use sound procedures to ensure that all relevant information is admissible in court. It will be able to explain those procedures in an intelligent, compelling manner before judges and juries. A forensic computer expert will be able to explain the technological issues and strategies to you in such a way that you will be comfortable explaining them to your opponent, or to a judge in motion practice. As to legal and trial issues, a good computer forensic company will be able to help you anticipate the procedural objections and strategies that you may encounter using computer forensics, provide you the case law support for the protocols you wish to use, suggest procedures that satisfy federal and state court rules, and recognize information relevant to your legal theories, strategies and claims.

    Before engaging a forensic company be sure to ask the following questions……

    • What is the experience level of the forensic computer examiner?
    • How long have they been in the industry?
    • Have they ever testified in court?
    • Have they been admitted as an expert witness?
    • How many cases have they worked?
    • What relevant education and training do they have?
    • What professional organizations are they affiliated with?
    • What standards and protocols have they employed to ensure the evidence is not tainted?
    • What software do they use?
    • Do they rely on a single piece of software or do they have an arsenal of tools to use as appropriate?
    • Do they have the proper licensing of the software they are using?
    • Is their software proprietary and if it is proprietary, has it been accepted in the court system? If not, you may have an uphill battle just getting the evidence admitted.
    • Do they have in-house, full time attorneys working on the cases?
    • Are the attorneys trained in the forensic analysis of computers?
    • What is the experience level of the attorneys, including trial experience?
    • Have the attorneys been admitted as expert witness?

    All of these questions are important in determining the skill level and expertise of the computer forensic company. More importantly, these questions are important to judge the degree to which the company will be able to help you in the real world of trial litigation.

    Q:
    How exactly does Computer Forensics work?
    A:

    What does a forensic computer examiner or digital forensics expert do? They will take several careful steps to identify and extract all relevant data that is resident on a subject’s computer system. Forensic analysis will extract the data that can be viewed by the operating system, as well as data that is invisible to the operating system. Proper forensic protocol will:

    • Protect the evidence during the forensic examination from any possible alteration, damage, data corruption, or virus introduction. A write-blocking device should be used at the time the computer is acquired to ensure that the evidence is not damaged, tainted or is in any other way rendered inadmissible in court.
    • Use forensically sound protocols at all times during the investigation to ensure that the information on the computer is admissible in court. Assume that every case/situation could end up in the legal system. If your Computer and Digital Forensics Examiner doesn’t make that assumption, find someone else. A true Forensic Examiner will implement write-blocking techniques, MD5 hash values and establish a Chain of Custody.
    • Address the legal issues at hand in dealing with Electronic Evidence, such as relevant case law, how to navigate the discovery process, protection of privilege and in general, working/communication with attorneys and other professionals.
    • Discover all files on the subject’s system, including: Existing normal files, invisible files, deleted yet remaining files, hidden files, password-protected files and encrypted files.
    • Recover all deleted files and other data not yet overwritten. As a computer is used, the operating system is constantly writing data to the hard drive. From time to time, the operating system will save new data on a hard drive by overwriting data resident on the drive but no longer needed by the operating system. A deleted file, for example, will remain resident on a hard drive until the operating system overwrites all or some of the file. Thus, in order to preserve as much relevant data as possible on a computer system, you must acquire relevant computers as soon as possible. The on-going use of a computer system may destroy data that could have been extracted before being overwritten. Fortunately, the costs of acquisition are very reasonable, and the process is not disruptive. Click for our Spoliation Letter.
    • Analyze all possibly relevant data found in special (and typically inaccessible) areas of a disk. This includes unallocated space on a disk (currently unused, but possibly the repository of previous data that is potentially relevant), as well as ‘slack’ space in a file (the unused space at the end of a file, in the last assigned disk cluster, that may be a possible site for previously created and relevant evidence).
    • Prepare a computer forensics report of the computer system, as well as provide you a copy of all relevant data, parsed in a format and arranged to be integrated into your legal theories and strategies. In an appropriate case, the forensic analysis will also opine regarding the system layout, file structures, attempts to hide, delete, protect, encrypt information and anything else that has been discovered and is relevant to the matter.
    • Provide Expert consultation and/or testimony, as necessary. Many times attorneys are disappointed with the quality of expert testimony. A good computer forensic company will have trained its experts to appear in court to support motion practice, discovery disputes, and at trial.
    Q:
    How long does it take to complete a Forensic Analysis of a Computer?
    A:

    The time it takes Vestige to complete a forensic analysis of a computer is going to depend heavily on the type of analysis requested. Vestige has three main analysis packages we offer. The first is an Artifact Analysis which includes a complete forensic analysis of artifacts and the standard turn-around time is 10 business days. The second is a TRO Package which also includes a complete forensic analysis of artifacts and the standard turn-around time is 3 business days. The third is a Triage Analysis which includes a brief review of common data exfiltration artifacts to determine if deeper analysis is needed. The standard turn-around for a Triage Analysis is 5 business days.

    Of course, there are times when clients need a quicker turn around and we do our best to accommodate their requests. We typically have the ability to work with a client to deliver results in a time frame that suits our clients’ needs.

    Q:
    How long does it take to complete a Forensic Analysis of a Mobile Phone?
    A:

    The time it takes to complete a forensic analysis of a mobile phone can vary significantly depending on several factors. Vestige’s standard turnaround time is two weeks. If the case needs special priorities Vestige can work with the client to understand deadlines and work on expediting the analysis.

    Listed below are factors that can alter the time an analysis takes:

    1. Extent of Examination: If the examination involves a basic analysis for specific data (e.g., call logs, text messages), it might take less time compared to a comprehensive analysis. If the client just needs an exported report from Cellebrite that can take less time than analysis.
    2. Device Type and Model: The complexity of the device and its operating system can impact the time required for analysis. Older devices with simpler operating systems might be quicker to analyze but will most likely have less data compared to newer smartphones with advanced security features and higher storage.
    3. Storage Capacity: The amount of data stored on the device plays a significant role. Larger storage capacity means more data to analyze, which can increase the time required. This will also play a factor in the Forensic collection.
    Q:
    How long does it take to make a Forensic Image of a Computer?
    A:

    The average time that Vestige takes to image a computer is between 2-4 hours.  While there are a multitude of circumstances that could affect the amount of time needed to forensically image a computer, there are three primary pieces of information the Digital Evidence Specialist will use to determine a rough estimate of time.  Those include the Operating System (OS) used, the type of hard drive within the device, and the size of the hard drive.

    1. The OS will normally be one of two options, Microsoft Windows or MacOS, but it can also include others such as Linux, Unix, and many more. Knowing the OS of the machine will determine what method will be used to image the computer.
    2. The type of drive that is used in a device can vary between hard disk drives (HDDs) and solid state drives (SSDs). SSDs are known to be faster and more efficient than HDDs and that can impact the amount of time needed to forensically image the device.
    3. Finally, the size of the hard drive is the most important factor to consider. Smaller drives such as 120 GB and 250 GB fit well within the average 2-4 hours mark.  Larger drives such as 500 GB and 1 TB fit within an estimate of 4-8 hours.  Even larger drive sizes will go up from there.
    Q:
    How long does it take to make a Forensic Image of a phone?
    A:

    The amount of time needed to create a forensic image of an iPhone is typically 2 to 4 hours. The time needed to create a forensic image of an Android typically is 4 to 6 hours. The time can vary based on the amount and types of data found on the phone. The main item for iPhones and Androids that can increase acquisition times are multimedia messages (MMS). MMS are typically group messages, long text messages, or messages that contain attached files such as pictures, videos, emoji, and website links.

    Q:
    If I think that evidence exists, is it ok if my Technology expert takes a look for the information before I get in touch with a Computer Forensics Expert?
    A:

    Most in-house technology experts are concerned with mission critical data and recovery from catastrophic data loss. They are not experts in the acquisition and preservation of data rendered invisible to the operating system. Even the most well intentioned technology expert can damage the fragile information that is stored on a computer, especially when the operating system does not recognize the data. The simple act of turning the computer on or looking through files can potentially damage the very data you’re looking for. Dates can be changed, files overwritten and evidence can be corrupted.

    Additionally, using in-house personnel can raise issues related to authentication that can increase the cost of admitting evidence. In-house personnel may be put through a Daubert-Frye challenge that could threaten the admissibility of critical evidence. If there is a remote chance that the matter could end up in court, best practices strongly suggests having the data analyzed by computer forensic investigators. The cost of computer forensic service will almost always be far less than the cost of defeating a challenge to the admission of critical evidence.

    Q:
    Isn’t Computer Forensics only useful in cases where you expect that there is a “smoking gun”?
    A:

    Computer forensic analyses are useful in cases whenever the computers have been used either to commit a crime or tort, or used to created, modify, or store data that can be used as evidence. Many times an attorney will suspect that there ought to be an email, a letter, or some other, singular, “smoking gun” that will prove his case or destroy his opponent’s legal theory. Often, however, the “smoking gun” is not one single document, but rather, an aggregate of documents and artifacts. Artifacts tell the certified computer forensics examiner how the computer was used; while documents, fragments, hidden data, and deleted data can be extracted, compiled, and presented as evidence in a case.

    Q:
    What is “Ghosting” an image and why isn’t that good enough?
    A:

    Ghost is a software application created by Symantec. Ghost is very good for creating an image of a computer that includes only those files and data visible to the operating system and the user. Ghost does claim to have settings allowing it to make an image of all data. However, Ghost has not been tested and verified through peer review to determine its worthiness in creating a forensic image. Furthermore, Ghost does not have a method for verifying whether the data that it does acquire is accurate and has not change. Vestige uses a tool called Encase which has not only been peer reviewed but also has been tested by NIST (National Institute of Standards and Technology). It maintains a unique signature of the image which it can use to compare at any point in time in order to verify the authenticity of the image.

    Q:
    What is an “Acquisition”?
    A:

    Acquiring the computer image and authenticating the data are the initial steps in a Computer Forensics examination. The Acquisition of a computer or other digital media is done using specialized software and write-blocking devices which ensure that an exact copy of the digital evidence is made. Acquisitions can be done wherever and whenever is convenient and non-disruptive. Many times acquisitions are performed at night or on weekends, either on-site or at the law offices of counsel. In some situations, acquisitions can also be completed in the home or office.

    An acquired image of the subject computer is then authenticated by forensic software which creates and embeds in the image a digital finger print. This “finger print” is called an MD5 hash and is a numeric code that represents all the information on the computer. If one single bit is changed on the computer the MD5 hash value will not match. This ensures that the Computer Forensic Examiner has not changed the data and replication of the MD5 is admissible in court.

    The sooner the acquisition is done the more likely the chance to find the evidence you are looking for. So, if you suspect you might have a problem now or in the future you can have the computer drive acquired and have the image preserved indefinitely. Acquisition costs are very reasonable, making this strategy a feasible method to prepare for potential litigation.

    Q:
    What is Computer Forensics?
    A:

    Computer forensics is the scientific and strategic examination and analysis of recovered electronic data. This data resides on any type of computer storage media in such a way that the information can be used as evidence in a court of law. Using highly specialized software, a computer forensics investigator can use digital analysis to “unlock” every bit of data on electronic media. All data that has been deleted, hidden, or otherwise rendered invisible and imperceptible to the operating system can be uncovered.

    Q:
    What risks are there if I don’t consult a Computer Forensics expert at the start of a problem?
    A:

    The most frustrating aspect of forensic analysis is that the operating system randomly overwrites data on the hard drive. This means that the longer a computer is used, the more likely it is that evidence will be lost, even to a computer forensic specialist. Fortunately, the operating system frequently records evidence in several places simultaneously. So if the data is overwritten in one area, it may still reside in another. It is impossible to tell, however, whether the data that is most important to you will survive the constant use of the computer. Indeed, the simple act of turning the computer on or looking through files can potentially damage the very data you’re looking for. The dates that files were created can be changed, files can be overwritten and evidence can be corrupted. The safest practice is to have a computer forensic company acquire an image of the computer as soon as possible; however, it may be possible to find relevant data even after years of use.

    Q:
    What types of cases is Computer Forensics useful in?
    A:

    Any case in which you file a Request for Production of Documents, or request all relevant documents from your client, is a case that will benefit from the efficiencies and scope of Computer Forensic Application. Computer Forensics will quickly obtain for you all the relevant evidence, not just the evidence that your opponent or client has determined is sufficient and responsive to your request.

    Q:
    When should I consider using Computer Forensics?
    A:

    A good rule of thumb is to use Computer Forensics as a tool to (1) determine the facts from your client, (2) discharge your duty to avoid spoliation, (3) obtain all relevant evidence from the opposing party in a manner similar to using a Request for Production of Documents, and (4) determine whether computers were used as the instrumentality of a tort or crime.

    Computer forensics software can help determine facts from client. An attorney must have all the information relevant to a matter, not only to construct effective legal strategies, but also to focus your client’s expectations, and efficiently price your forensic computer services. There is nothing more difficult to address than a case that has become complicated by new facts, where you client expected the matter to proceed smoothly and without significant cost. Knowing all the facts early in a matter, allows you to better prepare your client for those cases that will require significant legal expertise to manage.

    Discharge Duty to Preserve Evidence. In response to pending litigation, analyzing your client’s relevant computers is an excellent way to discharge your duties to preserve evidence and avoid spoliation, while also acquiring all relevant information essential to your legal theories and strategies. Similarly, as part of critical business decisions, forensically analyzing relevant computers can provide essential information. For example, analyzing the computers of corporate officers or employees as part of the termination process can alert you to possible litigation issues such as violation of non-compete agreements, improper copying of intellectual property, etc.

    In Lieu of Request for Production of Documents. In litigation, an attorney ought to determine whether a Request for Production of Documents will obtain all relevant evidence. You might simply ask yourself whether you want to discover part of the relevant information (i.e. that seen by your opponent’s operating system) or all of it (deleted, hidden, orphaned data, etc). It is not unrealistic to anticipate that information contained on a computer system that is helpful to a matter would be saved, while that which is harmful would be deleted, hidden, or rendered invisible. For example, in sexual harassment cases, it is not unusual to discover deleted emails and other data invisible to the operating system that significantly affects the case. Computer forensic analysis extracts all the emails, memos, and data that can be viewed with the operating system, as well as all invisible data. In many cases, the invisible data completely changes the nature of a claim or defense, leading to early settlement and avoidance of surprises during litigation.

    Computers as Instrumentality of Crime or Tort. In any situation in which one or more computers may have been used in an inappropriate manner, it is essential to call a forensic expert. Only a computer forensic analyst will be able to preserve, extract, and analyze the vital data that records the “tracks” left behind by inappropriate use. Taking the wrong steps in these circumstances can irretrievably destroy the vestiges of wrongful use that may result in litigation or criminal prosecution.

    Q:
    Why can’t my client perform computer forensics themselves?
    A:

    Your client should reach out to companies specializing in computer forensics because they have a vested interest in finding information that would support their case. Vestige is an impartial third party. Also, the cost of the applications and software for data analysis we use to preserve and analyze data as well as the training would cost your client more money to acquire than it would to retain us.

    Q:
    Will Digital Forensic Services interrupt my business? What is the cost of Digital Forensic Services?
    A:

    There is no reason that forensic data analysis needs to disrupt any business. Making a “clone” of a computer system for electronic evidence retrieval (even if several computers are involved) can be done during non-business hours, at night, or over a weekend. In many cases, the clone is acquired in less than 5 or 6 hours.

    As to the cost of Digital Forensics, there are many factors. Here’s our white paper for an in-depth answer:

    How Much does Digital Forensic Services Cost?  

  • Q:
    As an attorney, am I at risk of professional liability if I don’t recommend the use of computer forensics?
    A:

    If relevant information is found on the computer after the case has closed and you did not recommend Computer Forensics at the start of the case you could be found negligent. Given that Computer Forensics is not cost prohibitive, follows all the traditional discovery protocol, is not obtrusive to the operations of business and can find visible and invisible documents it is a potential tool in each and every case. Don’t fall into this trap, consider the use of Computer Forensics experts from our digital forensics company in any case which could end up in court.

    Q:
    How do I prevent the opposition from continuing to use the computer and potentially damaging the evidence?
    A:

    In our resources section under Motion Practice, Vestige has sample spoliation letters which will inform the opposition of their duty to preserve all evidence including all data on the computer that they are using to prevent any forensic fraud. Vestige’s legal group will walk you through the process of customizing a letter to fit your specific needs so that you are successful in ensuring preservation of electronic records.

    Q:
    How do you prevent the release of information from being considered a waiver of client-attorney privilege?
    A:

    The use of forensic IT services for comprehensive computer forensics data recovery does not circumvent traditional Rules of Discovery. Privileged information will still be redacted from the Initial Findings Report. The searches will be done according to agreed upon key terms and will not extend beyond the established parameters.

    Q:
    How does Vestige prevent “fishing expeditions” or overly-broad searches?
    A:

    Vestige has years of experience in performing computer forensics services. From our experience, we can determine which searches will be too broad and therefore pointless and which ones will find the information you are looking for, should it exist. Furthermore, Vestige has the skills to refine searches so that if a search becomes too broad but is necessary, we can narrow down the parameters to still achieve the results you are looking for.

    Q:
    What about protecting the attorney client privilege?
    A:

    When performing a computer forensic examination, Vestige always turns over data we find to the producing party allowing them to redact anything that may be considered client confidential information. We then turn over the resulting data to the opposing side. This process occurs regardless of whether we are analyzing your client’s data or the opposing side’s data. When retained by you, the attorney, Vestige is acting as an agent for you and is therefore bound by the client attorney relationship including the protecting of attorney client privileged information.

    Q:
    What is “Non-Adversarial Discovery”?
    A:

    Vestige’s job is to work with our client to determine the strategy of a case and uncover the information that is pertinent. We may also be called to testify how the data got on the computer and what that data means. Either way, Vestige is only testifying to whatever facts are uncovered off of the computer. Our opinion is in no way tainted by who hires us. We have many times been retained by both sides in a case to uncover all facts relating to the case and have done so in a complete and accurate way.

    Q:
    What is the benefit of using Computer Forensics in Electronic Discovery versus traditional “paper” discovery?
    A:

    Unlike paper evidence, computer evidence can often exist in many forms, with earlier versions still being accessible on a computer. With 90% of office correspondence never being printed there is a lot of material that could potentially be missed if you’re only looking for traditional documents. With the use of Vestige’s data recovery service this “hidden” digital information can be unlocked.

    Q:
    What is the difference between Computer Forensics and Electronic Discovery?
    A:

    Electronic Discovery of data is an extension of RULE 26(a)(1) of the Federal Rules of Civil Procedure which governs the disclosure of “all documents, data compilations and tangible things” subject to discovery in litigation. Electronic Digital Discovery is primarily an organization tool, allowing the user to process, locate, recall, and parse large amounts of data using powerful electronic searching and indexing tools. Considering that more than 90% of all documents and communications are produced digitally, and many of these items are never printed to paper media, Electronic Digital Discovery is a very powerful tool.

    Electronic Digital Discovery is not an investigative or analytic tool. It is limited for example, to organizing and retrieving only that portion of the information on a computer that everyone can see, access, and copy. If data that supports your legal theory or strategy has been deleted, hidden, or otherwise rendered invisible to the computer’s operating system, you won’t find that information using Electronic Discovery.

    Computer forensic analysis, on the other hand, is an inclusive analytic tool that identifies, extracts, preserves, and searches both the visible and the “invisible” information on a computer. With the use of computer forensics investigation and analysis you can find, compile, and parse all the evidence. This includes evidence comprising deleted files, unallocated space, slack space, hidden files, and encrypted files. Once all the evidence has been located, extracted, compiled, and parsed, it can be inserted into common Electronic Discovery tools and integrated into a case. Thus, Computer Forensics is a powerful engine that enhances the Electronic Discovery process because Computer Forensic analysis gives you all the information Electronic Discovery can provide plus a whole lot more.

    Q:
    Why can’t my law firm or I offer this service for our clients?
    A:

    There are three reasons why you, as a law firm, might run into issues when offering this service to your client. The first reason has to do with client confidential information. In the course of searching a hard drive, an analyst may come across information that is considered client confidential. At Vestige, we always give the producing party the information we find first in order to let them redact any client confidential information. Second, being your client’s attorney, you have a vested interest in finding anything to support your client’s case. That could open the door for challenges from the opposing side that you were not examining the data with a clear conscious, especially if you are working on contingency. While Vestige is hired by you, we do not work on contingency and our reputation is based on giving an unbiased report on what we find on the computer. We have a vested interest to do a thorough job and not let anything cloud our report.

    Vestige’s staff of computer technicians are comprised of experts in the computer forensics field and attorneys, this gives us the edge in uncovering the legal and technical aspects of any case. Furthermore, we use tools that are geared towards forensic analysis and have a wealth of information to pool from.