Columbia Advisory Group Adds Extended Detection and Response to IT Managed Service Portfolio with Abacode Partnership

"In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network.”

— David McLaughlin, President and CEO, Columbia Advisory Group Tweet

DALLAS, TEXAS, UNITED STATES, June 13, 2022 / — Dallas-based Columbia Advisory Group (CAG), a leading provider of IT Managed and Cybersecurity Services, today announced the expansion of its services via a partnership with Abacode, a leading provider of managed Extended Detection and Response (XDR).

The partnership between CAG and Abacode will allow clients to one-stop-shop for specialized IT Managed Services, Governance, Risk Management, and Compliance (GRC), Virtual CISO services and managed XDR services to analyze data breaches as they occur.

As organizations face increasing threats of ransomware, data breach, and phishing, they must simultaneously upgrade their governance and compliance activities to minimize risk while simultaneously detecting and responding to breaches as they arise to understand, contain and prevent them. This capability requires increasingly scarce competent cybersecurity leadership and specialized, virtual Security Operations Center (vSOC) services that can investigate problems in real-time and provide visibility across the enterprise of controls compliance.

“Our many public-sector, educational, manufacturing, and health care clients already rely upon CAG for cybersecurity guidance and IT expertise. CAG is pleased to bolster our leading Cybersecurity practice by offering 24x7x365 SOC 2 Type 1 and 2 XDR services via our partner, Abacode. In this time of increasing global attacks, it is critical to have around-the-clock eyes on the network,” said David McLaughlin, President and CEO of Columbia Advisory Group.

“Abacode is constantly striving to push the technology industry forward by partnering with top-notch leaders in the MSP space,” said Greg Chevalier, Senior Vice President – Partners and Sales Strategy for Abacode. “Partnering with Columbia Advisory Group ensures that clients not only have their information technology operations humming along at peak efficiency with their managed services but now includes Abacode’s Managed Detection and Response and Security Operations Center support.”

About Columbia Advisory Group:

Columbia Advisory Group (CAG) is a well-respected Information Technology (IT) consulting firm. CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments, including many institutions of higher education, state agencies, and Fortune 500 customers. By focusing on practical solutions and straightforward analysis, CAG’s team supports many regulatory and economic environments and organizations of all sizes. Practice specialty areas include Cybersecurity, Infrastructure, IT Service Management, Application Management and A/V Services. Whether a client is high-growth or economically challenged, CAG can improve business outcomes with IT insight and support. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit

About Abacode

Abacode combines leading technologies and professional services to implement Cybersecurity and Compliance programs for clients throughout the world. Abacode enables clients to implement a Cyber Capability Maturity Model and benefit from our expert Extended Detection and Response capabilities. Offices in the Americas and Europe. Learn more at or connect with us at

Log4J: Neutralizing the latest global cybersecurity threat


Every day we see news about cybersecurity attacks, exploits, and hacks to the point that we are relatively immune to what feels like sensationalized news about the latest and most devastating threat no matter how legitimately concerned we should be.
And on December 6th when we were getting ready to go to the office holiday party and a weekend of shopping, the world was read-in on a significant security vulnerability known as LogJ4.

What is Log4J?

Log4J is a widely used open-source Java code library from the Apache Software Foundation used by many servers across the world to record a log of activity and send it to a centralized server. It is integrated into thousands of software applications, services, and systems, and websites from Fortune 100 firms down to small providers.

What is the new vulnerability?

It was discovered that some common versions of Log4J are vulnerable to being forced to execute code via specially crafted URLs (web address) that pass through the logs. This address passes through the system and is used to download and execute code that can provide remote access to the machine or perform other malicious tasks. Having information pass through the logs can be done from a chat, submitting an online form, sending an email that is processed by a system that uses Log4J to log emails, or any other means in which data enters the logs, effectively allowing someone with nefarious intentions to see sensitive user data, install malware and spyware, or even take over machines for nefarious purposes.

How widespread is this?

As noted on, Twitter users have experimented with changing their display names to trigger the vulnerability, users in the game Minecraft triggered it through the in-game chat, and an iPhone user changed their device name to trigger the vulnerability (and did notify Apple). Cloud service providers, such as Cloudflare, rolled up temporary fixes for their customers while heavily used systems from companies such as VMWare, Oracle, Adobe, RedHat, and others have worked to update to the latest release of Log4j released by Apache that addresses the remote code execution vulnerability and downgrading the risk to moderate.

What do I need to do?

Your institution’s IT departments and security teams should be assessing their catalog of systems and software that use Apache with Java libraries to determine which systems may be vulnerable. Initial focus should be on public-facing systems, most likely to be ERP and SIS systems used by the institution. They should also be working with those vendors on obtaining patches and scheduling updates to the systems as soon as practical.

In addition, it is important to make sure that faculty, staff and students are aware of the exploit and how it can impact their personal BYOD (Bring Your Own Device) devices such as iPhones and share best practices such as using 2-Factor Authentication and keeping their devices up to date with the latest security patches.

If your IT department and security teams are unsure of a system’s potential vulnerability, they should check with the vendor to validate those systems have the latest security patches. If your institution does not have a security team, check with your managed security services provider. If you do not have a managed security service provider, reach out to Columbia Advisory Group as part of E&I contract CNR01469 to engage our team of experts to ensure your institution adheres to appropriate NIST standards and can manage, detect and respond to Log4j and other threats.


The Log4J vulnerability has been patched by Apache with the introduction of Log4j 2.17.1, yet the threat is being actively exploited across the globe and still poses one of the largest security threats to date. The National Institute of Standards and Technology (NIST) that maintains a database of vulnerabilities has listed this at its highest severity classification. Due to the widespread use of the open-source Log4J application by vendors from small software applications to large enterprise systems and cloud services, there is a high-likelihood most organizations will have some risk to mitigate.

While the risk associated with Log4J has concrete solutions, the next cyber exploit will present a danger to your university’s operations.

CMMC: What It Is and Why It Is Important

The Cybersecurity Maturity Model Certification (CMMC) is a security framework implemented by the US Department of Defense (DoD) to improve protection of the defense industrial base. Like other security frameworks, the CMMC has a collection of controls for processes and practices with the goal of achieving a certain level of cybersecurity maturity. The main purpose of the CMMC is to provide assurance to the DoD that a company holding federal contracts has the appropriate measures in place to safeguard Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), and to account for how that information flows. It’s also a powerful framework that can apply to anyone looking to boost their security posture.

If the University uses Federal funds for research with the Department of Defense, you may want to consider CMMC certification. CAG can help with a pre-assessment to ensure the University passes the certification.

CMMC is a scalable framework, so dependent upon the sensitivity of data involved, a federal contract will require specific CMMC controls be in place. Currently, the CMMC has five levels. The higher the level, the more controls required. And because they are cumulative, CMMC Level 3 would demand implementing everything in the preceding two as well.

  • CMMC Level 1: Basic cyberhygiene—focused on safeguarding Federal Contract Information (FCI)
  • CMMC Level 2: Intermediate cyberhygiene—serve as a transition step in cybersecurity maturity
  • CMMC Level 3: Good cyberhygiene—protect Controlled Unclassified Information (CUI)
  • CMMC Level 4: Proactive—protect CUI and reduce risk of advanced persistent threats (APTs)
  • CMMC Level 5: Advanced/progressive—protect CUI and reduce risk of APTs

How Is CMMC different from other security frameworks?

The biggest difference is that it does away with self-attestation. With standards like NIST 800-171, you could self-attest you were following the appropriate controls and standards and win a federal contract. CMMC changes this by requiring that anyone seeking a federal contract with the DoD must receive certification from an approved CMMC third-party assessment organization (C3PAO).

You can easily perform self-assessments by leveraging resources made available by the Office of the Under Secretary of Defense for Acquisition & Sustainment. However, you will still need to engage a C3PAO to receive CMMC certification of the appropriate level to win a federal contract. During the audit by a C3PAO, they should be able to help identify any gaps that will prevent receiving certification. If you or your research entities are subject to CMMC, engaging with a C3PAO is going to be inescapable. The earlier you start, the more flexibility you will have in implementing any recommendations.

There is currently a grace period to allow CMMC to become fully implemented, but in the future federal DoD contracts will not be awarded without the appropriate certification.

Why is CMMC important to universities?

For Universities, CMMC is no different than any other set of standards or frameworks—it contains an established baseline of best practices, and controls and processes that must be implemented. In fact, most of the controls in CMMC are mapped directly to NIST 800-171. So, if you have already been building your cyber program around NIST 800-53 and NIST 800-171, you should look at CMMC as an opportunity to help you stand apart.

For Universities that have not traditionally implemented NIST or other security frameworks because it wasn’t a requirement for your stakeholders, this is an opportunity to own risk and reap the rewards. If you decided to implement the controls within CMMC Level 3—even if you don’t receive certification—you will have a more mature cybersecurity posture, a larger portfolio of services you can offer within your research, and improved scalability.

If you have made it this far and think CMMC doesn’t apply to you since you don’t support these types of projects, you may be interested to know that CMMC has the potential to work down the hierarchy from federal to state and local governments. When NIST 800-53 was originally released in 2005 as recommended security controls for federal information systems, it was intended for federal information systems. In August 2017, federal was removed to indicate that it may be applied to any organization. Many state governments, local municipalities, insurance providers, and public and private entities of all types have required NIST 800-53 controls and processes be followed for years.

One day, CMMC, or an evolution of it, may be just as prevalent as NIST 800-53. With the heightened public awareness concerning the risk cybersecurity threats pose, it’s likely we may eventually see self-attestation as a relic of the past.

CAG Performs Policy Assessments and Controls alignments according to the following standards

  • Gramm–Leach–Bliley Act (GLBA)
  • NIST 800-171
  • NIST 800-53
  • PCI Compliance
  • TAC 202 or other state standards

If you would like to learn more about how CAG can advance your organization’s cyber security maturity, please contact


CAG is a highly experienced IT consulting firm. With 100+ years of combined technology experience and business acumen, CAG’s team has assessed and helped improve the performance of more than 300 technology organizations and IT departments. By focusing on simple, meaningful, and practical solutions combined with straight-forward analysis and recommendations, CAG’s team has experience in many regulatory and economic environments with companies and organizations of all sizes. CAG not only offers a deep understanding of IT, but its solutions are software and hardware agnostic. Whether a client is high growth or economically challenged, CAG can adapt to the complexities and nuances of that business. Based in Dallas, Texas, CAG works extensively with clients throughout the U.S. For more information, visit