Frame, Assess, Respond, and Monitor (FARM) in Third-Party Risk Management

I just listened to a third-party risk management (TPRM) Mitratech webinar about NIST cybersecurity frameworks, hosted by OCEG, which talked about a farm.

No, they’re not planting corn at NIST’s Gaithersburg headquarters.

(At least I don’t think so. I haven’t been there since early 2009, back when Motorola and Safran people couldn’t talk about the possible acquisition. We did anyway. But I digress.)

Back to TPRM. In Mitratech’s case, FARM stands for “frame, assess, respond, and monitor.”

Here’s how Mitratech introduced the topic in a 2022 post:

NIST SP 800-53 is considered the foundation upon which all other cybersecurity controls are built. With SP 800-161 Rev. 1, NIST outlines a complementary framework to frame, assess, respond to, and monitor cybersecurity supply chain risks. Together, SP 800-53 and supplemental SP 800-161 control guidance present a comprehensive framework for assessing and mitigating supplier risks.

If you visit the latest (as of 2024) update to SP 800-161, you can find NIST’s explanation of the FARM in Appendix G. The three referenced levels in the quote below are the enterprise, mission, and operations levels.

The first approach is known as FARM and consists of four steps: Frame, Assess, Respond, and Monitor. FARM is primarily used at Level 1 and Level 2 to establish the enterprise’s risk context and inherent exposure to risk. Then, the risk context from Level 1 and Level 2 iteratively informs the activities performed as part of the second approach described in The Risk Management Framework (RMF). The RMF predominantly operates at Level 3 [SP80037] – the operational level – and consists of seven process steps: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor.

Briefly:

  • Frame establishes the context.
  • Assess is the risk assessment itself.
  • Respond is where the assessors communicate the results of the assessment and propose mitigations and controls.
  • Monitor is compliance verification and continuous monitoring.

Section G.2 of the document includes much, much more detailed definitions of the FARM elements, should you be interested. I’d provide those details myself, but then I fear I’d have to say to you, “Sorry if I’ve stayed too long.”

Earthquake Phone Alerts Work

Back when AOL keywords roamed the earth, you didn’t learn about an earthquake until you felt it. Now, sensors and smartphones attempt to provide advance notice.

A little while ago my phone started beeping loudly. By the time I figured out why, I felt a strong jolt.

Luckily it was 90 miles away from me, and it was NOT a 6.0 as initially reported. (Helpful hint: an earthquake’s magnitude is never as initially reported.)

But it appears that many of us received advance warning.

Now if everyone can agree on the magnitude…

Replacing Underage Age Estimation With Underage Age Verification

Why do we have both age verification and age estimation? And how do we overcome the restrictions that force us to choose one over the other?

Why age verification?

As I’ve mentioned before, there are certain products and services that are ONLY provided to people who have attained a certain age. These include alcohol, tobacco, firearms, cannabis, driver’s licenses, gambling, “mature” adult content, and car rentals.

There’s also social media access, which I’ll get to in a minute.

So how do you know that someone purchasing one of these controlled products or services has attained the required age?

One way is to ask the purchaser to provide their government identification (driver’s license, passport, whatever) with their birthdate to prove their age.

This is known as age verification. Provided that the ID was issued by a legitimate government authority, and provided that the ID is not fraudulent, this ID provides ironclad assurance that you are 18 years old or 21 years old or whatever the requirement is.

But let’s return to social media.

Why age estimation?

If you’re Australian, sit down for a moment before I share the following fact.

There are jurisdictions in the world that allow kids as young as 13 years old to access social media.

However, these wild uncontrolled jurisdictions face a problem when trying to determine the ages of their social media users. As I noted almost two years ago:

How many 13 year olds do you know that have driver’s licenses? Probably none.

How many 13 year olds do you know that have government-issued REAL IDs? Probably very few.

How many 13 year olds do you know that have passports? Maybe a few more (especially after 9/11), but not that many.

So how can you figure out whether Bobby or Julie is old enough to open that social media account?

One way to do so is by using a technique called age estimation, which looks at facial features and classifies people by their estimated ages.

The only problem is that while age verification is accurate (assuming the ID is legitimate), age estimation is not:

So if a minor does not have a government ID, and the social media firm has to use age estimation to determine a minor’s age for purposes of the New York Child Data Protection Act, the following two scenarios are possible:

An 11 year old may be incorrectly allowed to give informed consent for purposes of the Act.

A 14 year old may be incorrectly denied the ability to give informed consent for purposes of the Act.

So what do you do?

How to perform underage age verification

Biometric Update points out that there is a free alternative for underage people ages 13-15 in the United Kingdom: the CitizenCard. These cards are issued in four categories:

  • ‘18+’ for adults
  • ‘16-17’ for those aged 16 to 17
  • ‘13-15’ for children aged 13 to 15
  • ‘Under 13’ for younger children

“OK,” you may say, “but so what? Anybody can print a card that says anything they want, like Alabama’s John Wahl did. Why should anyone accept the CitizenCard?”

Well…people, um, trust it.

CitizenCard is the only non-profit, UK-wide issuer of police-approved proof of age & ID cards….

CitizenCard was founded in 1999 and is governed by representatives from the National Lottery operator Allwyn, the Co-op, Ladbrokes & Coral owner Entain and the TMA.

CitizenCard…is the longest-established and the largest issuer of Home Office-endorsed PASS-hologram ID cards in the UK with more than 2.5 million issued.

[CitizenCard] is audited by members of the Age Check Certification Scheme on behalf of PASS to ensure that the highest standards of UK data protection, privacy and security are upheld and rigorous identity verification is carried out.

So one could argue that you don’t need age estimation in the UK, because there is a well-established way to VERIFY ages in the UK.

However, there are other benefits to age estimation, including the fact that estimation is frictionless and doesn’t require you to pull out a card (or a smartphone) at all.
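To make the accuracy gap concrete, here is an added Python example (constructed for this page; it is not code from Bredemarket, Biometric Update or CitizenCard). It computes an exact age from a document birthdate, contrasts that with an estimation-only check that reproduces the two wrong outcomes above, and shows how an estimator’s error band (assumed here to be ±2 years) can be used to escalate borderline cases to a proof-of-age card instead of guessing. The threshold of 13, the sample birthdates and the error band are all assumptions.

```python
from datetime import date

# Constructed example (not from the original post): document-based age
# VERIFICATION versus face-based age ESTIMATION, and a combined decision that
# escalates borderline estimates to a document check instead of guessing.
THRESHOLD = 13  # assumed minimum age for the hypothetical social media sign-up


def verified_age(birthdate: date, today: date) -> int:
    """Age in completed years from a document birthdate (verification).
    Handles the case where this year's birthday has not yet occurred."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def verification_decision(birthdate: date, today: date, threshold: int = THRESHOLD) -> str:
    return "allow" if verified_age(birthdate, today) >= threshold else "deny"


def naive_estimation_decision(estimated_age: float, threshold: int = THRESHOLD) -> str:
    """Estimation-only decision: compares the point estimate to the threshold
    and ignores the estimator's error band entirely."""
    return "allow" if estimated_age >= threshold else "deny"


def buffered_decision(estimated_age: float, margin_years: float,
                      threshold: int = THRESHOLD) -> str:
    """Estimation with an error band (assumed symmetric +/- margin_years).
    Allow only if the whole band clears the threshold, deny only if the whole
    band is below it, otherwise escalate to document-based verification."""
    low, high = estimated_age - margin_years, estimated_age + margin_years
    if low >= threshold:
        return "allow"
    if high < threshold:
        return "deny"
    return "verify"  # e.g. ask for a CitizenCard or other proof-of-age card


def run_scenarios() -> dict:
    """The two wrong outcomes from the post, using an assumed +/-2 year
    estimator, beside the exact answer a birthdate gives for the same children."""
    as_of = date(2025, 6, 1)  # constructed 'today' for the verification checks
    return {
        # An 11 year old whose face is estimated at 13.5: naive check wrongly allows.
        "11yo_naive": naive_estimation_decision(13.5),
        "11yo_buffered": buffered_decision(13.5, 2.0),
        "11yo_verified": verification_decision(date(2013, 9, 1), as_of),
        # A 14 year old estimated at 12.5: naive check wrongly denies.
        "14yo_naive": naive_estimation_decision(12.5),
        "14yo_buffered": buffered_decision(12.5, 2.0),
        "14yo_verified": verification_decision(date(2011, 3, 1), as_of),
        # Birthday edge case: the day before the 14th birthday is still 13.
        "day_before_birthday": verified_age(date(2011, 4, 15), date(2025, 4, 14)),
        "on_birthday": verified_age(date(2011, 4, 15), date(2025, 4, 15)),
    }
```

The "verify" outcome is where a card such as the CitizenCard fits: estimation handles the clear cases frictionlessly, and only the ambiguous band pays the cost of pulling out an ID.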

How Do You Maximize Impact For the RIGHT Awareness?

It’s not enough for your company’s prospects to know who you are, but it helps. But you can do more than that…with Bredemarket’s help.

Who are you?

I just searched for the leading software providers in a particular category. This isn’t unusual. If someone wants to purchase software, they will often conduct their own research before letting themselves be pestered by salespeople.

My category search turned up several software packages.

It DIDN’T turn up numerous others in that category.

So a whole bunch of companies are already at a disadvantage, and there’s a good chance that their competitors are going to take their money because the software buyer won’t even think of purchasing from them.

The software buyer has no AWARENESS of these other software packages.

The Bredemarket website has an entire page on awareness, in which I make the following point:

“Two discussions of this three-step sales funnel are provided by Venn Marketing and Walker Sands (the latter of whom throws in things that happen AFTER the purchase, engagement and advocacy). 

“Both sources define awareness as the first step in the funnel, and its purpose is to (drumroll) simply make prospects, um, aware that you and your product/service exist.”

Obviously there are other things you need to do to end up with a happy customer, but you’ll never get a happy customer if they don’t even know about you during the prospect stage.

Awareness of what?

We’re a unicorn!

Now there are all sorts of ways to raise awareness, but some are better than others.

  • I previously linked to the story of Beatrice’s rise and fall, in which the fall was illustrated by the infamous “We’re Beatrice” campaign. The tagline? “We’re Beatrice.” What did the tagline mean to prospects? Absolutely nothing.
  • I knew of another company that was slightly more successful, but not much. Instead of saying “We’re (COMPANY NAME),” they loudly proclaimed “We’re a Unicorn.” This was back during one of the periods of heated market acquisitions. But what difference did the company’s unicorn status make to its prospects? Not much. If you’ve raised a billion dollars, I only care if you promise to give me a couple of million of it.
  • Here in Southern California, Honda car dealers have banded together to produce ads about the “helpful Honda people.” Unfortunately, the ads have nothing to do with cars, the products these commercials are supposed to be selling. What difference does a Honda dealer’s helpfulness make? Unless your cat is stuck in a tree, not much.

It’s not enough for your company’s prospects to have awareness about you. They need to have awareness about how you can solve their problems.

Only then will you make an impact.

Raising awareness

Bredemarket works with you.

Perhaps your company needs to raise awareness of your solutions to your prospects’ problems.

Bredemarket can work with you on this, asking questions and even engaging in…um…WOMBAT to produce impactful content for your company and its products and services.

So that your prospects know about you.

Then we can work on the next steps, consideration and conversation.

Book a free appointment to talk to me: https://bredemarket.com/cpa/

(All pictures from Imagen 3)

FinCEN Domestic BOI Changes: Terrorists Have Not Already Won

A Bredemarket message about financial identity and anti-money laundering (AML) enforcement.

A huge loophole?

Tell your firm’s fraud-fighting story: https://bredemarket.com/cpa/

(Money laundering picture from Imagen 3)

Don’t Know Your Business and Corporate Transparency Act Limited Enforcement (Oh BOI Again)

AuthenticID shared the following:

“In March, the U.S. Treasury Department announced it would no longer enforce the Corporate Transparency Act, the anti-money-laundering law that requires millions of businesses to disclose the identity of their real beneficial owners.”

Not entirely accurate, as we will see, but the details behind that claim are gated. They are not gated at JD Supra:

“On March 26, 2025, FinCEN issued an interim final rule and request for comments, removing the requirement under the Corporate Transparency Act (CTA) for both U.S. companies and U.S. persons to report beneficial ownership information to FinCEN. The rule is effective March 26, 2025. Thus, subject to additional rule changes, U.S. companies and U.S. individuals no longer have to file an initial Beneficial Ownership Information Report (BOIR) or otherwise update or correct a previously filed BOIR.”

As the interim rule itself clarifies, foreign companies still have to report.

“On March 2, 2025, Treasury announced the suspension of enforcement of the CTA against U.S. citizens, domestic reporting companies, and their beneficial owners, and Treasury further announced its intent to engage in a rulemaking to narrow the Reporting Rule to foreign reporting companies only.”

The interim rule itself addresses the convoluted history (one, two, three) of FinCEN’s attempts to enforce anti-money laundering (AML) laws as court challenges persist.

I will let you judge whether this is welcome relief from bureaucracy for American companies, or a huge FinCEN loophole that facilitates AML financial identity evasion by simply letting companies represent themselves as domestic, allowing them to launder as much money as they please for terrorists, drug dealers, and others.

Not that I have an opinion on that.

(Business terrorist image Imagen 3/Google Gemini)

Know Your Political Influencer

In an article with a clickbait title, Newsweek reported on the indictment of Massachusetts state Representative Christopher Flanagan on various fraud charges. One of the allegations:

“Beyond the five wire fraud counts, the grand jury also indicted him on one count of falsifying documents related to a campaign flier. The mailer from “Conservatives for Dennis” endorsed Flanagan….[He attributed] “the source of the Mailer to a false persona, ‘Jeanne Louise,'” whom he created for the endorsement….In October 2023, he admitted to OCPF that Jeanne Louise “was fake” and he was the source of the mailer.”

There is so much effort to identify voters. What about identifying the sources of political endorsements?

Does your company have a solution to this? I can help you tell your story. Go to https://bredemarket.com/cpa/.

(Picture from Imagen 3)

Pay No Attention to That Man Behind the Curtain

H/T Donal Greene for this story of non-person entities that were really people.

“The nate app purported to take care of the remainder of the checkout process through AI: selecting the appropriate size, entering billing and shipping information, and confirming the purchase….In truth, nate relied heavily on teams of human workers—primarily located overseas—to manually process transactions in secret, mimicking what users believed was being done by automation.”

From https://www.justice.gov/usao-sdny/pr/tech-ceo-charged-artificial-intelligence-investment-fraud-scheme

Now the DOJ is indicting Albert Saniger for defrauding investors: https://www.justice.gov/usao-sdny/pr/tech-ceo-charged-artificial-intelligence-investment-fraud-scheme

(Picture from Imagen 3)

Revisiting Amazon One

Because my local Amazon Fresh post is taking off, it’s a good time to revisit the “one” thing Uplanders will encounter when they get there.

I’ve talked about Amazon One palm/vein biometrics several times in the past.

Meanwhile, Amazon One is available at over 400 U.S. locations, with more on the way.

And it’s also available (or soon will be) on TP-Link door locks. But the How-To Geek writer is confused:

“TP-Link says that these palm vein patterns are so unique that they can even tell the difference between identical twins, making them safer than regular fingerprint or facial recognition methods.”

Um…fingerprints? Must be a Columbia University grad.

And the TP-Link page for the product has no sales restrictions. Even Illinois residents can buy it. Presumably there’s an ironclad consent agreement with every enrollment to prevent BIPA lawsuits.

(Picture from Imagen 3)

Are Your Competitors Stealing From You? The Ultimate Guide to Increasing Prospect Awareness

Technology marketers, do your prospects know who you are?

If they don’t, then your competitors are taking your rightful revenue.

Don’t let your competitors steal your money.

Before I tell you how Bredemarket can solve your technology company’s awareness problem, let me spill the secret of why I’m asking the question in the first place.

The wildebeest’s friend

Normally I don’t let non-person entities write Bredemarket content, but today I’m making an exception.

Sources.

My usual generative AI tool is Google Gemini, so I sent this prompt:

“What are the five most important types of marketing content to create for a technology software company?”

A little secret: if you want generative AI to supply you with 3 things, ask for more than that. Some of the responses will suck, but maybe the related ones are insightful.

In this case I only wanted ONE type of marketing content, but I reserve the right to “co-author” four more posts based upon the other responses.

Of the 5 responses from Google Gemini, this was the first:

“In-depth Problem-Solving Content (Think Blog Posts, White Papers, Ebooks): Your potential customers are likely facing specific challenges. Content that dives deep into those problems and offers insightful solutions (even if it doesn’t directly pitch your product) builds trust and positions you as a thought leader. Think ‘The Ultimate Guide to [Industry Challenge]’ or a white paper on ‘Navigating [Complex Technical Issue].’”

Now you see where I got the idea for the title of this post. Normally I shy away from bombastic words like “ultimate,” but this sage is going a little wild.

So the bot tells me that the most important type of marketing content for a technology software company is short-form or long-form problem-solving content.

Going meta

Let’s get a little meta (small m) here.

If your prospects don’t know who you are, create customer-focused content that explains how your company can solve their problems.

Solving problems.

Now let’s get meta meta.

If you need help creating this content, whether it’s blog posts, articles, white papers, case studies, proposals, or something else, Bredemarket can help you solve your problem.

Let’s talk about your problem and how we can work together to solve it. Book a free meeting via the https://bredemarket.com/cpa/ URL.

(All AI illustrations from Imagen 3 via Google Gemini, of course)

Bredemarket’s “CPA.”