Cyber Security News

What we’re talking about

Cyber Security

DoD Acquisition Nominee and CMMC

DoD Acquisition nominee Michael Duffy plans to review Cybersecurity Maturity Model Certification (CMMC) implementation in an effort to balance the need for security against excessive regulation.  Duffy also recognized the need for affordability for the Defense Industrial Base (DIB) to maintain cybersecurity best practices to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Duffy

Cyber Security

Organizations Are Not Ready for CMMC

Recent studies have shown that organizations are not ready for CMMC.  The Aware but not Prepared report from Redspin states that only half of the Defense Industrial Base (DIB) are even moderately prepared for a Level 2 certification.  Despite a five-year rollout for the final rule from the Department of Defense (DoD) DIB

Cyber Security

Integrated Business Management Systems for Effectiveness

Integrated business management systems provide more effective solutions to the challenges facing organizations today.  This approach consolidates business processes and systems across teams and unifies objectives.  It can effectively address requirements for quality management, export compliance, information security management, and other concerns, ensuring compliance without gaps, duplication of efforts, or teams working at cross purposes.

Cyber Security

CMMC Final Rule to be Implemented in 2025

The Department of Defense (DoD) has released its Cybersecurity Maturity Model Certification (CMMC) final rule.  This rule will now require contractors to verify that required security measures have been implemented for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).  These requirements are to be implemented in early to mid-2025 when verification of security

Cyber Security

Validated End User (VEU) Program Expanded

The Bureau of Industry and Security (BIS) has expanded its Validated End User (VEU) Program to include controls for data centers in an effort to create a trusted ecosystem for artificial intelligence (AI) development.  The VEU will now review applicants' data centers to ensure application of appropriate safeguards and security measures.  This update to the

Cyber Security

Ransomware Possible Cause of Death

Ransomware may have been the possible cause of death of a patient in Dusseldorf.  A ransomware attack on thirty servers at the Dusseldorf University hospital on September 9, 2020 prevented immediate emergency treatment and resulted in the patient having to be transported to a facility 20 miles away where she died from a delay of

Cyber Security

DFAR Amendment for Contractor Implementation

The Department of Defense (DoD) has proposed a Defense Federal Acquisition Regulation Supplement (DFAR) amendment for contractor implementation of Cybersecurity Maturity Model Certification (CMMC).  DFARS case 2019-D041 was first published in September 2020 with an effective date of November 20, 2020 to allow for the development of CMMC 2.0.  CMMC 2.0 establishes a framework for

Cyber Security

Suit Filed Against Georgia Tech by U.S. Government

A suit filed against Georgia Tech by the United States Government alleges that the university’s affiliate, Georgia Tech Research Corporation (GTRC), knowingly failed to meet its cybersecurity requirements for the Department of Defense (DoD).  The suit was initiated by a whistleblower complaint from members of Georgia Tech’s Cybersecurity team.  The lawsuit alleges that the Georgia

Cyber Security

Integrating Physical Security Requirements for Businesses

Integrating physical security requirements is an area of growing concern for organizations of all sizes.  Aside from ensuring basic safety for personnel and physical assets, businesses are faced with security requirements for cybersecurity and export compliance.  This necessitates a non-siloed approach to an often overlooked management function. Basic Physical Security Measures Every organization should ensure

Cyber Security

NIST Special Publication 800-53 Controls

NIST Special Publication 800-53 is a catalog of security and privacy controls released by the National Institute of Standards and Technology for U.S. federal information systems.  It includes key steps in the Risk Management Framework for the selection of appropriate security controls for information systems.  This framework of standards and guidelines is a requirement for federal

Cyber Security

Cyber-Intrusion and Data Exfiltration Concerns for BIS

Cyber-intrusion and data exfiltration are subjects of increased concern for the Bureau of Industry and Security (BIS).  In its March 2024 release of Don’t Let This Happen to You!, BIS reiterates its growing role in export enforcement to protect U.S. national security and foreign policy concerns.  It emphasizes the importance of developing effective export compliance programs

Cyber Security

Global Challenges for Cybersecurity Resilience

Global challenges for cybersecurity resilience were outlined in a recent report from the World Economic Forum.  The report, Global Cybersecurity Outlook 2024, analyzes the state of inequity in achieving cyber security, the impacts of geopolitics on the cyber risk landscape, the effects of emerging technologies such as Artificial Intelligence (AI), and the shortage of qualified people

Cyber Security

Secure Software Development Attestation Form Released

A secure software development attestation form has been approved by the Federal Government in an attempt to ensure that contracted developers of software assume responsibility for the security risks in the protection of federal information.  The form was released by the Cybersecurity and Infrastructure Security Agency (CISA) Office of Management and Budget (OMB) on April

Cyber Security

Lockbit Extortion Operation Interrupted by Operation Cronos

The Lockbit extortion operation was taken down by an international law enforcement effort called “Operation Cronos”.  This action included participation of the FBI, the National Crime Agency of the UK (NCA), and Europol among other organizations.  Actions taken include the UK’s National Crime Agency taking control of the ransomware’s site and the arrest of at

Cyber Security

KV Botnet Disrupted by FBI in Infected SOHO Routers

The FBI has disrupted a KV botnet malware infection instigated by Volt Typhoon, a state-sponsored threat actor affiliated with the People’s Republic of China (PRC).  The KV botnet was first identified in December of 2023.  It targeted Cisco and NetGear routers that were no longer supported by manufacturer software updates.  The court-authorized operation, conducted

Cyber Security

China is Targeting U.S. Infrastructure with Cyberattacks

The Washington Post reported that China is targeting U.S. infrastructure with cyberattacks in a continuing effort to increase its ability to disable critical systems.  The Cybersecurity and Infrastructure Security Agency (CISA) first announced these attacks in May of 2023.  CISA identified the source as Volt Typhoon, a state-sponsored hacking group affiliated with China. Chinese
