Sign in to view Alissa’s full profile
Washington, District of Columbia, United States
2K followers
500+ connections
Experience & Education
-
Cloudflare
Other similar profiles
-
Jonathan Morris
Berkeley, CA
-
Carl E. Schonander
Global Technology Government Affairs & Policy Lead
Washington, DC
-
Jonathan Lee
Washington, DC
-
Aaron DeLong
Shareholder at Lugenbuhl, Wheaton, Peck, Rankin & Hubbard
New Orleans, LA
-
Dave Dorey
Washington, DC
-
Karen D Dacres
Washington, DC
-
Alexandra N. Veitch
Washington, DC
-
Vanessa Allyn
Refugee Law
Washington, DC
-
Abbas Ravjani
Washington, DC
-
Alex Harman
Washington DC-Baltimore Area
-
Andrew Kim
Washington DC-Baltimore Area
-
Daniel Sepulveda
Washington, DC
-
Robert S Rivkin
Greater Chicago Area
-
Michael A. Magdelinskas
New York, NY
-
Jesse Campion, JD, LLM, MPA
Senior Policy Consultant | DoD OSD (Intel & Security) | Former US Presidential Management Fellow (PMF) | US Army Veteran
Arlington, VA
-
Victoria O.
Diplomat | Former Director at White House, National Security Council | Lawyer |
Washington, DC
-
Jason Pielemeier
Executive Director at the Global Network Initiative
Washington, DC
-
Brian Andrews
Head of Public Policy at Audible, Inc.
New York City Metropolitan Area
-
Sunjeet Randhawa
Director at Symantec/Broadcom
Washington DC-Baltimore Area
-
William Goodwin
Los Angeles, CA
Explore more posts
-
DefenseScoop
A bipartisan group of lawmakers has put forth new legislation aimed at promoting more competition for the Pentagon’s cloud and artificial intelligence contracts. The Protecting AI and Cloud Competition in Defense Act, introduced by Sens. Elizabeth Warren, D-Mass., and Eric Schmitt, R-Mo., strives for “meaningful regulation to limit Big Tech monopolies from elbowing out competitors in the AI and cloud computing markets,” according to a press release issued Thursday by Warren’s office. https://lnkd.in/ebynWkGW
13
-
AIScoop
A bipartisan group of lawmakers has put forth new legislation aimed at promoting more competition for the Pentagon’s cloud and artificial intelligence contracts. The Protecting AI and Cloud Competition in Defense Act, introduced by Sens. Elizabeth Warren, D-Mass., and Eric Schmitt, R-Mo., strives for “meaningful regulation to limit Big Tech monopolies from elbowing out competitors in the AI and cloud computing markets,” according to a press release issued Thursday by Warren’s office. https://lnkd.in/esEmX_Xi
1
-
The AUKUS Alliance
While this may be well intended, large defense contractors may still claim that there are no small businesses capable of fulfilling certain contracts, which is often a tactic used to avoid federal regulations intended to encourage competition and innovation. It’s crucial that small businesses continue to challenge these narratives and demonstrate their value in meeting the complex and evolving needs of national defense. Follow The AUKUS Alliance and reach out to see how we can help you. #AUKUS #Innovation #AI #ML #CloudComputing #datainfrastructure #DefenseTech
-
Kayne McGladrey
The Supreme Court's recent rulings in Loper Bright Enterprises v. Raimondo and Relentless v. Department of Commerce have overturned the "Chevron doctrine." This change will lead to greater judicial scrutiny over regulatory decisions, including those affecting cybersecurity rules and enforcement actions by agencies like the Federal Trade Commission (FTC) and critical infrastructure regulators.

Effects on Business Compliance:
* Legal challenges in various courts may lead to inconsistent decisions. Companies should prepare for frequent changes in security regulations as lawsuits progress.
* Businesses must adjust their compliance strategies to handle inconsistencies in cybersecurity law application across different jurisdictions.
* Staying updated on litigation and potential regulatory changes is essential. Businesses should also be adaptable in their risk management strategies.

Effects on Legislation and Regulation:
* Lawmakers will need to work to reduce ambiguity in laws to avoid judicial intervention. Federal agencies will need to create more narrowly defined cybersecurity regulations with clear legal backing.
* Companies should collaborate with legal counsel to ensure laws and regulations align with statutory authority and congressional intent.

Legal Challenges to Cybersecurity Regulations:
* Current cybersecurity regulations are more open to legal challenges, especially when agencies adapt vague or outdated laws to new security practices and threats. Lawsuits against agency cybersecurity rules and enforcement actions are expected to increase.
* New rules, such as those under CIRCIA, face a higher risk of litigation if they lack clear legal support. This could result in fewer, narrower, or less effective regulations.
* Congress must clearly express its intent when delegating agency actions. Although critical infrastructure cybersecurity and harmonizing security rules across sectors are priorities, Congress has yet to act decisively.
* The legal landscape may shift towards less regulation in cybersecurity, even as cyber threats continue to grow.

Implications for FTC and CFPB:
* The rulings also affect the FTC and the Consumer Financial Protection Bureau (CFPB), both of which have broad interpretations of their regulatory authority, including in privacy matters.
* The FTC has been active in rulemaking since 2020, including the Health Breach Notification Rule and proposed changes to the Children's Online Privacy Protection rule. Legal challenges, such as Ryan, LLC v. Federal Trade Commission, claim the FTC lacks the legal authority to enforce the Non-Compete Rule and that the rulemaking process was arbitrary. The FTC will face more difficulties defending its rules without judicial deference. This is highlighted by a court order preliminarily blocking the Non-Compete Rule on July 3.
* The CFPB similarly has made broad policy statements and issued "circulars" which may be affected post Loper.

#cybersecurity #law #SCOTUS
1
1 Comment -
Patrick Austin
DoD took another step on the path toward implementing the Cybersecurity Maturity Model Certification (CMMC) Program when it issued a proposed rule amending the Defense Federal Acquisition Regulation Supplement (DFARS). The proposed DFARS Rule includes solicitation and contract clauses that will apply CMMC to individual procurements and obligate defense contractors and subcontractors to store, process and transmit Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) only on information systems that have achieved the CMMC level required by the contract. There is also a significant new provision establishing a 72-hour notice period for “any lapses in information security.” The proposed rule neglects to define what would be considered a "lapse" sufficient to trigger the notice period. This ambiguity (not to mention another reporting obligation) is likely to present compliance challenges for the DIB.
1
-
Security Industry Association (SIA)
🔒New blog from SIA's Jake Parker! Latest Federal #DataPrivacy Proposal Stalls in Committee: What It Means for the #SecurityIndustry 📜Prior to the planned markup, SIA and 21 other national trade associations expressed concerns about this latest #APRA proposal and the problematic changes to its #biometric provisions. 🔗Learn more at the link in the comments!
2
1 Comment -
Cyber Security Outsource Service, LLC
10 years on: The 10th anniversary of the first indictment of Chinese PLA actors. On this Special Edition podcast, Dave Bittner speaks with guest Dave Hickton, Founding Director, Institute for Cyber Law, Policy, and Security at the University of Pittsburgh, and former US Attorney, on this 10th Anniversary of the first indictment of Chinese PLA actors. Hear directly from Mr. Hickton what led to the indictment, the emotions that went along with this unprecedented action, and the legacy of the event. #cyber #cybersecurity #cybersecurityjobs #technology #innovation #cyberjobs #management
-
Patrick Austin
If you're a defense contractor or subcontractor, this article is for you. With DoD issuing the final rule for the Cybersecurity Maturity Model Certification 2.0 program, it means new cybersecurity standards are right around the corner for the DIB community (likely in early 2025). The time to get CMMC compliant is now.
2
-
Simon Ulmer
Classical MFA (multi factor such as OTP and authenticator apps) was easily bypassed by these "Attacker in the middle" Phishing kits. Upgrade to Phishing resistant MFA is no longer an option but must be a top priority for any CISO serious about their security. Remember 90% of cyber attacks start with phishing!
6
-
Andrew Hopkins
I highly recommend First Breakfast - insightful analysis of topics critically important to our future. Shyam Sankar Nadia Schadlow I would add one topic to this analysis and that's DATA. So much of what we must build and deploy relies on data and we live with a data management model that hasn't changed in over 20 years - centralized mass storage of dumb data. This model is critically inefficient and we suffer from a chronic lack of data security and data integrity. Furthermore, we struggle with interoperability of data and an inability to acquire the "right data, at the right time and in the right format", a problem exacerbated by technical debt that costs us $trillions / year (Accenture). A radically new data management approach is needed, one that stores, manages and secures intelligent data where it is needed across the millions, if not billions, of devices. Intelligent data knows everything about itself including its provenance, lineage and chain of custody, is directly findable and is stored in a manner that makes it accessible by all authorized and trusted systems. Security, control, interoperability and rights enforcement are pushed into the data management system itself, eliminating the need for much of the infrastructure (ETL, MDM etc.). In summary, we must address the critical data issues and inefficiencies to take full advantage of the re-industrialization that I agree is sorely needed. Brian "Maddog" Maddocks
3
-
GPS Innovation Alliance (GPSIA)
Global conversations and coordinated global action to stop threats to public safety due to #GPS and #GNSS jamming and spoofing are long overdue. Read GPSIA Exec Dir Lisa Dyer's Op-Ed in SpaceNews to learn more about a WRC resolution and FAA Safety Alert for Operators that spotlight these threats. She also highlights a model for the GPS Community: the National IPR Coordination Center, which brings together global law enforcement, regulators, retailers, and other industry reps to address public safety and illicit trade. https://bit.ly/4d6oP77
8
-
Alison King
Baltimore, Maryland: Last week, on the fringe of the AFCEA TechNet Cyber Conference, Mike Walsh sat down with Francis Rose to chat about the DoD's Comply-To-Connect (C2C) program and how this investment made by Congress creates a net-positive wrt -- ✍ Executive Order 14028: 1️⃣ "It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order." 2️⃣ "To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity." Which requires the Federal Government to invest in and secure both Information Technology (IT) and Operational Technology (OT) systems. BL: The continuous monitoring, assessment, and security of all IT, IoT, and OT endpoints are both necessary and achievable to "build secure systems in untrusted networks" #ZeroTrust. ☠ 🌀 Volt Typhoon: 1️⃣ The discovery of Chinese malicious code embedded in the telecommunications systems used by the U.S. military in Guam, home to three strategic U.S. bases, sent waves through the national security community. The Chinese Communist Party (CCP) currently uses cyberspace to achieve espionage and intellectual property theft objectives. 2️⃣ However, they aspire to use malware hidden in our critical networks to disrupt our response to a future CCP invasion of Taiwan. BL: This cannot be overstated: denying the availability of weapon systems in the garrison is as effective as destroying them on the battlefield.
32
-
Randall Hettinger
Last week, Permiso Security released groundbreaking research on LLMjacking in collaboration with Brian Krebs (https://lnkd.in/gUcS_Feu). Our research dove into the exploitation of compromised non-human identities (NHI), specifically AWS access keys, resulting in illicit content. Read the full report here: https://lnkd.in/gQdCrAd6 Attackers have increasingly targeted services like SES, EC2, and IAM by leveraging compromised NHIs for various malicious activities. Our research sheds light on a new target - AWS Bedrock. As security leaders focus on AI security, addressing non-human identity security is paramount. It's essential to recognize that non-human identities are created and managed by human identities, there is no immaculate conception. But who created it? Who used it last? Has a particular identity ever assumed this shared credential? To bolster the security of digital enterprises, a comprehensive approach is crucial. Robust prevention and detection capabilities are vital to protect human and non-human identities across IDaaS, IaaS, and SaaS environments. Overcoming challenges like siloed security controls, fragmented environments, and identity sprawl is key to effectively managing identity risks and threats. Reach out for guidance on preventive and detective measures to take now and to learn how Permiso enables comprehensive real-time identity risk visibility and threat detection for all your identities across all environments.
17
1 Comment -
Josh Duvall
DOD issues class deviation, effective immediately, for its safeguarding covered defense information #cyber rule under DFARS 252.204-7012. This deviation amends the #defense regulation to specifically require compliance with NIST SP 800-171 rev. 2 until the deviation is rescinded. Because the pre-deviation language required compliance with the version of NIST SP 800-171 "in effect at the time the solicitation is issued," the deviation provides needed clarity as contractors not only prepare for DOD's upcoming #CMMC rule but also to avoid a compliance headache when NIST publishes rev 3 to #nist800171. #govcon
4
-
Shobhit M.
The RSA Conference's call for submissions has been extended through 10/06. Based on my experience of presenting two talks at RSAC 2024, several colleagues reached out for advice on writing abstracts that could improve their chances of selection. I recently shared some insights with a private group of security leaders; sharing the same here for the benefit of a broader audience: 𝗜𝘁'𝘀 𝗻𝗼𝘁 𝗮𝗯𝗼𝘂𝘁 𝘆𝗼𝘂 Many presenters struggle to understand that the talk is for the audience, not for them. As the presenter, you are already a SME on the topic, that’s why you are presenting. The focus should be on what the audience will learn and how they can apply it after your session, not how knowledgeable you are in the subject matter. 𝗧𝗲𝗹𝗹 𝘆𝗼𝘂𝗿 𝘀𝘁𝗼𝗿𝘆 𝘄𝗶𝘁𝗵 𝘁𝗵𝗲 𝗮𝗯𝘀𝘁𝗿𝗮𝗰𝘁 Don’t assume the panel reviewing your abstract submission is familiar with the specific technologies or internal projects you led. Engage them with your narrative. Explain your "why." Why did you start the project to begin with? What key metrics did you track throughout? What insights did you gain, and what will be the takeaways for the audience after the talk? 𝗛𝗶𝗴𝗵𝗹𝗶𝗴𝗵𝘁 𝘆𝗼𝘂𝗿 𝗲𝘅𝗽𝗲𝗿𝘁𝗶𝘀𝗲 𝗮𝗻𝗱 𝗰𝗿𝗲𝗱𝗲𝗻𝘁𝗶𝗮𝗹𝘀 Explain what qualifies you as an expert on the topic. Have you tackled these challenges in your current or past role? Can you demonstrate the significance and innovation of your project? Have you presented similar content at other conferences and how was it received? Do you have the relevant credentials to speak about the subject? 𝗔𝘀𝗸 𝘆𝗼𝘂𝗿𝘀𝗲𝗹𝗳 - 𝘄𝗵𝗮𝘁’𝘀 𝗻𝗲𝘄 𝗶𝗻 𝘁𝗵𝗶𝘀 𝘀𝘂𝗯𝗺𝗶𝘀𝘀𝗶𝗼𝗻 𝘁𝗵𝗮𝘁 𝗶𝘀 𝗻𝗼𝘁 𝗮𝗹𝗿𝗲𝗮𝗱𝘆 𝗶𝗻 𝘁𝗵𝗲 𝗼𝘁𝗵𝗲𝗿 𝗰𝗼𝗻𝗳𝗲𝗿𝗲𝗻𝗰𝗲 𝘁𝗮𝗹𝗸𝘀 𝗼𝗿 𝘀𝘂𝗯𝗺𝗶𝘀𝘀𝗶𝗼𝗻𝘀? If your talk covers common topics like "Threat Hunting with AI" or "Privacy Modeling with AI," your chances of selection are fairly slim. With so many talks on the same subject, your submission needs to offer something unique. What new angle or insight does your presentation provide? Highlight that. 
𝗠𝗮𝗸𝗲 𝘁𝗵𝗲 𝘁𝗶𝘁𝗹𝗲 𝗰𝗮𝘁𝗰𝗵𝘆 𝗮𝗻𝗱 𝗽𝗿𝗼𝘃𝗼𝗰𝗮𝘁𝗶𝘃𝗲 The title and 50-word description of the abstract are crucial. These are the first few sentences the selection panel will read. Is your title catchy enough to grab their attention in the first 30 seconds? For example - one of my talks last year was titled “What Compliance Automation Tools Don’t Automate” - a little provocative, but it worked. Compare that to the more generic “Limitations of Compliance Automation Tools,” which doesn't have the same punch as the former. Please reach out if you are submitting the abstract this year and need a second pair of eyes. #rsac #privacy #security #grc
52
-
NYU Program on Corporate Compliance and Enforcement
Beth Burgin Waller, Tony Mazzeo, and Patrick Austin discuss the United States Department of Defense's updated #cybersecurity requirements for #defensecontractors in NYU Program on Corporate Compliance and Enforcement's blog: https://lnkd.in/eqWS2ZXB Jennifer Arlen, Carolyn R Pautz, PhD, Florencia Fuentealba Baraona
7