Jacob Horne’s Post

Remember back in 2016 when the DoD responded to concerns about small businesses being looped into DFARS 252.204-7012 cyber requirements? "𝘛𝘩𝘦 𝘷𝘢𝘭𝘶𝘦 𝘰𝘧 𝘵𝘩𝘦 𝘪𝘯𝘧𝘰𝘳𝘮𝘢𝘵𝘪𝘰𝘯 (𝘢𝘯𝘥 𝘪𝘮𝘱𝘢𝘤𝘵 𝘰𝘧 𝘪𝘵𝘴 𝘭𝘰𝘴𝘴) 𝘥𝘰𝘦𝘴 𝘯𝘰𝘵 𝘥𝘪𝘮𝘪𝘯𝘪𝘴𝘩 𝘸𝘩𝘦𝘯 𝘪��� 𝘮𝘰𝘷𝘦𝘴 𝘵𝘰 𝘤𝘰𝘯𝘵𝘳𝘢𝘤𝘵𝘰𝘳𝘴 (𝘱𝘳𝘪𝘮𝘦 𝘰𝘳 𝘴𝘶𝘣, 𝘭𝘢𝘳𝘨𝘦 𝘰𝘳 𝘴𝘮𝘢𝘭𝘭)." That's really just DoD following orders. NARA made things very clear in their CUI rule in 2016: "𝘛𝘩𝘦 𝘥𝘪𝘴𝘱𝘰𝘴𝘪𝘵𝘪𝘷𝘦 𝘪𝘴𝘴𝘶𝘦𝘴 𝘢𝘳𝘦 𝘯𝘰𝘵 𝘸𝘩𝘰 𝘱𝘳𝘰𝘵𝘦𝘤𝘵𝘴 𝘵𝘩𝘦 𝘪𝘯𝘧𝘰𝘳𝘮𝘢𝘵𝘪𝘰𝘯, 𝘸𝘩𝘦𝘵𝘩𝘦𝘳 𝘪𝘵 𝘪𝘴 𝘥𝘪𝘧𝘧𝘪𝘤𝘶𝘭𝘵 𝘰𝘳 𝘤𝘰𝘴𝘵𝘭𝘺 𝘵𝘰 𝘱𝘳𝘰𝘵𝘦𝘤𝘵 𝘪𝘵, 𝘰𝘳 𝘦𝘷𝘦𝘯 𝘩𝘰𝘸 𝘰𝘯𝘦 𝘨𝘰𝘦𝘴 𝘢𝘣𝘰𝘶𝘵 𝘱𝘳𝘰𝘵𝘦𝘤𝘵𝘪𝘯𝘨 𝘪𝘵; 𝘛𝘩𝘦 𝘥𝘪𝘴𝘱𝘰𝘴𝘪𝘵𝘪𝘷𝘦 𝘪𝘴𝘴𝘶𝘦 𝘪𝘴 𝘵𝘩𝘢𝘵 𝘤𝘦𝘳𝘵𝘢𝘪𝘯 𝘭𝘢𝘸𝘴 𝘰𝘳 𝘴𝘪𝘮𝘪𝘭𝘢𝘳 𝘢𝘶𝘵𝘩𝘰𝘳𝘪𝘵𝘺 𝘳𝘦𝘲𝘶𝘪𝘳𝘦 𝘵𝘩𝘦 𝘎𝘰𝘷𝘦𝘳𝘯𝘮𝘦𝘯𝘵, 𝘢𝘯𝘥 𝘣𝘺 𝘦𝘹𝘵𝘦𝘯𝘴𝘪𝘰𝘯, 𝘵𝘩𝘰𝘴𝘦 𝘸𝘩𝘰 𝘩𝘢𝘯𝘥𝘭𝘦 𝘰𝘳 𝘳𝘦𝘤𝘦𝘪𝘷𝘦 𝘪𝘵, 𝘵𝘰 𝘱𝘳𝘰𝘵𝘦𝘤𝘵 𝘵𝘩𝘪𝘴 𝘪𝘯𝘧𝘰𝘳𝘮𝘢𝘵𝘪𝘰𝘯." Well thanks to that policy small business defense contractors 𝗮𝗿𝗲 𝗶𝗻𝗰𝗹𝘂𝗱𝗲𝗱 in the proposed CIRCIA requirements. In the proposed CIRCIA rule §226.2 𝘈𝘱𝘱𝘭𝘪𝘤𝘢𝘣𝘪𝘭𝘪𝘵𝘺 is an either/or test. Entities are covered by the rule if they either: - Exceed the small business size standard or; - Meet a sector-based criterion When it comes to the DIB sector: "In developing the final rule requiring these contractors to report cyber incidents to DOD, DOD specifically addressed the need to include small businesses in the regulated population... Consideration of the factors enumerated in 6 U.S.C. 681b(c)(1) supports the inclusion of these entities within the description of covered entity." (p. 153) Think the rule affects too many companies? Here's a fun fact: CISA considered increasing the affected population to all critical infrastructure entities: "Under this alternative, the affected population would increase from 316,244 covered entities to 𝟭𝟯,𝟭𝟴𝟬,𝟰𝟴𝟯 𝗰𝗼𝘃𝗲𝗿𝗲𝗱 𝗲𝗻𝘁𝗶𝘁𝗶𝗲𝘀" (p. 390) The more you know.

The more I think about it the reason the CMMC Proposed Rule pinged so hard to NIST-SP-800-171 rev 2 has to be modeling out costs over seven years You can't reasonably model out cyber costs that far already. But when you calculate down to hour per headcount per security requirements. You can't have the number and types of security requirements change to an unknown and then predict cost. They had to pick one version for the rule change. This is the same reason we got a selected body of controls from NIST-SP-800-172. Cost estimations. You just can't switch measures and do estimates when the next measure is unknown. Does this proposed rule change to CFR 32 also include CFR 48 given that is where the proposed rule changes occur? Or will we see a CFR 48 revision pinging the security requirements to the version of NIST-SP-800-171 at time of award after CFR 32 is done? Wasn't that the OG plan? 32 then 48? Do people know? Paul N. Vincent Scott Scott Edwards Tara Lemieux Jacob Horne

Tomorrow is a key date for the SEC’s new cybersecurity disclosure requirements! Are you building the processes that you need to meet your disclosure obligations? From the SEC’s press release: ⏺ The Form 10-K and Form 20-F disclosures concerning cybersecurity risk management and governance will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. ⏺ The Form 8-K and Form 6-K disclosures concerning material cybersecurity incidents will be due beginning the later of 90 days after the date of publication in the Federal Register or December 18, 2023. ⬆ NOTE: The DoJ issued guidance earlier this week about how to request delays for reporting security incident disclosures in Form 8-K: https://lnkd.in/guEaNt9Q ⏺ Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure. Read the SEC’s press release here: https://lnkd.in/gqbg6rPf #privacy #security #sec

Routine security tests play a pivotal role in shielding your business against potential breaches and financial losses. In a world where businesses can’t afford to make mistakes, fortifying defenses through consistent and strategic security measures is crucial. Learn how to fortify your defenses by getting in touch for a no-obligation consultation. #RoutineTesting #CyberDefense #USCC

After reading this article, I’m not sure f there’s any actual value CMMC. Self attestation is still a thing, MSPs and security tool manufacturers bear no burden to comply. Many are focused on the cost associated with maintaining appropriate security versus the ongoing cost of intellectual property theft.Jacob Horne, I would love your take on this article.

This new rule requires that CISOs get a good grasp of what a “material” cyberattack would be, and begin to apply that standard to how they label incidents. The information security industry has been known for using fear, uncertainty, and doubt (FUD) rather than numbers to advocate for budgets or to sell products, but this recent ruling is going to force better risk measurement and communication in order to determine what constitutes “material” risk to the information security posture of public companies. Many believe that this rule is going to do for public companies what Sarbanes Oxley did for financial reporting. Some CISOs are cheering this rule because it’s going to bring into sharp relief their requests and pleas for budget and resources; others are terrified that they’ll be measured on a metric they don’t comprehend.

CISA released the Notice of Proposed Rulemaking on CIRCIA, Cyber Incident Reporting for Critical Infrastructure Act of 2022. We are now at the next stage in the very long period to get the implementation over the finish line. Another 18 months. The NPRM is 447 pages, so grab a cup of coffee. And be sure to stay awake for provision at end that talks about CRIMINAL LIABILITY for false statements in the report. Reporting deadlines are 72 hour from a substantial incident and 24 hours from a ransom payment. That's not new, given that NYDFS has similar timelines. But the proposed reporting requirement includes details the likes of which I have not seen in any other reporting requirement. This includes physical location of affected devices, and tremendous technical detail about the incident impact. But there's more! It also includes enforcement mechanisms for CISA to obtain additional information about incidents, including through the use of an RFI or Subpoena and court order. With the threat of criminal prosecution for false statements. Sounds like CISA believes the carrot approach has failed. The stick is out. There are many protections for the reporting, including that the reports will not waive privilege and would not be discoverable. More to come in the Debevoise Data Blog, but everyone should comment on this as it will lay the groundwork for future reporting requirements.

This is definitely a Christmas present for many #CISOs. We need to understand the material impact, and delaying is not something we want but likely will need. Sometimes, telling the world about a breach in progress may harm public safety or national security. So this rule was created to allow the Dept. of Justice (#DOJ) to delay incident disclosures. It will be interesting to see how many companies request the delay using this process. Either way, a good step.

💡 Seeking expert analysis on the latest CISA advisory AA23-352A? Look no further! AttackIQ has published a detailed response, outlining our strategic insights and practical recommendations. Read it now to enhance your threat intelligence capabilities and protect your organization effectively! #cyberthreats #securityintelligence