Wednesday, June 22 2022

At a glance.

  • CMMC troubles for small contractors.
  • CISA’s upcoming incident reporting rules.
  • The FTC’s blog post on breach disclosure in the United States.

US government small contractors struggle with CMMC.

README discusses the US Cybersecurity Maturity Model Certification (CMMC) program and the challenges it poses for small defense contractors. Under the program, around 80,000 companies that sell to the US military will need to pass a cybersecurity audit before they can bid, and many are unprepared for the bureaucracy and high costs that CMMC compliance will likely entail. Michael Dunbar, president of a small fuels and lubricants company that works with the DOD, said of the new requirements, “We were going to have to comply with this stuff, but they kept using all these different acronyms, and I had no idea what it all meant.”

Initially stalled by a wave of criticism from industry advocates who felt the program was unnecessarily complicated and restrictive, the CMMC was overhauled by the Biden administration in late 2021. Under CMMC 2.0, the majority of defense contractors will fall under “CMMC Level One”, where the only requirement is a self-assessment. However, even a self-assessment is likely to overwhelm smaller contractors like Dunbar, who are ill-equipped to navigate the level of cybersecurity knowledge CMMC demands. And for Level Two companies, the cost of the required compliance assessments could be crippling.

What to expect from CISA’s incident reporting rules.

When the US Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March, the Cybersecurity & Infrastructure Security Agency (CISA) was given two years to craft the proposed rules. Although CISA has not yet finalized the CIRCIA rules, on April 7 the agency provided guidance to stakeholders on reporting cyber incidents, and JDSupra offers an overview of CISA’s priorities. The guidance describes what to share, whom to share it with, and how to share information about unusual cyber activity. CISA offers three mechanisms for sharing information about cyber events: filling out an incident report form in the CISA Incident Reporting System, sending an email to [email protected], or sending details of phishing attempts to [email protected]. Although CISA has two years to finalize the rules, it is expected to issue additional guidance in an NPRM before that date.

Informal FTC breach reporting guidelines.

Still on the subject of incident reporting requirements, last week the Federal Trade Commission (FTC) Office of the CTO and the Division of Privacy and Identity Protection published a blog post highlighting the importance of breach disclosure. Although no section of the Federal Trade Commission Act imposes an express data breach notification requirement, the FTC advises that in some cases there may be a de facto data breach notification requirement, and it encourages companies to take this into account when designing their incident response plans. In fact, the post states: “Regardless of whether breach notification law is enforced, a breached entity that fails to disclose information to assist parties in mitigating reasonably foreseeable harm may be in violation of Section 5 of the FTC Act.” As the National Law Review explains, the post goes on to describe recent real-life incidents in which reporting failures were deemed unfair or deceptive business practices and led to enforcement action.
