Richard (Dick) Brooks

Our community-driven Software Bill of Materials (SBOM) working group published SBOM Sharing Primer which provides organizations with examples of how SBOM can be shared between different actors across the software supply chain. https://go.dhs.gov/3ky The SBOM sharing method examples are listed in order of sophistication for each SBOM lifecycle phase, however sophistication does not imply maturity or preferability. The SBOM sharing lifecycle includes discovery, access, and transport phases, and examples are listed by sophistication level to allow readers to identify similar SBOM-sharing mechanisms and consider additional methods. Innovators, builders, and standardizers are invited to join our community-driven efforts to create infrastructure and tools that all stakeholders can use. Learn more about streamlining your SBOM process and enhance your security strategy today! https://go.dhs.gov/3ky

49

1 Comment

CISA delivers #SBOM sharing primer. The community behind it put in the time to break down sharing methods by sophistication and sharing lifecycle. Each method comes with real-world examples, plus a rundown of the risks and benefits. It's a must-read!

5

If I created software (or firmware) to sell to DoD or Critical Infrastructure customers, I’d be learning how to share it’s Bill of Materials, just sayin ~ Security Industry Association (SIA)

2

The U.S. Department of Health and Human Services (HHS), through its Advanced Research Projects Agency for Health (ARPA-H), has introduced the Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program. The move works to bring together equipment manufacturers, #cybersecurity experts, and hospital staff to develop a tailored and scalable software suite for hospital #cyberresilience. The UPGRADE program effort intends to secure whole systems and networks of #medical #equipment to ensure mitigations can be deployed at scale. The UPGRADE platform will proactively assess potential vulnerabilities by examining digital models of hospital environments to identify software weaknesses. Upon detecting a threat, an automated remediation process, such as applying a patch, can be initiated. The remediation is then tested within the model environment and deployed seamlessly to the devices in use within a hospital, minimizing disruptions. With a commitment of over US$50 million, this cybersecurity initiative aims to develop tools that safeguard operations and ensure uninterrupted patient care. #Healthcare #Cybersecurity #Threatlandscape #Cyberattack #Cyberthreat https://lnkd.in/dYDBDPRk

7

According to Phil Englert of the Health-ISAC, Information Sharing and Analysis Centers for critical infrastructure sectors can play a key role in distributing Software Bill of Materials information across the supply chain to boost transparency. “ISACs, in particular, can be very useful as a distributor of SBOMs. They are a trusted source, and so we want to explore exactly what we could do there,” Englert said in a Wednesday presentation at the Cybersecurity and Infrastructure Security Agency’s “SBOM-a-Rama” https://lnkd.in/eCdYw_pv #sbom #healthit #medicaldevices

12

2 Comments

OpenID Connect specifications published as ISO standards I’m thrilled to report that the OpenID Connect specifications have now been published as ISO/IEC standards. I submitted the OpenID Connect specifications for publication by ISO as Publicly Available Specifications (PAS) for the OpenID Foundation in December 2023. Following the ISO approval vote, they are now published. This should foster even broader adoption of OpenID Connect by enabling deployments in jurisdictions around the world that have legal requirements to use specifications from standards bodies recognized by international treaties, of which ISO is one. See https://lnkd.in/g5aZF8CJ for links to the ISO specifications and more details. OpenID Foundation #OpenID #OpenIDConnect #ISO

220

8 Comments

Major #cybersecurity mandates are coming to the #transportation industry with the release of TSA's long awaited Notice of Proposed Rulemaking (NPRM) for permanent cybersecurity requirements and mandates on the surface transportation industry, which are broader than the existing Security Directives and covers public transportation agencies, #OTRB, #rail, #transit, #freightrail and #pipelines. In 2022, TSA released an Advanced Notice of Proposed Rulemaking (ANPRM) to lay out its vision for what permanent cybersecurity mandates should be fore #rail, #transit, #freightrail and #pipelines. The goal was to to replace the emergency security directives that were issued in 2021 as a result of the Colonial pipeline incident with a permanent structure. Today, the House Homeland Security held a hearing on the topic as well. The transportation industry will also be regulated by CISA with the upcoming CIRCIA rule as well. The new TSA rule has massive impacts across the industry and I strongly encourage everyone to review it: https://lnkd.in/eYSxYqy8 #criticalinfrastructure #nationalcriticalfunctions #cybersecurity #nationstateattacks #SLTT #

6

#CMMC requirements stand in the way of future #dod revenue making #CUI boundaries and audit navigation mission critical for #defensecontractors. Learn everything you need to know to stay competitive by registering now at > https://ow.ly/1CI450RggX9

6

Weekend reading ... Great summary article on the recent "secure by design" guidance provided by CISA and the FBI. The jointly issued Product Security Bad Practices report warns software manufacturers about bad practices such as using memory-unsafe programming languages like C/C++, and calls for wider adoption memory-safe languages; e.g. Rust: “The development of new product lines for use in service of critical infrastructure or [national critical functions] NCFs in a memory-unsafe language (e.g., C or C++) where there are readily available alternative memory-safe languages that could be used is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” the report says. Companies contributing products and solutions to national critical Infrastructure projects have until 1 January 2026 to develop memory safety roadmaps. Other risky practices called out include: - Default passwords. - Direct SQL injection vulnerabilities. - Lack of basic intrusion detection. - Missing multifactor authentication. I've long been a fan of "secure by design" practices ... take a read. https://lnkd.in/ghbXy5e8

5

Thomas Marsland offered me an opportunity to provide an early review of his new book, link below! My Amazon feedback; I'm including it here, as I was more than pleased with how he took such a joyless topic and breathed life into it. "I am not one to blow smoke and told him I'd give genuine feedback... Tom takes a topic as dry as the desert & and gives it life as lush as an oasis. Ok, that might be over the top, but you really can't understand how well Tom has woven in enough personality, so you can truly enjoy reading about this incredibly rigid material. He dissects the Risk Management Framework in a way that facilitates easy digestion and retainment of the material. As an Adjunct Professor of Cybersecurity curriculum, I would absolutely adopt this as required text for several of my courses. Seriously, Tom "break[s] down the framework into easy-to-understand topics..." He doesn't, "go into every detail, or provide every possible way you could implement the framework..." So it gets to the weeds, just not deep in them. I don't know if this will go live with graphics, attachments, or templates (not that it needs them) but there are no images currently in the text (just for those visual learners). But I assure you, Tom nailed it. The right info with just enough detail." https://lnkd.in/eJxu_da6

7

1 Comment

A step towards supply chain inventory and traceability.

3

The Advanced Research Projects Agency for Health (ARPA-H), a Department of Health and Human Services (HHS) agency, announced in a news release on May 20 the launch of the Universal PatchinG and Remediation for Autonomous DEfence (UPGRADE) program. This effort will invest over $50 million in tool creation for cybersecurity in healthcare systems. According to the press release, UPGRADE will “enable proactive evaluation of potential vulnerabilities by probing models of digital hospital environments for weaknesses in software.” Once a threat is identified, a patch can be tested and implemented with minimum interruption. https://lnkd.in/gd9Y-gYD

9

3 Comments

https://lnkd.in/eR5-_w6X Brad Flanagan, ENP, RPL, MPA thought I might share this one with you as well "In the rapidly evolving technology landscape, a significant shift is occurring — one that redefines our interaction with machines. The emergence of natural language commanding (NLC) is at the forefront of this revolution, becoming the primary interface for human-machine interactions." #HMI #HumanMachineInterface #NaturalLanguageCommanding #NLC #ConversationalAI #AI #ArtificialIntelligence

4

1 Comment

This is groundbreaking news. Within cimt ag, we help organizations improve their data quality and build lightweight MDM solutions for the benefit of #digitaltransformations and #AI initiatives, using the #DAMA framework and applying various #ISO standards for data standardization. The collaboration between Global Legal Entity Identifier Foundation (GLEIF) and ISO was a link we have long awaited and one that further embeds enterprise identification in the value chain of organizations. If you want to know more about how cimt ag can help your organization with your data quality and embedding this Global Legal Entity Identifier Foundation (GLEIF) API please send a short message to [email protected] #cimt-ag #LEI #ISO17442 #vLEI #GLEIF #DAMA

10

State the obvious: The $8 Billion CDM investment made thus far by CISA has a major technical problem to face. By incorporating several commercial products into an API meshed security framework, The Booz-Produced CDM has become incapable of delivering continuous rapid inquiries because the products selected and integrated have all been built using disparaging programming languages. So, just imagine the "Chaos" when a critical artifact cannot be cross-correlated in real time! We need to make CDM (Continuous Diagnostics & Mitigation) better, and there is a solution and you can get it today! Enter Anamo, the CDM solution! Anamo is the patented SaaS CDM that solves the critical problem and dilemma of disparaging programming languages. Anamo achieves this functional logic while at the same time automating data collection without End-User data entry for product enablement.  Hold-on now.... and imagine that... no data entry! Anamo is affordable, easy to install, it delivers “Never-Before-Seen” cybersecurity capabilities, and it's commercially available today! The newest version of Anamo will be available this October 1st!

1

The Health Sector Cybersecurity Coordination Center (HC3) in the U.S. Department of Health and Human Services (HHS) published an analyst note detailing that a distributed-denial-of-service (DDoS) attack as a type of cyber attack in which an attacker uses multiple systems, often referred to as a botnet, to send a high volume of traffic or requests to a targeted network or system, overwhelming it and making it unavailable to legitimate users. With the number of #DDoS attacks increasing every year, they can come at any time, impact any part of a website’s operations or resources, and lead to massive amounts of service interruptions and huge financial losses.   “In the #health and #publichealth (HPH) sector, they have the potential to deny #healthcare organizations and providers access to vital resources that can have detrimental impact on the ability to provide care,” the HC3 said in the Wednesday note. “Disruptions due to a cyberattack may interrupt business continuity by keeping patients or healthcare personnel from accessing critical #healthcare assets such as electronic health records, software-based #medical equipment, and websites to coordinate critical tasks.” https://lnkd.in/gccFTUfe

7

Honored to have my article published by CDO Magazine. I think it's an extremely important topic and it's also a requirement of ISO/IEC 27001:2022 #iso27001 #climatechange #CISO #CRO #CIO #cybersecurity #collaborationforum #CDO #PECB

6