The latest from OODA Loop Contributor Emilio Iasiello: In June 2024, the Office of the National Cyber Director (ONCD) released its report Summary of the 2023 Cybersecurity Regulatory Harmonization Request for Information, a government effort whose purpose is to find a path forward to creating a comprehensive framework to strengthen cybersecurity resilience across all sectors; simplify oversight and responsibilities of cyber regulators; and reduce administrative burden and cost on those organizations regulated. The RFI adhered to Strategic Objective 1.1 of the 2023 National Cybersecurity Strategy, “Establish Cybersecurity Requirements to Support National Security and Public Safety.” Eighty-six organizations responded to the RFI, representing the critical infrastructure sectors, as well as state and local government associations, academia, and non-profit and professional organizations. The report found three major outcomes from those that responded to the survey: 1) lack of harmonization and reciprocity impacted cybersecurity outcomes while inflicting high compliance costs; 2) regulatory harmonization had challenges that extended to all sectors and organizations of all sizes and crossed jurisdictions; and 3) it was well within the U.S. government’s ability to address these existing challenges. https://lnkd.in/eqU486u9
Daniel Pereira’s Post
More Relevant Posts
-
Following up on its request for information (RFI) on cybersecurity regulatory harmonization and regulatory reciprocity, the Office of the National Cyber Director, The White House (ONCD) released a summary on Tuesday of the 86 responses received and the key findings. These came from representatives of 11 out of 16 #criticalinfrastructure sectors, alongside trade associations, nonprofits, and research bodies. Collectively, these respondents, many of whom are membership organizations, represent more than 15,000 businesses, state entities, and other organizations. Three key findings from the responses include that lack of #harmonization and #reciprocity harms cybersecurity outcomes while increasing compliance costs through additional administrative burdens. Many respondents noted that compliance spending drew resources from cybersecurity programs. It also found that challenges with #cybersecurity regulatory harmonization and reciprocity extend to businesses of all sectors and sizes and that they cross jurisdictional boundaries. Respondents highlighted inconsistent or duplicative requirements across international and state regulatory regimes. https://lnkd.in/gJjV_KKW
ONCD summarizes cybersecurity RFI responses, cites harmonization and reciprocity issues across sectors
industrialcyber.co
-
NASCIO has been tirelessly advocating for harmonizing federal #cybersecurity regulations to streamline processes, reduce costs and enhance security outcomes for state governments. Here's a look at some of our journey through the years:

2015: NASCIO members met with Federal CIO Tony Scott to discuss updating and harmonizing federal agency rules impacting state IT. Our goal was to address outdated technology rules and inconsistent application by federal agencies, which hinder state innovation and modernization efforts.

2016: At our 2016 Fly-In, we emphasized the need for a strong federal-state partnership in cybersecurity, engaging with DHS, IRS, and FirstNet. This collaboration aimed to leverage federal cybersecurity resources and address regulations like IRS Publication 1075, often impeding state IT optimization.

2017: NASCIO and the National Governors Association (NGA) sought the engagement of the Office of Management and Budget (OMB) to harmonize disparate federal cybersecurity regulations and normalize the audit process. This effort aimed to alleviate the regulatory burden on states and promote IT consolidation and optimization.

2020: A GAO report affirmed NASCIO's call for harmonizing federal cybersecurity regulations, recommending that federal agencies collaborate on requirements and assessments of state agencies. This report underscored the importance of reducing audit burdens and fostering a more collaborative regulatory environment.

As we look ahead, we remain committed to working with our federal partners to secure citizen data, optimize state IT, and achieve cost savings through unified and efficient cybersecurity regulations.
-
Join us for the #ACCNCR Cybersecurity in Government Contracting Conference, Tues., April 16, 8:30 AM to 1:30 PM, Maggiano's Little Italy, 2001 International Dr., McLean, VA 22102. Presented by Sheppard Mullin, Venable, and Crowell & Moring.

Join us for our first-ever conference focused on educating in-house counsel working for government contractors on the myriad of cybersecurity regulations that continue to evolve and impact contractors across their enterprises. Attendees will gain insights into the latest cybersecurity developments and trends specific to government contracting, learn best practices and strategies when faced with a cyber incident, understand proactive strategies for mitigating these risks, stay current on regulatory enforcement activity, and network with fellow government contracting professionals, all while exploring innovative solutions to address cybersecurity challenges.

Session 1: Who's Afraid of the Big Bad Wolf: The Latest on Cybersecurity Regulatory Updates, 9 AM - 10 AM, Presented by Sheppard Mullin Richter & Hampton LLP

The session will cover the latest rulemaking developments for federal contractors and best practices regarding cyber compliance, secure software development, and security incident reporting and information sharing including:
- The current status of rulemaking stemming from the Biden Administration’s Executive Order 14028 on Improving the Nation’s Cybersecurity
- Open FAR cases and proposed rules on cybersecurity, including Cyber Threat Incident Reporting and Information Sharing (FAR Case 2021-017), Standardizing Cybersecurity Requirements for Unclassified Federal Information Systems (FAR Case 2021-019), and Open FAR cases on secure software development and protection of Controlled Unclassified Information (CUI)
- Latest updates on the Cybersecurity Maturity Model Certification program and proposed rules from Department of Defense
- New agency regulations, including those from the Department of Homeland Security and the Department of Veterans Affairs
- CISA regulations stemming from the Cyber Incident Reporting for Critical Infrastructure Act (due March 2024)
- The 2023 SEC cybersecurity disclosure rule

The panel will provide practical advice regarding steps businesses can take TODAY to prepare for future final cyber regulations. The discussion will also uncover common themes in these cybersecurity regulations and how companies can use them to develop a holistic and mature cybersecurity program. Presented by Townsend Bourne, Partner and Government Business Group Co-Leader, and Scot Huntsberry, Investigations Specialist and retired FBI Supervisory Special Agent, at Sheppard Mullin, and Christine Ricci, General Counsel, Global Security & Digital Technology and Chief Privacy Officer at GE Aerospace. Find a detailed agenda with session summaries and registration details here: https://lnkd.in/eTgbVn2B
-
Chief Growth Officer at Loopli | Empowering Secure Digital Transformation in Information Security & Compliance
The requirement for the Cybersecurity and Infrastructure Security Agency (CISA) to publish a final rule by October 2025 will have significant impacts on information security and businesses in the US:

What are the Implications for Information Security?
1. Regulatory Standards: Establishes clear cybersecurity standards and practices.
2. Enhanced Measures: Businesses must adopt more stringent security protocols.
3. Compliance: Increased enforcement and accountability.

What are the Implications for Businesses?
1. Operational Adjustments: Updates to cybersecurity policies and infrastructure.
2. Cost Implications: Investment in new tools, expertise, and compliance audits.
3. Risk Management: Proactive assessment and mitigation of cybersecurity risks.
4. Legal/Financial Impact: Penalties for non-compliance.
5. Competitive Edge: Businesses with strong cybersecurity may gain an advantage.

What are some Preparation Steps for Businesses?
1. Stay Informed: Follow updates from CISA.
2. Gap Analysis: Identify and address deficiencies in current practices.
3. Training: Educate employees on new requirements.
4. Seek Expertise: Use consultants to ensure compliance.
5. Update Policies: Regularly review and revise cybersecurity policies.

Preparing for the final rule will enhance security, ensure compliance, and protect businesses from threats and penalties. https://lnkd.in/eYzMCyJ6
Companies Sharply Criticize Draft U.S. Cyber Reporting Rules
wsj.com
-
CMMC for all? In a recent blog post from the cyber security czar, Harry Coker, the White House is calling on Congress to streamline the cybersecurity regulations for all government contractors. Why, you might ask? Well, think about a firm that works with multiple agencies. Compliance spending costs money… a lot of money. If a small firm works for a number of agencies and they require that one firm to meet different requirements AND submit to multiple compliance assessments, well, the cost might be too much to bear. “It was overwhelmingly evident that respondents believe that there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness. This was true for businesses of all sectors and of all sizes,” Coker wrote. By streamlining cybersecurity, it can reduce costs significantly, and more importantly lower the barrier to entry for new firms looking to stay safe while supporting the US government. Which brings us back to the top question: could this mean CMMC is coming for everyone? CMMC, or the Cybersecurity Maturity Model Certification, in short, is a cybersecurity certification process that focuses on the cybersecurity requirements of the Department of Defense, based off a standard by the National Institute of Standards and Technology, or NIST, called NIST 800-171. While it will only be a requirement to bid on contracts for the Department of Defense, a number of agencies like DHS, HHS, and GSA, to name a few, have been closely watching the rollout and potentially putting the same requirement into their contracts. If this comes to fruition, it only makes sense that the rest of the governmental agencies follow suit. So what do you think? Is streamlining the process good, and if so, what are your thoughts on CMMC being the gold standard for all government contracts? Comment below with your thoughts. https://loom.ly/KZfg-MY
White House urges streamlined cyber rules following industry feedback
nextgov.com
-
"It was overwhelmingly evident that respondents believe that there was a lack of cybersecurity regulatory harmonization and reciprocity and that this posed a challenge to both cybersecurity outcomes and to business competitiveness. This was true for businesses of all sectors and of all sizes. Partners raised concerns not only about a lack of harmonization and reciprocity across Federal agencies, but also between state and Federal regulators and across international borders. In a world in which there is increasing fragmentation of cybersecurity regulations, what we have been hearing from our international partners and multi-national companies is they are looking to the United States government to lead. Many of those who responded lamented a lack of reciprocity to date, noting that investments in compliance across multiple regulatory regimes intended to control the same risk resulted in a net reduction in actual programmatic cybersecurity spending. These responses have confirmed the scope of the challenge and helped us chart a path forward." https://lnkd.in/eZgdbKFW
We Need to Harmonize Cybersecurity Regulations, What We Heard From our Partners | ONCD | The White House
whitehouse.gov
-
Compliance and cybersecurity professionals know all too well the challenges of navigating increasingly complex and varied cybersecurity regulations mandated at the federal and state level. This challenge has finally been recognized by lawmakers, who have recently introduced bipartisan legislation to establish a comprehensive framework for harmonizing cybersecurity regulations across the federal government. The intent is to establish a system for coordinating cyber regulations to enhance consistency and understanding across federal contractors to better address evolving cyber threats. This effort recognizes that regulations released in agency silos increase regulatory burden and impair contractors’ ability to effectively implement cybersecurity programs, as one metric of note states: “By some estimates, cybersecurity teams are spending 40 to 70% of their time on compliance rather than improvements to their cybersecurity”. As the bill is still in its initial stages, it is unclear how it may be amended or if it will ultimately be passed. But its introduction is a welcome effort for contractors looking to secure their networks and information while complying with contractual requirements. https://lnkd.in/e8y66m6S
Peters and Lankford Introduce Bipartisan Bill to Harmonize Federal Cybersecurity Regulations - Committee on Homeland Security & Governmental Affairs
https://www.hsgac.senate.gov
-
Great practical org security baseline implementation guide from the Center for Internet Security 🛡️ A Guide to Defining Reasonable Cybersecurity reflects the expertise of recognized technical cybersecurity and legal experts that partnered with the Center for Internet Security® (CIS®) to define reasonable cybersecurity. In a digital era where cyber threats have become increasingly potent and pervasive, the concept of reasonable cybersecurity is assuming greater significance. "Reasonable cybersecurity" is a phrase that has broad implications across various sectors, especially for businesses that handle sensitive data. Yet the definition lacks clarity and fails to specify what an organization must do to meet the standard of reasonable cybersecurity. A Guide to Defining Reasonable Cybersecurity v1.1 updates the initial release by clarifying details about a reasonable security test, includes further details about risk methodologies, and provides updated information regarding states that are leading the way to achieve reasonable cybersecurity. It also includes minor revisions to maintain consistency with the current version of the CIS Critical Security Controls (CIS Controls). https://lnkd.in/gAh3E69m
Reasonable Cybersecurity Guide
cisecurity.org
Cyber Intelligence Consultant and Published Author
5mo
Thank you Daniel Pereira and OODA LLC!!