73 matches found
Hearing on the Federal Government and AI
On Thursday I testified before the House Committee on Oversight and Government Reform at a hearing titled "The Federal Government in the Age of Artificial Intelligence." The other speakers mostly talked about how cool AI was--and sometimes about how cool their own company was--but I was asked by...
A new alert system from CISA seems to be effective — now we just need companies to sign up
One of the great cybersecurity challenges organizations currently face, especially smaller ones, is that they dont know what they dont know. Its tough to have your eyes on everything all the time, especially with so many pieces of software running and IoT devices extending the reach of networks...
The private sector probably isn’t coming to save the NVD
I wrote last week about the problems arising from the massive backlog of vulnerabilities at the U.S. National Vulnerability Database. Thousands of CVEs are still without analysis data, and the once-reliable database of every single vulnerability thats disclosed and/or patched is now so far behind...
A Cyber Insurance Backstop
In the first week of January, the pharmaceutical giant Merck quietly settled its years-long lawsuit over whether or not its property and casualty insurers would cover a $700 million claim filed after the devastating NotPetya cyberattack in 2017. The malware ultimately infected more than 40,000 of...
Navigating the AI security landscape: The federal push for responsible AI adoption
This blog post discusses the U.S. government's commitment to responsible AI through the Executive Order and proposed legislation, outlines key provisions for AI risk management, highlights efforts to strengthen federal AI governance, and emphasizes Coalfire's role in promoting responsible AI...
CISA Requests Comment on Draft Secure Software Development Attestation Form
CISA has opened a 30-day Federal Register notice to receive public comment on the draft Secure Software Development Attestation Form. CISA developed this form in coordination with the Office of Management and Budget. With the Secure Software Development Attestation Form, federal departments and...
CISA Releases its Open Source Software Security Roadmap
Today, CISA released an Open Source Software Security Roadmap to lay out—in alignment with the National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan—how we will partner with federal agencies, open source software OSS consumers, and the OSS community, to secure OSS...
US dangles $10 million reward for information about Cl0p ransomware gang
The US Department of States national security rewards program, Rewards for Justice RFJ, is offering a reward of up to $10 million for information linking the Cl0p ransomware gang, or any other malicious cyber actors targeting US critical infrastructure, to a foreign government. Advisory from...
Adopting an Effective and Easy To Implement Zero Trust Architecture
Security professionals employed by a federal agency, supplier, or regulated private sector firm are often challenged by long lists of required cybersecurity rules that can seem endless and unchanging. White House Executive Orders, FedRAMP requirements, CISA Binding Operational Directives, NIST...
To Keep Up With Cybersecurity Laws, Go 'Federal First'
With new cybersecurity laws and regulations rolling out, the best way to maintain broad compliance is to align with the most stringent frameworks. In the U.S., that means taking a ‘federal first’ approach—conforming to the highest security requirements of the United States federal government...
President Biden Signs Executive Order Restricting Use of Commercial Spyware
U.S. President Joe Biden on Monday signed an executive order that restricts the use of commercial spyware by federal government agencies. The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper...
President Biden Signs Executive Order Restricting Use of Commercial Spyware
U.S. President Joe Biden on Monday signed an executive order that restricts the use of commercial spyware by federal government agencies. The order said the spyware ecosystem "poses significant counterintelligence or security risks to the United States Government or significant risks of improper...
Goodbye SHA-1: NIST Retires 27-Year-Old Widely Used Cryptographic Algorithm
The U.S. National Institute of Standards and Technology NIST, an agency within the Department of Commerce, announced Thursday that it's formally retiring the SHA-1 cryptographic algorithm. SHA-1, short for Secure Hash Algorithm 1, is a 27-year-old hash function used in cryptography and has since...
CISA Requests Public Comment on CISA’s TIC 3.0 Cloud Use Case
CISA has released Trusted Internet Connections TIC 3.0 Cloud Use Case for public comment. TIC is a federal cybersecurity initiative intended to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications. TIC use cases provide...
CISA Releases Secure Cloud Business Applications (SCuBA) Guidance Documents for Public Comment
CISA has released draft versions of two guidance documents—along with a request for comment RFC—that are a part of the recently launched Secure Cloud Business Applications SCuBA project: Secure Cloud Business Applications SCuBA Technical Reference Architecture TRA Extensible Visibility Reference...
The federal Zero Trust strategy and Microsoft’s deployment guidance for all
You’d be forgiven for missing the White House announcement on federal Zero Trust strategy on January 26, 2022.1 After all, on that day alone a Supreme Court Justice announced his intention to retire, the Federal Reserve announced its plan to raise interest rates, and the State Department was busy...
CISA Releases Final Version of Guidance: IPv6 Considerations for TIC 3.0
CISA has released the final version of Internet Protocol version 6 IPv6 Considerations for Trusted Internet Connections TIC 3.0. This guidance supports the federal government-wide deployment and use of the modernized network protocol. The final version includes feedback provided during the public...
The 2021 Naughty and Nice Lists: Cybersecurity Edition
Editor’s note: We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of...
New Federal Government Cybersecurity Incident and Vulnerability Response Playbooks
The White House, via Executive Order EO 14028: Improving the Nation’s Cybersecurity, tasked CISA, as the operational lead for federal cybersecurity, to “develop a standard set of operational procedures i.e., playbook to be used in planning and conducting cybersecurity vulnerability and incident...
The critical role of Zero Trust in securing our world
We are operating in the most complex cybersecurity landscape that we’ve ever seen. While our current ability to detect and respond to attacks has matured incredibly quickly in recent years, bad actors haven’t been standing still. Large-scale attacks like those pursued by Nobelium1 and Hafnium,...