Information Technology Navigator

Tips, Advice & Insights from Technology Pros

Public Company CISOs Beware: The SEC Is No Longer Playing Nice


On October 30, 2023, the US Securities and Exchange Commission (SEC) announced fraud charges against SolarWinds and its former chief information security officer (CISO), alleging that “SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments.” This comes on the heels of the SEC’s newly implemented rules for disclosures relating to cyber risk. Publicly traded companies (along with pre-IPO and foreign private issuers) must now adhere to new and prescriptive rules requiring the disclosure of “material cybersecurity incidents” as well as annual disclosures relating to “cybersecurity risk management, strategy, and governance.”

There is a lot going on with all the recent SEC and cyber headlines, so let’s break it down piece by piece. This blog outlines several high-level calls to action that CISOs and their stakeholders should consider as they work through their cyber risk strategy and their cyber and/or directors and officers (D&O) insurance renewals.

Tue, Dec 05, 2023

CMMC 2.0 Timeline — Where Are We Now?

It’s been almost a year since we wrote about the risks of delaying CMMC (Cybersecurity Maturity Model Certification) compliance. The only thing that has remained constant since then is that CMMC is not going away. There have been many noteworthy recent developments in DoD supply chain news relating to the updates DIB contractors must make to comply with the DFARS 7012 requirements for safeguarding CUI (controlled unclassified information). The CMMC 2.0 final rulemaking timeline continues to shift from over the horizon to right around the corner, and the recently released draft of NIST 800-171 revision 3 amplifies concerns about upcoming changes to the framework that would require additional protections from prime and subcontractor organizations supplying the DoD.

Thu, Aug 24, 2023

A Primer on the CMMC Ecosystem

An Introduction to Cybersecurity for the Defense Industrial Base:

In today's digital age, cybersecurity is of paramount importance, particularly for organizations within the Defense Industrial Base (DIB). In January 2020, the United States Department of Defense (DoD) introduced the Cybersecurity Maturity Model Certification (CMMC) framework, building upon established cybersecurity standards from National Institute of Standards and Technology (NIST) Special Publication 800-53 and NIST Special Publication 800-171. These publications are closely aligned with the CMMC 2.0 requirements, providing essential guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. In addition, the DFARS 252.204-7020 clause requires contractors to undergo an assessment of their implementation of NIST SP 800-171 controls by an accredited third-party assessment organization; the assessment evaluates a DIB contractor's compliance with the security requirements outlined in NIST SP 800-171 and provides assurance that adequate safeguards are in place to protect CUI.

Tue, Jun 13, 2023