Tracking the Rollout of CMMC

The Cybersecurity Maturity Model Certification (CMMC) is a framework that requires companies contracting with the Department of Defense (DoD) to meet security standards based on the sensitivity of the data they manage. These standards, based on the National Institute of Standards and Technology's (NIST) SP 800-171 standard, have been in place for eight years, but CMMC further formalizes compliance.

As of November 10, 2025, Defense agencies require at least a Level 1 certification to award any new contract. To meet this requirement, companies must self-certify that they comply with 15 controls, specified by SP 800-171, that cover basic cyber hygiene. On November 10, 2026, DoD will require that Level 2 status for contracts dealing with Controlled Unclassified Information (CUI), which currently can be self-assessed, be verified through a third-party assessment of compliance with all 110 controls in the NIST standard. Then in 2027, contracting officers can start requiring those seeking Level 3 certification to undergo an assessment by the Defense Industrial Base Cybersecurity Assessment Center. A Level 3 requirement would apply to technology dealing with highly sensitive data or systems, where a breach could have far-reaching impact.

Strengthening the National Focus on Cybersecurity

The latest cybersecurity executive order, issued in June of 2025, aims to streamline past administrations' cybersecurity executive actions and strip mandates seen as overly prescriptive or ideological. It also introduces new guidelines and mandates to strengthen cyber practices within the government and private sector.

Key Updates to Historical Guidance

The order updates sanctioning policies from the Obama administration that allow the government to financially punish people involved in hacking activities that harm U.S. national security. This latest order "limits the application of cyber sanctions only to foreign malicious actors" to prevent the "misuse against domestic political opponents."

Cyber guidance issued in the waning days of the Biden administration encouraged government agencies to ramp up use of digital ID technologies. The latest EO strikes this mandate based on the belief that digital ID could lead to greater fraud and abuse.

Balancing AI’s Power with Privacy

Artificial Intelligence (AI) has incredible potential to speed decision-making and unearth connections between data to inform government services and programs. AI is being implemented across government and private industry with very little policy or regulation as to its development or use. In many ways, this lack of oversight is driving exciting innovation, but as this innovation leads to new uses, the risks of infringing on citizen rights and privacy increase.

Peter Parker (Spiderman) was warned, "with great power comes great responsibility." Similarly, AI developers need a voice providing gentle guidance as they figure out how best to use AI's power for good. In the fall of 2022, the White House released the AI Bill of Rights, designed to address concerns about how, without some oversight, AI could lead to discrimination against minority groups and further systemic inequality.

Schools Have to Learn the ABCs of Ransomware

Ransomware has traditionally been a practice where cybercriminals encrypt data and demand ransom in exchange for a decryption key. More recently, a growing number of these bad actors threaten to make this information public if they do not get paid. This shift in the practice of ransomware has increased the "attractiveness" of K-12 schools for cyber criminals. Information about children is among the most highly protected data there is, making it more likely ransoms will be paid to keep it private. For this and other reasons, K-12 schools are seeing an increase in ransomware activity. In 2021, there were at least 62 reported ransomware cases as compared to only 11 in 2018. 2021 also saw ransomware as the most common cyber incident for K-12 schools for the first time ever.

What Gets Compromised in a Ransomware Attack?

An incident in 2020 involving Fairfax County, VA Public Schools resulted in employee social security numbers being posted online. Hackers targeting a school district in Allen, Texas emailed parents with threats to expose their children's personal information if educators did not pay a ransom. Showing the full swing of ransomware impacts, from the serious to the mundane, a 2022 attack on the Griggsville-Perry School District in Indiana had many records compromised and leaked, including a detention slip from December 2014 for a student who would not stop interrupting his health class. This shows the breadth of access that hackers had to documents and has led many schools to reexamine their file retention policies to reduce the amount of data accessible to bad actors.

Security Takes a Leading Role in Acquisition

Recent security breaches via software have made supply chain security a priority across government. No longer is it enough to build security into a solution; now every product that is part of that solution is being examined for its security and risk. In response, the Biden Administration issued a Cybersecurity Executive Order that aims to provide more control over the content of code that comes in contact with government systems and infrastructure.