Policy & Regulation: Page 2

CISA explains why it doesn’t call out tech vendors by name

Federal officials rarely criticize tech companies when their mistakes result in attacks. The stinging conclusions CSRB levied at Microsoft are an exception, not the norm.

By Matt Kapko • May 9, 2024

The US really wants to improve critical infrastructure cyber resilience

A report from the Office of the National Cyber Director highlights persistent threats targeting healthcare and water, echoing warnings from cyber officials earlier this year.

By David Jones • May 8, 2024

CISA, FBI urge software companies to eliminate directory traversal vulnerabilities

The software defects are linked to recent exploitation campaigns against critical infrastructure providers, including healthcare and schools.

By David Jones • May 7, 2024

How can AI companies navigate a complex regulatory framework? — Compliance Labels

The rapid unregulated growth in the field of artificial Intelligence has given rise to Large Language Models (LLM’s) such as GPT-4 and Gemini which has contributed to major technical advancements but has also been coupled with legal and ethical issues.

By Sai Prasad, Security Analyst, CyberProof, MS Cyber Security Risk Management '22 • May 6, 2024

Congress grills UnitedHealth CEO over Change cyberattack

Legislators slammed Andrew Witty over the company’s lack of cybersecurity practices and the impact of the breach, which may have compromised the data of a third of Americans.

By Emily Olsen • May 2, 2024

CISA warned 1,750 organizations of ransomware vulnerabilities last year. Only half took action.

More than half of CISA's ransomware vulnerability warning pilot alerts were sent to government facilities, healthcare and public health organizations.

By Matt Kapko • May 1, 2024

Hacktivists exploiting poor cyber hygiene at critical infrastructure providers

CISA, the FBI and international partner agencies want water, energy, agriculture and other sectors to immediately reset passwords and apply multifactor authentication.

By David Jones • May 1, 2024

FTC broadens health breach notification rule

Regulators have been pursuing more enforcement actions against health applications sharing consumers’ data. Friday’s final rule should give those actions more heft.

By Rebecca Pifer • April 29, 2024

CISA director pushes for vendor accountability and less emphasis on victims’ errors

Stakeholders need to address why vendors are delivering products with common vulnerabilities, which account for the majority of attacks, Jen Easterly said.

By Matt Kapko • April 25, 2024

Preparing for CISA’s Secure Software Development Attestation and PCI compliance updates with ASPM

With increased expectations and a prime position in the spotlight, AppSec teams need reliable tools that can act as a force multiplier for their AppSec programs.

April 22, 2024

Fears rise of social engineering campaign as open source community spots another threat

Federal officials are said to be investigating potential links between the recent XZ Utils campaign and new threat activity against JavaScript project maintainers.

By David Jones • April 16, 2024

Top officials again push back on ransom payment ban

In lieu of a ban, the Institute for Security and Technology advises governments to achieve 16 milestones, most of which are already in place or in the works.

By Matt Kapko • April 15, 2024

CISA to big tech: After XZ Utils, open source needs your support

The attempted malicious backdoor may have been part of a wider campaign using social engineering techniques, the open source community warned.

By David Jones • April 15, 2024

FBI director echoes past warnings, as critical infrastructure hacking threat festers

Chris Wray says adversaries from China, Russia and Iran are ramping up cyber, espionage and other threat activity against key sectors, including water, energy and telecommunications.

By David Jones • April 11, 2024

What’s going on with the National Vulnerability Database?

CVE overload and a lengthy backlog has meant the federal government’s repository of vulnerability data can’t keep up with today’s threat landscape.

By Matt Kapko • April 10, 2024

Industry stakeholders seek 30-day delay for CIRCIA comments deadline

Industry officials are asking for additional time to comb through hundreds of pages of detailed rules about disclosure of covered cyber incidents and ransom payments.

By David Jones • April 8, 2024

CISA assessing threat to federal agencies from Microsoft adversary Midnight Blizzard

Microsoft previously warned that the Russia-linked threat group was expanding malicious activity following the hack of senior company executives, which it disclosed in January.

By David Jones • April 5, 2024

What CISA wants to see in CIRCIA reports

The most consequential federal critical infrastructure cyber incident regulation will be on the books in 18 months. Here are some of CIRCIA's main asks.

By Matt Kapko • April 4, 2024

Microsoft Exchange state-linked hack entirely preventable, cyber review board finds

The technology giant’s corporate culture fell short on security investments and risk management, and needs significant reforms, according to a damning report by the U.S. Cyber Safety Review Board.

By David Jones • April 3, 2024

Progress Software continues to cooperate with SEC probe into MOVEit exploitation

The company said it still cannot quantify the potential impact of multiple government agency inquiries.

By David Jones • March 29, 2024

Boards need to brush up on cybersecurity governance, survey finds

SEC cyber disclosure rules are calling attention to corporate boards’ need to enhance their approach to cybersecurity oversight and compliance.

By Rosalyn Page • March 29, 2024

Water woes: A federal push for cyber mitigation is highlighting the sector’s fault lines

The water utility industry says they recognize the heightened threat environment, but the current federal push fails to account for their resource constraints.

By David Jones • March 28, 2024

CISA issues notice for long-awaited critical infrastructure reporting requirements

CIRCIA will require covered entities to promptly disclose major cyber incidents and ransomware payments.

By David Jones • March 27, 2024

Senior lawmaker questions UnitedHealth over Change cyberattack

Rep. Jamie Raskin, D-Md., said UnitedHealth’s “rapid consolidation and vertical integration” has major consequences for the healthcare sector, including increased control of the health IT market.

By Emily Olsen • March 27, 2024

The nation’s first academic space cybersecurity program welcomes the 2nd cohort

IU’s new Space Governance Lab is breaking new grounds (or spaces) again.

March 25, 2024