The FISMA Focus IPD

From: National Retail Federation

J. Craig Shearman

From: Princeton University

by Kathryn Lopez, Woodrow Wilson School of Public and International Affairs

“Cybersecurity” has been in the American lexicon for decades. The U.S. has typically taken a defensive approach to cyberwarfare, responding to attacks as they occur but leaving preventative strategy to private companies. But recent extensive invasions like the Sony Pictures Entertainment hack, the Target data breach and an attack on the White House network have called national attention to the sharp rise in cyberattacks, exposing the vulnerabilities of millions of Americans.

From: Lawfare

By Dan Geer

Science tends to take us places where policy cannot follow. Policy tends to take us places where science cannot follow. Yet neither science nor policy can be unmindful of the other. Here I will confine myself to six points where I see science, including applied science, asking us to look ahead (The following is necessarily short; for a longer treatment of the science of security, per se, see “T.S. Kuhn Revisited,” keynote to biennial meeting of NSF Principal Investigators, February 6, 2015.):

1. Identity
2. Ownership as perimeter
3. Control diffusion
4. Communications provenance

From: Silicon Republic

by John Kennedy

The damage to both reputation and finances caused by a security breach or cyberattack would put fear into the heart of any business owner — even before thinking about the potential lawsuits and fines that could follow.

Yes, failure to secure your systems means irate customers whose finances were compromised or identities stolen are well within their rights to sue you. And if you are a US-based company, class actions by angry shareholders are an ever-increasing reality.

***

From: Lexology

Alexander W. Major |  Sheppard Mullin Richter & Hampton LLP

Government contractors should take note of a proposed new rule that could impose significant new data storage obligations when finalized. The Federal Government is taking another baby-step towards cybersecurity regulation with a proposed rule intended to standardize protocols relating to designating and safeguarding unclassified information that is to be withheld from public disclosure (also known as “controlled unclassified information” (“CUI”)). See 80 Fed. Reg. 26501 (proposing amendments to 32 CFR Part 2002). On May 8, 2015, the National Archives and Records Administration (“NARA”) published a proposed new rule that goes a long way in creating a standardized system intended to replace the litany of improvised CUI control markings that have been used by various Federal agencies and, unintentionally, hindered inter-governmental information sharing for decades. The effort, however, is more than a simple housekeeping exercise, the re-designation of CUI will also bring changes to the manner in which contractor-generated information residing on contractor-owned systems is stored and secured.