Photo of Jonathan E. Meyer

Jonathan Meyer is a partner in the Government Contracts, Investigations and International Trade Practice Group in the firm's Washington, D.C. office.

NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the implementation of a minimum set of controls is required for protecting federal information systems, NIST envisions that these control baselines can be implemented by any organization that processes, stores, or transmits information.
Continue Reading NIST Finalizes Guidance on Security and Privacy Control Baselines – SP 800-53B

Israel’s Privacy Protection Authority recently announced that Privacy Shield can no longer be relied on for data transfers between Israel and the United States. Israel did not have a direct Privacy Shield arrangement with the U.S., instead permitting the many Israeli companies that exchange data with their American counterparts to rely on a provision of its Privacy Protection Regulations that allows for transfers of data to any country that receives data from the EU under the same terms of such transfer.
Continue Reading Israel Follows Europe’s Lead on Privacy Shield

After many years of being in draft form, NIST recently released its final version of Revision 5 of Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations to address a need for a more proactive and systematic approach to cybersecurity. With the release of Revision 5, NIST hopes to provide updated security and privacy controls that will make information systems more penetration resistant, limit damages from cyber-attacks, make systems more cyber-resilient, and protect individuals’ privacy. NIST intends this update to be usable by a more diverse set of consumer groups than previous iterations of the document permitted.
Continue Reading NIST Issues Long-Awaited Final Guidance on Security and Privacy Controls – SP 800-53

NIST’s new draft guidance, Special Publication 800-53B, Control Baselines for Information Systems and Organizations, provides important information on selecting both security and privacy control baselines for the Federal Government. These control baselines are from NIST Special Publication 800-53 and have been moved to this separate publication “so the SP 800-53 [can] serve as a consolidated catalog of security and privacy controls regardless of how those controls [are] used by different communities of interest.”   The new guidance addresses federal information systems and is applicable to information systems used or operated by an agency, a contractor on behalf of an agency, or another organization on behalf of an agency.
Continue Reading NIST Issues Draft Guidance on Security and Privacy Control Baselines – SP 800-53B

NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.
Continue Reading NIST Proposes Draft Enhanced Security Requirements for Protecting CUI

On Friday, May 29, the Cybersecurity and Infrastructure Security Agency (CISA) issued the first in a series of six Cyber Essentials Toolkits.  These toolkits are described as “bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential,” focused on building a company’s cyber readiness.
Continue Reading CISA Issues First Installment of Cyber Essentials

The FTC recently issued comments on how companies can use artificial intelligence tools without engaging in deceptive or unfair trade practices or running afoul of the Fair Credit Reporting Act. The FTC pointed to enforcement it has brought in this area, and recommended that companies keep in mind four key principles when using AI tools. While much of their advice draws on requirements for those that are subject to the Fair Credit Reporting Act (FCRA), there are lessons that may be useful for many.
Continue Reading FTC Provides Direction on AI Technology

Cybersecurity Maturity Model Certification (“CMMC”) v.1.0, after releasing several draft versions of the document over the past year. In an effort to enhance supply chain security, the CMMC sets forth unified cybersecurity standards that DOD contractors and suppliers (at all tiers, regardless of size or function) must meet to participate in future DOD acquisitions. Through the CMMC, DOD adds cybersecurity as a foundational element to the current DOD acquisition criteria of cost, schedule, and performance. We have previously discussed CMMC on our Government Contracts & Investigations Blog.
Continue Reading CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity

In response to the killing of Major General Qassim Suleimani, the government of Iran and its supreme leader, Ayatollah Ali Khamenei, have declared the country’s intention to strike back at the United States. According to reports, their desire is to respond proportionally, but not start a war, and they are contemplating multiple options, any subset of which they may implement.
Continue Reading Iran’s Imminent Cybersecurity Threat

The Department of Homeland Security Cybersecurity & Infrastructure Security Agency recently released its Cyber Essentials guide. Consistent with the NIST Cybersecurity Framework, these Cyber Essentials provide “a starting point to cyber readiness,” and are specifically aimed at small businesses and local government agencies that may have fewer resources to dedicate to cybersecurity.  The guide suggests a holistic approach for managing cyber risks, and is broken down into six “Essential Elements of a Culture of Cyber Readiness:” (1) Yourself; (2) Your Staff; (3) Your Systems; (4) Your Surroundings; (5) Your Data; and (6) Your Actions Under Stress. The final section of the guide provides a list of steps that can be taken immediately to increase organizational preparedness against cyber risks. These include backing up data, implementing multi-factor authentication, enabling automatic updates, and deploying patches quickly.
Continue Reading CISA Releases “Cyber Essentials” to Assist Small Businesses

In an ironic twist, the British Information Commissioner’s Office (ICO) recently fined a Brexit advocacy group for violating regulations issued under an EU directive.  The fines, totaling £120,000,  were levied against Leave.EU and a related insurance company, Eldon Insurance, for sending marketing emails to each other’s subscribers without sufficient consent.  Leave.EU had sent marketing emails to over 300,000 of Eldon’s customers, and the two entities had carried out unlawful joint marketing campaigns through Leave. EU’s mailing list. 
Continue Reading Talk About Ironic: Brexit Group Fined Under EU-Related Privacy Regulations