NIST’s new draft guidance, Special Publication 800-53B, Control Baselines for Information Systems and Organizations, provides important information on selecting both security and privacy control baselines for the Federal Government. These control baselines are from NIST Special Publication 800-53 and have been moved to this separate publication “so the SP 800-53 [can] serve as a consolidated catalog of security and privacy controls regardless of how those controls [are] used by different communities of interest.”   The new guidance addresses federal information systems and is applicable to information systems used or operated by an agency, a contractor on behalf of an agency, or another organization on behalf of an agency.
Continue Reading NIST Issues Draft Guidance on Security and Privacy Control Baselines – SP 800-53B

NIST recently released the final public draft of SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (formerly Draft NIST SP 800-171B). NIST is proposing additional security requirements for certain CUI in non-federal systems that is associated with critical programs or high value assets and is soliciting public comments through August 21, 2020.
Continue Reading NIST Proposes Draft Enhanced Security Requirements for Protecting CUI

As a part of its Cybersecurity for IoT Program, NIST recently released two publications with the goal of providing cybersecurity guidance and best practices specific for companies manufacturing IoT devices. These publications were developed as a part of NIST’s implementation of the 2017 Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. With these publications, NIST provides a set of recommended activities that manufacturers should consider to improve the securability of IoT devices, as well as a baseline level of security requirements for these devices.

Continue Reading NIST Releases Cybersecurity Guidance for Manufacturers of IoT Devices

On Friday, May 29, the Cybersecurity and Infrastructure Security Agency (CISA) issued the first in a series of six Cyber Essentials Toolkits.  These toolkits are described as “bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential,” focused on building a company’s cyber readiness.
Continue Reading CISA Issues First Installment of Cyber Essentials

The FTC recently settled with smart lock maker Tapplock, Inc., a Canadian company, over allegations that it deceived consumers with false claims about its product’s security practices. These allegations arose based on vulnerabilities that a security researcher demonstrated – not in the aftermath of a data security breach where these complaints often originate.
Continue Reading FTC Settles with Company Over Alleged Deceptive Security Practices

During their COVID-19 preparations, companies are dusting off -and deploying- their business continuity plans. Also worth revisiting are incident response plans. Teams working remotely, if faced with a data breach, will still face privilege issues. For this reason simply moving to asynchronous forms of communication (email, chat, etc.) may not suffice, or may increase legal risk and exposure. Teams will thus need to be prepared for coming together virtually. Turning on the camera to converse remotely with video can be an impactful and important way to effectively handle a breach situation. To prepare, here are three key questions companies can consider:
Continue Reading Turn on the Camera Part Two: Are You Prepared to Handle a Breach Remotely and Do You Know Your Legal Security Obligations?

Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, On March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:
Continue Reading NY SHIELD Act Data Security Requirements Effective This Month

The Securities and Exchange Commission recently published a set of observations designed to assist financial market participants. While not legally binding, the observations are guideposts for investment companies, securities issuers, and others. They outline steps to improve cyber preparedness and to protect against well-known and evolving cybersecurity threats faced by companies in the United States and worldwide.
Continue Reading Buyers (And Sellers) Beware!: SEC Observations on Cybersecurity and Resiliency

The FTC recently summarized three major changes it made to its orders in data security cases. In a blog signaling these changes, the FTC Indicated that some of the things it has been requiring of companies in 2019 are here to stay.
Continue Reading New Trends Emerge in FTC Data Security Orders, Including Emphasis on C-Suite Involvement

In response to the killing of Major General Qassim Suleimani, the government of Iran and its supreme leader, Ayatollah Ali Khamenei, have declared the country’s intention to strike back at the United States. According to reports, their desire is to respond proportionally, but not start a war, and they are contemplating multiple options, any subset of which they may implement.
Continue Reading Iran’s Imminent Cybersecurity Threat