NYDFS Issues Supply Chain Management Guidance

The New York State Department of Financial Services recently issued recommendations to financial institutions in the aftermath of the SolarWinds cyberattack. In that attack, hackers inserted malware into SolarWinds software which was then distributed to SolarWinds’ customers (many of which were financial institutions). After discovery, SolarWinds released a series of hot fixes to address vulnerabilities in their software associated with the attack. Although NYDFS found that most companies responded quickly to patch the vulnerabilities, it did identify additional steps to reduce supply chain risk:
Continue Reading NYDFS Issues Supply Chain Management Guidance

NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the implementation of a minimum set of controls is required for protecting federal information systems, NIST envisions that these control baselines can be implemented by any organization that processes, stores, or transmits information.
Continue Reading NIST Finalizes Guidance on Security and Privacy Control Baselines – SP 800-53B

The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive, but unclassified information (within a company’s system.) The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions here.
Continue Reading Interim Rule Solidifies Cybersecurity Requirements for Defense Industrial Base

On Friday, May 29, the Cybersecurity and Infrastructure Security Agency (CISA) issued the first in a series of six Cyber Essentials Toolkits.  These toolkits are described as “bite-sized actions for IT and C-suite leadership to work toward full implementation of each Cyber Essential,” focused on building a company’s cyber readiness.
Continue Reading CISA Issues First Installment of Cyber Essentials

Cybersecurity Maturity Model Certification (“CMMC”) v.1.0, after releasing several draft versions of the document over the past year. In an effort to enhance supply chain security, the CMMC sets forth unified cybersecurity standards that DOD contractors and suppliers (at all tiers, regardless of size or function) must meet to participate in future DOD acquisitions. Through the CMMC, DOD adds cybersecurity as a foundational element to the current DOD acquisition criteria of cost, schedule, and performance. We have previously discussed CMMC on our Government Contracts & Investigations Blog.
Continue Reading CMMC Version 1.0: Enhancing DOD’s Supply Chain Cybersecurity

In May, the U.S. Supreme Court issued its opinion in Spokeo v. Robins, providing guidance on the “injury-in-fact” aspect of the constitutional standing requirement for putative class action plaintiffs.  136 S. Ct. 1540 (2016), as revised (May 24, 2016).  Spokeo was quickly hailed by both plaintiff- and defense-side lawyers as a major victory, but in truth provided something for everyone.  It requires, for example, that a plaintiff allege “a concrete injury even in the context of a statutory violation . . .” and not merely a “bare procedural violation, divorced from any concrete harm.”  Id. at 1543, 1549.  Further, a “concrete” injury must “actually exist” and be “real, and not abstract.”  Id. at 1548.  On the other hand, a “concrete” injury is not “necessarily synonymous with ‘tangible.’”  Id. at 1549.  Ways to determine whether “intangible” harm qualifies as “concrete” include: (1) evaluating whether the alleged harm “has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit” and (2) looking to the judgment of Congress which “has the power to define injuries and articulate chains of causation that will give rise to a case or controversy where none existed before.”  Id.
Continue Reading Update on Data Breach and Data Privacy Class Actions Post-Spokeo

Last week, researchers at Citizen Lab uncovered sophisticated new spyware that allowed hackers to take complete control of anyone’s iPhone, turning the phone into a pocket-spy to intercept communications, track movements and harvest personal data. The malicious software, codenamed “Pegasus,” is believed to have been developed by the NSO Group, an Israeli company (whose majority shareholder is a San Francisco based private equity firm) that describes itself as a “leader in cyber warfare” and sells its software — with a price tag of $1 million – primarily to foreign governments. The software apparently took advantage of three previously unknown security flaws in Apple’s iOS software, and was described by experts as “the most sophisticated” ever seen on the market. Apple quickly released a patch of its software, iOS 9.3.5, and urged users to download it immediately.


Continue Reading Espionage and Export Controls: The iPhone Hack Highlights The New World of Warfare

On April 6, 2016, National Telecommunications and Information Administration (NTIA) issued a federal notice to request public comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things (IoT).  (RFC at http://www.ntia.doc.gov/files/ntia/publications/fr_rfc_iot_04062016.pdf).

Comments are due on May 23, 2016.


Continue Reading NTIA Issues Request for Comments on Policies Related to Cyber Threats Surrounding Internet of Things