Alex Major is a contributing author to the Nuix 2018 Black Report: Decoding the Minds of Hackers, a unique report that engages professional hackers, penetration testers, and incident responders to understand the security threat landscape companies face. Alex, a former intelligence officer, focuses his chapter on why companies need to properly select and structure their

If your company sells products or services to the U.S. Government, there’s a substantial likelihood that you’ve read or heard the acronym “NIST” in connection with various cybersecurity related obligations that the Government is imposing on contractors with a seemingly unceasing vengeance. NIST refers to the National Institute of Standards and Technology, which is a

On April 18, 2017, at the headquarters of Snap-On Incorporated, a Wisconsin-based manufacturer, Donald J. Trump signed an Executive Order titled “Buy American, Hire American”. The Hire American portion, explained in all of two paragraphs in Section 5, requires the Attorney General and Secretaries of State, Labor, and Homeland Security to “consistent with applicable law, propose new rules and issue new guidance, to supersede or revise previous rules and guidance if appropriate, to protect the interests of United States workers in the administration of our immigration system”. The second paragraph is a bit more specific inasmuch as it states that these folks ought to “suggest reforms to help ensure that H-1B visas are awarded to the most-skilled or highest-paid petition beneficiaries.” Among those in attendance were likely Snap-On’s H-1B employees, since the company is a perennial petitioner for H-1B workers at its Kenosha, Wisconsin location.[1]
Continue Reading Buy and Hire American, to the Extent Possible – Federal Publications Seminars

It’s surprising how often the simplest phrases can provide the most salient advice. The 6 P’s, for example: Proper prior planning prevents poor performance. While the phrase may be a bit of a tortured alliteration, the truth and simplicity of its sentiment can’t be denied: when you want a good outcome, you have to think it through. Simple.

Continue Reading Your Biggest Cybersecurity Threat: Failing to Plan

If you are aware of German Christmas folklore (and really, who isn’t?), you know that Belsnickel is a legendary companion of St. Nick who carries a switch with which to punish naughty children and a pocketful of sweets to reward good ones. This holiday season, many are feeling the sting of a switch of another kind, this one involving the December 20, 2016, release by the National Institute of Standards and Technology (NIST) of a preholiday revision of Special Publication 800-171 (SP 800-171), Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. If SP 800-171 sounds familiar, it is because the publication is the source of the cybersecurity controls that defense contractors must follow and flow down to subcontractors pursuant to DFARS Subpart 204.73 and its operative clauses (e.g., DFARS 252.204-7008 and DFARS 252.204-7012). Essentially accompanying St. Nick (perhaps Santa Claus may be more appropriate) this season, NIST’s revised publication may resemble Belsnickel’s switch (pun intended) to contractors who already have existing SP 800-171 controls in place (as the controls have been required, in various forms, since November 2013) or who have started down the road toward SP 800-171 adherence in advance of the DFARS-directed December 2017 deadline. With that in mind, let’s take a quick look at the implications that switch (pun still intended) brings to the security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations:

Continue Reading Switches and Sweets: Belsnickel Brings Defense Contractors and Subcontractors New Cybersecurity Controls in Preholiday Revisions of NIST Cybersecurity Publication

Etymology, particularly the Greek or Latin roots of words, aids our understanding in much the same way as root cause analysis does. The Greek word for disclosure is αποκάλυψη, transliterated to apokálypsi, or “apocalypse.” Nomen est omen. This came to mind while reading the pronouncements proffered by various agencies this year – each of which influences voluntary disclosures of export control violations.

Continue Reading Apocalypse Soon? Permanent Disqualification From Department of Defense Contracts May Result From Voluntary Disclosures of Export Violations