
April 2026

NEWS & UPDATES

Welcome to the WPI Cyber Newsletter, a monthly publication from the Wisconsin Procurement Institute (WPI), Wisconsin's Apex Accelerator


If your organization needs assistance meeting Federal or Department of Defense cyber security requirements, contact Marc Violante, Director of Federal Market Strategies at marcv@wispro.org, or Matt Frost, Government Contract Specialist at mattf@wispro.org


CMMC – For Department of Defense Contractors, CMMC is here!

On November 10, 2025, Phase I of DoD’s implementation plan began.

Phase I key requirements include:

  • Plans of Action are not allowed; all requirements must be implemented
  • SPRS updated to reflect the current score
  • Affirmation entered by a designated company official
  • CMMC requirements apply to subcontractors and suppliers who handle either FCI or CUI. Verify the appropriate status before sharing sensitive information.

 

Other CMMC News

Solicitations posted to SAM now reflect CMMC requirements, including CMMC Level 1, CMMC Level 2 (C3PAO) and CMMC Level 2 (Self). CMMC Level 1 is required in a solicitation for office furniture (NAICS 337214 – Office Furniture (except Wood) Manufacturing), and CMMC Level 2 (Self) is required for a USACE HVAC upgrade at a dam (NAICS 238220 – Plumbing, Heating, and Air-Conditioning Contractors).

Seeing CMMC Level 1 required for office furniture and Level 2 (Self) for an HVAC upgrade at a dam implies that CMMC requirements may apply to a much broader range of work than initially expected. Consequently, they could reasonably be applied to other seemingly common opportunities. In today’s cyber environment, it is unlikely that requesting their removal will have any impact.

There is only one way to say this – it’s time for all contractors to become Cyber-Ready. At a minimum, all businesses should be able to legitimately state that they are CMMC Level 1. Businesses looking to be an active member of the DIB need to redouble their efforts toward cybersecurity.

Additionally, CUI is not public, so companies must specifically request pertinent information. One solicitation which identified the CMMC requirement as CMMC Level 2 (C3PAO) also has the following requirement – “the offeror must provide their CMMC Unique Identifier (UID) upon request for drawings.”

CMMC Phase 1 will end on November 9, 2026. CMMC Phase 2 will begin on November 10, 2026.

Companies or individuals who have questions about the CMMC program and compliance requirements are welcome to call WPI at (414) 270-3600 for assistance.

PIEE Use Increasing

There are currently 1,016 SAM notices that reference PIEE. Of course, there may be duplicates – modifications, amendments, etc.

The following is language used in one SAM notice: “Proposals must be submitted and uploaded through the Procurement Integrated Enterprise Environment (PIEE) Solicitation Module.”

The following are two PIEE-related references:

 

Government Can’t Win the Cyber War Without the Private Sector


Securing national resilience now depends on faster, deeper partnerships with the private sector.


Cybersecurity is a contest between attackers and defenders. For far too long, governments have been defending their turf alone while attackers frequently target public-sector entities with little to no resistance, launching attacks with national ramifications. Despite rules and regulations meant to establish baseline controls, attacks continue to define a growing threat landscape. The harsh reality is that the threat surface has grown wildly beyond what governments can realistically defend.


The digital infrastructure that governments aim to secure is a product of private companies. There are limits to what the state can secure on its own, which means the focus must shift to closer collaboration with the private sector.


Read the full article for the impact of AI and other issues that should be considered: https://www.securityweek.com/government-cant-win-the-cyber-war-without-the-private-sector/

Cybersecurity is a big thing. Are you taking advantage of free government cyber-tools?


Spotlight - NSA


NSA offers cybersecurity services to any company that contracts with DoW (sub or prime) or has access to non-public DoW information. NSA's services help protect against some of the most common nation-state exploitation vectors and are powered by unique, non-public indicators of known malicious activity derived from NSA's signals intelligence, cybersecurity analytic expertise, and engagements with partners.


These services include Protective DNS (a DNS filter), attack surface management, and access to non-public, DIB-specific NSA threat intelligence.


https://www.nsa.gov/About/Cybersecurity-Collaboration-Center/DIB-Cybersecurity-Services/


For more information see: https://media.defense.gov/2026/Mar/10/2003897018/-1/-1/0/DIB-SLICKSHEET_2026.PDF


To participate, click “GET STARTED” on nsa.gov/ccc

https://www.nsa.gov/Cybersecurity/Cybersecurity-Products-Services/

Passwords Are Now a Material Cyber Risk


Cyberattacks today rarely start with sophisticated exploits. More often, they begin with a password.


Despite years of security investment, passwords remain the most common point of failure in enterprise environments—and one of the easiest ways for attackers to gain access. As phishing, credential reuse, and identity-based attacks continue to rise, relying on passwords as the primary gatekeeper is no longer just outdated. It is a business risk.


This matters because the conditions passwords were designed for no longer exist.


https://www.cyberdefensemagazine.com/passwords-are-now-a-material-cyber-risk/

The False Claims Act Is Quietly Becoming A Cybersecurity Enforcement Engine


“The FCA operates most effectively in environments where documentation exists and where discrepancies between representation and reality can be demonstrated. Cybersecurity, and CMMC specifically, now fits that model with increasing precision. The combination of SPRS scores, written affirmations and supporting documentation creates a clear evidentiary trail.


In parallel, the statute’s qui tam provisions continue to incentivize whistleblowers. In an environment where internal teams, consultants or former employees often have direct visibility into gaps between stated and actual security posture, this creates a steady and scalable pipeline of potential cases.”


What about GSA’s changes/efforts? – “While these efforts are not branded in the same way as DOD programs, they are moving in a similar direction.”


“Organizations should ensure that statements made in proposals, certifications and ongoing contract performance are grounded in verifiable evidence.”


https://www.forbes.com/sites/emilsayegh/2026/04/01/the-false-claims-act-is-quietly-becoming-a-cybersecurity-enforcement-engine/

Security awareness is not a control: Rethinking human risk in enterprise security


Awareness and training are not security controls. Security controls operate independently of whether a person is having a good or bad day. Awareness and training may help, but even so, companies continue to have major issues.


https://www.csoonline.com/article/4152631/security-awareness-is-not-a-control-rethinking-human-risk-in-enterprise-security.html

Cybersecurity in the age of instant software


As AI advances, the rise of instant, customized, and often ephemeral software solutions will alter the dynamics of vulnerability hunting and patching, and thus the battle between attackers and defenders.


https://www.csoonline.com/article/4152133/cybersecurity-in-the-age-of-instant-software.html

MITRE releases its Fight Fraud Network – MITRE (F3)


As stated on its website, “this is a curated database of techniques and tactics used by financial fraud actors, derived from real-world observations of cyber fraud incidents. The framework includes behaviors that characterize known fraud TTPs and references existing MITRE ATT&CK® cyber techniques as applicable to financial fraud. F3 provides a common structure and taxonomy to consistently describe and enumerate the material events of a cyber fraud incident, enabling stronger collaboration on fraud prevention, detection, and response across organizational teams. The knowledge base is globally accessible, open, and available at no charge to any person or organization.”


Learn more: https://ctid.mitre.org/fraud#/

The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust


Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue.


There is a perceptible shift in how risk is seen across the organization. Data integrity is no longer only about keeping data safe; it’s also about data trust. Organizations are asking themselves, “Can we trust our data?”


As mentioned, this also raises questions about which data sources can be trusted, who owns the data, who has access to it, who can change it, and whether audit trails exist.


“Trust, therefore, becomes a key differentiator between organizations that can grow, innovate, and compete confidently and those that cannot.”


https://www.securityweek.com/the-next-cybersecurity-crisis-isnt-breaches-its-data-you-cant-trust/

Gmail Brings End-to-End Encryption to Android and iOS for Enterprise Users


The feature allows enterprise users to compose and read end-to-end encrypted messages natively on their mobile devices.


https://www.securityweek.com/gmail-brings-end-to-end-encryption-to-android-and-ios-for-enterprise-users/

Why is the timeline to quantum-proof everything constantly shrinking?


Experts say advancements in hardware, mathematics and growing fear of Chinese scientific breakthroughs are pushing Google and others to call for speedier migration.


https://cyberscoop.com/quantum-computing-industry-timeline-threat-accelerating/

Prepping for 'Q-Day': Why Quantum Risk Management Should Start Now


Quantum computers are coming and may impact systems in unexpected ways, and it will "take years to be fully quantum-safe, if ever," cryptography expert warns.


https://www.darkreading.com/cyber-risk/preparing-q-day-quantum-risk-management

NIST Post Quantum Computing


Quantum is coming – what’s the answer? The answer is to switch to post-quantum algorithms. See the NIST Post-Quantum Cryptography page.


https://www.nist.gov/pqc

Your Next Breach Will Look Like Business as Usual


These are the fundamental detection model shifts cybersecurity teams need to make to keep up with the rising number of credential-based attacks.


OPINION


Your perimeter is hardened, your SOC is on high alert for zero-days, and your firewalls are pristine. But while you're watching the fences, the adversary is walking through the front door with a smile and a valid employee ID.


In the modern threat landscape, attackers aren't always "breaking in" — they're simply logging in. Nearly one in three cyber intrusions now involve valid employee credentials, making this a leading attack vector.


Read more: https://www.darkreading.com/identity-access-management-security/your-next-breach-business-as-usual


OTHER NEWS

Announcing New Sessions

Previously Cyber Fridays, Now Thursdays

If you are currently, or are planning to be, a contractor or subcontractor supporting the Defense Industrial Base (DIB) you are required to comply with the newly finalized CMMC requirements.

Registration and more information can be found at wispro.org/wpi-events/featured-webinars

  • Be sure to follow WPI on social media (Facebook, LinkedIn, X) for regular updates on events, news and opportunities.
WPI 10437 Innovation Dr. Suite 320, Milwaukee, WI 53226 414-270-3600
Newsletter Editor: Doug Clemons, dougc@wispro.org 