
- April 2025 -


Welcome to the WPI Cyber Newsletter, a monthly publication from the Wisconsin Procurement Institute (WPI), Wisconsin's Apex Accelerator


If your organization needs assistance meeting Federal or Department of Defense cyber security requirements, contact Marc Violante, Director of Federal Market Strategies at marcv@wispro.org, or Matt Frost, Government Contract Specialist at mattf@wispro.org

NEWS & UPDATES

CMMC status


It is expected that the Title 48 CFR rule will become effective in FY 2025. When that happens, the CMMC program will be fully implemented from a regulatory perspective, and DFARS 252.204-7021 will then be added to contracts as needed. For more information on CMMC status, see CMMC Reg Hurdles below.

The following is copied from a Department of Justice press release dated Wednesday, March 26, 2025.


As listed in its SAM registration, this company is identified as a small business under 13 NAICS codes. It may have more employees or more success than your company, but the issue is the same for any contractor: compliance with the requirements of DFARS 252.204-7012 and DFARS 252.204-7019/7020. Those requirements were not followed.


As the first bullet point shows, a company cannot shed its contractual responsibilities by handing requirements off to a third party. Third-party service providers can certainly be used; that is not the issue. The issue is using a third-party service provider without verifying that it meets the required security baseline (here, FedRAMP Moderate equivalency and the DFARS cyber incident reporting requirements). It is also noteworthy that the findings in this paragraph relate to DFARS 252.204-7012; they are not NIST 800-171 r2 compliance issues.


The remaining three bullet points identify issues related to the requirements of DFARS 252.204-7019, DFARS 252.204-7020 and NIST 800-171 r2.


As indicated by DOJ’s actions, greater attention is being given to contractor cyber security. Many contractors receive DoD Controlled Unclassified Information (CUI), and access to this information is required for contract performance. Consequently, a company in possession of CUI is required to comply with the referenced regulations in order to provide “adequate security.”


Details from DOJ’s press release are below.

Defense Contractor MORSECORP Inc. Agrees to Pay $4.6 Million to Settle Cybersecurity Fraud Allegations


MORSECORP Inc. (MORSE), of Cambridge, Massachusetts, has agreed to pay $4.6 million to resolve allegations that MORSE violated the False Claims Act by failing to comply with cybersecurity requirements in its contracts with the Departments of the Army and Air Force. 


The settlement resolves allegations that MORSE submitted false or fraudulent claims for payment on contracts with the Departments of the Army and Air Force, and that those claims were false or fraudulent because Morse knew it had not complied with those contracts’ cybersecurity requirements. As part of the settlement, MORSE admitted, acknowledged and accepted responsibility for the following facts:


  • From January 2018 to September 2022, MORSE used a third-party company to host MORSE’s emails without requiring and ensuring that the third party met security requirements equivalent to the Federal Risk and Authorization Management Program Moderate baseline and complied with the Department of Defense’s requirements for cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis and cyber incident damage assessment;


  • The contracts required that MORSE implement all cybersecurity controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, but from January 2018 to February 2023, MORSE had not fully implemented all those controls, including controls that, if not implemented, could lead to significant exploitation of the network or exfiltration of controlled defense information and controls that could have a specific and confined effect on the security of the network and its data;


  • From January 2018 to January 2021, despite the contracts’ system security plan requirement, MORSE did not have a consolidated written plan for each of its covered information systems describing system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems;


  • In January 2021, MORSE submitted to the Department of Defense a score of 104 for its implementation of the NIST SP 800-171 security controls. That score was near the top of the possible score range from -203 to 110. In July 2022, a third-party cybersecurity consultant notified MORSE that its score was actually -142. MORSE did not update its score in the Department of Defense reporting system until June 2023 — three months after the United States served MORSE with a subpoena concerning its cybersecurity practices.


Full article at: https://www.justice.gov/opa/pr/defense-contractor-morsecorp-inc-agrees-pay-46-million-settle-cybersecurity-fraud

CMMC Reg Hurdles


The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) rule – which puts new security regulations on defense contractors and is set to kick in this year – is wading through the broader anti-regulation landscape created by the Trump administration but is still expected to make it through.

That was the news on Tuesday afternoon at the Zscaler Public Sector Summit from Stacy Bostjanick, director of DIB cybersecurity in DoD’s Office of the Chief Information Officer, who said she views CMMC as a solution to the DoD’s current regulatory process, which she argued “does not help us keep pace with current [cybersecurity] threats.” She explained: “I view CMMC as the roll, before the crawl, before the walk, before the broader implementation.”

The CMMC rule is set to take effect in fiscal year 2025, but a 60-day regulatory freeze imposed by the Trump administration has delayed it. Though the freeze was recently lifted, an executive order also requires agencies to repeal 10 existing rules for every new one. However, Bostjanick said she remains confident that the Trump administration will ultimately back the necessity of CMMC. “We’re working through that … to make sure that we are protecting ourselves, we’re going to have to work our way through that,” she said.


Copied from Meritalk Newsletter, dated 3/26/2025

11 ways cybercriminals are making phishing more potent than ever


Cybercriminals are switching up tactics for their social engineering trickery to increase authenticity, better bypass filters, and more intentionally target potential victims.


Phishing has long been a primary source for security breaches — a major issue that, despite years of security awareness training, remains a top cybersecurity concern today.


But thanks to refinements of tactics alongside malign repurposing of AI technologies, the longstanding social engineering technique continues to evolve, and cybercriminals are finding new ways to try to trick users into clicking on bad links. The game’s (essentially) the same; it just got more fierce.


Attackers no longer just copy logos and spoof domains; they hijack legitimate email threads, embed malicious links in ongoing conversations, and even use compromised business emails to make their phishing attempts look more authentic.


https://www.csoonline.com/article/3850783/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html

DARPA’s AI Cyber Challenge releases scoring guide for $8.5 million final competition


Open source software underpins the nation’s critical infrastructure systems, such as bridges, highways, hospitals, power plants, and utilities, making it a top target for cyberattacks by actors around the world. Through DARPA’s AI Cyber Challenge (AIxCC), in collaboration with the Advanced Research Projects Agency for Health (ARPA-H), seven finalist teams composed of experts across academia and industry are designing novel cyber reasoning systems (CRSs) incorporating cutting-edge large language models to automatically find and patch vulnerabilities in open source software.


The AI Cyber Challenge final competition will kick off this spring and culminate at DEF CON 33 in August 2025. Guided by the newly released AIxCC Final Competition Procedures and Scoring Guide, the Final Competition will take place over a series of four rounds in 2025. Three rounds will be unscored exhibition rounds and one round – the final round – will be scored. In each round, each team’s CRS will have limited time to find and patch vulnerabilities in software challenges based on real-world software that is critical to industry, national security, and the public.


See: https://www.darpa.mil/news/2025/ai-cyber-challenge-scoring

New Open Source Bugs Leave Thousands of iOS Apps Vulnerable to Hijacking


The CocoaPods vulnerabilities could threaten TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger, and many others.


“A series of newly discovered vulnerabilities in a widely used open source software utility could spell big trouble for large parts of the iOS and MacOS ecosystems. The bugs in question could impact thousands of widely used apps, including popular programs like TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger, and many others, according to associated security research.”


https://gizmodo.com/new-open-source-bugs-leave-thousands-of-ios-apps-vulner-1851573395

China Hackers Behind US Treasury Breach Caught Targeting IT Supply Chain


Microsoft threat hunters warned Wednesday of a significant shift in tactics by Silk Typhoon, a Chinese government espionage group linked to recent US Treasury hacks. The group is now targeting companies in the global IT supply chain, including IT services, remote monitoring and management firms and managed service providers.


https://www.securityweek.com/china-hackers-behind-us-treasury-breach-caught-targeting-it-supply-chain/

The Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025


In addition to the cybersecurity requirements already mandated (and those still to come), federal contractors may soon have further obligations. Earlier this month, the Federal Contractor Cybersecurity Vulnerability Reduction Act of 2025 passed the House.


“Under the bill, covered contractors with the federal government would have to implement vulnerability disclosure policies (VDPs) that are consistent with National Institute of Standards and Technology guidelines. The Office of Management and Budget and the Defense Department would be required to update federal acquisition policies accordingly.” (CyberScoop)


See: https://cyberscoop.com/house-passes-federal-contractors-vdp-bill/


The NIST publication that addresses vulnerability disclosure guidelines is NIST SP 800-216, Recommendations for Federal Vulnerability Disclosure Guidelines.

The differences between non-disclosure, exfiltration and notice - a court’s view


Although there is scant case law on the question, it is generally accepted that it is not a violation of one’s duty not to disclose information if it is stolen from you. Put another way, disclosure is an affirmative act, and, absent an affirmative duty to protect information from unauthorized access, theft of information is not a violation of a duty not to disclose.


This question, however, was at the heart of the decision in Gerber v. Twitter, Inc., case no. 4:23-cv-00186-KAW (N.D. Cal. Dec. 18, 2024) (2024 WL 5173313). Judge Kandis Westmore ruled that a social media platform’s duty not to disclose personal information is not the same as the duty to protect that information against theft. Further, the duty not to disclose does mean the social media platform has a duty to notify individuals if the social media platform is breached. As a result, the court granted in part and denied in part the defendant’s motion to dismiss the plaintiffs’ complaint. (Id.)


See: https://www.lexology.com/library/detail.aspx?g=225e1477-f6ab-4597-897d-d2ac421b7b16

What’s an email mask? Here’s why tech experts say you should be using one


Safeguard your privacy with a decoy email address.


You’ve heard of burner phones. What about burner email?

So much of the internet now requires that you hand over your email address before you’re able to use any services—from an app you’ve downloaded to signing up for a newsletter or redeeming a special offer online.

But who says you have to give your real email address? Next time you’re asked, consider using an email mask.

There are a growing number of services that give out disguised email addresses and relay any messages to your actual address. Experts say this can be a powerful tool to safeguard privacy and security.


https://www.fastcompany.com/91306951/whats-email-mask-why-tech-experts-say-you-should-be-using-one?utm_source=firefox-newtab-en-us


FEATURED EVENTS

Winning Government Business: Navigating Compliance Risks to Drive Strategic Advantage


May 14, 2025

8:00 am - 7:00 pm


Brookfield Conference Center

325 South Moorland Road Brookfield, WI 53005


Registration now available HERE

11th Annual DOD Contract Management Update


May 15, 2025

8:00 am - 5:00 pm


Registration now available HERE

OTHER NEWS
  • Be sure to follow WPI on social media (Facebook, LinkedIn, X) for regular updates on events, news and opportunities.
WPI 10437 Innovation Dr. Suite 320, Milwaukee, WI 53226 414-270-3600
Newsletter Editor: Doug Clemons, dougc@wispro.org 