January 2026


Welcome to the WPI Cyber Newsletter, a monthly publication from the Wisconsin Procurement Institute (WPI), Wisconsin's Apex Accelerator


If your organization needs assistance meeting Federal or Department of Defense cyber security requirements, contact Marc Violante, Director of Federal Market Strategies at marcv@wispro.org, or Matt Frost, Government Contract Specialist at mattf@wispro.org

NEWS & UPDATES

Several days ago, on January 10, 2026, CMMC turned two months old.


The rules have changed, and it is important for all companies to be aware of the current requirements – the regulations defining eligibility for both Prime and Subcontract awards.


  • POA&Ms are no longer authorized.
  • All security requirements must be met: Level 1 – self; Level 2 – self
  • SPRS scores must reflect this status.
  • Affirmations are required.


Please contact WPI for assistance or if you have any questions: 414-270-3600

It’s a new year, and there are many commercials advertising how Virtual Private Networks (VPNs) can keep you safe online. They can!


Users of federal websites, especially users of DIBBS and cFolders, should review the terms and conditions of use. DIBBS and cFolders expressly prohibit the use of VPNs and similar technologies. The following is copied from item 8 of the DIBBS Super User agreement:


“8. I agree that no user account will use any means to mask their internet usage/access to DIBBS (for example, a Virtual Private Network (VPN)).”


Also, US-based companies should not access DIBBS from outside the country. See item 11 of the DIBBS Super User agreement.

Microsoft Starts 2026 With a Bang: A Freshly Exploited Zero-Day


The vendor's first Patch Tuesday of the year also contains fixes for 112 CVEs, nearly double the amount from last month.


“Among them is a zero-day vulnerability in Desktop Window Manager (DWM) designated as CVE-2026-20805 (CVSS score: 5.5), which attackers are already exploiting to leak memory address information that could weaken system protections and enable follow-on attacks.”


https://www.darkreading.com/application-security/microsofts-starts-2026-bang-zero-day


DoD/DoW contractors should pay particular attention to these notifications and updates. System and Information Integrity is one of the 14 security requirement families listed in NIST SP 800-171 r2. Maintaining your systems and all assets covered by your SCOPE is a critical action to take, not one to ignore. As stated in the article, some of these vulnerabilities are being actively exploited. The following are two NIST 800-171 r2 security requirements that apply.


  • 3.14.1 Identify, report, and correct system flaws in a timely manner.


  • 3.14.3 Monitor system security alerts and advisories and take action in response.

Think you can beat ransomware? RansomHouse just made it a lot harder


Ransomware continues to evolve, making recovery without paying the ransom more difficult.

Researchers confirmed that RansomHouse, a type of ransomware, is moving away from a “linear encryption model toward a multi-stage, dual-key process, which materially complicates decryption or key recovery.” This ransomware also targets virtual machines and backups.


Pressure to pay the ransom is increased by threatening public disclosure of the data in addition to encrypting it.


Start the new year by revisiting training on ransomware prevention, updating the System Security Plan, and validating other security measures.


Think you can beat ransomware? RansomHouse just made it a lot harder | CSO Online


If dealing with ransomware isn’t bad enough, cyber fraud is now a growing concern.


Cyber Fraud Overtakes Ransomware as Top CEO Concern: WEF


Ransomware remains the biggest concern for CISOs in 2026, according to WEF’s Global Cybersecurity Outlook 2026 report.


“Cyber-enabled fraud has overtaken ransomware as the primary concern for CEOs, marking a major shift in how business leaders perceive digital risk, according to the Global Cybersecurity Outlook 2026 report published by the World Economic Forum (WEF) on Monday.”


Cyber Fraud Overtakes Ransomware as Top CEO Concern: WEF - SecurityWeek

Cyber threats can originate both inside the US and outside its borders. Cybercriminals do not respect geographic boundaries, and they may or may not be US citizens. Credentials and line of work cannot be relied upon to distinguish cybercriminals from trustworthy cyber professionals.


The following Justice Department press release shows and reaffirms that companies need to maintain their vigilance. “We see what we want to see” is one way of looking at the issue. If we believe that someone is trustworthy, we look for evidence supporting this belief – in the following case, line of work and nationality. Looking at the issue from the bad actor’s perspective: will a bad actor try to provide a potential customer with exactly the types of information that support and strengthen a particular conclusion, namely that the contractor, the caller, or the applicant is trustworthy?

Two Americans Plead Guilty to Targeting Multiple U.S. Victims Using ALPHV BlackCat Ransomware


On Monday, December 29, 2025, “a federal district court in the Southern District of Florida accepted the guilty pleas of two men to conspiring to obstruct, delay or affect commerce through extortion in connection with ransomware attacks occurring in 2023.


“These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop,” said Assistant Attorney General A. Tysen Duva of the Justice Department’s Criminal Division.


“Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets. The Department of Justice is committed to using all tools available to identify and arrest perpetrators of ransomware attacks wherever we have jurisdiction.”


See: https://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware

StopRansomware is the federal government’s official website: https://www.cisa.gov/stopransomware


For more information, see the StopRansomware Guide:


This document is a one-stop resource to help organizations reduce the risk of ransomware incidents through best practices to detect, prevent, respond, and recover, including step-by-step approaches to address potential attacks. This publication was developed through the Joint Ransomware Task Force (JRTF), an interagency body established by Congress in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to ensure unity of effort in combating the growing threat of ransomware attacks.


Part 1 provides guidance for all organizations to reduce the impact and likelihood of ransomware incidents and data extortion, including best practices to prepare for, prevent, and mitigate these incidents. Prevention best practices are grouped by common initial access vectors. Part 2 includes a checklist of best practices for responding to these incidents.


See: https://www.cisa.gov/resources-tools/resources/stopransomware-guide

Still using passwords? Yikes. Here's why you should switch to passkeys now

Top 5 real-world AI security threats revealed in 2025


https://www.csoonline.com/article/4111384/top-5-real-world-ai-security-threats-revealed-in-2025.html

Cybersecurity skills matter more than headcount in the AI era


AI remains one of the top skills needed for the second consecutive year, with 41% of respondents of the 2025 study citing it as a critical skill, followed by cloud security at 36%. According to the report, 48% of respondents are already working to gain generalized AI knowledge and skills, while “35% are educating themselves on AI solutions at risk to better understand vulnerabilities and exploits.”


“The use of AI tools and the perception that AI will be a career-booster in the cybersecurity industry are prompting professionals to take proactive steps to develop and expand their knowledge and skill base to future-proof their careers,” Marks says. “They see it as a driver of new and more specialized skills, more strategic responsibilities, and broader career pathways.”


https://www.csoonline.com/article/4108270/cybersecurity-skills-matter-more-than-headcount-in-the-ai-era.html

A company’s External Attack Surface and its Scope as defined by NIST 800-171 r2 do not always consist of the same assets.


The External Attack Surface consists of the externally facing assets – those assets that connect to the internet and can be directly attacked. Scope defines the assets that store, transmit, or process CUI. In many instances, the in-scope assets sit internal to, and behind, the assets that make up the External Attack Surface.


However, whether the above holds depends on the network’s design and on whether all assets are known. It is possible that some External Attack Surface assets are also part of a company’s CUI scope. It is also possible that an unknown asset, and therefore one that is not being actively managed, provides an unprotected path to in-scope assets.


If an asset is overlooked and is in scope how does that affect the System Security Plan (SSP) and system security? Additionally, if the SSP does not address all assets, has the company fully implemented all controls required by NIST 800-171 r2?


The following article begins with – “Shadows are dark and dangerous places where bad guys attack anything or anyone they find. In 2026, AI will increase the number and size of shadows, together with the entire external attack surface.”


For all companies, and especially those pursuing Defense contracts, the logical question is: what does this mean for me? Has my external attack surface been completely defined? Is there an unknown or unmanaged asset? And what about my System Security Plan?


Needless to say, the External Attack Surface is critical to cybersecurity.


Cyber Insights 2026: External Attack Surface Management


AI will assist companies in finding their external attack surface, but it will also assist bad actors in locating and attacking the weak points.


https://www.securityweek.com/cyber-insights-2026-external-attack-surface-management/


OTHER NEWS

Announcing New Sessions

Previously Cyber Fridays, Now Thursdays


If you are currently, or are planning to be, a contractor or subcontractor supporting the Defense Industrial Base (DIB), you are required to comply with the newly finalized CMMC requirements.





Registration and more information can be found at wispro.org/wpi-events/featured-webinars

Announcing New Virtual Sessions

6:30-7:30 pm


This 8-part series is designed specifically for current Federal contractors. In addition, these sessions will help you prepare for the NCMA CFCM certification exam.


Click on the dates below for registration and more information.


NDIA CMMC Academy


January 28, 2026

Pewaukee, WI


Are you CMMC ready?


The NDIA CMMC Academy is your roadmap to staying eligible for federal and Department of War (DoW) contracts. Phase 1 implementation is underway, and new clauses are moving into prime and subcontractor agreements. If you touch federal work in any part of the supply chain, now is the moment to act.


Join NDIA’s Cybersecurity Division and the Great Lakes’ Chapter for a practical briefing on what the regulation includes and what you must do to bid, win, and perform under DoW solicitations.


What you’ll learn:

  • The evolution of CMMC and why it matters now
  • The three certification levels and which one fits your business
  • FCI vs. CUI: how to identify the data you handle
  • What a C3PAO is and how to select one
  • When a self-assessment is sufficient versus when a C3PAO certification is required
  • How DoW and federal agencies are enforcing the new requirements
  • Trusted resources to accelerate your CMMC journey


Get clear on the requirements. Protect your eligibility. Move forward with confidence.


Registration & More Information

18th Annual End of Year Federal Contractor Update

January 29, 2026

Pewaukee, WI

Join Wisconsin’s Federal Government contractors and subcontractors for this annual event. Briefings during the event will provide an overview of the current Federal contracting environment as well as highlight up-and-coming trends for future business opportunities.


SCHEDULE


8:00 AM – Light Breakfast and Registration

8:30 AM – Welcome and Introductions

9:00 AM – Program

12 NOON – Lunch

4:00 PM – End of Program

4:30 PM – End of Event


CONFIRMED PARTICIPANTS


  • David Zvenyach – Founder, Tandem – CEO, MakeGov
  • Nathaniel Millsap – Vice President, Security & Compliance, Fincantieri Marinette Marine
  • Baly Ambegaoker – CEO and Corporate Director, BTMS Breakthrough Technologies for Mission Success
  • Brian Waagner – Partner, Husch Blackwell
  • Jason Rathsack – NCMA WI Chapter Board Member
  • Samuel Jack – Senior Counsel, Husch Blackwell
  • Shane Mahaffy – Lead Business Opportunity Specialist, U.S. Small Business Administration (SBA)
  • James Pitcher – Director of Strategic Contracts, Gallatin AI
  • Daryl Zahn – Sr. Manager, Contracts & Compliance, DRS Naval Power Systems, Inc.
  • Ben Blanc – Government Contracts Specialist, Wisconsin Procurement Institute (WPI)
  • Aina Vilumsons – President-Executive Director, Wisconsin Procurement Institute (WPI)


Registration & More Information

  • Be sure to follow WPI on social media (Facebook, LinkedIn, X) for regular updates on events, news and opportunities.
WPI 10437 Innovation Dr. Suite 320, Milwaukee, WI 53226 414-270-3600
Newsletter Editor: Doug Clemons, dougc@wispro.org 