Andrew Howard

DFARS 7012 requires contractors to implement NIST SP 800-171 to protect Covered Defense Information (CDI). DFARS 7019/7020 requires contractors to perform a basic assurance self-assessment and submit a score to SPRS that is within 3 years of contract award. DFARS 7021 specifies the CMMC level required to be awarded a DoD contract. CMMC levels require either self-assessment or third-party assessment. When making the determination of the level required for a contract, there is a memo that outlines the process that must be followed by the DoD program manager to obtain a waiver to "CMMC assessment requirements" for that contract. "Program Managers and requiring activities should identify information security requirements for the types of information most likely to be associated with the planned contract effort. When market research indicates that including a CMMC assessment requirement may impede ability to generate robust competition or delay delivery of mission critical capabilities, the SAE, CAE, or DAE may approve requests to waive inclusion of CMMC assessment requirements. SAEs and CAEs must carefully weigh the risk of potential loss of CUI associated with mission critical capabilities before granting a waiver." Level 1 - "There are no circumstances likely to warrant approval of requests to waive CMMC Level 1 requirements." Level 2 - "In rare circumstances. such as when seeking competition from non-traditional DoD sources. waivers may be warranted for CMMC Level 2 third-party assessment requirements. Such waivers are not appropriate for contracts requiring performance by a cleared defense contractor. Approved waivers on a class basis must include a planned expiration date and guidance for requiring CMMC certification in subsequent solicitations." Level 3 - "In rare circumstances, waivers may be warranted for CMMC Level 3 third-party assessment requirements: such waivers, however, are not appropriate for contracts or work statements requiring access to both unclassified and classified DoD information." Full memo on the process found here, starting on page 6: https://lnkd.in/eeBCW53n #cmmc #dib #dfars

57

12 Comments

Unified Financial Attribution System (UFAS) ​I am officially announcing the availability for strategic acquisition of the Unified Financial Attribution System (UFAS). ​This proprietary U.S. Patent-Pending logic (Provisional #63/990,253) is specifically engineered to bridge the transparency gaps created by the latest 1099-DA regulatory shifts. ​The Solution: ​Money Laundering & Hacker Tracking: Enhances existing AML protocols by identifying "structuring" behavior and high-velocity transfers. It bypasses unhosted wallet anonymity to identify Ultimate Beneficial Ownership (UBO). ​Recursive De-anonymization: Links clustered unhosted wallets to 1099-DA identity anchors, maintaining a continuous audit trail through multiple "hops." ​Cross-Silo Attribution: Seamlessly bridges the gap between digital TXIDs and traditional banking (Routing/Account numbers) for real-time asset tracking and forensic reporting. Interested parties: UFASPATENTED@GMAIL.COM

1

1 Comment

Looking forward to the finalization of the new FedRAMP 20x Key Security Indicators (KSIs) later this week. Starting on Friday, FedRAMP will begin accepting 20x Low submissions, most likely with the draft SBOM requirement in place. https://lnkd.in/eD5i-Bsm

44

4 Comments

The DVMS Institute has partnered with Navvia to deliver next-gen cyber governance, resilience, and training via Navvia’s NIST CSF assessment and process modeling platform. We are thrilled to partner with Navvia to bring a truly operationalized approach to digital value governance and cyber resilience. The combination of DVMS Institute’s cyber resilience overlay system and Navvia’s powerful NIST-CSF assessment and process design and management platform provides organizations with a comprehensive solution for aligning governance, risk, and performance assurance with their digital risk and value management strategy.” David Mainville, CEO of Navvia, shared similar enthusiasm: “Our mission has always been to simplify and accelerate an organizational ability to assess and document its governance, compliance, and service improvement initiatives. With the introduction of our new Cybersecurity Framework assessment tool - combining NIST CSF with ITSM Processes, and our partnership with the DVMS Institute, we offer clients a best-in-class solution to assess, build, measure, and sustain cyber resilience and governance excellence. We are helping organizations turn cybersecurity from a reactive technical problem into a strategic business advantage.” For more information about Navvia’s NIST CSF assessment solution and the DVMS Institute’s digital value management frameworks, visit www.navvia.com and www.dvmsinstitute.com . https://lnkd.in/gKKQMBju

13

2 Comments

Navigating NIST 800-171 Compliance: A Guide for SMBs As cyber risks increase, it's crucial for Small and Medium-sized Businesses (SMBs) in the Defense Industrial Base (DIB) to protect sensitive information. Safeguarding Controlled Unclassified Information (CUI) is essential for their survival. Understanding NIST 800-171 and CMMC Compliance: NIST Special Publication 800-171 provides the framework for protecting this information, while the Cybersecurity Maturity Model Certification (CMMC) 2.0 builds upon it. For SMBs in the DIB, compliance isn't just a regulatory requirement—it's a strategic necessity for accessing Department of Defense (DoD) contracts and ensuring long-term business viability. Adhering to NIST SP 800-171 is a contractual obligation for organizations that handle CUI. https://lnkd.in/eshRftvJ

12

2 Comments

After lengthy late-night discussions with Cédric Bonhomme on sightings and KEV formats, we produced a first draft of a generic format for Known Exploited Vulnerabilities (KEV).  Initially, we considered extending GCVE BCP-05 using the CVE Record format. However, we ultimately concluded that it may be more appropriate to define a standalone format, allowing sources to publish their KEV data independently. Feel free to comment on the discourse link below. KEV Assertion Format – Draft Specification (potential BCP?) This format describes a generic KEV (Known Exploited Vulnerability) assertion format. The goal is to express who claims exploitation, when, based on what, where it was observed, and with which level of confidence, without turning KEV into full threat intelligence. A KEV assertion is usually very binary and lacking some meta-information. The format adds some information which could better capture details about the exploitation. A majority of the fields are optional except vulnerability, status and evidence.[].source which are recommended. 🔗 https://lnkd.in/eaBUFXie GCVE-EU CIRCL (Computer Incident Response Center Luxembourg) CVE Program

145

11 Comments

TeleMessage Hack Exposes Government and Corporate Messaging Vulnerabilities Modified Signal App Used by U.S. Officials Breached—Revealing Critical Security Gaps A major breach of TeleMessage, a government- and enterprise-grade messaging service based on modified versions of apps like Signal, Telegram, and WhatsApp, has exposed sensitive data linked to U.S. government officials and private sector clients. The hack, reported by 404 Media on May 5, 2025, highlights the security risks of archiving encrypted communications—especially when modified apps are involved. What Happened • Exploit Uncovered: A hacker exploited a vulnerability in TeleMessage’s infrastructure to gain access to archived messages and back-end systems. • Partial Breach Scope: While messages from high-profile users such as cabinet members and former national security adviser Mike Waltz were not compromised, the hack still yielded: • Archived message content from other users • Contact details of U.S. government personnel • Backend login credentials • Data from U.S. Customs and Border Protection, Coinbase, and Scotiabank Why This Is Alarming • No End-to-End Encryption: The attack revealed that archived messages routed through TeleMessage’s modded version of Signal were not end-to-end encrypted during storage. • Sensitive Use Cases: TeleMessage is marketed for secure communication by regulators, banks, and federal agencies—making it a critical target for cyber threats. • Trusted Platform Compromised: Clients used TeleMessage under the assumption of enhanced compliance and security, but the hack exposed fundamental weaknesses in how archived data is protected. Broader Implications • Erosion of Trust: This breach could shake confidence in third-party encrypted messaging services, particularly those that modify open-source platforms. • Regulatory Ramifications: Organizations required to archive communications for compliance may now face scrutiny over how securely that data is stored. • Cybersecurity Wake-Up Call: The breach underscores the importance of evaluating not just the encryption of a messaging app—but also the security of any archiving or middleware systems it connects to. Conclusion The TeleMessage hack is a stark reminder that even apps built on secure platforms like Signal can become vulnerable when modified for enterprise use. As governments and businesses increasingly rely on encrypted communications, the weakest link—often the archiving layer—must be treated as a frontline security priority. Keith King https://lnkd.in/gHPvUttw

4

Remember my post on vibe-coding is a trap! Fyi: watch-out “value sharing” / outcome-based deals: OpenAI has signaled that for high-impact, IP-creating use cases (e.g., drug discovery, materials, finance/trading), they may push for bespoke contracts that include profit-share or upside participation, not just usage fees.

3

1 Comment