John Waller

CMMC Compliance Deadline: Are You Ready for October 1st?   The DoD’s latest update to 48 CFR Part 204.75 makes it official: CMMC certification is mandatory for contractors starting October 1, 2025. If your organization handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you must be certified to bid, renew, or extend DoD contracts. 🎯 Don’t risk disqualification. As a CMMC Registered Practitioner Organization (RPO), Concertium helps defense contractors like you: * Assess and close compliance gaps * Build cybersecurity policies and procedures * Train your team and prepare for certification ⏳ Time is running out. Let’s get you ready before Phase 1 begins. 📅 Book your free consultation today: concertium.com/cmmc-rpo

10

Anybody interested in Cybersecurity Risk Management? In hashtag#NIST's latest blog post celebrating 1-year of hashtag#CSF 2.0, they highlighted updates to their IR 8286 Series defining the relationship between hashtag#cybersecurity and hashtag#ERM. NIST has been updating this series, giving organizations guidance on weaving cybersecurity (leveraging the hashtag#NISTCSF) into ERM so if you're looking for ways to connect cybersecurity and business risk, these resources are definitely worth a read! 👇 ◾NIST IR 8286, Integrating Cybersecurity and Enterprise Risk Management (open for public comment through April 14, 2025) https://lnkd.in/eNM59FZX ◾NIST IR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (open for public comment through April 14, 2025) https://lnkd.in/e4A-X96J ◾NIST IR 8286B, Prioritizing Cybersecurity Risk for Enterprise Risk Management https://lnkd.in/e8exv7Jm ◾NIST IR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight (open for public comment through April 14, 2025) https://lnkd.in/ecTdQrke ◾NIST IR 8286D, Using Business Impact Analysis to Inform Risk Prioritization and Response https://lnkd.in/e2Hw894C Stay connected to Anuj Arora for content related to Cybersecurity.   #LinkedIn #Cybersecurity #Cloudsecurity #AWS #GoogleCloud #Trends #informationprotection #Cyberthreats #CEH #ethicalhacker #hacking #cloudsecurity #productmanagement #cybersecurity #appsec #devsecops #Cloudstrategy #cloudgovernance #ITIL #Azure #Datasecurity                                                                  

1

Quote from Article: Policy-as-Code is not merely a temporary trend but a fundamental shift in how organizations approach GRC. Soon, federal contracts may require delivery of not only human-readable SSPs but also machine-verifiable compliance packages. Audits may involve running scripts instead of reviewing PDFs. And AI-powered governance engines will cross-check deployments against codified policies in real time. #GRC #Federal #infosec

2

CISA just released updated guidance for its Software Bill of Materials (SBOM) Minimum Elements, and they're looking for public comment! ✍️ This is a great opportunity to help shape the future of cybersecurity. An SBOM is a critical tool for identifying vulnerabilities and managing risks in software. Key Details: What: Updated guidance on SBOM Minimum Elements. Why: To reflect advancements in tooling and implementation since 2021. What's new: Refined data fields, automation support, and operational practices. How to contribute: Provide your feedback via the Federal Register or CISA's anonymous survey by October 3, 2025. https://lnkd.in/d58ts98t Sharing your expertise can help make SBOMs more scalable, interoperable, and comprehensive for everyone. Let's contribute to a more secure digital world! 🌎 #cybersecurity #CISA #SBOM #infosec #riskmanagement

1

"The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances. The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners. "Although Mimo's primary motivation remains financial, through cryptocurrency mining and bandwidth monetization, the sophistication of their recent operations suggests potential preparation for more lucrative criminal activities," Datadog Security Labs said in a report published this week. Mimo's exploitation of CVE-2025-32432, a critical security flaw in Craft CMS, for cryptojacking and proxyjacking was documented by Sekoia in May 2025." https://lnkd.in/d-j33inX

1

Do you truly know the meaning behind the data your team is collecting? Guardians of the Data’s guest this week is Derek Fisher, Director of the Cybersecurity Defense and Information Assurance Program at Temple University. Together, Derek and Ward Balcerzak, CISSP covered: - Why the ‘why’ behind the data is important  - How every piece of data you collect increases your attack surface (and why you should only collect what you need) - The importance of always thinking like an attacker to stay ahead of the game - How showing your relevant work will help you stand out in the cybersecurity community 🔗 Catch the full episode now with the links in the comments!

24

2 Comments

NJ's first student run SOC is paving the way for other colleges and universities to follow, thanks to a partnership between Splunk, TekStream Solutions and New Jersey Institute of Technology. #cybersecurity #computerscience https://lnkd.in/egj585HU

44

MITRE ATT&CK v18 lands today with a groundbreaking update to ATT&CK's threat detection taxonomy. This restructuring—announced during ATT&CKcon by MITRE ATT&CK defense lead Lex Crumpton—will help cybersecurity teams better connect the dots across adversary behaviors, enabling more effective and informed defenses. Read more on Inside Cybersecurity: http://spklr.io/6047BzpN3 #ATTACKcon #Cybersecurity #ThreatInformedDefense #MITREattack

328

6 Comments

In my professional opinion every school district in #NYS should be submitting an application to strengthen their security posture. The distribution of Multi-Factor Authentication (MFA) tokens should be prioritized to key stakeholders who manage critical access and sensitive data. This includes the IT department, business office personnel, application administrators, individuals in roles handling significant amounts of Personally Identifiable Information (PII), Protected Health Information (PHI), and Nonpublic Personal Information (NPI), as well as all administrators across the district. Implementing MFA across these groups will significantly strengthen the district’s overall security defenses and protect sensitive information. Key information from the article links below: 1. New York State is releasing $13.9 million in combined FY2022 and FY2023 federal grant funding under the State and Local Cybersecurity Grant Program (SLCGP) to procure Multi-Factor Authentication (MFA) tokens for eligible local public entities, including governments and schools, to reduce cyber risk and improve resiliency statewide. 2. The State’s Office of Information Technology Services will manage the direct procurement, distribution, training, and support for the MFA tokens to ensure effective implementation across local governments and public sector organizations. 3. Educational institutions are now eligible for these grants, reflecting an acknowledgment of the growing digitalization of schools and their rising exposure to cyber threats, emphasizing the need to protect sensitive student and staff data. Sources: https://lnkd.in/etBRsdvd https://lnkd.in/e5jCPKff #NYS #publiceducation #NYschools #cybersecurity #MFA

5

1 Comment

Everyone is waiting for D.C. Washingtonto start issuing rules and regulations around AI. But the truth is that existing federal law already applies to AI, and many companies miss this shift. ❌ D.C. is not waiting for one mega AI statute. Federal pressure is showing up through enforcement, procurement, and copyright rules. Below are 3 federal legal insights every AI company should understand: 1️⃣ If you market AI capabilities, “trust us” is not a compliance strategy and the FTC may come knocking: 🔹 The FTC has already brought cases over unsupported AI performance claims. In the Workado matter, the agency alleged the company lacked evidence for claims that its AI detector was 98% accurate. That is the practical rule for operators: 🔺 If you say your AI is "accurate", "secure", or "enterprise-ready", you need evidence. 2️⃣ High-stakes AI decisions still trigger old laws: 🔹 Federal agencies have made it clear that existing laws apply when AI is used in employment, lending, housing, and other consequential decisions. DOJ, EEOC, CFPB, and FTC jointly warned in (way back in) 2023 that automated systems can violate laws that those agencies enforce. DOJ and EEOC have also specifically warned that AI hiring tools can create disability-discrimination risk, and CFPB has said lenders using complex algorithms still must provide specific reasons for adverse actions. 🔺 If your product touches one of these consequential decisions, your “fairness + explainability + documentation” story matters now, not later. 3️⃣ Federal copyright risk is no longer academic for AI companies. 🔹 The U.S. Copyright Office’s 2025 AI reports reiterate that purely AI-generated material is not copyrightable, and the Office has continued examining the legal implications of using copyrighted works in AI training. That means ownership, registrability, licensing, and training-data provenance are now real diligence questions for AI builders and buyers. 🔺 If a customer asks who owns the output, what trained the model, or what rights support the dataset, you need a real answer. ‼️ So what is the takeaway? ✳️ For AI companies, the federal trend is clear: The market is moving from “we use AI” to “show us how it works, what supports your claims, and what rights you have.” ⁉️ So, if asked tomorrow, “Can you substantiate your AI claims, explain your risk controls, and defend your data and output rights?” could you answer? If you want a quick read on how federal AI trends could affect your business, comment “FED AI” or reach out. And follow Aletheia Advising for practical legal guidance on AI, privacy, and commercial contracting. #AI #GenerativeAI #AICompliance #AIGovernance #FTC #Copyright #DataPrivacy #LegalOps #Founders #Startups #RiskManagement

1