Martin Voelk

New GSA CUI rules caught you off guard? You’re not alone. With almost no announcement, GSA quietly updated its IT security procedural guide in January, rolling out new requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems. Any contractor handling CUI for GSA will be expected to follow this guide. Here’s the issue: cyber policy experts and industry advocates are already flagging key differences between these GSA requirements and DoD’s CMMC. For contractors working with both agencies, that misalignment could mean added complexity, cost, and compliance risk. If you’re a government or defense contractor, now is the time to: - Review how GSA’s CUI expectations differ from your current CMMC/NIST 800-171 posture - Identify gaps across policies, controls, and documentation - Plan for a unified compliance strategy that won’t slow down contract opportunities Need help assessing where you stand and how to streamline overlapping requirements? Idenhaus can support you with targeted cybersecurity and compliance assessments tailored for federal contractors. https://hubs.ly/Q046DgsK0

2

Audits and forensics aren’t witch-hunts to “name the hacker.” They’re how you stop the next breach. A good audit/forensic review will: Expose misconfigurations and control gaps Surface broken processes (people • tech • vendors) Produce a clear timeline to improve response Provide evidence for insurance claims and regulators Demonstrate senior management intent and due diligence One breach costs more—in money, trust, and time—than doing the work properly up front. At Tylers, we turn incidents into hardening plans: fixes, owners, deadlines. Not blame—better security. #CyberSecurity #DigitalTrust #Forensics #Audit #IncidentResponse #Tylers

17

2 Comments

Things Texas Takes Seriously: 1. Cowboy Hats 🤠 2. Not messing with it 🗑 3. Cybersecurity 🔒 Texas’s very own TX-RAMP Certification is becoming increasingly in-demand. Why? Well, Texas has done a few things right to make the cert stick: 1️⃣ It created an achievable standard based on the NIST SP 800-53 framework and provided clear use-cases. 2️⃣ It significantly reduced the audit burden on private companies. The Texas Department of Information Resources performs the certifying assessment – NOT an auditor. 3️⃣ It passed legislation requiring all vendors providing cloud-based services to Texas state agencies and higher education institutions to become TX-RAMP certified. It turns out that, when required by law to get certified or risk losing a big customer, vendors tend to get certified! We have helped a number of customers with TX-RAMP. But, we regularly get smaller companies asking us for help. We can't economically service them. Well, we couldn't... until now! We are announcing TX-RAMP Champ. TX-RAMP Champ allows small companies to get TX-RAMP certified with half the effort. We provide the templates needed, video to explain how to use the templates and access to our experts to help. Rob, that sounds amazing but I want to try it out without having to pay. Imaginary person, that's why we have a 45-day trial option to try out the tool. You can sign up from this link: https://lnkd.in/eFgAQfkx Don't want to sign up? We have a bunch of free resources for learning about TX-RAMP on our TX-RAMP Champ page. Of course, you could sign up for our TX-RAMP Complete and get all of the TX-RAMP resources including: - TX-RAMP Security Plan Workbook with Sample Answers for all Controls - Complete TX-RAMP Documentation Template Library - Complete Training Video Library - Access to one-on-one chats with U.S.-based TX-RAMP efforts - 2 live session reviews of TX-RAMP deliverables What do you think about a solution for helping with TX-RAMP? Do you know someone who is struggling with TX-RAMP and would like a speed boost? Tag them, please!!!

31

19 Comments

CISA is sounding the alarm over a critical vulnerability in GeoServer that is being actively exploited in the wild, ordering federal agencies to patch immediately. The flaw, tracked as CVE-2025-58360, is an unauthenticated XML External Entity (XXE) vulnerability affecting GeoServer versions 2.26.1 and earlier. When exploited, the bug lets attackers retrieve arbitrary files from vulnerable servers, allowing data theft, denial-of-service attacks, or server-side request forgery (SSRF) that can expose internal systems. GeoServer, an open-source platform for publishing and sharing geospatial data, is widely used across civilian, scientific, and defense-linked federal environments. “GeoServer is widely used across federal agencies that manage land, water, and geoscience data,” said Louis Eichenbaum, federal CTO of ColorTokens, noting that it often runs alongside ArcGIS and remains connected back to enterprise GIS systems, even in otherwise segmented or air-gapped deployments. CISA added CVE-2025-58360 to its Known Exploited Vulnerabilities (KEV) catalog this week, citing active exploitation. Advisories from Wiz and the Canadian Centre for Cyber Security indicate that exploit code has circulated since late November, giving attackers a head start before coordinated patching could happen. https://lnkd.in/gRqEs5Dg

7

This new tool called Villager is changing the game. The dev work has been attributed to Chinese devs(Cyberspike) via a firm called Changchun Anshnyuan Technology Co., Ltd. But appears to be a coverup. Word is, it's a suite of tools now api connected via their FastApi interface. We are at another pivotal point in Offensive and Defensive evolution. Those fixed TTPS you look for in the Mitre Att&CK and include-other-frameworks-here are getting a shakeup. The timing of your thermostat iOT device getting hacked along with the unsolicited delivery of a package could all have been perfectly orchestrated. This new tool is widespread and available as part of the official Python Package Index. Multipronged attacks no longer require the same length of time to craft. This tool has browser automation and direct code execution through pyeval() and some os level command execution.

4

This recent WhatsApp issue is a useful case study because it demonstrates what unsophisticated attacks actually look like in practice. No exploit development, no heavy reverse engineering, just persistent querying of an endpoint that never said no combined with a platform team that never noticed.

34

2 Comments

Good morning! Here is this week's ICS Advisory, Other CERT, & Vendor Vulnerability Advisories Weekly Summary for 10 – 14 November 2025. Attached are the slides for this week's ICS Advisories summary. Link to Weekly Summary Slides: https://lnkd.in/eJnSKMF2 This past week, CISA released 17 new CISA ICS Advisories for the following vendors: Mitsubishi Electric, AVEVA, Brightpick AI, Rockwell Automation, General Industrial Controls, and Siemens. One updated CISA ICS Advisory was released for Festo. Based on the new CISA advisories, Critical Manufacturing, Commercial Facilities, Energy, Transportation Systems, Chemical, and Healthcare and Public Health are the potentially affected critical infrastructure (CI) sectors. The ICS Advisory Project identified 9 new and 4 updates ICS Advisories for Eaton [Power management software], Philips [Patient monitoring Software, Cardiology Information System (CVIS)], Sony Network Communications Inc. [Cellular and WLAN Model for AI home gateway routers or IoT gateway devices], Rockwell Automation [Simulation Software for Modeling & Analyzing], Crestron [Audio, Video, Environmental Controls], Jumo [Programmable Logic Controller (PLC) / Process Controller], Schneider Electric [HMI and SCADA] and Schneider Electric [HMI, PLC, and Multiple Other Products]. For a more comprehensive understanding, you can view the summary details of other CERT & Vendor product advisories identified last week (10 – 14 November 2025) and read the vendor advisory using the links provided at: https://lnkd.in/eMQ86J4F This past week, CISA added Five new Known Exploited Vulnerability (KEV) Catalog. None correlated to CISA ICS Advisories or other CERT and Vendor ICS Advisories this past week. Visit the ICS[AP] CISA KEV Catalog Dashboards: https://lnkd.in/emzXBbBw This past week, Siemens released 24 Security advisories (8 new and 17 updated), each with a corresponding CISA ICS Advisory. View previous ICS Advisory Project weekly summaries: https://lnkd.in/eQKxhAEi To view the updated ICS Advisory Project Dashboards, visit: icsadvisoryproject.com. Sign up to receive ICS[AP] Weekly Summary Slides and Other CERT and Vendor Advisory Summaries via email every Monday https://lnkd.in/eUwQrrj4           I appreciate everyone's comments & support. Have a great week! #CISA #ot #ics #otsecurity #icssecurity  #cybersecurity #cybersecuritythreats #industrialautomation #IoT #buildingautomation #healthcare #publichealth #manufacturing #chemical #energy #food #agriculture #oilandgas #renewables #transportationsystems #waterandwastewater Disclaimer: The views expressed in my LinkedIn posts and profiles are my own, not those of my employers or LinkedIn.

32

DFARS 7012 requires contractors to implement NIST SP 800-171 to protect Covered Defense Information (CDI). DFARS 7019/7020 requires contractors to perform a basic assurance self-assessment and submit a score to SPRS that is within 3 years of contract award. DFARS 7021 specifies the CMMC level required to be awarded a DoD contract. CMMC levels require either self-assessment or third-party assessment. When making the determination of the level required for a contract, there is a memo that outlines the process that must be followed by the DoD program manager to obtain a waiver to "CMMC assessment requirements" for that contract. "Program Managers and requiring activities should identify information security requirements for the types of information most likely to be associated with the planned contract effort. When market research indicates that including a CMMC assessment requirement may impede ability to generate robust competition or delay delivery of mission critical capabilities, the SAE, CAE, or DAE may approve requests to waive inclusion of CMMC assessment requirements. SAEs and CAEs must carefully weigh the risk of potential loss of CUI associated with mission critical capabilities before granting a waiver." Level 1 - "There are no circumstances likely to warrant approval of requests to waive CMMC Level 1 requirements." Level 2 - "In rare circumstances. such as when seeking competition from non-traditional DoD sources. waivers may be warranted for CMMC Level 2 third-party assessment requirements. Such waivers are not appropriate for contracts requiring performance by a cleared defense contractor. Approved waivers on a class basis must include a planned expiration date and guidance for requiring CMMC certification in subsequent solicitations." Level 3 - "In rare circumstances, waivers may be warranted for CMMC Level 3 third-party assessment requirements: such waivers, however, are not appropriate for contracts or work statements requiring access to both unclassified and classified DoD information." Full memo on the process found here, starting on page 6: https://lnkd.in/eeBCW53n #cmmc #dib #dfars

58

12 Comments