Saturday, January 04, 2025

What do you think will be the most important predictions for 2025?


Here’s what I think. My top three.

Artificial intelligence


In the world of cyber defense, AI in defense is clumsily integrated (today) and fraught with false positives, but today is just the beginning. In both attack and defense, the integration and usefulness of AI will get SO much better in 2025: transformative, a disrupter. There will be a gap between attack and defense. There always is. Attackers have already taken the early lead in adoption: deepfakes and dead-accurate social engineering. BEC scams dwarf ransomware attacks. Why? How? AI-generated social engineering is used to convince someone to send them a check. Capabilities in attack and defense will level out, likely not in 2025 but soon after.


What’s coming next? Here's some speculation. Remember Bees with Machine Guns? Bees with Machine Guns uses numerous micro EC2 instances (the bees) to load test web applications. Think about hundreds of AI-driven, self-learning micro EC2 instances attacking an entire infrastructure at the same time. Think cyber swarms using AI to guide multi-vector, high-volume attacks: not just DDoS, but high-speed, overwhelming attacks. Defenses are going to need to keep up. The volley of attack and defense will be carried out at speeds no human could imagine, analyze, and correlate. Long gone are the days of dumping packet captures and running through them manually. 2025 will be a significant year for AI.


Next, AI-driven Information Warfare (an old term, but still accurate) against the masses is coming. “I read it on the Internet, it must be right, right?” How many times has each of us said this?! Think about that! LLMs are trained by feeding them data from the Internet. Could the output of an LLM be shaped by feeding it volumes of data?

Have you noticed any of the LLMs giving you answers containing slanted product information? I asked Gemini (I love Gemini!) about correlating cyber security data. It gives me Microsoft Azure as an answer. I had to tell Gemini to answer but without Azure!


I can’t wait to see how AI shapes marketing and news. I refuse to hire analysts who use only AI (and we’ve had a few). Keep thinking independently.


What about Quantum computing? 


There’s been speculation about quantum computing for years. 2025 will be the year that we see risks to existing encryption methods. Interestingly enough, we’ve seen (heard) vendors hawking “quantum-resistant cryptography” based on NIST standards. [1]


Many companies (around the world) are busy developing and offering quantum computing, with various levels of access: IBM, Google, Microsoft, Intel, Amazon, plus IonQ and, in China, Origin Wukong.


Much of this is still marketeer noise. NIST says they believe quantum computers will break encryption within the next decade. Me? We’re more than inching toward it; we’re marching, and the footsteps are growing louder.


Ransomware attacks 


Ransomware is by far the biggest threat in cyber today. It will continue to be a major threat, evolving with new techniques and becoming more disruptive as it incorporates AI and automation, making attacks more sophisticated and harder to detect. This is a no-brainer. LockBit 4 is coming out in the spring (February? March?), and others are standing in line directly behind them.


Ransomware operators will take advantage of AI. It’s cheap and easy to use. Ransomware operators building AI into their operations is a no-brainer. A stop sign could have predicted that. But what about quantum? When quantum is as cheap to use as AI, expect it. My guess? We’re going to measure intent by monitoring bad guys hoarding encrypted data. When we see that, we’ll know they likely intend to use quantum computing to break the encryption on previously protected data and ransom the owners. I don’t expect this in 2025, but it will come.


2025 is going to be awesome. The tech is changing so fast (again). I can't wait to see how this unfolds!


[1] https://www.federalregister.gov/documents/2024/08/14/2024-17956/announcing-issuance-of-federal-information-processing-standards-fips-fips-203-module-lattice-based

Thursday, December 19, 2024

An introduction to CMMC for the small and medium-size contractor (CORRECTED COPY)

I was published this morning in the NH Business Review regarding CMMC for small- and medium-sized defense contractors. Within minutes of its publication, I received LinkedIn feedback that some of my facts were mixed up. Upon further review (and a telephone conversation), he was right. And I figured if this confuses me, I can't even imagine what others must be thinking. The contractor base has been listening to the cacophony of marketing and communications for years, inundated with LinkedIn messaging by many who've never been more than editors and/or self-promoted pundits.

So let's put CMMC aside for a moment. Here's the bottom line: This is directly from the source.

SPRS is required today… 15 controls for FCI and 110 (NIST 800-171) for DoD contracts.

  • ANY contractor, not just defense contractors, who handles FCI “requires compliance with 15 security requirements” in NIST 800-171.
  • Defense contracts have a special bonus. They need to meet 110 security requirements specified in NIST SP 800-171.

This, according to the Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations (shown below).


So what about CMMC? CMMC was described to me today, by a Cyber AB board member, as a two-step process. The first just happened. On 12/16 CMMC was announced as final in the Federal Register. The next announcement (which hasn't happened yet) will spell out timelines. This is expected sometime in 2025.


Federal contracts (including defense contracts) involving the transfer of FCI to a non-Government organization follow the requirements specified in 48 CFR 52.204-21 (Federal Acquisition Regulation (FAR) clause 52.204-21), Basic Safeguarding of Covered Contractor Information Systems. FAR clause 52.204-21 requires compliance with 15 security requirements, FAR clause 52.204-21 (b)(1), items (i) through (xv). These requirements are the minimum necessary for any entity wishing to receive FCI from the US Government.

Defense contracts involving the development or transfer of CUI to a non-Government organization require applicable requirements of DFARS clause 252.204-7012. This clause requires defense contractors to provide adequate security on all covered contractor information systems by implementing the 110 security requirements specified in NIST SP 800-171.


"To comply with DFARS clause 252.204-7012, contractors are required to develop a SSP[15] detailing the policies and procedures their organization has in place to comply with NIST SP 800-171. The SSP serves as a foundational document for the required NIST SP 800-171 self-assessment. To comply with 48 CFR 252.204-7019 (DFARS provision 252.204-7019) and DFARS clause 252.204-7020, self-assessment scores must be submitted.[16] The highest score is 110, meaning all 110 NIST SP 800-171 security requirements have been fully implemented. If a contractor's Supplier Performance Risk System (SPRS) score is less than 110, indicating security gaps exist, then the contractor must create a plan of action[17] identifying security tasks that still need to be accomplished. In essence, an SSP describes the cybersecurity plan the contractor has in place to protect CUI. The SSP needs to address each NIST SP 800-171 security requirement and explain how the requirement is implemented. This can be through policy, technology, or a combination of both."


BREAK BREAK: What's the difference between FCI and CUI? Click here to find out. That's another blog.


This is all very confusing. SPRS and the use of NIST 800-171 are very real. CMMC audits are coming, but for now, SPRS is required by FAR.


Need help? Reach out... staysafeonline@trustedinternet.io.
Sunday, October 27, 2024

A Stutzman Rant on Marketeer FUD Messaging and a Lack of Contracting Specificity on CMMC Requirements

Someone just sent me an article about the new CMMC 2.0 regulations and another article about the basics of conducting an audit and figuring out where your data is. They're talking about privacy information and CMMC. The article was less than a page long. It was horribly light and very generic.

CMMC is going to become law on December 16th. The time for review and discussion is over. It's time for marketeers to turn off the fear, uncertainty, and doubt marketing tactics and start being helpful. Like it or not, it's time to line up and make our contractor community cyber-safe. I'm growing tired of watching publishers, pundits, and influencers (and wanna-be influencers), many of whom have never been operational security practitioners, architects, or incident responders, repeatedly trying to sell you things through fear, uncertainty, and doubt in CMMC marketing. It's making me a little crazy.


I've talked to dozens and dozens of companies about CMMC. Here's what I know:


  • No CEO doubts that cyber requirements are a good thing. Most just don't know where to start.
  • The idea that they would have to swallow the entire cost of 110 controls to go straight to level 2 is daunting. They're looking at easily $100,000 plus audits for even some of the smallest companies.


So there's an opportunity to go to Level 1 now and then Level 2 later, as long as the contracting officers don't screw this up. The one consistent comment I've received in nearly every conversation? This worries me: Government contracting officers have yet to learn what CUI is. This was the concern in 2009 when we started having these conversations across the tables in big conference rooms: What exactly is CUI? There is a list: https://www.archives.gov/cui/registry/category-list. It's pretty generic. There's a boatload of room for interpretation, and it's easy to see why a CO might not want to try to label something CUI. It's much easier to simply overclassify.


This list can't be genericized. Not every contract requires CMMC Level 2 or a perfect SPRS score.  

If the COs do start blanket-requiring everything to be CMMC Level 2 (and I'm hearing that it is becoming normal to do so) because contracting officers have little or no training on what's required for Level 1 versus Level 2, you're going to drive a lot of small businesses out of work.


My recommendation for any defense contractor is, and will continue to be:


  • Get level 1,
  • Go to level 2 when required,
  • Be able to show your work.


Don't cheat. Don't cut corners. DOJ will get you. They're making it advantageous for whistleblowers to let them know that you've got a problem, and real cash prizes are involved.


If you need help, contact us. We've been working in this space. My leadership team consists of serial senior chief information security officers. We know how to write policies and procedures. We've been tracking on CMMC for a long time, and we can make this much easier for you. Better yet, we can just tell you how to get started. 


Drop us a note. staysafeonline@trustedinternet.io

https://trustedinternet.io/compliance


Monday, October 21, 2024

CMMC: Level 1 May be a Game Changer!

What is CUI? From the horse's mouth...

When the Fed trade rags start publishing on CMMC showing up in the Federal Register, you know it's time. Today, it showed up on the Federal News Network.

Defense contractors everywhere are being hacked. Cyber espionage is very real and has been for long enough for foreign adversaries to steal nearly every piece of US (and other) military tech that will come to life in the next 20 years.

Alliances have formed, and espionage actors are targeting defense everywhere. Heck, I can even buy games today with accurate controls and flight patterns. 

Here's the deal: CMMC is now offering three levels of certification instead of that all-or-nothing 110 SPRS score for Level 2. And let me tell you, this is big news for many of you out there.

The FCI and CUI handling requirements under CMMC seem strict, but they're better than they may seem. The graphic above shows what CUI is and isn't. FCI is a bit more broad, and this is from the horse's mouth (blogs.archives.gov). It's still confusing to me, but the bottom line is, if you don't handle CUI, you may still have to comply with FCI requirements, which are significantly lighter than those for CUI. Think CMMC Level 1.

And CMMC Level 1 is a Game-Changer

Unless the government screws this up (by calling everything CUI, which they may very well do), it could be a real lifesaver for many of you.

Here's why:

  1. Level 1 is all about the basics. It's like cyber kindergarten - you learn to wash your hands before you start performing surgery, if you catch my drift.
  2. Self-Assessment: You can assess yourself for Level 1. That's right; there is no need to call the cavalry for this. It's like grading your own homework, but don't get any crazy ideas—it needs to be done annually and be right. And Uncle Sam's still watching and making it potentially profitable for whistleblowers to turn you in for gun-decking your self-assessment.
  3. 17 Controls: Instead of that intimidating perfect 110 SPRS score, Level 1 only requires you to implement 17 controls. It's like going from a marathon to a 5K - still a challenge, but a lot more manageable.

"Jeff, why should I care?" 

Let me break it down for you:

  1. Easier Entry: This lower level means more businesses can get their foot in the DoD contract door. It's like they've lowered the height requirement for the cyber rollercoaster.
  2. Focus on Basics: Starting with Level 1, you build a solid foundation. It's like learning to walk before you run. In fact, much of the basic cyber blocking and tackling comes in at Level 1! 
  3. Scalability: As you grow and handle more sensitive info, you can move up to Level 2 or 3. It's a cybersecurity growth plan, folks.

Remember, with cybersecurity, something is always better than nothing. Level 1 might seem basic, but it's significantly better than leaving your digital door open with a "Hackers Welcome" mat.

So, to all you contractors out there, especially the smaller fish in this big DoD pond, take a good hard look at CMMC Level 1. It might just be your ticket to the big leagues without breaking the bank or your sanity.

Alright, folks, let's talk about CMMC. It's not just some fancy acronym anymore - it's the law. That's right, CMMC has hit the federal register, bringing some changes that'll make you sit up and take notice.

Here's the big news: Not all defense contractors must submit a perfect 110 SPRS score!

And now, you might not have to. 

Need more information? Contact Trusted Internet for a 30 minute consult with one of our CISOs. 

https://www.trustedinternet.io/contact.