A PubKGroup Product
PubKCyber is the go-to source for the most critical regulatory, policy, and oversight developments related to federal cybersecurity. Our coverage includes federal cyber regulations and policy, local and state activity, international law and agreements, federal regulatory body activity, congressional and agency oversight, and industry standards, as well as legal actions and court decisions related to cybersecurity, privacy, and fallout from security breaches.
Ability to subscribe and post job announcements and advertisements online
A daily email summarizing the day’s top cyber developments relevant to contractors
PubK Event Board
A weekly community calendar emailed to your inbox
Coming in 2017:
A bimonthly update collecting critical developments, with added insight and context, and links to important resources
Senator Marco Rubio (R-FL), chair of the Committee on Small Business and Entrepreneurship, has introduced two pieces of legislation intended to help protect America’s small businesses from cyber crime:
- The SBA Cyber Awareness Act – Cosponsored by committee ranking member Ben Cardin (D-MD), this bill would require the Small Business Administration to develop a cyber strategy, examine its IT system components’ country of origin, and report on breaches and threats to the Small Business Committees.
- The Small Business Cyber Training Act – Cosponsored by Jeanne Shaheen (D-NH), this bill would create a training program for Small Business Development Centers to prepare counselors in cyber planning assistance. Specifically, the bill would require SBDCs to have employees certified in cyber strategy counseling for small businesses.
The Federal Trade Commission has requested comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act. Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.
It is also proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders,” who “charge a fee to connect consumers who are looking for a loan to a lender.” And it is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.
Frank Ready writes that businesses are turning to their legal counsel for help figuring out what – if anything – they need to do to prepare for the California Consumer Protection Act before it goes into effect in January, but that task is complicated by ambiguities in the law itself.
The law is not yet set in stone. It was passed rather quickly, leaving many details to be worked out between enactment and enforcement. It has already been amended several times since then, and is likely to undergo more changes in the coming months.
Many businesses – including their in-house counsel – are unfamiliar with the law, and the scope of its application. Despite being a state law, it potentially applies to any company that does business with California residents.
The law introduces some ideas that are found in the EU’s GDPR but are new to the U.S., such as the “right to be forgotten”. Businesses will need to develop new procedures for deleting customer data upon request. The preparations that many businesses made for the GDPR will help, but won’t be enough for CCPA compliance.
DCMA’s Cybersecurity Oversight Takes Shape: Revised CPSR Guidebook Outlines DFARS Safeguarding Clause Audit Standards
The Defense Contract Management Agency has revised its Contractor Purchasing System Review Guidebook to incorporate new standards its auditors will use to assess contractor supply chain management under DFARS.
Contractors are now required to “validate” that their subcontractors have information systems “that can receive and protect” Covered Defense Information and to “determine” whether subcontractor systems are “acceptable.” Contractors must also demonstrate:
- How CDI is properly marked and securely transferred to subcontractors;
- How they manage and document subcontractor notifications regarding requests to vary from the NIST requirements and the submission of cyber incident reports.
These requirements only apply where the subcontractor will be utilized for operationally critical support or performing duties that involve CDI.
The program hasn’t begun yet, but agencies are already interested in hiring the first graduates of the federal Cyber Reskilling Academy and are asking how many they can have, according to federal CIO Suzette Kent. The program was announced in November to provide a crash course in cyber skills for people who already work for the federal government.
Of 1,500 initial applicants, the 25 who are chosen could serve in cyber defense roles within agencies, an area where the government has a large number of unfilled openings it is eager to fill.
Kent said the preliminary application and assessment results are promising. Applicants will be selected in April and training will last through mid-July.