FedRAMP | Penetration Testing | Red Team Assessments
By:
Clint Mueller
September 29th, 2025
Since the beginning of 2024, FedRAMP Revision 5 has mandated that organizations not only perform traditional penetration tests, but also undergo comprehensive red team engagements. This new requirement reflects a broader emphasis on assessing not just technical vulnerabilities, but also the effectiveness of an organization’s overall security posture, including its response to sophisticated and realistic threats. Over the past year, we’ve conducted many red team exercises, each tailored to different organizational environments and threat landscapes. These engagements have varied significantly in scope and complexity, offering us a wealth of insights into both our successes and the challenges we’ve faced.
Artificial Intelligence | ISO 42001
By:
Danny Manimbo
September 29th, 2025
As artificial intelligence becomes ever more widely embedded in critical business decisions, strategies, and processes, it faces growing scrutiny from regulators, customers, and the public. While AI offers unprecedented opportunities for operational enhancements and innovation, it also introduces new risks.
Artificial Intelligence | ISO 42001
By:
Schellman
September 25th, 2025
Colorado is leading the charge of U.S. AI policy with the Consumer Protections for Artificial Intelligence (SB24-205) law. This law, commonly referred to as the Colorado AI Act (CO AI Act), is the first enacted comprehensive state law regulating high-risk AI systems. Signed in May 2024, it sets a precedent for balancing innovation with consumer protection through requirements on transparency, accountability, and fairness.
By:
Sully Perella
September 23rd, 2025
Though servers have been the norm among organizations since the inception of the computer, there has been a slow transition through different architectures since then. Going serverless has been the latest trend within the last decade, but many still have plenty of questions about this potential option.
Healthcare Assessments | HDS Certification
By:
Robert Tylka
September 22nd, 2025
Effective May 16, 2024, Version 2 of the Health Data Host (HDS) Referential went into force with a two-year transition period. This means that if you are currently HDS certified, you’ll have to transition to the new version before May 16, 2026. This transition brings many positive changes, including a clarification of the applicable hosting activities, removal of the distinction between physical hosting and IT managed services providers, removal of references to controls within the ISO 20000-1 and ISO 27018 standards, a requirement for data localization within the European Economic Area (EEA), and more. However, we have noticed particular challenges that companies pursuing HDS certification tend to struggle with. In this article, we’ll break down those trends faced by organizations within the new HDS framework so that you can focus on the areas that may take more time for implementation or remediation in your own compliance journey.
By:
Josh Tomkiel
September 17th, 2025
TL;DR Schellman’s core value of "quality above all" means understanding your business and comprehending why you need any given compliance service. In the case of penetration tests, it's not just about counting how many vulnerabilities we find. Good pen testing gives you risk ratings that fit your actual setup, shows we understand your specific business and technology, keeps communication clear throughout the project, and provides advice you can actually use. We focus on being your security partner and helping you understand real business risk instead of just checking compliance boxes.
By:
Sully Perella
September 16th, 2025
The S&P study on Generative AI asserts that, “The percentage of companies abandoning the majority of their AI initiatives before they reach production has surged from 17% to 42% year over year, with organizations on average reporting that 46% of projects are scrapped between proof of concept and broad adoption.”
By:
Ryan Mackie
September 15th, 2025
The EU Cyber Resilience Act (CRA) sets a new regulatory benchmark for product cybersecurity, impacting manufacturers, importers, and distributors worldwide. In this article, we’ll explain the Act’s scope, key requirements, and timeline to help your organization understand what’s changing and how to prepare with a readiness assessment.