The Schellman Blog

TAMPA, Fla. – October 28, 2025 – Schellman, a leading provider of attestation and compliance services and a top 50 CPA firm, is proud to announce the appointment of Abhi S. Visuvasam as its new Chief Technology Officer. Visuvasam brings over three decades of experience leading enterprise architecture, software engineering, data engineering, platform modernization, and AI/ML initiatives for Fortune 500 companies and high-growth SaaS firms.

Many suppliers working with Microsoft are now required to complete the Microsoft Supplier Data Protection Requirements (MSDPR) Independent Assessment each year to maintain Supplier Security and Privacy Assurance (SSPA) compliance. In practice, we continue to see organizations misinformed about what’s actually required, which often leads to unnecessary costs, re-tests, or delays.

People interact with Artificial Intelligence (AI) in many ways, but most commonly through written prompts, which is the method that's also the most familiar avenue for basic prompt-hacking techniques. However, the real concern for organizations lies beyond these simple exploits, with sophisticated attacks targeting enterprise AI systems. In this article, we'll explain how an attacker can weaponize AI assistants to extract proprietary data, manipulate decision-making, and even infiltrate corporate networks.

FedRAMP 20x is progressing quickly, with phase 2 just around the corner. Designed to modernize and streamline the authorization process, FedRAMP 20x is reshaping how cloud service providers (CSPs) achieve and maintain authorization to operate (ATO) in the federal marketplace.

The California Consumer Privacy Act (CCPA) is reminiscent of Michael Meyers, Freddie Krueger, or Ghostface in that no matter how many times you think its presence is done, it keeps coming back with more. While privacy professionals have been tracking the slow rulemaking process for some time, the newly approved regulations may have startled others, fittingly just in time for spooky season.

As organizations continue to transition to PCI DSS v.4.x, they encounter updated requirements for authentication, especially considering the emerging phishing-resistant technologies like passkeys. To help clarify these changes, the PCI Security Standards Council has released two key FAQs: FAQ 1595 and FAQ 1596, offering valuable insights into the use of passkeys, FIDO2-based authentication, and their alignment with multi-factor authentication (MFA) and phishing-resistant protocols.

If you thought developing and implementing your AI system was a challenge, just wait until you attempt to ensure your AI system complies with conflicting international laws simultaneously.

Since the beginning of 2024, FedRAMP Revision 5 has mandated that organizations not only perform traditional penetration tests, but also undergo comprehensive red team engagements. This new requirement reflects a broader emphasis on assessing not just technical vulnerabilities, but also the effectiveness of an organization’s overall security posture, including it’s response to sophisticated and realistic threats. Over the past year, we’ve conducted many red team exercises, each tailored to different organizational environments and threat landscapes. These engagements have varied significantly in scope and complexity, offering us a wealth of insights into both our successes and the challenges we’ve faced.