By: Schellman
November 20th, 2023
With the introduction of the Cybersecurity Maturity Model Certification (CMMC) program, contractors working with the U.S. Department of Defense (DoD) will be required to meet a certain level of cybersecurity maturity ensuring the protection of the involved sensitive information and data, specifically controlled unclassified information (CUI) and federal contract information (FCI).
By: Danny Manimbo
November 16th, 2023
Having now grown into one of the world’s leading international security standards, ISO 27001 lays out the required criteria for taking a holistic approach to information security through the implementation and ongoing maintenance of an information security management system (ISMS).
By: Schellman
November 15th, 2023
With over two decades of HIPAA history behind us, more than a decade of mandatory compliance and federal compliance enforcement, and a shortage of resources to help hospitals achieve compliance, the healthcare industry is still plagued by non-compliance issues every year—particularly regarding risk and access management.
By: Scott Zelko
November 14th, 2023
When considering cybersecurity, many may first think of cutting-edge tech companies. Healthcare providers may spring to mind for others and government agencies for still others. But strong cybersecurity—if it’s not already—is becoming paramount in every sector, and if the recent attacks tell us anything, it’s now paramount for universities as well.
By: Marci Womack
November 10th, 2023
On October 27, 2023, the Office of Management and Budget (OMB) released a draft memorandum titled Modernizing the Federal Risk Authorization Management Program (FedRAMP). Savvy readers may have noticed the parallelism of the 2011 and 2023 FedRAMP memorandums to those for FISMA in 2002 and FISMA 2014—for FISMA, the latter memo focused on "Modernization" in comparison with the former one regarding "Management."
By: Marci Womack
November 9th, 2023
Back in August 2022—while rulemaking for the Cybersecurity Maturity Model Certification (CMMC) was ongoing (as it still is)—the Joint Surveillance Program (JSP) was sanctioned by the DoD and CyberAB as an interim step in the CMMC program that allowed organizations to pursue a formal DIBCAC High (NIST 800-171) assessment.
Healthcare Assessments | Artificial Intelligence
By: Schellman
November 7th, 2023
To accommodate the ever-evolving cybersecurity threat landscape, HITRUST has released HITRUST CSF v11.2.0, updating its framework to include more pertinent concepts—one of the most notable additions is artificial intelligence (AI) risk management content.
ISO Certifications | Artificial Intelligence | ISO 42001
By: Danny Manimbo
November 3rd, 2023
The need for responsible, trustworthy, and ethical use of artificial intelligence (AI) has been a hot topic over the past couple of years, prompting the release of regulations such as NIST's AI Risk Management Framework to help organizations secure the evolving tech. Additional standards have emerged to address the need to implement safeguards addressing the security, safety, privacy, fairness, transparency, and data quality of AI systems throughout their life cycle—including ISO/IEC 42001.