šŸ” CMMC Compliance: Updates from the April Townhall Meeting

āš–ļø Understanding the False Claims Act and Its Implications

The False Claims Act is a federal law that imposes liability on individuals and companies that defraud the government. This law allows the government to sue individuals or companies that knowingly submit false claims for government funds or property. The law also allows private individuals to sue on behalf of the government, known as qui tam lawsuits.

The Department of Justice has settled the first False Claims Act liability case brought under its Civil Cyber-Fraud Initiative for nearly $300k. Jelly Bean Communication Design LLC created, maintained, and hosted a Florida Medicaid enrollment website that was required to comply with the personal-information protections imposed by HIPAA. Jelly Bean represented, both in the contract and in its invoices, that such protections had been implemented and were being maintained. In or around December 2020, the platform was breached and over 500,000 Medicaid applications were compromised. The incident revealed that Jelly Bean had failed to properly maintain, patch, and update the software systems within the platform. The settlement was for $293,771. This case shows how the False Claims Act can be used to recover funds from companies that defraud the government.

To highlight a bigger case, Cisco was charged $8.6 million in 2019 for selling video surveillance technology that had significant security flaws. Here's a link to the NY Times article.

šŸ¢ DoD CIO John Sherman on CMMC: Making Cybersecurity Implementable for Small and Medium Companies

DoD's Chief Information Officer, John Sherman, testified before the Senate Armed Services Committee on March 30, discussing the importance of making cybersecurity understandable and usable for small and medium-sized companies in the defense industrial base. The DoD is committed to not compromising on cybersecurity, but to making it implementable. Although the certification process for the Cybersecurity Maturity Model Certification (CMMC) has taken longer than expected, the DoD is working to make the CMMC requirements achievable for contractors. The certification process consists of five levels, each building on the previous one, and companies must meet the requirements of the level specified in their contract to be eligible for DoD contracts. The DoD is providing resources and support to help small and medium-sized companies achieve certification, and is clarifying the requirements to make them more understandable and less burdensome for contractors.

"Measure twice, cut once" was the takeaway comment from this highlight. The delays in the rule-making process come from the DoD's efforts to ensure businesses have ample time and guidance to adapt to the upcoming security requirements. Businesses are urged to take action now.

šŸ¤šŸ» RSA Conference: Highlights and Headlines

That's a wrap! RSAC 2023 came to a close on April 27, 2023 with over 50,000 attendees at its downtown San Francisco venue. There were over 740 speakers, including 50+ keynote speakers such as Chris Krebs of the Krebs Stamos Group, Cisco Security Business Group SVP Tom Gillis, and VMware President Sumit Dhawan. The conference, which began as a user conference for customers of RSA, is now where the world's cybersecurity leadership gathers, advances, and emerges.

The RSA 2023 Conference covered a range of interesting topics, including the secure-by-design concept, the National Cyber Strategy as a roadmap for a secure cyber future, and the importance of coordinating and collaborating with the private sector.

"Secure-by-design isn't a technical problem, rather a business problem"

Jack Cable, CISA Senior Technical Advisor

This year's RSAC Innovation Sandbox award went to HiddenLayer, which beat out 9 other finalists with its protection systems for Artificial Intelligence and Machine Learning. This is no doubt the hottest topic in tech, as explained in their 3-minute presentation.

The conference ended on a positive note with the theme of "Stronger Together." Attendees left with a better understanding of current and future concerns, ideas, and solutions to improve cybersecurity and protect sensitive information.
