
China Hackers Using Brickstorm Backdoor to Target Government, IT Entities


Chinese-sponsored groups are using the popular Brickstorm backdoor to access and gain persistence in government and tech firm networks, part of the ongoing effort by the PRC to establish long-term footholds in agency and critical infrastructure IT environments, according to a report by U.S. and Canadian security offices.

The post China Hackers Using Brickstorm Backdoor to Target Government, IT Entities appeared first on Security Boulevard.

Agencies, IT companies impacted by latest malware from China

Hackers sponsored by China are targeting federal agencies, technology companies and critical infrastructure sector organizations with a new type of malware affecting Linux, VMware and Windows environments that may be difficult to detect and eradicate.

The Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Canadian Centre for Cyber Security are strongly advising organizations to take steps to scan systems for BRICKSTORM using detection signatures and rules; inventory all network edge devices; monitor edge devices for suspicious network connectivity; and ensure proper network segmentation. The agencies released a malware analysis report to help organizations combat the threat.

Nick Andersen is CISA’s executive assistant director for cybersecurity.

“BRICKSTORM underscores the grave threats that are posed by the People’s Republic of China to our nation’s critical infrastructure. State sponsored actors are not just infiltrating networks, they are embedding themselves to enable long term access, disruption and potential sabotage. That’s why we’re urging every organization to treat this threat with the seriousness that it demands,” said Nick Andersen, CISA’s executive assistant director for cybersecurity, during a call with reporters today. “The advisory we issued today provides indicators of compromise (IOCs) and detection signatures to assist critical infrastructure owners and operators in determining whether they have been compromised. It also gives recommended mitigation actions to protect against what is truly pervasive PRC activity.”

CISA says BRICKSTORM features advanced functionality to conceal communications, move laterally and tunnel into victim networks, and to automatically reinstall or restart the malware if disrupted. Andersen said CISA became aware of the threat in mid-August and that it is part of the “persistent, long-term campaigns of nation state threat actors, in particular those that are sponsored by the People’s Republic of China, to hold at risk our nation’s critical infrastructure through cyber means.”

The malware has impacted at least eight organizations, including one to which CISA provided incident response services. Andersen wouldn’t say how many of those eight were federal agencies or which ones have been impacted.

“This is a terribly sophisticated piece of malware that’s being used, and that’s why we’re encouraging all organizations to take action to protect themselves, and if they do become victims of it or other malicious activity, to report it to CISA, so we can have a better understanding of the full picture of not just where this malware is being employed, but the more robust picture of the wider cyber threat landscape,” Andersen said.

New way to interact with industry

Since January, CISA has issued 20 joint cybersecurity advisories and threat intelligence guidance documents with U.S. allies, including the United Kingdom, Canada, Australia and New Zealand, as well as with other international partners.

“Together, we’ve exposed nation-state sponsored intrusions, AI enabled ransomware operations and the ever evolving threats to critical infrastructure,” Andersen said.

Along with the warnings and analysis about BRICKSTORM, CISA also launched a new Industry Engagement Platform (IEP). CISA says it’s designed to let the agency and companies share information and develop innovative security technologies.

“The IEP enables CISA to better understand emerging solutions across the technology ecosystem while giving industry a clear, transparent pathway to engage with the agency,” CISA said in a release. “The IEP allows organizations – including industry, non-profits, academia, government partners … and the research community – with a structured process to request conversations with CISA subject matter experts to describe new technologies and capabilities. These engagements give innovators the opportunity to present solutions that may strengthen our nation’s cyber and infrastructure security.”

CISA says while participation in the IEP does not provide preferential consideration for future federal contracts, it serves as a channel for the government to gain insight into new capabilities and market trends.

Current areas of interest include:

  • Information technology and security controls
  • Data, analytics, storage, and data management
  • Communications technologies
  • Any emerging technologies that advance CISA’s mission, including post-quantum cryptography and other next-generation capabilities

Andersen said that while the IEP and related work are separate from the BRICKSTORM analysis, it’s all part of how CISA is trying to ensure all organizations protect themselves from the ever-changing cyber threat.

“The threat here is not theoretical, and BRICKSTORM underscores the grave threats that are posed by the People’s Republic of China to our nation’s critical infrastructure,” he said. “We know that state sponsored actors are not just infiltrating networks. They’re embedding themselves to enable the long term access disruption and potential sabotage that enables their strategic objectives, and that’s why we continue to urge every organization to treat this threat with serious demands.”

The post Agencies, IT companies impacted by latest malware from China first appeared on Federal News Network.


Fired EPA employees challenge agency, alleging free speech violations

Former Environmental Protection Agency employees who were fired after signing a letter criticizing the Trump administration are now appealing their dismissals before the Merit Systems Protection Board.

The six former EPA employees, who were among roughly 140 workers who signed a “declaration of dissent” in June, argued their firings were not only an illegal response to exercising their First Amendment rights, but also a form of retaliation for “perceived political affiliation,” and executed without cause.

The former employees are represented by attorneys at several law firms in the MSPB case, including the Public Employees for Environmental Responsibility (PEER).

“Federal employees have the right to speak out on matters of public concern in their personal capacities, even when they do so in dissent,” Joanna Citron Day, general counsel for PEER, said Wednesday. “EPA is not only undermining the First Amendment’s free speech protections by trying to silence its own workforce, it is also placing U.S. citizens in peril by removing experienced employees who are tasked with carrying out EPA’s critical mission.”

An EPA spokesperson declined to comment, stating that the agency has a longstanding practice of not commenting on pending litigation.

The June dissent letter from EPA employees warned that the Trump administration and EPA Administrator Lee Zeldin were “recklessly undermining” the agency’s mission, and criticized the administration’s policies on public health and the environment. The letter led EPA to launch an investigation into employees who signed the letter, resulting in at least eight probationary employees and nine tenured career employees receiving termination notices. Dozens more who signed the declaration were suspended without pay for two weeks, according to the American Federation of Government Employees.

Justin Chen, president of AFGE Council 238, which represents EPA employees, said the firings of these employees added to a “brain drain” at EPA, on top of other workforce losses stemming from the deferred resignation program (DRP) and other actions from the Trump administration this year.

“These were subject matter experts — extremely talented people who were working on behalf of the American public to protect them,” Chen said in an interview. “The loss of these people will be felt for quite some time. And honestly, the intent of this action is to put a chilling effect on the rest of the civil service.”

A termination notice delivered to one of the EPA employees shows that in response to concerns of free speech and whistleblower protection violations, the agency’s general counsel office stated that it believed the issues raised “do not outweigh the seriousness of your offense.”

“The Agency is not required to tolerate actions from its employees that undermine the Agency’s decisions, interfere with the Agency’s operations and mission, and the efficient fulfillment of the Agency’s responsibilities to the public,” the termination letter reads. “You hold a trust-sensitive position that requires sound judgement and alignment with the Agency’s communication strategies.”

Despite the employee having a high performance rating and a lack of disciplinary history, the termination letter stated that “the serious nature of your misconduct outweighs all mitigating factors.”

“I also considered that you took no responsibility for your conduct, which reflects a lack of acknowledgment of the seriousness of your actions and raises concerns about your ability to exercise sound judgment and undermines your potential for rehabilitation,” the letter reads.

In August, EPA leadership also canceled all its collective bargaining agreements and told its unions it would no longer recognize them. The decision came after an appeals court allowed agencies to move forward with implementing President Donald Trump’s March executive order to terminate union contracts at a majority of federal agencies.

“If we still had our collective bargaining rights, none of this would have happened in the first place. We would have immediately filed grievances,” Chen said. “[With the MSPB appeal] our hope is that these employees get everything back — that they will have full reinstatement and full back pay.”

The post Fired EPA employees challenge agency, alleging free speech violations first appeared on Federal News Network.


Cybersecurity Coalition to Government: Shutdown is Over, Get to Work


The Cybersecurity Coalition, an industry group of almost a dozen vendors, is urging the Trump Administration and Congress now that the government shutdown is over to take a number of steps to strengthen the country's cybersecurity posture as China, Russia, and other foreign adversaries accelerate their attacks.

The post Cybersecurity Coalition to Government: Shutdown is Over, Get to Work appeared first on Security Boulevard.

Federal court blocks Trump administration’s plan to scrap 4 small agencies

The Trump administration’s plans to shutter four small agencies are indefinitely on hold, following a court’s recent ruling.

A federal judge in Rhode Island issued a permanent injunction on Nov. 21, blocking the administration from taking any further action to eliminate the Institute of Museum and Library Services, the Minority Business and Development Agency, the Federal Mediation and Conciliation Service, and the Interagency Council on Homelessness.

President Donald Trump signed an executive order in March, eliminating these agencies — and three others — “to the maximum extent consistent with applicable law.” But attorneys general in 21 states sued the administration, arguing that these agency closures would have downstream effects on state-level operations.

The permanent injunction ordered by U.S. District Court Judge John J. McConnell, Jr. prevents the four agencies from “taking any future action to implement, give effect to, comply with, or carry out the directives contained in the Reduction EO.”

McConnell determined that the Trump administration’s decision to conduct widespread layoffs, terminate grants and eliminate programs at these agencies “undermined their ability to perform functions mandated by statute.”

“By now, the question presented in this case is a familiar one: may the executive branch undertake such actions in circumvention of the will of the legislative branch? In recent months, this court — along with other courts across the country — has concluded that it may not. That answer remains the same here,” he wrote.

The agencies targeted for elimination are responsible for funding museums and libraries, mediating labor disputes, supporting minority-owned businesses, and preventing and ending homelessness.

Over the course of several months, the Trump administration fired, placed on administrative leave, or reassigned nearly all employees in these four agencies. The administration cancelled a wide range of grants to the agencies, and cancelled public programs and services that the agencies provided.

McConnell said these decisions left the agencies unable to carry out their statutorily mandated functions, and unable to spend their congressionally appropriated funds.

The court issued a preliminary injunction in May. The Trump administration appealed the district court’s preliminary injunction, but dropped its appeal on Nov. 21, following the judge’s permanent injunction. Federal News Network has reached out to the White House and the Justice Department for comment.

The Supreme Court and federal appeals courts have mostly allowed the Trump administration to proceed with plans to shutter agencies and conduct mass layoffs across the federal workforce.

The Trump administration argued that a preliminary injunction in this case prevented agencies from implementing the president’s priorities. McConnell, however, said he ruled in favor of the states, given a “plethora of injuries” that would arise if the court did not intervene.

States told the court that closing IMLS would force the closure of public libraries, force them to implement hiring freezes and stop providing services that support literacy and learning. State universities said they would be forced to lay off employees, eliminate student programming and default on contracts without continued funding for MBDA.

In other cases, states said some of their agencies and programs are at risk of work stoppages and negotiation impasses, without FMCS around to resolve labor disputes. States also told the court they would lose expert assistance on how to reduce homelessness without the Interagency Council on Homelessness.

“All this to say: the injuries alleged are to the States themselves and are far more than merely economic or speculative,” McConnell wrote.

New York State Attorney General Letitia James called the ruling a “major victory in our ongoing work to defend important services.”

“The federal government’s illegal attack on these agencies threatened vital resources for workers, small businesses, and the most vulnerable in our communities,” James said.

The American Library Association said the court’s decision “restores everything that the executive order tried to take away.”

“Convincing a federal judge that shuttering a supposedly obscure agency would have an immediate and devastating impact on millions of Americans is no small feat,” ALA President Sam Helmick said. “Libraries also strengthen local economies by supporting jobseekers, small businesses and community learning. Protecting these resources matters.”

The post Federal court blocks Trump administration’s plan to scrap 4 small agencies first appeared on Federal News Network.


When a quarter of polluting facilities ignore the law, who’s left to enforce it?


Interview transcript:


Terry Gerton EPA enforcement cases have plummeted, even as noncompliance rates climb. Now, a major staffing cut at the Justice Department’s environmental section and a federal shutdown that paused inspections leave enforcement at a crossroads. Federal News Network’s Eric White spoke with former EPA Deputy Assistant Administrator Stacey Geis about the resource drain crippling environmental enforcement and whether states can fill the widening gap.

Eric White You know, as far as EPA enforcement, environmental enforcement from a federal perspective, things were kind of on a downward trend already and then with a slight bump. And now the first few months of the Trump administration, DOGE came in, the EPA was certainly on the list of agencies that they felt they could take some action against. What is the state of federal environmental enforcement right now? Let’s begin there.

Stacey Geis I think it’s important to understand the context of your question, meaning what is the state of environmental enforcement been, say, for the last 15 years generally and the landscape we are in right now? Back in, I think it was 2019, but there was a report that was done by Cynthia Giles, who was head of the office of enforcement and compliance assurance at EPA back in the Obama administration. And she went off to Harvard and did a report that showed that the level of significant noncompliance in the United States is surprising. And the numbers are that generally most facilities that have permits to pollute are 25% out of compliance, 25% of those companies are out of compliance with existing laws, regs or permits. And that for the facilities that emit the most hazardous air pollutants, the numbers were up to 50%, 75% noncompliance. So I say it because you’re starting from a place where we have more noncompliance than I think we would all expect. And of course, there could be a lot of reasons for that, including it could be laws that are tough to know how to comply with. So there’s a host of reasons. But I say that because it’s important to then put that into context of where we are now. Back during the Bush administration, Bush II, EPA was doing up to 6,000 enforcement cases a year. And then there was a very big decrease starting in the Obama years, and it just kind of kept going down, where they really decreased resources EPA’s enforcement. And now, you know, when the last administration came in and tried to revitalize EPA, hired hundreds of people, including in the enforcement division, and the numbers started going back up. But still, so in 2024, there were about 1,800 cases, civil enforcement cases that were concluded. So now we are in this, in the last 2025. What we’ve seen is two things. One, a reprioritization of this administration when it comes to what type of enforcement they want to do. 
And so a lot of folks, including the Department of Justice and the Environmental and Natural Resources Division were, on day one, reassigned to do other things, including immigration. And then of course, there was a whole host of terminations, administrative leaves, people who resigned, and then I think thousands who took the “fork in the road.” So we have an incredible resource drain right now at EPA. We also have it at the Department of Justice, which is obviously the partner that does a lot of the enforcement. So I would say where we are right now is that we will see in December, that’s when EPA has to announce, or generally for the last 10 years has announced, its enforcement results, its annual enforcement results. Meaning: how many civil cases were done, how many criminal cases, how many hundreds of millions of pounds of pollution were removed in the United States because of those enforcement actions? Those numbers will come out in December and it will be very interesting to see what those numbers are compared to prior years.

Eric White Let’s talk a little bit about the manpower aspect of this. What does proper environmental enforcement require? Does it need a lot of attorneys, investigators? I imagine that these aren’t easy cases to make, proving causation and whether or not who is to blame for environmental pollution, that can probably be tough given that it can be hard to obtain hard evidence. Can you just expand upon how, you know, just having workforce cuts in general to environmental enforcement, whether it is EPA or DOJ, and the effect that that just has on environmental enforcement in general.

Stacey Geis There’s federal enforcement, EPA does enforcement, DOJ does. There’s also states that do that, and we can talk about that later in terms of how potentially whether we will see the states gap-filling because of what we think will be a lack of federal enforcement. But going to your question, it is a whole team that exists to put together an enforcement case, and it starts with the inspectors. And those are also part of the Office of Enforcement. So you have inspectors who just routinely go out — like with any regulation, whether it’s OSHA, they go and they inspect the facilities for compliance. It starts there. And that’s one thing, for example, that’s paused during the shutdown, inspections are paused. But it’s the inspections that then are one of the key ways that an agency finds out that a facility may not be in compliance. And then that starts — you may have investigators who come in and start investigating further. You have to have scientists. You have to have hydrologists. You have to have people who know air regulations, who can come in and ascertain whether or not this really non-compliance. What level? Is this something that rises to the level of an enforcement action? And if so, what kind of enforcement action? Is it something that it should be a minor fine and they’re going to fix it? Or is it’s something that’s lying, cheating, stealing, and they are being deceptive, bypassing the pollution scrubber, and you could be looking at a criminal case. So you have inspectors, you have investigators, and then you have all the attorneys both at EPA and the Department of Justice. EPA has its own enforcement program where they do kind of those more minor, what we call administrative enforcement actions, where it’s going to be a fine and course-correcting and getting the company back into compliance. And then if it turns out the violations require a more serious enforcement, whether civil or criminal, it’ll be referred to the Department of Justice. 
And those Department of Justice attorneys then bring the cases to court. So that’s why the incredible drain we’re seeing in resources at DOJ as well — and I can give you numbers on that, but the environmental section is down, I think 50% to 60% of what it was in January — means understandably less resources to develop the case and less resources prosecute.

Eric White We’re speaking with Stacey Geis. She is a senior counsel with Crowell and Moring, also former deputy assistant administrator at the Environmental Protection Agency. You mentioned something in your first answer regarding how compliance could be tied to … it’s really, really hard to be in compliance, right? Especially when you’re operating a facility that is dealing with a lot of different chemicals. I mean, you know, just forming compliance, sometimes the drain comes from the people that you’re trying to enforce the regulations on, just because they need that expertise in order to reach compliance. Are there enough compliance experts to go around and also, how tough are these regulations to be in compliance? Are certain industries just going to always be having to deal with this?

Stacey Geis That is a question that we could have a whole day on that, in terms of how to craft good regulations that both are easy for the company to understand and comply with and easy to enforce. What I will say, though, is one of the challenges with the shutdown — because people are asking, what is the impact of the shutdown? I mean, the industry is facing incredible uncertainty. With the shutdown, what is paused, both at EPA and DOJ, are most enforcement actions. Criminal enforcement actions continue under their various shutdown plans, and it’s always been that way. And there’ll still be enforcement when it comes down to imminent and substantial threats to public harm or the environment. That is a very small subset. One thing that the Office of Enforcement does — it’s called the Office of Enforcement and Compliance Assurance, because not only does it enforce the laws, it’s there to provide compliance assistance to the companies, to help them. We want them to comply you, we as a public want companies to comply, right? And we want to have agencies, federal or state, that are assisting them in helping understand those regulations so they can comply. Right now, I don’t know if they called up EPA or one of the regions if they’re going to get the person, because they’re furloughed, to answer those questions. So one thing with this shutdown is not only does it mean that enforcement’s not going forward, but there’s a real uncertainty that the industry is facing right now, too, in terms of their cases aren’t moving forward, they can’t get in touch, they may have compliance questions they cannot get answered. So it actually impacts anyone who is affected by environmental regulations, meaning affected by pollution.

Eric White When you were in your position at EPA, how often were you all paying attention to those numbers? I’m just wondering about, you now, sometimes we can get caught up in, “well, the numbers increase that must mean that everything is on the up and up,” or you know, numbers are down as you had mentioned, when they’re severely down, something is definitely going on. What was the push and pull between quality versus quantity there, as far as the number of enforcement cases that you all were actually pursuing? And how did that factor into your analysis of whether or not you felt you were doing a good enough job or not?

Stacey Geis The question you want to address whenever you’re doing enforcement is going after the most harm, right? And you have limited resources. And then any unlawful violation, but certainly one of like a public and health and safety regulation, which is what pollution regulations really are, is how do you take these limited resources and best use them to enforce laws in a way that will alter behavior going forward, not just that company that may be out of compliance, but the entire industry? And so that is the challenge and always the work you’re doing is, how do you use those resources effectively and efficiently? And so while numbers matter to some extent in terms of showing like exactly what, what cases are being done, how many inspections are being done, there’s certainly a metric by which you want to use it to assess how your programs are going. You also are always looking and doing a harm analysis. Focusing on which of the cases rise to the level of the greatest harm, that maybe a federal response could be needed versus maybe the state could handle it. So that is always the calculus, it’s sort of this balance, right? So it’s never that the numbers mean everything, but that’s why you combine those numbers with, okay, so this is how many cases you prosecuted, this is many civil cases you did … that’s why when they bring the numbers, and that’s why the December numbers will be so important, is they do things like the on the ground metrics. How much pollution was reduced, was cleaned up, because of those enforcement actions? That’s a good metric. And one we’re going to want to look at. Because again, the goal is to abate the harm.

Eric White I don’t want to get you in any trouble, and you can talk as vague as you’d like, but I was wondering if we could maybe get some insight on a particular case. Who was your Al Capone? Who is your white whale that you were able to get one time? Like I said, you don’t have to mention any specifics, but is there anything that you can recall, an insight into what you saw one time and you were to successfully get them either in compliance or successfully prosecute any sort of criminal malfeasance?

Stacey Geis I mean, I can certainly talk about the defeat devices and the sort of “VW-gate” matters — that was where the company was intentionally altering the emissions control to allow the trucks or the vehicles to pollute more than the laws, regulations and permits allowed. And that was a billion-dollar criminal civil case. VW was not the only one. So those cases were still going forward while in the last couple of years. And even in the last year, there was one against Cummins, and this is public, it’s huge, they made all the Ram trucks. I think they paid over $1 billion. And then there was once against Hino, that’s public, that was a criminal-civil matter — they were called the subsidiary of Toyota. But again, those are really big cases where you’re really addressing a systemic issue. And again, bringing those cases, having very high fines, and even some of those cases being criminal is hopefully a deterrent and a message to other companies of, hey, if you’re going to try to unlawfully alter the systems of your software and your cars to pollute beyond what is allowed, that there will be enforcement there. So I think that was almost like a bigger effort that went over years, but that was something that happened in the last couple of years that I think were significant cases.

Eric White  And finishing up here, we’ve seen the Trump administration decrease the resources in areas that they feel have too much government oversight in them; CFPB comes to mind. And what I’m feeling is, is that a major Supreme Court case is probably in our future of determining what an executive branch can do and what the threshold is. You know there are environmental laws that say the federal government is responsible for enforcement in this area; at what point do you deplete enough resources where a reasonable person can feel the government is not fulfilling that law? I just was curious about getting your thoughts on that, and if that is in fact in our future of some major case that may set the precedent for that.

Stacey Geis That’s a great question. And you hit on an important point, which is, again, as I noted earlier, a lot our environmental laws that are federal laws have been delegated to the states to implement and enforce. Clean Water Act, Clean Air Act, hazardous waste laws. And there’s still a very vital role for the federal enforcement program, and there’s a big reason for that. There’s three things that need to happen. A lot of the question has been, well, if federal environmental enforcement decreases, how, if at all, will the states step in to gap-fill where there’s noncompliance in their states and there’s not an enforcement action? But there’s three issues with that. One, you have a state that has the resources to actually do those cases, including maybe the bigger ones. You need to have a state that prioritizes environmental enforcement. A lot of states are dealing with so many other big issues; it could be housing, it could be healthcare, or it could be a lot of things, right? So you need to have a state that actually is putting resources and prioritizing environmental enforcement in their state. And then, like you said, there’s several threats to the environment and public health that are not enforced by the states, and only EPA can do those, like pesticide registration, most enforcement in Indian country. And then there’s certain Clean Air Act and Clean Water Act and hazardous waste laws that only implemented by EPA and DOJ. Coal ash contamination is a big one, that’s a place where we see a lot of noncompliance. And so as a result in 2024, EPA came out with national enforcement initiatives, which is really to look at what are the biggest serious threats to the country that there’s so much significant noncompliance that it really could use federal assistance, or it’s in an area that only EPA enforces, not the states. Coal ash contamination was one of those. 
So you’re right, we very well will get to a place — I think these numbers in December will be really helpful to see what’s happening. I think what we all care about is, what’s the on-the-ground impact to the people? We have tens of millions of Americans who can’t drink their tap water. And that was another enforcement initiative, was really focusing on the community water systems throughout the country, thousands of which are often violating at least one health-based standard. And what are the efforts? NEPA had a whole program, to not just enforce but really provide compliance assistance to help those community water systems be able to provide safe drinking water to Americans. That’s where we’ll want to look and see, what are the impacts of this reduction, this serious reduction in workforce, reduction in priorities? And then obviously some of these things the states can’t do because they’re not delegated to do it. And even if they did, do they have the resources and will?

The post When a quarter of polluting facilities ignore the law, who’s left to enforce it? first appeared on Federal News Network.

FILE - The Richmond city skyline can be seen on the horizon behind the coal ash ponds along the James River near Dominion Energy's Chesterfield Power Station in Chester, Va., Tuesday, May 1, 2018. The Environmental Protection Agency is moving to strengthen a rule aimed at controlling and cleaning up toxic waste from coal-fired power plants. A proposed rule announced Wednesday, May 17, 2023, would require safe management of so-called coal ash dumped in areas that currently are unregulated at the federal level. (AP Photo/Steve Helber, File)

DLA’s Tech Accelerator Team showing how to spur innovation

The Defense Logistics Agency may have solved two problems every agency tends to struggle with — attracting new and innovative companies and changing the culture of its workforce to work with those firms.

DLA’s Tech Accelerator Team has shown it can do just that. Over the last several years it has been using what are considered traditional private sector methods to attract up-and-coming firms and take an agile approach to solving problems using interviews, data and market research.

David Koch, the director of research and development at DLA, said the agency launched the Tech Accelerator Team about six years ago with the idea of finding commercial technologies from non-traditional companies to solve their most pressing problems.

David Koch is the director of research and development at the Defense Logistics Agency.

“We don’t go into a problem with a solution in mind. We go into it solution agnostic,” Koch said in an interview with Federal News Network. “What is the problem that you want to solve? Then, let’s pull in a bunch of commercial folks that have tackled similar type of problems before. We usually do that through a request for information (RFI) that goes out to companies. We bring them in and we see what kind of solutions they throw up. We don’t go into it with a preconceived idea of how to solve this problem.”

Part of the challenge with this approach led by the Tech Accelerator Team was changing the way DLA leaders approached problems. Koch said they have done a lot of training around innovation to help DLA leaders and employees bring good ideas to fruition.

“It was more about, let’s interview senior leaders and let’s find a problem that we need to go solve. Now it’s really grown into a life of its own to where the program managers reach out and say, ‘Hey, I need a commercial solution for the problem that I have,’” he said. “I think a lot of times now it’s more internally focused, where we reach out to commercial solutions based on a problem that we know exists. We’ve become more aware of what’s going on across the organization. We know where those problem areas are, where there’s commercial opportunities to solve them.”

Koch pointed to an example of this approach in action: a project with RGBSI Aerospace and Defense, a company providing engineering and technical support, on using digital twins in a new way. Koch said DLA had used digital twins for parts and for processes, but through this approach, the agency is now using digital twins to improve its digital threads.

“You can pull in things like acquisition data, logistics data and manufacturing data, along with that thread so that you can pull in more industry partners and more people are available to make that part,” he said. “Now, what we do is we use a computer program to go in and follow where the data flows, and it maps the process for you. Sometimes you’re surprised when you find out how your process really works.”

The Tech Accelerator Team calls itself “DLA’s innovation broker,” and it works with other DoD and federal offices as part of a broad-based innovation ecosystem.

DLA spent $135 million in research and development in fiscal 2025 across three main portfolios:

  • Logistics
  • Manufacturing technology
  • Its small business innovation program

Koch said about $53 million went to manufacturing technology and about $17 million was for DLA business processes or logistics research and development. Additionally, DLA received about $44 million from Congress, most of which went into R&D for rare earth elements and other strategic materials.

Testing an automated inventory platform

Koch said heading into 2026, DLA will focus on four specific areas.

“The first one is strategic material recovery. We hosted [in September] our kickoff event for that being our newest manufacturing technology project. But that doesn’t mean that we’re just now starting strategic materials research. We’ve been doing it out of our SBIR for now for our last few years. It’s very timely, it supports the stockpile and we’ve had some really good success stories,” he said. “[The second one is] additive manufacturing and it’s really about mainstreaming. We call it the joint additive manufacturing acceptability. But mainstreaming additive manufacturing is part of the normal supply chain process that the military can use when they order parts from DLA.”

The two other areas are artificial intelligence transformation and automated inventory management. Koch said DLA is testing the Marine Corps Platform Integration Center (MCPIC) and also adding new technology to the platform to help improve how the agency manages products across 25 distribution centers.

“We have a lot of stuff that’s outside, think big Strykers and tanks and stuff like that that are just out there in the open. So you need something like a drone that’s going to go around and capture that inventory. Then you have a lot of small things, think firearms and stuff like that, that we have to do inventory on. So that’s the backbone that we’re building it upon,” he said. “The idea is you walk down the aisle and your inventory populates on your laptop or your iPad. We think we can get there.”

He added that DLA is piloting the integrated technology platform at its distribution center in Anniston, Alabama.

“We spend tens of millions of dollars a year doing inventory, and it’s very people intensive. Our automated inventory project is all about automating that process,” Koch said. “The goal is that we can do 100% audit, totally automated, and save a lot of that funding, and then have that information feed into our warehouse management system. We’re definitely excited about the possibility.”

The post DLA’s Tech Accelerator Team showing how to spur innovation first appeared on Federal News Network.


FCC to vote on reversing cyber rules adopted after Salt Typhoon hack

The Federal Communications Commission is set this week to vote on reversing cybersecurity rules for telecommunications providers that were put forward following the sweeping “Salt Typhoon” hacks.

The FCC’s meeting on Thursday includes plans to consider an order to rescind a ruling and proposed rules published in the waning days of the Biden administration. The January ruling requires telecom operators to secure their networks under Section 105 of the Communications Assistance for Law Enforcement Act.

But current FCC Chairman Brendan Carr argues that ruling “exceeded the agency’s authority and did not present an effective or agile response to the relevant cybersecurity threats.”

The proposed order would rescind the January ruling and withdraw proposed cybersecurity rules for telecom operators.

The FCC “should instead continue to pursue an agile and collaborative approach to cybersecurity through federal-private partnerships that protect and secure communications networks and more targeted, legally sound rulemaking and enforcement,” according to a factsheet on the order of reconsideration.

‘Worst’ hack ever

The Salt Typhoon campaign was revealed in 2024. It involved intrusions into U.S. telecom networks and others across the globe. The hackers were reportedly able to target the communications of political figures and government officials, including then-candidate Donald Trump and running mate JD Vance.

U.S. officials have said Chinese-government sponsored hackers are behind the campaign. Senate Intelligence Committee Ranking Member Mark Warner (D-Va.) has described it as “the worst telecommunications hack in our nation’s history.”

The Cybersecurity and Infrastructure Security Agency has since said the Salt Typhoon campaign overlapped with global threat activities targeting multiple sectors, including telecommunications, government, transportation, lodging, and military infrastructure networks.

“While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks,” CISA wrote in a September advisory. “These actors often modify routers to maintain persistent, long-term access to networks.”

In rolling out the January rules, Biden administration officials argued they represented a “critical step to require U.S. telecoms to improve cybersecurity to meet today’s nation state threats, including those from China’s well-resourced and sophisticated offensive cyber program.”

However, the FCC’s current leadership says the rules misinterpreted the law and “unnecessarily raised and purported to resolve issues that were not appropriate for consideration in the absence of public input.” The FCC’s factsheet also references the commission’s “recent engagement with providers and their agreement to take extensive steps to protect national security interests.”

In an October letter to the FCC, lawyers representing several telecom associations argued that the January ruling “would significantly undermine” public-private partnerships. They argued that telecom providers had voluntarily collaborated with federal agencies to investigate Salt Typhoon and adopted stronger cybersecurity measures.

Warner and Sen. Ron Wyden (D-Ore.) are also pressing the Department of Homeland Security to release an unclassified 2022 report on security vulnerabilities in the U.S. telecom sector. They argue that by not releasing the report, DHS is undermining public debate over how to best secure telecom networks in the wake of Salt Typhoon.

“The Salt Typhoon compromise represents one of the most serious espionage campaigns against the communications of U.S. government leaders in history, and highlighted important gaps in our nation’s communications security – in some cases, with providers ignoring basic security precautions such as credential re-use across network appliances and failure to adopt multi-factor authentication for highly privileged network administrator accounts,” Warner and Wyden wrote in a recent letter to DHS and the Office of the Director of National Intelligence.

Meanwhile, the House on Monday passed the “Strengthening Cyber Resilience Against State-Sponsored Threats Act.” The bill would establish a joint interagency task force to address China-linked cyber threats, including Salt Typhoon. The task force would be led by CISA, with involvement from the Justice Department, the FBI and several sector-risk management agencies.

The post FCC to vote on reversing cyber rules adopted after Salt Typhoon hack first appeared on Federal News Network.

FILE - This June 19, 2015, file photo, shows the Federal Communications Commission building in Washington. The Federal Communications Commission has issued a $6 million fine against the political consultant who sent AI-generated robocalls mimicking President Joe Biden’s voice to voters ahead of New Hampshire’s presidential primary. Steve Kramer also faces two dozen criminal charges in New Hampshire. Kramer has admitted orchestrating the message sent to thousands of voters. (AP Photo/Andrew Harnik, File)

Guardians of Ganja: The Cannabis Insurance Company Covering Your Grass

Even though the American cannabis industry became a multi-billion-dollar industry years ago, a decent number of insurance companies are still hesitant to work with cannabis businesses. Whether it’s due to the federally prohibited status of cannabis or internal policies among the larger insurance providers that dictate which risks will be insured, finding a quality and reliable insurance provider for a licensed cannabis business can be quite arduous.

Especially with multimillion-dollar cultivation and manufacturing operations and wholesale transactions that are equally lucrative and costly, having dedicated and thorough insurance policies in place is now more than a necessity.

Luckily for those cannabis businesses, Guardians of Ganja is a top-tier insurance agency with a memorable name whose operations and policies are built and tailored specifically to the precise requirements of cannabis businesses.

“One of the best things about cannabis is its ability to free your mind from the constraints of life,” says Jason Ascheman, co-owner of the agency solely focused on the cannabis industry. “After some research, we found the industry was grossly underserved. Guardians of Ganja started with the desire to find something no one else was doing, something that was equally unique, challenging and something that we wholeheartedly believe in.” 

The agency’s primary location of Billings, Montana, is certainly a preferable one from both a cannabis and agricultural standpoint. The state legalized adult-use cannabis back in 2020 (for a second time) and has had a vibrant adult-use market for well over 3 years, surpassing $1 billion in total sales at the end of 2024. Similarly, the state’s agricultural industry is nothing short of massive, being a major producer of cattle and several varieties of wheat.   

Dalton Knutson, co-founder of Guardians of Ganja, meets with a client called White Pine, based in Helena, Mont.

A Specialty Cannabis Insurance Company 

Prior to entering the insurance industry, Guardians of Ganja’s second co-owner, Dalton Knutson, held a variety of interesting and honorable positions, from selling solar panels to serving as a firefighter. Unfortunately, the Crohn’s disease he had been diagnosed with in childhood worsened, and after major surgery, he had to resign from his role as a firefighter.

“But it was after this that my belief in cannabis became stronger, the more I experimented with different treatment methods,” Knutson says. “It became something I wholeheartedly believed in and supported.” 

Knutson soon teamed up with Ascheman, who has over 8 years of experience in the insurance industry. While they both share a passion for the plant, Ascheman’s hands-on insurance experience combined with Knutson’s entrepreneurial and service-oriented nature gave them an edge. “We both realized the market was underserved,” Knutson explains, describing their desire to help cannabis-related companies protect what they have built.

With the clever tagline of “Covering Your Grass for a Greener Tomorrow”, the services offered by Guardians of Ganja include policies uniquely designed for every plant-touching sector of the cannabis industry, along with ancillary businesses—everything from cultivation to manufacturing to retail to vital testing labs, even Lessor’s Risk policies for landlords with cannabis exposures. From the detailed coverage options their policies provide, it’s clear that the team at Guardians of Ganja has several years of experience working directly in this nascent yet heavily regulated industry.

Liability coverage alone addresses many of the common circumstances that arise in compliant cannabis operations. A full spectrum of services is offered, from general liability to product liability and the very crucial professional liability.

Meeting with Nature’s Fix dispensary out of Billings, Mont.

What’s Covered by Guardians of Ganja 

Other worthwhile parts of cannabis operations covered through Guardians of Ganja’s policies are product deliveries of all varieties, as well as the transportation vehicles themselves. That includes all types of deliveries, from individual home deliveries to large-scale deliveries from cultivation facilities to dispensaries. Given how heavily every cannabis delivery, regardless of size, is monitored and documented by state regulators via platforms like METRC, the Guardians of Ganja team considers it of utmost importance that every element of the delivery process is diligently insured.

Even crop insurance—a vital safeguard that protects farmers’ investments from unexpected disasters—is available through Guardians of Ganja. Every single stage in the cultivation process is covered, from vegetation and harvest to the pivotal drying and curing stages.     

“We pride ourselves in creating personal connections and relationships with our clients to not only be their agent, but a trusted confidant and partner that has their best interest at heart,” Knutson says with pride.  

As the American cannabis industry evolves and expands at a more rapid pace than just about any other industry, the experienced team at Guardians of Ganja is committed to staying up to date on all those constant changes.   

“Along with this, we are continuously educating ourselves on the intricacies of the industry to ensure our recommendations are well-informed and knowledge-based. It’s our belief that putting the needs of the clients over anything else is always a win in the end,” Knutson explains. “To sum things up, GOG means so much more than just insurance. It’s real people with real experiences with cannabis that want to genuinely make a difference both personally and business-wise.” 

The post Guardians of Ganja: The Cannabis Insurance Company Covering Your Grass appeared first on Cannabis Now.

Congress extends CISA 2015, but path to long-term reauthorization remains murky

Congress has temporarily extended a landmark cyber information sharing law, but industry representatives and cyber experts are urging lawmakers to act quickly to enact a more long-term solution.

The continuing resolution signed into law Wednesday night extends the provisions of the Cybersecurity Information Sharing Act of 2015 through the end of January. The law had expired Oct. 1.

CISA 2015 provides privacy and liability protections to encourage companies to share data about cyber vulnerabilities and threats. Cybersecurity leaders say those protections provide a critical underpinning to facilitate collaboration across government and industry.

Despite the temporary reprieve, the path forward for a long-term CISA 2015 extension in Congress remains unclear, with divergent reauthorization bills in the House and the Senate.

The White House has called for a “clean” 10-year reauthorization of CISA 2015. But Senate Homeland Security and Governmental Affairs Committee Chairman Rand Paul (R-Ky.) has opposed efforts to move forward such a bill in the Senate.

The long-term extension of the information sharing law, meanwhile, remains a chief concern for the technology industry.

Mike Flynn, senior vice president of government affairs for the Information Technology Industry Council, called the short-term extension “a step in the right direction.”

“Without a long-term CISA 2015 fix, cybersecurity stakeholders will continue to face uncertainty and questions that will undermine the network of information-sharing organizations and programs that have been built over the last decade,” Flynn said in a statement.

Henry Young, senior director of policy at BSA The Software Alliance, said he hopes to see a “sense of urgency” in Congress to extend the law long term.

“While we’re pleased that the law is hopefully going to be extended, we remain concerned that if the CR lapses, we’ll return to a world where cybersecurity information sharing is slowed or stopped, and that really leaves everyone at risk,” Young told Federal News Network.

CISA 2015 lapses

When the law lapsed Oct. 1, some cyber policy experts worried industry would stop sharing information about cyber threats affecting their products or networks.

But Nick Andersen, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said information sharing between government and industry was “holding steady” through the end of October.

The cooperation “is a testament to CISA’s reputation that it’s built up and our ability to have long-term collaboration tools,” Andersen told reporters at the Palo Alto Networks public sector conference in Tysons Corner, Va., on Oct. 30.

“I hate to see what’s going to continue to happen, though, after we get past the shutdown and we start having these longer conversations with the vendor ecosystem,” Andersen added.

While companies continued to share information during the lapse, Young said the process slowed down.

“It started to slowly reintroduce the legal review into each one of these individual decisions, which isn’t going to necessarily stop all information sharing, but is going to slow it, and it also might reduce it in increments,” Young said.

“People wanted to work together and continue to share information, and they did, to some extent, but it also created more risk for them to do,” he added.

Cynthia Kaiser, former deputy director of the FBI’s cyber division and now senior vice president of Halcyon’s Ransomware Research Center, said the lapse showed the need for a long-term solution to reauthorizing the law.

“It’s critical that protecting cybersecurity information sharing is considered a priority in Congress upon the government’s reopening in order to maintain a strong national security posture,” Kaiser said.

Debate in Congress

While Congress has just over two months to extend the law, the path forward for reauthorization remains murky.

In September, the House Homeland Security Committee passed the Widespread Information Management for the Welfare of Infrastructure and Government Act. The bill was led by Homeland Security Committee Chairman Andrew Garbarino (R-N.Y.).

Garbarino’s bill would extend the CISA 2015 protections for another 10 years, while updating definitions to account for advances in artificial intelligence. It would also require the Department of Homeland Security to improve its outreach on emerging cyber threats.

In a statement released after the House passed the CR, Garbarino called for reauthorizing multiple expired DHS authorities, including CISA 2015.

“With the federal government reopening, I look forward to continuing this Committee’s important work alongside our colleagues in both the House and Senate to find long-term solutions for reauthorizing these vital DHS authorities, bolster our nation’s cyber defenses, maintain President Trump’s secure borders, and ensure the safety of America’s skies and the traveling public,” Garbarino said.

It’s unclear, however, if and when Garbarino’s bill will be called for a vote on the House floor.

In the Senate, meanwhile, Homeland Security and Governmental Affairs Committee Ranking Member Gary Peters (D-Mich.) and Sen. Mike Rounds (R-S.D.) have put forward a bill that would extend CISA 2015 for an additional 10 years without modifying the provisions in the law.

“This short-term extension is an important stopgap, but it is set to expire in just two months unless we pass bipartisan legislation to provide more long-term certainty,” Peters said in a statement. “That’s why I’m pushing to pass my Protecting America from Cyber Threats Act with Senator Rounds, which would renew these critical protections for a full decade so that companies know they can count on them in the event of a cyberattack.”

An HSGAC aide said Peters “remains committed to getting this across the finish line and will continue working with colleagues across the aisle to make sure these protections are fully restored.”

However, Paul has blocked efforts to pass a “clean” CISA 2015 extension. He has pledged to oppose any efforts to reauthorize the law unless it prohibits the Cybersecurity and Infrastructure Security Agency from working on future disinformation efforts.

Paul has said the agency’s work in that area infringed on free speech rights. Cyber experts counter that reauthorizing the CISA 2015 law has nothing to do with the disinformation work of CISA, the agency. The cyber agency does, however, rely on the law to undergird its collaboration with industry on cyber threats.

Officials have also lamented how the shared name between the information-sharing law and the cyber agency has muddied the waters in the debate over reauthorizing the law.

“They happen to share that same acronym, which is a fluke,” White House National Cyber Director Sean Cairncross said at the Palo Alto Networks conference last month.

A key question is whether the White House will throw its weight more forcefully behind any congressional efforts to reauthorize the bill. In public comments, Trump administration officials have advocated for a 10-year reauthorization without further modifications to the law.

“It’s a common-sense law,” Cairncross said. “The White House is pushing for a 10-year, clean reauthorization of this authority. It’s something that we want to see done. It’s important to national security and it fosters the sort of collaboration, not only amongst the private sector, but between the public and private sector that’s vital.”

The post Congress extends CISA 2015, but path to long-term reauthorization remains murky first appeared on Federal News Network.


Post-shutdown, here’s how soon federal employees can expect back pay

Following the longest shutdown in U.S. history, the federal workforce is now trying to get back to at least some sense of normalcy.

While federal employees who have been furloughed for the last 43 days return to work Thursday, the Office of Personnel Management is setting expectations for agencies as they begin to update pay, leave and benefits for those impacted by the lapse in appropriations.

In new guidance, OPM said it “is committed to ensuring that retroactive pay is provided as soon as possible.” Compensation will be provided for both furloughed and excepted federal employees, as the spending agreement that was enacted Wednesday evening reaffirmed. A 2019 law previously called for retroactive compensation for all federal employees impacted by a shutdown.

A senior Trump administration official said the White House “has urged agencies to get employee paychecks out expeditiously and accurately to not leave anyone waiting longer than necessary.”

But the timing of employees receiving their back pay varies, depending on what payroll provider an agency uses, and the different pay schedules across the federal workforce.

Sending out retroactive payments to employees involves working across agency HR offices, federal payroll providers and shared service centers. Agency HR offices, for instance, have to submit timecards for federal employees, which are then processed by the government’s various payroll providers.

According to the senior administration official, employees from the General Services Administration and OPM will be among the first to receive their retroactive paychecks, with an expected deposit date set for Saturday.

Employees at the departments of Veterans Affairs, Energy, and Health and Human Services, as well as civilian employees from the Defense Department, will receive their deposits shortly after that — this Sunday.

On Monday, affected employees from the departments of Education, State, Interior and Transportation, as well as the Environmental Protection Agency, National Science Foundation, Nuclear Regulatory Commission, Social Security Administration and NASA, are all expected to receive their back pay.

Then on Wednesday, employees from the departments of Agriculture, Commerce, Treasury, Labor and Justice, along with the Department of Homeland Security, the Department of Housing and Urban Development and the Small Business Administration, are projected to get their paychecks. The timing of the retroactive payments for feds was first reported by Semafor.

The National Finance Center, a payroll provider housed under the Agriculture Department, confirmed that employees at agencies using NFC’s services should expect a payroll deposit by the middle of next week.

“In order to provide backpay for employees as quickly as possible, the National Finance Center will be expediting pay processing for pay period 22 and backpay for pay periods 19 (October 1-4), 20 (October 5-18), and 21 (October 19-November 1),” USDA wrote in an all-staff email Wednesday evening, obtained by Federal News Network.

Federal News Network has reached out to several other federal payroll providers requesting details on the timeline for processing retroactive payments.

The National Treasury Employees Union urged immediate back pay for all federal employees who have been going without compensation for the last six weeks.

“This is an emergency for federal employees across the country, and they should not have to wait another minute longer for the paychecks they lost during the longest government shutdown in history,” NTEU National President Doreen Greenwald said. “We call on all federal agencies to process the back pay immediately.”

In its new guidance, OPM also noted that to make payments as quickly as possible, payroll providers may need to “make some adjustments.” That could mean, for instance, that the initial retroactive payments employees receive might not reflect the exact calculations of their pay and leave hours.

“Payroll providers will work with agencies to make any necessary adjustments as soon as practicable,” OPM said.

Who receives back pay, and how much?

Furloughed employees will receive their “standard rate of pay” for the hours they would have worked if the government shutdown hadn’t occurred, OPM said in its guidance Wednesday evening.

But there are some exceptions to that. If a furloughed employee, for example, had been scheduled for overtime hours that would have occurred during the shutdown, OPM said they should be paid their premium rate for those hours.

Additionally, OPM said that allowances, differentials and other types of payments, like administratively uncontrollable overtime pay or law enforcement availability pay, should be paid as if the furloughed employee continued to work.

Although most employees impacted by the shutdown are ensured back pay, there are some smaller exceptions carved out where employees may not receive retroactive pay, OPM added.

If a furloughed employee was in a non-pay status before the shutdown began, for instance, then they are not entitled to receive back pay.

Excepted employees who were considered “absent without leave” (AWOL) — or in other words, took unapproved time off — will also not receive back pay for that time.

Guidance on leave, post-shutdown

Although excepted employees are not required to use paid leave for taking time off during the shutdown — and can instead enter a “furlough” period — there may still have been some instances where excepted employees took leave during the funding lapse, OPM wrote in its guidance.

In those cases, excepted employees who were approved to take paid leave during the shutdown will be charged for the hours from their leave bank, OPM said.

Agencies are also expected to begin adjusting leave accrual for furloughed employees. Now that the shutdown is over, furloughed employees should be placed in a “pay status” for the time they would have otherwise spent working during the funding lapse. That means accrual of annual and sick leave will be retroactively adjusted as if the employees were in a pay status, OPM said.

Excepted employees continued to accrue leave during the shutdown, which should be reflected in their leave banks, OPM said.

What happens to RIFs of federal employees?

On top of reaffirming back pay, the spending bill that was enacted Wednesday evening also rescinds the roughly 4,000 reductions in force that have occurred since Oct. 1. Federal employees will be temporarily protected from additional RIFs, at least until the end of January.

Agencies have five days to inform federal employees who received RIF notices in October that those actions are rescinded.

“Agencies should issue those notices and confirm to OPM the rescissions have been issued,” OPM’s guidance states.

At least 670,000 federal employees have been furloughed, and 730,000 employees have been working without pay during the shutdown. Agencies have been putting plans in the works to return all furloughed federal employees to their duties as of Thursday.

OPM also said agencies “may consider” providing flexibility for employees who might not be able to return to work immediately, such as by approving personal leave or adjusting individual work schedules.

The post Post-shutdown, here’s how soon federal employees can expect back pay first appeared on Federal News Network.

© AP Photo/Mark Schiefelbein

The Theodore Roosevelt Building, location of the U.S. Office of Personnel Management, on Tuesday, Feb. 13, 2024, in Washington. Former President Donald Trump has plans to radically reshape the federal government if he returns to the White House, from promising to deport millions of immigrants in the U.S. illegally to firing tens of thousands of government workers. (AP Photo/Mark Schiefelbein)

The Pentagon wants faster weapons and it’s giving industry just 60 days to help make it happen

Interview transcript: 

Terry Gerton You, I’m sure, paid very close attention to Secretary Hegseth’s speech last Friday on the arsenals of democracy. What was your takeaway?

Stephanie Kostro Thanks so much for asking, Terry. And not only was I listening with bated breath, I was actually in the room. And for any Hamilton fans out there, it was the room where it happened. There were roughly 250 folks in an auditorium on Fort McNair when Secretary of War Hegseth rolled out his ideas for transforming acquisition. And there was a lot to be said, Terry, he spoke for well over an hour, nonstop, no questions, just kept going. I would say it’s fair to characterize the audience as rapt. We were waiting for everything he had to say. There were three main topics he wanted to talk about. One was reforming or transforming the requirements process. The second was transforming the acquisition process. And the third was reforming foreign sales processes, and that’s including both foreign military sales and direct commercial sales. So all of those were key topics for everyone in that room.

Terry Gerton Well, let’s take those one by one and the requirements topic, of course, came up first. He talked about the end of the JCIDS and a realignment of the JROC. What did you take away?

Stephanie Kostro So the requirements process has long been an issue of great concern to industry, as well as from my time as a congressional committee staffer on the House Armed Services Committee, talking about how by the time you go through the several years to validate a requirement, it may actually be obsolete by the time you roll out of that process. And so the idea of transforming the requirements process has been long anticipated. And I really appreciate what the secretary said regarding being flexible. Going for combining the requirements process with the acquisitions process so that it’s modular, that it does leverage available commercial technologies and products, that it really looks forward to getting faster delivery times and getting weapons both developed and then deployed and in the hands of the warfighters who need them. So that was very much appreciated. No one, I think, will cry over the demise of JCIDS, but the question becomes, what rises to replace it. And, of course, the under secretary of war for acquisition and sustainment owes guidance on this issue to be released 45 days from the date of that directive, and then the military services have to come up with plans of action within 60 days. So the next two months are going to be very, very busy.

Terry Gerton All right. Part two was a reform of the acquisition process itself. The headline here is the elimination of PEOs and the replacement of them with program acquisition executives, right?

Stephanie Kostro PAEs, that is correct. So I think the other piece of this that goes hand in hand with requirements transformation is the reform and the transformation of the war fighting acquisition system, as they call it now, not the defense acquisition system. And it really focuses on the war-fighting piece of it. I think what I took away, and he said this a few times, Secretary Hegseth, and I’m going to quote him here, they want to increase acquisition risk in order to reduce operational risk. And for me that means putting flexibility in the hands of contracting officers and those in the programs to pursue modular, multi-source solutions throughout the development of a requirement, or rather the development, of a capability. And then actually to get it into the hands of the warfighter. They want to reward and incentivize speed and performance over bureaucratic processes. And that is music to a lot of industry’s ears.

Terry Gerton So a big part of that speed increases buying commercial first. Secretary Hegseth said they are willing to settle for 85% functionality and work toward 100%.

Stephanie Kostro So that was, I think, an interesting turn of phrase for him, mostly because he did say a few times to increase acquisition risk to reduce operational risk. And of course, you’re going to have to have a balance there of what is that 85% and what 15% are you going to be missing? And so I think as they move forward with embracing modularity, fostering competition and pursuing multi-source procurement, that you do want to move fast to contract. He also did mention not over-relying on the testing element. And so we’ve seen that in previous memos, particularly back in May, where Secretary Hegseth signed some memos about operational test and evaluation and streamlining that process in those offices. And so what I also found interesting is talking about putting contracting officers within the program offices too, so they can sit alongside the requirements developers and the folks who are responsible for fielding the capability, so they get a better sense of what the requirements are and how to incorporate those into contracts, leveraging commercial technologies as much as they are available.

Terry Gerton I’m speaking with Stephanie Kostro. She’s the president of the Professional Services Council. Stephanie, let’s touch on topic number three quickly, the foreign military sales reform.

Stephanie Kostro Part of this reform, or they keep saying transformation, not reformation, so I’ll key into that, transforming what military sales looks like. We’ve had lots of conversations, and I was at the Pentagon, in particular the European office, talking with our allies and partners about how they could access U.S. solutions, and it always was a multi-year process to go from all of that pre-work where we talk about requirements to a letter of offer and acceptance at the end of it, and actually delivering the materials. It’s multi-year and it is so frustrating, particularly when companies want to compete with non-U.S. companies who don’t have the layers of bureaucracy. And so I look at the reorganization that the secretary laid out, that is to move the Defense Security Cooperation Agency and the Defense Technology Security Administration, so I’ll say DSCA and DITSA, which is how we call them, over to the acquisition undersecretary. I think those are smart moves if in fact you want to speed up the fielding of compatible and interoperable equipment with our friends and allies. That said, I think it’s important to note that we need to incentivize folks in order to speed those situations up. And one thing that works really well, and it’s something that PSC has talked about in the past, is if you’re going to have an assistant secretary in a military service responsible for acquisition, and each of the military services has that individual, you need to put foreign sales into their performance metrics. They need to be measured on how well they are doing on that front as well. And that is something that I will be talking to the Pentagon folks about, and our CEO at PSC, Jim Carroll, will be taking to his Pentagon friends as well regarding how to actually incentivize this behavior.

Terry Gerton So this speech on Friday was the tip of the iceberg; much remains to follow in terms of detail, right? What will you be watching for there?

Stephanie Kostro I will be watching for the number of times and the depth of availability of Department of War individuals to speak with industry. This needs to be a collaboration. When you’re talking about speeding up requirements and speeding up contracting and speeding up foreign sales, you really need to talk to the industry that will be responsible for that. One thing that I did take away from the speech on Friday was an openness for profit. And I say that because a lot of times industry gets demonized for making a profit. But what happens is when you have profits, you can actually turn them back into the company and then make investments in future opportunities. And so if companies are allowed to make a profit, then they can have more money to invest in their companies and their technologies and actually move the ball forward faster. And so as we go through this, I will be looking at opportunities not only to comment formally through written comments, whether that’s through the Federal Register or the System of Acquisition Management, or SAM.gov, but also having round tables. We’ve offered to Department of War individuals, we at PSC are happy to schedule and facilitate a round table to have industry speak candidly with their government partners about how to make this happen faster, better and more efficiently.

Terry Gerton So you’d say that the speech was pretty well received by the folks in the room, then.

Stephanie Kostro I would say it was very well received as a rhetorical device. The proof is always in the pudding. The devil is always in the details. I think as we move forward, there will be more enthusiasm. Enthusiasm will grow, but it really depends on what those reports look like, that guidance from the undersecretary in 45 days, the military service plans of actions in 60 days, and how much input it reflects from industry. I think there is generally a recognition across the board, industry, executive branch and Congress, that something needs to change here. And in fact, a lot of what was in the speech reflected things that are under negotiation in the National Defense Authorization Act conference right now. And I think we are all rowing in the same direction. And I hope we stay doing that.

The post The Pentagon wants faster weapons and it’s giving industry just 60 days to help make it happen first appeared on Federal News Network.

© Andrew Harnik/Pool via AP

Secretary of Defense Pete Hegseth speaks to senior military leaders at Marine Corps Base Quantico, Tuesday, Sept. 30, 2025 in Quantico, Va. (Andrew Harnik/Pool via AP)

How CyberCorps scholars are navigating a fractured federal job landscape

The longstanding CyberCorps program is at a crossroads, as scholars struggle to find internships, jobs and support during the Trump administration’s governmentwide hiring freeze.

The CyberCorps: Scholarship for Service program is funded by the National Science Foundation and administered through the Office of Personnel Management. The program provides scholarships for up to three years to support an undergraduate or graduate student. In return, CyberCorps students agree to serve in government for a period of time equal to their scholarship.

The program has provided federal agencies with a steady pipeline of much-needed cyber talent since it was established in 2000.

But this year, CyberCorps scholars are struggling to find any open opportunities after the Trump administration instituted a governmentwide hiring freeze for most positions in February. The White House recently extended that freeze indefinitely.

Some CyberCorps scholars had received tentative job or internship offers that were revoked or paused with little explanation. Cyber-related opportunities at federal agencies have largely dried up, especially for entry-level positions, amid the hiring freeze and downsizing at agencies like the Cybersecurity and Infrastructure Security Agency.

Several students are now staring down the possibility of having to pay back their scholarships if they can’t find qualified work. CyberCorps participants are typically required to start a qualifying job within 18 months of graduating.

More than 250 current students and CyberCorps alumni have now organized to share information and press the administration for more information on the future of the program and their job prospects, according to multiple scholars involved in the group. Multiple scholars said that OPM has had little communication with them about the major changes in the federal hiring landscape.

“Many scholars feel we are being strong-armed into unwillingly owing the government hundreds of thousands of dollars for failing to find work with them, when the government is the one cutting jobs, slashing budgets, and eliminating roles we were intended to fill,” one student told Federal News Network.

In a statement, OPM Director Scott Kupor said “bringing top cybersecurity and AI talent into the federal government are critical to our national security.”

“OPM is committed to the success of SFS and is working closely with the National Science Foundation to ensure CyberCorps participants are supported during this challenging time,” Kupor said. “Once the shutdown ends, we will issue guidance to agencies encouraging them to fully leverage the program to bring these highly skilled professionals into public service.”

A spokeswoman for OPM added that “no scholars have been sent to repayment.”

“After the shutdown ends, OPM will collaborate with NSF on a mass deferment to give graduates more time to secure qualifying positions and further guidance to encourage agencies to make use of the SFS program for their hiring needs,” the spokeswoman said.

But CyberCorps scholars say they have a lot of questions about the plan for deferring their post-scholarship employment requirements, given that few federal jobs are available beyond those geared toward immigration enforcement and other Trump administration priorities.

Federal News Network spoke with five CyberCorps scholars about their experience with the program and the challenges they’ve encountered this year. They were granted anonymity because they fear retaliation for speaking out.

Scholar 1 is graduating with a master’s degree in 2026; Scholar 2 is graduating with a bachelor’s degree in December 2025; Scholar 3 is graduating with a master’s degree in December 2025; Scholar 4 graduated in May 2024 with a cybersecurity degree; and Scholar 5 is graduating with a master’s degree in August 2026.

(These conversations were edited for length and clarity.)

FNN: Why did you join CyberCorps, and what do you hope to do as far as government service?

Scholar 1: “The principal investigator of CyberCorps at my school told me about CyberCorps while I was finishing my undergrad degree. I wanted to pursue cybersecurity and data privacy. My PI pitched it to me as, get a free degree and get excellent work experience, and actually do stuff I think is valuable, rather than just working in industry. . . .

I wanted to work with CISA. I’m really interested in critical infrastructure and passionate about securing rural infrastructure, making people conscious of cybersecurity and how it affects them.”

Scholar 2: “I have experience working with the government. I served in the Air National Guard in a technical role. . . . I also had the opportunity to work in an internship with the federal government, and that’s when I discovered programs like CyberCorps.

Having that familiarity with the hands-on experience inspires me and encourages me to keep learning . . . I’m not specifically interested in any particular agency, but anywhere there’s an opportunity in the federal government . . . more or less keeping the bad guys out. I view it as a puzzle.”

Scholar 3: “I chose my entire university based on this scholarship. . . . I’ve been looking for ways to break into cybersecurity for a few years. The CyberCorps program was heavily recommended online. And I also had relatives who worked in government. I just wanted to give back to my community.

I worked an internship at CISA in the summer of 2024. . . . I wanted to work at CISA. I had verbal offers to come back. In my internship, I got full marks. . . . I wanted to find work in protecting critical infrastructure and just wanted to serve my country.”

Scholar 4: “For me it was a chance to serve my country outside of active duty service. I was consistently encouraged to apply by another military-affiliated student. . . I did research while I was in the program. I’m interested in secure software engineering and embedded systems security. I appreciate the ability to blend two different fields together.

I went in with the mindset of, I’m going to be open to all the possibilities that are coming my way. I didn’t want to pigeonhole myself with a specific agency. I wanted to get an interview with an agency and see how their culture worked. I was open to computer science roles, as well as cybersecurity roles.”

Scholar 5: “Initially, I had entered college with medical school in mind. . . . Ultimately, I was able to finish a bachelor’s in computer science, and helping people was still at the forefront of my mind. At the end of the day, that’s why I joined CyberCorps – I thought it would be a gateway to a fulfilling, lifelong career in public service.

I’ve had my eyes set on a position with the Air Force Civilian Service. To me, there isn’t a job in this field that would be more meaningful than working alongside our troops to protect American interests.”

FNN: What challenges have you encountered with the CyberCorps program over the past year?

Scholar 1: “I had interviews with CISA and MITRE for internships. . . Everything was looking fantastic from my perspective. This all happened prior to the January 2025 job fair. That was the first week of January, right before the inauguration.

Afterward, there was no contact. Most of my applications and things I had applied for, they still say it’s in processing or being reviewed. They haven’t been rejected. They’ve been permanently paused.”

(OPM in a recent email told CyberCorps scholars to “get creative” with their job search.)

Scholar 1: “The NSF doesn’t really communicate. It’s mostly through OPM – they just said keep trying, keep looking. They’ve even encouraged us to look out for non-federal agencies. In the ‘get creative’ email, they specifically say to widen our search to state and local governments and nonprofits, when just months prior, they were all but forbidding us from doing that.”

Scholar 2: “Everybody is suffering, because not only are there barely any jobs … but if there are any, we now have to compete with people who are displaced from the shutdown or got let go. All that has made it hard.

It’s very sad to me, because when people are curious about this program, I’m telling them to not do it, because I don’t want to feel like I’m screwing them over by having them sign a contract and then if they can’t find a job, they’re on the hook for hundreds of thousands of dollars in debt.”

Scholar 3: “Getting any kind of response at all has been difficult, even before the government shutdown. When the hiring freeze went into action, the 250 to 300 of us now in the same situation couldn’t get any responses. We were emailing OPM and SFS – we either got no response, or a response that said, ‘get scrappy.’

I got two tentative offers. I had the first offer come in just before the freeze, and I accepted it. When the freeze started, my would-be supervisor at CISA said, ‘Hey, hold on.’ . . . But then the supervisor told me they were probably leaving CISA. The other offer was with another agency. That tentative offer is still there, for an internship last summer.”

Scholar 4: “I had been proactive in securing two tentative job offers before I graduated. I made my choice and got started on the clearance process as soon as I could. . . . I kept checking in with the agency for updates. When I asked for guidance on the timeline with OPM, they told me it could take up to a year. . . . I was told by the sponsoring agency that they wouldn’t send a firm job offer or interim until my clearance was fully determined.

Around January of this year, they ceased all communications with me.”

Scholar 5: “Communication has been infrequent, lackluster and untimely. . . . Historically, OPM has not allowed private internships to count towards our summer internship requirement. They decided to bend the rules this summer. Sounds great, but my cohort wasn’t informed until late spring. By that time, it was entirely too late to secure an internship with a private company for that summer.”

FNN: How have those challenges changed your career outlook and view of public service? And with OPM recently announcing plans for a ‘mass deferment’ of SFS deadlines, what questions or concerns do you continue to have about the future of CyberCorps and your prospects for finding approved work after graduation?

Scholar 1: “We appreciate the rapid response, especially in light of the shutdown, and are thankful for the first piece of substantial information that’s come out of the SFS office in months. Although we are grateful for the acknowledgement from OPM, their statement has still left hundreds of people concerned about their future. Post-shutdown deferments will do little to help our situation – our biggest blocker is the crusade against federal hiring and public sector cybersecurity overall. We have legitimate concerns and reservations, that are validated by the lack of communication and support that’s been received over the past ten months. Thank you for the response. Please, let’s keep this conversation going.”

Scholar 2: “We would be more comfortable if there were more flexibility. There are a lot more opportunities working the same role, but as a private contractor working for the government. In the past, they’d say no, you can’t be a private contractor. They’d want you to be a federal employee. But with the job freeze, it feels like that’s the only way.

If there are no jobs, they’re not upholding their end of the contract. . . The general consensus is that there needs to be more transparency. We just want to have a simple conversation with OPM to see what they can do, not just with the deferment but with flexibility.”

Scholar 3: “We should be doing everything we can to encourage and attract talent. I’ve met some of the smartest people I had ever met in my life through this program, who don’t know what to do and are looking at going private rather than doing what they originally intended.”

(Federal job applications now include essay questions asking how candidates would “advance the President’s executive orders and policy priorities.” Federal employee unions are suing the Trump administration over those questions.)

Scholar 3: “I used to say I don’t care what administration I serve. I wanted to serve my neighbors. But these questions aren’t framed around serving the country. It’s serving a person.

I saw one role I wanted to apply to two weeks ago. When I saw those loyalty questions, I sat there and thought, I don’t have the ability to go through this right now. I didn’t want to put that on my plate.”

Scholar 4: “The first question a lot of us would have is, what’s the time frame? How much time are they actually allotting us? Even if we’re given additional time, if I can’t get a clearance or we get another freeze and they’re not able to process that, it further puts a halt on this process, and I’m left in the same situation.

Even once you secure a job, you have to maintain the job. That goes for a new hire when you’re in the probation period, assuming you don’t get laid off then. I think it just puts additional stress and strain on us mentally.

I don’t think people are considering that factor and OPM hasn’t provided any true reassurance.”

Scholar 5: “I have now started the process of commissioning as an officer with the Navy. My family worries that I’m choosing this path because I feel like I have no other way out — and truthfully, it’s hard for me to parse through my own thoughts on the matter; however, I am choosing to remain excited about the prospect.”

The post How CyberCorps scholars are navigating a fractured federal job landscape first appeared on Federal News Network.

© Getty Images/iStockphoto/LeoWolfert

Corporate security manager identifies a potential insider threat in a line-up of eight white collar workers. Hacker or spy icon lights up purple. Cybersecurity and human resources challenge concept.

How to make money from Food Blogging in India?

I wanted to be a food blogger but didn’t know how to become one. I did some research and found out that many people were earning a lot through food blogging. According to Semrush, food bloggers make a median monthly income of $9,169, which is approximately 7 lakh rupees in India. Isn’t that astonishing? I was amazed too! But earning that much is not an easy task. In this blog, I will tell you how I started my journey as a food blogger in India and began making money.

Why did I want to be a Food Blogger?

I have been interested in cooking, especially our native Indian recipes, since my childhood. Cooking was a hobby in which I spent my time more happily than in anything else. My friends really liked my cooking and suggested that food blogging could help me monetize my cooking skills. I liked that idea too.

Food blogging excited me because I could keep doing the cooking I loved and also earn from it, a profession related to cooking that I had always wanted. I was confident that I would build my food blog and start earning from it.

Starting a Food Blog without any knowledge of a Website

I now wanted to start my food blog out of my passion for cooking, but I had a lot of doubts. So Google was a safe haven for me, where I asked my confused questions. It did clear my doubts to some extent, but not completely. I got a lot of information about website development, website hosting, SEO, video blogging, etc., and I was confused about how to proceed with food blogging.

All the processes involved in food blogging seemed so complicated to me. I thought, why not search for a service provider who could help me with the idea of food blogging? I searched Google again for website development and digital marketing companies in India and enquired about the charges with many of them.

Finally, I found Repute Digital Business Agency, located in Coimbatore, Tamil Nadu. Out of all the service providers I enquired with, Repute was the one that resolved my doubts on the first call.

How to earn via Food Blogging 

Repute stood first in my mind after enquiring with many other website and digital marketing service providers. I decided to proceed with them to build my food blogging website.

Services provided by Repute for the development of my food blogging website:

✔ Website Development
✔ Social media Marketing
✔ SEO services
✔ Website Maintenance Services
✔ Ad placements on the website

These were the processes they promised to carry out in the first phase. They explained each and every process to me. Let me now explain how my food blog website, Famous Indian Recipes, was created from scratch.

Website Development

They suggested going with WordPress to build my website. They developed my Famous Indian Recipes website from nothing into a good, colourful website with a proper structure and theme. They also created a logo and branding.

Social media Marketing

Food Blog Content Suggestions

Repute gave me topics for recipes after doing keyword research. I gave them the recipes accordingly, so that we could post the food recipes people actually search for. This is one of the best SEO practices in food blogging and can increase your website’s visibility easily. When you write about what people search for, your food blog becomes a hit in less time.

SEO Services

Repute provided me with affordable SEO services, whereas all the other service providers charged a huge sum for theirs.

They did good on-page SEO by creating proper internal linking on my website, which gives it a proper structure and hierarchy. They also did off-page SEO, bringing in legitimate backlinks that increased my Domain Authority. All these SEO processes brought me many visitors and improved my website’s ranking.

Ad placements on the website

After bringing in good traffic through top SEO strategies, Repute started placing ads on my Famous Indian Recipes website. As the number of food recipes posted on my website increased, the money I earned via Google Ads also increased.

Website Maintenance Services

Just creating and developing the website alone is not enough. You need to maintain the website and check that many technical criteria, such as the website loading time, are working properly. Any problem with the website will directly hit its ranking.

Consistent updates to the food blog are required for the website to rank properly. The ranking of my website improved day by day because of proper maintenance.

Analytical Report

Repute provides me with an analytics report every month. They explain the developments on the website: the number of blogs uploaded, the improvement in earnings from ads, social media activities, the increase in subscribers and followers, etc. The analytics report was clear-cut and legitimate, and I could see the development of my food blog every month in the statistics.

Future Food Blogging Strategies

All the above are active on my website now. I have planned many strategies to develop my food blogging via digital marketing and increase my income. Some of the future food blogging strategies planned are:

✔ Video Food Blogging
✔ Affiliate Marketing
✔ Email Marketing
✔ Increase more subscribers
✔ Plan to become an influencer
✔ Ebook with my Recipes
✔ Guest Blogging

All these strategies are yet to be executed. Though I didn’t start earning 7 lakhs in a month, I started to earn a very good sum. I am looking forward to earning more.

This is my story of how I developed my food blog and started earning from it. If you want the best SEO services along with digital marketing, website, and social media marketing services from Repute, you can contact them via support@irepute.in. You can also visit their website at https://irepute.in/

The post How to make money from Food Blogging in India? appeared first on Famous Indian Recipes.

Inside the Biggest U.S. Civilian Agency’s Pentesting Strategy

By: Synack

The U.S. Department of Health and Human Services (HHS) draws on Synack’s trusted security researchers and smart pentesting platform to stay nimble in the face of fast-moving cyberthreats. 

With 84,000 federal employees, the agency’s sheer size poses challenges when it comes to addressing the cyber talent gap or pentesting its most critical networks. It’s the largest U.S. civilian agency by spending.

“We have an enormous footprint on the internet,” said Matthew Shallbetter, director of security design and innovation at HHS, during a webinar Wednesday hosted by Synack. “Across the board, HHS is both vast and well-known – and so a good target for troublemakers and hackers.” 

He cited constant cyberthreats to the National Institutes of Health, HealthCare.gov and the Centers for Disease Control and Prevention – some of the most recognizable federal research centers and government services. All those resources fall under HHS’s purview.

So how does the agency hire for mission-critical cybersecurity roles, stay on top of shifting zero-trust requirements and satisfy the need for continuous security testing?

Shallbetter shared his insights with Synack’s Scott Ormiston, a federal solutions architect who’s no stranger to the challenges facing public sector organizations globally.

With an estimated 2.72 million unfilled cybersecurity jobs worldwide, government agencies are struggling more than ever to meet diverse infosec hiring needs.  

“Attackers are responding so much faster today than they were even five years ago,” Ormiston pointed out. “In the time that a vulnerability is released to the public, within minutes of that release, attackers are out scanning your systems. If you don’t have enough skilled personnel to run a continuous testing program and to continuously be looking at your assets, how do you address that challenge?”

Here are a few themes and highlights from the webinar:

Continuous pentesting is a must

It can take weeks to spin up a traditional pentest to find and fix urgent software bugs. Meanwhile, bad actors almost immediately start scanning to exploit those same vulnerabilities, whether they’re blockbuster flaws like Log4j or lesser-known CVEs.

Against that backdrop, traditional pentesting clearly falls short. But is continuous pentesting realistic?

“The short answer is yes, because your adversaries are doing it every day: They’re continuously testing your environment,” Ormiston said.

Shallbetter noted that HHS has its own set of pentesting teams that are centrally located and focus on high-value assets. But there isn’t enough in-house talent to keep up with regular testing, scanning and patching.

“If we could focus on what’s really, really important and test those [assets], we might have enough bodies,” he said. “But it’s really a challenge to try to patch vulnerabilities… The footprint never shrinks; it’s always expanding.” 

To augment his own agency’s workforce capabilities, Shallbetter pulls from Synack’s community of world-class researchers. The diverse members of the Synack Red Team (SRT) allow HHS security testing to keep up with rapid software development cycles and the unrelenting pace of digital transformation.

HHS led 196 assessments using Synack’s platform, adding up to over 45,000 hours of testing on its perimeter services as part of an established vulnerability disclosure process.

There’s no match for human insight

That adds up to a lot of actionable data.

“We really couldn’t have done the VDP the way we did… without using a centralized platform like Synack,” Shallbetter said. “The human insight was key.”

He pointed out that HHS has automated tools across the board to help developers weed out vulnerabilities and drive down risk.  

But over and over, SRT members would find more.

Shallbetter said his favorite examples are when a system owner engages the Synack Platform to validate that HHS has really fixed a vulnerability. “They ask for a retest and the researcher says, ‘Oh, I did X, Y, and Z, but I did it again…’ And the system owner says, ‘Wow, that’s really cool.’”

Those exchanges also build trust between the SRT community and HHS developers who appreciate researchers’ ability to find the vulnerabilities that matter, cutting through the background noise of automation. An average of 30 SRT members contribute their expertise to each HHS assessment, according to Shallbetter.

“When you put a bunch of humans on a target, even if it’s been scanned and pentested by an automated tool, you will find new problems and new issues,” he said.

Zero trust is no longer just a buzzword

The White House early this year unveiled its highly anticipated zero trust strategy, M-22-09, which set federal agencies on a path to achieve a slate of zero-trust principles.

Those five security pillars include identity, devices, applications and workloads, networks and data.

“It’s great to have this architecture,” Ormiston said of M-22-09. “But this also means additional stress on a cyber workforce that’s under pressure.”

Zero trust is a “hot topic” at HHS, as Shallbetter noted.

“It doesn’t feel like a marketing term; people are really beginning to understand what it means and how to implement it in certain ways,” he said.

And pentesting has emerged as “a significant part” of meeting HHS’s zero trust goals. 

“I do think the scope and scale of technology now means the real vision for zero trust is possible,” he said. “For HHS, penetration testing has been an important part of speeding our deployment processes.”

Agencies have until the end of fiscal 2024 to reach the pillars of the zero trust paradigm described in the White House memo.

In the meantime, Synack will continue working as a trusted partner with HHS, delivering on-demand security expertise and a premier pentesting experience.

“I love being able to sort of toss the schedule over the fence and say, ‘hey, Synack, we need four more [assessments], what are we going to do?’—and have it happen,” Shallbetter said.

Access the recording of the webinar here. To learn more about why the public sector deserves a better way to pentest, click here or schedule a demo with Synack here.

The post Inside the Biggest U.S. Civilian Agency’s Pentesting Strategy appeared first on Synack.

How Synack Helps Organizations Comply with Directive 22-01

By: Synack

Government cybersecurity leaders know all too well that traditional pentesting is complex and doesn’t scale. The need to quickly resource up in order to effectively identify, triage and remediate vulnerabilities has become increasingly critical and, for most, a compliance requirement. 

Synack empowers government agencies with on-demand, continuous pentesting, pairing the platform’s vulnerability management and reporting capabilities with a diverse community of vetted and trusted researchers to find the vulnerabilities that matter. 

Synack also helps government security teams achieve the most effective vulnerability management possible to satisfy Binding Operational Directive (BOD) 22-01’s identification, evaluation and mitigation/remediation steps. The Synack approach also facilitates detailed vulnerability reporting that the agency can easily hand off to CISA if desired. 

Let’s quickly review what BOD 22-01 mandates, and how federal agencies can achieve compliance with help from Synack. 

CISA Binding Operational Directive 22-01—Reducing the Significant Risk of Known Exploited Vulnerabilities

Recent data breaches, most notably the 2020 cyberattack by Russian hackers that penetrated multiple U.S. government systems, have prompted the federal government to improve its efforts to protect the computer systems in its agencies and in third-party providers doing business with the government. As part of the process to improve the security of government systems, the Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive 22-01. 

CISA Directive 22-01 spells out what federal agencies and contractors are required to do to detect and remediate known exploited vulnerabilities. The scope of this directive includes all software and hardware found on federal information systems managed on agency premises or hosted by third parties on the agency’s behalf. Required actions apply to any federal information system, including an information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.

Directive 22-01 Compliance Requirements

In addition to establishing a catalog of known exploited vulnerabilities, Directive 22-01 establishes requirements for agencies to remediate these vulnerabilities. Required actions include: 

  • Establishment of 1) a process for ongoing remediation of vulnerabilities and 2) internal validation and enforcement procedures
  • Setting up of internal tracking and reporting
  • Remediation of each vulnerability within specified timelines
  • Reporting on vulnerability status to CISA

CISA’s Cybersecurity Incident & Vulnerability Response Playbooks describe a standard program for vulnerability management. The program steps are identification, evaluation, remediation and reporting.

  1. Identify reports on vulnerabilities that are actively exploited in the wild.
  2. Evaluate the system to determine whether the vulnerability exists in the system and, if it does, how critical it is. If the vulnerability exists, determine whether it has already been exploited on that system.
  3. Mitigate and Remediate all exploited vulnerabilities in a timely manner. Mitigation refers to the steps the organization takes to stop a vulnerability from being exploited (e.g. taking systems offline), and Remediation refers to the steps taken to fix or remove the vulnerability (e.g. patching the system).
  4. Report to CISA. Reporting how vulnerabilities are being exploited can help the government understand which vulnerabilities are most critical to fix.

Evaluating Vulnerabilities with Synack

Synack finds exploitable vulnerabilities for customers through its unique blend of the best ethical hackers in the world, specialized researchers, a managed VDP, and the integration of its SmartScan product. SmartScan uses a combination of the latest tools, tactics and procedures to continuously scan your environment and watch for changes. It identifies potential vulnerabilities and engages the Synack Red Team (SRT) and Synack Operations to review suspected vulnerabilities. The SRT is a private and diverse community of vetted and trusted security researchers, bringing human ingenuity to the table and pairing it with the scalability of an automated vulnerability intelligence platform. 

If a suspected vulnerability is confirmed as exploitable, the SRT generates a detailed vulnerability report with steps to reproduce and fix the vulnerability. Vulnerabilities are then triaged so that only actionable, exploitable vulnerabilities are presented, each with severity and priority information.

Mitigating and Remediating Vulnerabilities with Synack

Once the Synack team of researchers has verified the exploitability of the vulnerability, it leverages its expertise in understanding your applications and infrastructure. From that point, and in many cases, the SRT is able to recommend a fix with accompanying remediation guidance for addressing the vulnerability. And Synack goes one step further, verifying that the remediation, mitigation, or patch was implemented correctly and is effective.

Reporting to CISA

Synack’s detailed vulnerability reporting and analytics offer insight and coverage into the penetration testing process with clear metrics that convey vulnerability remediation and improved security posture. 

Comply with CISA Directive 22-01 with Help from Synack

CISA continues to add exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog, and federal agencies are expecting urgent CVEs to pop up in the not-too-distant future. The recent rush to address the Log4j vulnerability will come to mind for many. The Synack Red Team can aid organizations by rapidly responding to such situations.

To secure your agency’s attack surface and comply with the CISA Directive 22-01, a strong vulnerability management strategy is essential. The Synack solution combines the human ingenuity of the Synack Red Team (SRT) with Disclose (the Synack-managed VDP), along with the scalable nature of SmartScan, to continuously identify and triage exploitable vulnerabilities across web applications, mobile applications, and host-based infrastructure. Synack takes an adversarial approach to exploitation intelligence to show the enterprise where their most business-critical vulnerabilities are and how those vulnerabilities can be exploited by adversaries.


The post How Synack Helps Organizations Comply with Directive 22-01 appeared first on Synack.
