At a glance.
- MI5 gets a new director.
- Defense contractors have reservations about Pentagon's CMMC.
- COVID-19 pandemic will delay REAL ID implementation by one year.
- Business groups ask for CCPA delays during coronavirus emergency.
Ken McCallum becomes Director General of MI5.
Britain's Home Secretary announced today that Ken McCallum will succeed Sir Andrew Parker this coming month as Director General of the UK's security service. It's an internal appointment: McCallum is an MI5 veteran with nearly twenty-five years of service in the organization. He brings a strong background in counter-terrorism to the post.
Contractors express reservations about the Pentagon's CMMC program.
After the US Department of Defense last week indicated that it was moving forward with its Cybersecurity Maturity Model Certification (CMMC), six industry groups (the Alliance for Digital Innovation, BSA: The Software Alliance, the Cybersecurity Coalition, the Information Technology Industry Council (ITI), the Internet Association, and the Computing Technology Industry Association (CompTIA)) have signed a letter to the Under Secretary of Defense for Acquisition and Sustainment in which they express reservations about the program's implementation. The associations argue that "current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs." The signatories' concerns fall under four heads:
- "Enhance Clarity about CMMC’s Scope, Applicability, and Implementation Timeline." They're skeptical that a new third-party auditing process will be available for enterprise-scale audits in 2020. They think the flow-down requirements remain unclear, as does the scope of the certification requirements, and they believe that without clarification it will be difficult to achieve consistency across the program.
- "Certification and Recertification." The signatories would like to know "whether contractors covered by this year’s RFIs and RFPs will need to recertify in three years," and they would like clarification on how companies not presently part of the Defense Industrial Base are to participate. They also ask for technical details about certification in complex environments.
- "Streamlining Federal Cybersecurity Requirements." Industry's request is to "align the CMMC with the DoD Cloud Computing Security Requirements Guide (SRG), DFARS 252.204-7012 and FEDRAMP."
- "Ensure No New Risks are Created." The signatories want vulnerabilities identified during audits to be communicated in ways that don't increase the risk to companies. They also question the extent to which the CMMC appears designed for traditional models that progress and innovation may render obsolete.
The pandemic emergency will delay REAL ID implementation by one year.
Homeland Security Today reports that the US Department of Homeland Security finds that the pressures of the current state of emergency surrounding COVID-19 will require REAL ID to be delayed by a year, with the new target date for enforcement now being October 1, 2021.
California under pressure to relax CCPA requirements during the state of emergency.
California is pressing ahead with enforcement of the California Consumer Privacy Act (CCPA), but business groups are asking the state to hold back on rigorous enforcement as companies deal with the consequences of the COVID-19 pandemic. Law360 writes that "the California Chamber of Commerce, UPS, the Association of National Advertisers and others" have asked for a delay. Consumer advocates, including the Electronic Frontier Foundation and Consumer Reports, want the state to stay the course, and hold to its schedule.