At a glance.
- DISA discusses the future of its zero-trust prototype.
- A shift in the weather for NSA’s Wild and Stormy cloud procurement program.
- Updates in US state privacy legislation.
DISA discusses the future of its zero-trust prototype.
Signal reports that the US Defense Information Systems Agency (DISA) will be shifting gears when it comes to Thunderdome, the agency’s zero-trust prototype. Speaking at the AFCEA TechNet Cyber 2022 conference yesterday, DISA senior enterprise and security architect Julian Bryer explained that while DISA initially decided to focus on its Non-classified Internet Protocol Router Network, or NIPRNet, the agency will now also look toward implementing zero-trust on its secret network, SIPRNet. Bryer stated, “We went into this thinking that the biggest benefits to be realized would be on NIPRNET, and we still stand behind that…And current events have proven us, maybe not wrong, but have shown us that we have to double down and really invest on SIPRNET as well, to make sure we can protect the assets there from any sort of compromise or from any adversarial treatments, increased adversarial activity.” Breaking Defense notes that in January, DISA awarded Booz Allen Hamilton a six-month, $6.8 million prototype contract to work on Thunderdome, and Bryer went on to say that there’s room for other organizations to join the fray. “There are countless opportunities for other companies to participate. We have a lot of adjacent efforts that are going to link up with Thunderdome,” Bryer explained. Those other endeavors include an endpoint and device management front, container security, API security and identity, credential and access management (ICAM). Bryer added that input from industry partners would help DISA determine what avenues to take, stating, “the more you [industry] talk to us, the more solutions we see and the more interesting technologies we see, the more we can refine our picture and figure out what the zero-trust architecture eventually should look like for the department.”
A shift in the weather for NSA’s Wild and Stormy cloud procurement program.
The National Security Agency (NSA) re-awarded its cloud procurement contract, cleverly dubbed Wild and Stormy, to Amazon Web Services back in February, but details about the shift have only recently come to light. The contract was initially awarded to Microsoft, but NSA fought to have the decision overturned by the Government Accountability Office (GAO). Last July Microsoft protested NSA’s attempt to pull out of the contract, claiming NSA misevaluated proposals, and GAO sustained the protest, allowing Microsoft to maintain the contract but advising that NSA “reevaluate technical proposals, consistent with this decision, and based on that reevaluation, perform a best value tradeoff and make a new source selection decision.” Details about how NSA arrived at this final decision to re-award the contract to Amazon have not been disclosed, but an NSA spokesperson explained to Federal News Network, “This contract is a continuation of NSA’s Hybrid Compute Initiative to modernize and address the robust processing and analytical requirements of the agency. Consistent with the decision in [the GAO protest] case, the agency has reevaluated the proposals and made a new best value decision.”
Updates in US state privacy legislation.
Avast offers a brief overview of recent developments in state-level privacy law. The Utah Consumer Privacy Act, signed last month but going into effect at the end of 2023, gives users the right to delete some of their personal data, to opt out of data collection (depending on the circumstances), and to know more about what data is being collected. It’s notable, though, that unlike the laws of other states, Utah’s law does not provide consumers with any legal recourse if their rights are violated, and though they can opt out, users are not required to provide consent before their data is collected. In Virginia, several amendments to its Consumer Data Protection Act will go into effect this July. The users’ “right to delete” will now exclude data that is not directly provided by consumers, and the Consumer Privacy Fund will be replaced with a new collections entity for any fines. In addition, modification of non-profit exemptions will include all 501(c)(4) organizations and other political bodies.
Meanwhile, in New York, State Senator Kevin Thomas this week introduced a bill that would add several cryptocurrency-related crimes to the fraud section of the state’s penal code. The Record by Recorded Future lists the crimes in question: virtual token fraud, illegal rug pulls, private key fraud, and fraudulent failure to disclose interest in virtual tokens. “It’s crucial that we properly balance consumer protection with creating an environment that is ripe for investment and innovation. This future-forward legislation will protect consumers, enhance the security and reliability of the crypto ecosystem, and provide clearer guidance to allow companies to innovate and thrive in the crypto economy,” explained Thomas, who chairs the Senate Consumer Protection Committee.