Singapore Academy of Law Publishes ERM/privacy/cyber research co-authored by James Goepel

The Singapore Academy of Law Journal has published an article authored by Bridget Mead, Jared Paul Miller, Paul Flanagan, and Fathom Cyber’s own James Goepel on establishing “reasonableness” under the law in the context of cybersecurity and data privacy. In the article, the authors explore a variety of concepts, including:

  • the need for federal-level privacy laws in the United States;
  • how to integrate cybersecurity and data privacy risks into an organization’s Enterprise Risk Management program;
  • the important role industry standards such as NIST SP 800-171, the NIST Cybersecurity Framework (“NIST CSF”), and the US Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”) play in defining reasonableness;
  • the critical role compliance plays in establishing reasonableness and the overall defensibility of an organization’s cybersecurity program; and
  • supply chain cybersecurity issues.

Although published in Singapore, the article has applicability worldwide. The article should be very useful to judges, litigators, policy makers, and others as they wrestle with the concepts of whether a particular cybersecurity or data privacy program is “reasonable”. The article can be viewed here:

Department of Defense CMMC Update

We attended a presentation in early August by Katie Arrington, who is spearheading the Department of Defense’s (“DoD”) efforts to increase the role cybersecurity plays in acquisitions. At that time, Ms. Arrington mentioned that Version 0.4 of the DoD’s Cybersecurity Maturity Model Certification (“CMMC”) would be released on August 30, just before the long Labor Day weekend. The DoD’s Office of the Under Secretary of Defense for Acquisition & Sustainment announced late last week that “Due to the impending holiday [the office] will release the Draft CMMC 0.4 once it clears review by DoD Public Affairs”. This is disappointing for the hundreds of thousands of Defense Industrial Base (“DIB”) contractors who are waiting for additional clarity from the DoD before kick-starting their maturity assessment and improvement processes. DoD is currently targeting a January 2020 release date for CMMC Version 1.0, with June and September roll-outs for mandatory inclusion of the CMMC in all RFIs and acquisitions, respectively. We recommend that all contractors perform a pre-assessment now so that they have as much lead time as possible to make any necessary changes or improvements.