
Does the Government's Cybersecurity Mouth Have Any Teeth in It?

On IoT: The Internet of Threats podcast, we explore cybersecurity regulation and the fine line that NIST walks in effecting change in cybersecurity

Ryan Owen

October 14, 2022

What are the cybersecurity goals of the Biden administration? What are the different attestation models that could be used in verifying compliance with current and emerging cybersecurity regulation? How does NIST toe its fine line between effecting change in cybersecurity and overwhelming the resources of security practitioners and compliance personnel?

On this episode of the IoT: The Internet of Threats podcast, we met with Mariam Baksh, Staff Reporter at Nextgov, a Washington, DC-based publication that reports on federal IT and tech policy through journalism, podcasts, and more. We explored the recent issuance of the OMB's M-22-18, how that memorandum builds on last year's Executive Order 14028, the challenge involved in measuring and evaluating cybersecurity compliance, and the fine line that NIST walks between effecting change in cybersecurity and overwhelming company resources.

On this episode of the podcast, Mariam Baksh joins host Eric Greenwald to discuss:

  • Why the Biden administration issued last year's EO
  • NIST's balancing act between improving cybersecurity and avoiding the imposition of costly requirements on companies 
  • The challenges involved in measuring cybersecurity performance
  • The implications of a first-party vs. third-party attestation model
  • The value of an SBOM and its growing role in cybersecurity regulation
  • Whether the EO or the OMB memo will deliver any enforcement on the requirements they impose

Who determines if a company complies with government regulations? 



How do we measure cybersecurity performance? How do we evaluate compliance with prevailing and emerging regulation? 

When the Biden Administration's Executive Order 14028 was issued last year, discussion quickly turned to whether the self-attestation model would push aside earlier attempts that suggested third-party attestation models were coming.

Check out this podcast episode and hear Mariam Baksh explore an option that sits between first- and third-party attestation: the direct-customer review model. In this model, she posits, the government itself could go in, look at the environment, examine the artifacts, and audit these entities directly.

Why Bother with SBOM?


Can customers look to SBOM as an artifact that offers greater visibility into what's inside a product? Can SBOM help them begin to understand its components?

Listen in to our latest episode of the IoT: The Internet of Threats podcast, and hear Mariam Baksh, Staff Reporter at Nextgov, explore the value of SBOM and the increasingly important role it plays in cybersecurity regulation.

Episode Details

Mariam Baksh is a staff reporter for Nextgov, a Washington, DC-based publication that reports on federal IT and tech policy through journalism, podcasts, and more. In her role at Nextgov, Mariam reports on the development of federal cybersecurity policy. Mariam has been covering technology governance since 2014 and earned her master's degree in journalism and public affairs from American University.

Episode Links

All episodes of Finite State’s “The Internet of Threats” podcast can be heard on Spotify, Apple Podcasts, and Google Podcasts.

Listen to this episode in its entirety below!

Tags

#regulation
Ryan Owen

Ryan is Head of Content Marketing at Finite State, where he leads content strategy across thought leadership, product marketing, and customer education.

