Matthew Devost

Ex-NSA Chief Paul Nakasone Warns Tech Industry of Looming Cybersecurity Shifts Introduction At the Defcon security conference in Las Vegas, former NSA chief Paul Nakasone addressed the tech community during a time of sweeping changes in U.S. cybersecurity policy under the Trump administration. His remarks, while measured, hinted at significant adjustments that could soon reshape how the private sector engages with federal cyber defense efforts. Key Points • Policy and Leadership Upheaval • The Trump administration is reshaping fiscal policy, foreign relations, and cybersecurity priorities. • Widespread federal dismissals include intelligence and cybersecurity leaders perceived as disloyal. • Former cybersecurity officials face increased hostility, with security clearances revoked, including that of ex-CISA director Chris Krebs. • Impact on Cybersecurity Agencies • The Cybersecurity and Infrastructure Security Agency (CISA) is adjusting to new strategic directives. • CISA CIO Robert Costello emphasized the administration’s stance: “We are not retreating, we’re advancing in a new direction.” • Changes suggest a shift toward more politically aligned leadership and potentially altered collaboration models with private industry. • Nakasone’s Forward-Looking Warning • While avoiding direct criticism, Nakasone cautioned that the tech sector must prepare for operational and policy turbulence. • He implied that upcoming shifts will require companies to reassess partnerships, compliance frameworks, and intelligence-sharing arrangements. Why This Matters The evolving cybersecurity landscape—driven by political reshuffling and strategic reorientation—could redefine the boundaries between public and private cyber defense responsibilities. For the tech community, the warning is clear: adapt quickly to maintain resilience, secure federal contracts, and safeguard critical infrastructure in an environment where political alignment may increasingly influence cybersecurity collaboration. I share daily insights with 22,000+ followers and 8,000+ professional contacts across defense, tech, and policy. If this topic resonates, I invite you to connect and continue the conversation. Keith King https://lnkd.in/gHPvUttw

264

17 Comments

The defense community is driving once-in-a-generation acquisition reforms. Security processes must keep pace. MITRE’s Fast-tracking Acquisition Security Transformation (FAST) Study, funded by Office of the Under Secretary of War for Intelligence & Security, found that outdated industrial security practices are slowing acquisition timelines and limiting participation from small and nontraditional contractors. Based on input from 6,734 security leaders and practitioners across 105 organizations, the FAST Study identifies systemic challenges and offers practical actions to streamline and modernize security—maintaining strong protection while accelerating delivery to the warfighter. Read the study ➡️ http://spklr.io/6045DnyGl

121

2 Comments

From Covert Ops to Corporate Wins: A Modern Spy’s Guide to Beating Decision Fatigue As a former intelligence operative, I learned one truth in the field: every decision drains your mental reserves. Today’s spies - navigating digital surveillance, real-time intel, and high-stakes operations - master mental endurance by cutting choices to stay sharp. In the corporate world, you’re fighting the same battle. Every call, email, internal memo or unnecessary meeting saps your clarity, leaving you reacting, not leading. Decision fatigue isn’t just burnout, it’s the silent killer of your focus and impact. Visualize each decision as an action that spends your mental energy like currency. Each time you're presented with an option and make a choice, you've just spent some of that currency. But here's the kicker, the more of this mental currency you spend, the more tired your brain becomes. The result? You might find yourself in position where you've used your mental currency on minor low priority decisions and when it comes to making the more important decisions, your mental currency balance is low. Leaving you vulnerable to making inaccurate choices when it comes to the important stuff. Here’s how to channel a modern operative’s playbook to stay at peak performance: Filter ruthlessly: Ignore unproven advice like a spy ignores unverified sources. You can be aware of it but focus only on what drives your operation. Prioritize on what is going to deliver. Automate choices: Use decision frameworks - think pre-set operation protocols - to handle low-stakes tasks fast. Pass it on or remove it from you diary if it's not going to keep you moving toward your goals. Cut noise: Cancel meetings without clear ROI. If it doesn’t show a path which brings you closer to your desired outcome, it’s a distraction. Guard your mind: Protect thinking time like classified data. Your clarity is your edge. Every small choice should be minimized, even your lunch should be one less choice you have to make. Recalibrate: Schedule brief resets - 'switch off time' spent alone or a walk - to recharge like an operative prepping for the next op. Unplug for a brief interval and give yourself a few minutes to reset. In covert ops or the C-suite, a cluttered mind means failure. Streamline decisions, prioritize what matters, and lead with precision. How many decisions do you think you make in a day? Share below then log them in average day to see if you're close. When quantified, you can then look at a system to reduce the number. #Leadership #DecisionMaking #Productivity #Mindset

47

9 Comments

DFARS 7012 requires contractors to implement NIST SP 800-171 to protect Covered Defense Information (CDI). DFARS 7019/7020 requires contractors to perform a basic assurance self-assessment and submit a score to SPRS that is within 3 years of contract award. DFARS 7021 specifies the CMMC level required to be awarded a DoD contract. CMMC levels require either self-assessment or third-party assessment. When making the determination of the level required for a contract, there is a memo that outlines the process that must be followed by the DoD program manager to obtain a waiver to "CMMC assessment requirements" for that contract. "Program Managers and requiring activities should identify information security requirements for the types of information most likely to be associated with the planned contract effort. When market research indicates that including a CMMC assessment requirement may impede ability to generate robust competition or delay delivery of mission critical capabilities, the SAE, CAE, or DAE may approve requests to waive inclusion of CMMC assessment requirements. SAEs and CAEs must carefully weigh the risk of potential loss of CUI associated with mission critical capabilities before granting a waiver." Level 1 - "There are no circumstances likely to warrant approval of requests to waive CMMC Level 1 requirements." Level 2 - "In rare circumstances. such as when seeking competition from non-traditional DoD sources. waivers may be warranted for CMMC Level 2 third-party assessment requirements. Such waivers are not appropriate for contracts requiring performance by a cleared defense contractor. Approved waivers on a class basis must include a planned expiration date and guidance for requiring CMMC certification in subsequent solicitations." Level 3 - "In rare circumstances, waivers may be warranted for CMMC Level 3 third-party assessment requirements: such waivers, however, are not appropriate for contracts or work statements requiring access to both unclassified and classified DoD information." Full memo on the process found here, starting on page 6: https://lnkd.in/eeBCW53n #cmmc #dib #dfars

58

12 Comments

My latest article - The U.S. National Guard is well positioned to help asset owners and operators in OT defense. Investing in them and coordinating across federal agencies for a national cyber response plan will ensure the right private-public partnership for a national and local security threat: https://lnkd.in/eDZ_TpHu

166

10 Comments

𝗧𝗵𝗲 𝗗𝗼𝗗 𝗜𝘀 𝗢𝘃𝗲𝗿𝗵𝗮𝘂𝗹𝗶𝗻𝗴 𝗜𝘁𝘀 𝗥𝗶𝘀𝗸 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 Last week's RFI from the US Department of Defense marks the beginning of its "blow up" of its current Risk Management Framework (RMF). 𝗪𝗵𝗮𝘁'𝘀 𝘁𝗵𝗲 𝗶𝘀𝘀𝘂𝗲? The RMF (as it stands) is slow, redundant, and overly compliance-driven. It burdens cyber and acquisition teams with overwhelming amounts of paperwork and static checklists, often producing risk outputs that obscure actual mission readiness. 𝗜𝗻 𝘀𝗵𝗼𝗿𝘁: It's a dated framework built for an obsolete era in which software deployments don't happen weekly and adversaries don't exploit zero-day vulnerabilities at an industrial scale. 𝗪𝗵𝘆 𝗻𝗼𝘄? The operational environment has shifted and is continuing to do so at a dramatic pace. The volume of vulnerabilities is skyrocketing, threat actors are faster and more adaptive and mission systems, especially those built on modern DevSecOps pipelines, require near real-time visibility into cyber risk. 𝗜𝗻 𝘀𝗵𝗼𝗿𝘁: The current RMF isn't keeping up, and the toll that this is taking has become too much for leadership to bear. 𝗪𝗵𝗮𝘁'𝘀 𝘁𝗵𝗲 𝗽𝗹𝗮𝗻? The DoD is exploring a much-needed streamlined approach with fewer control redundancies, greater automation, and continuous security assessments embedded in the software development lifecycle. Rather than certifying systems and solutions at a single point in time, the new approach would rely on control inheritance, platform security baselines, and threat-informed updates. 𝗜𝗻 𝘀𝗵𝗼𝗿𝘁: Adopt an assessment approach that's designed from the beginning to reduce overhead and move faster. 𝗧𝗵𝗲 𝗯𝗲𝗻𝗲𝗳𝗶𝘁𝘀? - More timely insights into rapidly evolving cyber risks - Fewer bottlenecks for innovation and implementation - Better alignment between security assurance and operational needs 𝗧𝗵𝗲 𝘂𝗹𝘁𝗶𝗺𝗮𝘁𝗲 𝗴𝗼𝗮𝗹: Help commanders understand how cyber risks could directly impact mission readiness and operational outcomes. 𝗕𝗿𝗼𝗮𝗱𝗲𝗿 𝘀𝗼𝗰𝗶𝗲𝘁𝗮𝗹 𝗶𝗺𝗽𝗹𝗶𝗰𝗮𝘁𝗶𝗼𝗻𝘀? This shift isn't only about the DoD. It signals a more widespread truth for any organization that needs to manage cyber risk at scale (so, nearly all entities). Nowadays, we need frameworks and assessment processes that can reflect the swiftly evolving cyber risk landscape. Static approaches won't cut it. Stakeholders need real-time visibility and credible, contextualized quantification that helps them make decisions based on impact. That's the future the DoD is trying to build: an environment where cyber risk is continuously assessed and directly tied to business outcomes. 𝘐𝘵'𝘴 𝘵𝘩𝘦 𝘴𝘢𝘮𝘦 𝘧𝘶𝘵𝘶𝘳𝘦 𝘵𝘩𝘢𝘵 𝘮𝘰𝘥𝘦𝘳𝘯, 𝘰𝘯-𝘥𝘦𝘮𝘢𝘯𝘥 𝘤𝘺𝘣𝘦𝘳 𝘳𝘪𝘴𝘬 𝘱𝘭𝘢𝘵𝘧𝘰𝘳𝘮𝘴 𝘢𝘳𝘦 𝘦𝘯𝘢𝘣𝘭𝘪𝘯𝘨. https://lnkd.in/dGCPWgd6 

27

4 Comments

Group-IB has released a new report on the threat actor #UNC2891, which has been targeting financial institutions and compromising their infrastructure to conduct coordinated #ATM cash-out operations. In previous publications, we have shared findings on the group’s various campaigns, malware, and emerging techniques. This new report consolidates all currently known information about their activity, including their money mule operations. The group carried out highly organized money mule-recruitment efforts, often through Google ads or Telegram channels. Recruited mules were provided with cloned card equipment and step-by-step instructions via TeamViewer. Attackers remotely guided them through the process of using cloned cards at ATMs, enabling large-scale cash-outs while minimizing the attackers’ direct exposure. With Cyber Fraud Fusion approach, we can build a complete picture of the group’s operations and support joint investigations. Read the full report here: https://lnkd.in/g8yqs5WG

107

Hey #cyberops fam! BLUF: Pentagon readies revamp of #RMF process for industry feedback Action Item to Consider: Vendors will be asked for input on DoD's forthcoming replacement for the #RiskManagementFramework as soon as next month. The Office of the DoD Chief Information Officer is shaking things up with a major overhaul of its Risk Management Framework (RMF)! They're aiming for a simpler, more continuous, and less redundant approach to security assessments. This is huge news for anyone working with the DoD. Key takeaways: Industry Input Requested: The DoD will be seeking feedback on a draft outline by the end of July. This is YOUR opportunity to shape the future of DoD security. Focus on Continuous Monitoring: Moving away from static "point-in-time" ATOs to a more dynamic, real-time assessment model. Streamlined Controls: Aiming to reduce the number of security controls and eliminate redundancies. Software Fast Track (#SWFT): A parallel initiative to accelerate software deployment with enhanced security visibility. SBOMs and Third-Party Risk Assessments: Emphasis on understanding the software supply chain and vendor risk. My advice: Stay Informed: Keep an eye out for the RFI release in late July and make sure your organization is ready to respond. Prepare Your Feedback: Think critically about your experiences with the current RMF and identify areas for improvement, focusing on practicality, efficiency, and continuous security. Embrace Continuous Monitoring: Start exploring and implementing continuous monitoring solutions and red teaming exercises to prepare for the shift. Understand SBOMs: Get familiar with software bill of materials and how they can be used to improve software supply chain security. Collaborate: Share your insights and experiences with others in the community to develop a strong, unified response to the DoD. This is a chance to make a real difference in how the DoD approaches cybersecurity. Let's work together to ensure the new RMF is effective, efficient, and truly enhances our national security. #cybersecurity #cyber #ATO #CIO #RMF #NIST #FISMA #SoftwareSecurity #IA #InfoSec #SoftwareFastTrack #CSSP https://lnkd.in/gcf7VGtk

47

34 Comments

During The Cyber AB Town Hall yesterday, there was significant discussion around the status of 48 CFR, the rule that will enable the DoD to include #CMMC requirements in contracts. In case you missed it, the rule was recently returned to OIRA for final review before publication. Given the current pace, many expect it to be released around October or November of this year. With the rule potentially just months away, the question remains: is the CMMC ecosystem ready to assess the #DIB for compliance? As has become customary during the town halls, Matt Travis shared the latest ecosystem metrics. As of July 29, 2025, there were 77 authorized C3PAOs and 258 OSCs that had achieved final CMMC certification. This is a significant increase over last month which was reported at 168 OCS reporting as being certified. The growth in certified organizations, as well as authorized C3PAOs, reflects a real commitment across the CMMC community to protect the sensitive data within the DIB. Do you think the ecosystem is ready to meet the anticipated surge in demand? If you're preparing for CMMC, or ready to move forward with an assessment, I'm always happy to talk through where you are and how to make real progress. Let's get it done right. #OpticCyber

23

11 Comments