On July 13th, 2026, the DoW CIO released a statement mandating a pause in the Phase 2 rollout of the Cybersecurity Maturity Model Certification (CMMC) program, which was scheduled to go into effect on November 10th of 2026. Additionally, the article announced a 60-day review period of the program aimed at reducing red tape and barriers to entry for SMBs, along with a public Request for Information (RFI). Further public memos have been published outlining clarifications and implementation specifics for the statement, including outlines for interim actions for Department contractors and requirements for necessary contract revisions.
CMMC Phase 2 is Paused - The Homework is Still Due.
Topics: Government & Public Sector, Manufacturing, Compliance & Governance
Russia's FSB is scanning routers this week - Get faster than the bear.
If you run security for a hospital system, a bank, a college, or a manufacturer, a new government advisory deserves ten minutes this week.
On July 13, NSA, CISA, FBI, and DC3, joined by partners across the Five Eyes and Europe, released "Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting" (AA26-194A). It documents a decade-plus campaign by Russia's FSB Center 16 against networking devices. The sectors it names as most at risk are financial services, healthcare and public health, energy, communications, the defense industrial base, and government, especially at the state and local levels.
Topics: Vulnerabilities, Penetration Testing, Monitoring & Detection, Security Advisory
Many of you have seen the headlines about the breach at Instructure, the company behind the Canvas learning management system used by 41% of higher education institutions in North America and thousands of K-12 districts. Here's what's known, and what your institution should be doing about it.
Topics: Incident Response, Ransomware, Compliance & Governance, AI & Emerging Technology
Shadow AI: The Risk Your Security Tools Can’t See
What shadow AI really looks like inside a normal workday
Shadow AI is any AI tool, feature, or integration your organization uses without clear approval, security review, or monitoring, but it still touches real business data. It’s the AI sidebar in your CRM, the browser extension a manager added, or an “assist” feature turned on by a vendor.
Topics: Hospitals & Health Care Systems, Compliance & Governance, AI & Emerging Technology
Mythos & Glasswing are complicated and new. Jim is going to help us understand...
Two weeks ago, Anthropic announced that its newest AI model was too dangerous to release to the public. The Claude Mythos Preview reportedly found critical software vulnerabilities, including some that had gone undetected for over twenty years. In response, Anthropic launched Project Glasswing, a $100 million coalition that includes Apple, Microsoft, Google, AWS, JPMorgan Chase, CrowdStrike, the Linux Foundation, and about fifty other major industry players. Their goal is to find and fix the most serious issues before attackers do. That was the main story.
