The 2026 Verizon Data Breach Investigations Report analyzed more than 22,000 confirmed breaches across 145 countries, the largest dataset in the report's 19-year history. We broke down the report's key takeaways and what they mean practically for SMBs and organizations in the DIB. One stat that stood out: Ransomware appeared in nearly half (48%) of all breaches this year, up from 44% the year prior. And 96% of ransomware victims were small organizations. These attacks rarely make national headlines. But they're happening constantly, and SMBs are bearing the brunt of it. Read our analysis 👇 https://hubs.li/Q04jnJ7-0
Secureframe
Software Development
San Francisco, CA 29,599 followers
Award-winning startup providing security compliance automation and AI
About us
Secureframe is an award-winning security and compliance automation platform trusted by organizations ranging from startups and SMBs to contractors across the defense industrial base, including Nasdaq, Fivetran, Base Power, Hawkeye360, and OpenEvidence. Through 400+ integrations with platforms like Microsoft GCC High, Azure Government, AWS GovCloud, and Google Workspace, Secureframe uses AI to automatically collect and verify audit evidence, monitor security controls, and generate critical documentation like SSPs and POA&Ms. Teams use Secureframe to stay assessment-ready across frameworks including CMMC, FedRAMP 20x, NIST, SOC 2, and ISO 27001. Backed by Kleiner Perkins, Accomplice, and In-Q-Tel.
- Website: https://secureframe.com/cmmc
- Industry: Software Development
- Company size: 201-500 employees
- Headquarters: San Francisco, CA
- Type: Privately Held
- Founded: 2020
- Specialties: SOC 2, ISO 27001, Security, Compliance, Audit, HIPAA, PCI DSS, GDPR, NIST 800-53, NIST 800-171, CMMC, NIST CSF, ISO 42001, AI, and FedRAMP
Locations
- San Francisco, CA, US (Primary)
- Toronto, Ontario, CA
- New York City, NY, US
- London, GB
Updates
The FBI is warning about a new AI-powered phishing platform that's enabling unskilled attackers to bypass MFA and hijack Microsoft 365 accounts in real time. It's exactly the kind of threat Retired Gen. Paul M. Nakasone was describing at the Secureframe National Cybersecurity Summit earlier this month. "We've got to operate at a different speed than we have in the past and we've got to think differently. What we've done in the past isn't measuring up to where our nation needs to be." When he took over at NSA in 2018, the average adversary breakout time was around 9 hours. When he left in 2024, it was under a minute. Attackers are using AI to move faster, target smarter, and scale more than ever before—and our defenses haven't kept pace. His advice to security leaders: 🔍 Assume the threat is already inside. ⚡ Strengthen your incident response muscle. 🤖 Start using AI the way adversaries already are. Find more actionable takeaways in his full session recap 👇 https://lnkd.in/eH2_Nvc9
Is your MSP actually a CSP? It sounds like a simple question, but The Cyber AB May Town Hall last night suggested that a lot of DIB contractors can't answer it with confidence. And getting it wrong could mean trouble for your CMMC Level 2 assessment. Here are some highlights: 5️⃣ If your provider meets all five NIST SP 800-145 criteria for cloud computing, FedRAMP or FedRAMP Moderate Equivalency is the bar. Not CMMC Level 2. 📶 Almost 1,400 Final Level 2 certifications have been issued. 🔄 More guidance on "significant changes" is coming soon in next month's Town Hall + future FAQ updates. Check out our full Town Hall recap: https://lnkd.in/eWVvv2rU
Achieving CMMC certification is a huge milestone, but it's not the finish line. Maintaining it is an ongoing obligation, and the stakes keep rising. This month's Secureframe Insights covers: 👩🔧 What counts as a "significant change" 🔁 What the latest CMMC FAQ revision clarifies about scoping ✳️ Why getting and staying certified is so important. Hint: it's not only contract eligibility.
Secureframe reposted this
Excited to join my friends at Redspin, a division of Clearwater and Red Sentry to help share what I have learned helping scope and prepare many DIB contractors and sub-contractors for CMMC. Please join us and ask questions!
“Do all DoD contractors need CMMC now?” It’s one of the biggest questions we’re hearing right now — especially from subcontractors trying to understand what the latest CMMC updates actually mean for them. Join Red Sentry's live AMA featuring: • Robert J. Teague, MBA, CCA, CCP — VP of Federal Consulting at Redspin • Marc R. — Head of Cybersecurity & Compliance at Secureframe • Valentina Flores — Co-founder & CEO at Red Sentry Rob Teague will share practical insight from the front lines of federal consulting and CMMC readiness, including what contractors and subcontractors should be focusing on now — and what can wait. No slides. No fluff. Just real answers to the questions organizations are asking every day. 📍 June 11 at 1 PM EST 🎥 Live AMA Save your spot: https://bit.ly/4f748eX
FedRAMP authorization is out. FedRAMP certification is in. Last week at the Secureframe National Cybersecurity Summit 2026, Dan Chandler from the GSA explained why they made the word change. It isn’t just a rebrand. The shift in language reflects a deliberate shift in philosophy under 20x. In his words, getting a FedRAMP certification “is not a blanket approval that this service is secure enough for the entire federal government to use for whatever they want.” The certification tells agencies what security capabilities have been validated, and then each agency decides whether that risk profile fits their needs. That’s a meaningful change from how many vendors (and agencies) previously interpreted FedRAMP Authorization. What else has changed under 20x: 📌 Low / Moderate / High Authorization are now Class B / Class C / Class D Certification 📌 No agency sponsor is required 📌 New Class A certification (basically SOC 2 + a couple of other requirements) can be achieved in weeks, at minimal cost 📌 For Class B and Class C, a FedRAMP-recognized assessor is still required, but it no longer has to be a 3PAO, and the relationship can be far more collaborative 📌 You can work more collaboratively with your 3PAO, so you no longer need to hire two separate firms for documentation and assessment Here’s how Chandler summed up the purpose of 20x certification: “It makes sure that an agency has access to the information they need to make an informed, risk-based authorization decision.” See how 20x is designed to reduce barriers without reducing rigor: https://lnkd.in/eFDS8UfP
Former CISA CIO Robert C. delivered a powerful message at the Secureframe National Cybersecurity Summit last week: The 3-year ATO cycle isn't just inefficient. It's a gift to U.S. adversaries. Costello spent nearly five years at CISA rebuilding the authorization process from the ground up, cutting ATO timelines from over a year to roughly 35 days and piloting AI-assisted pen testing in active production environments. What he found along the way was that the compliance model most organizations rely on had quietly diverged from actual security posture, sometimes by years. Meanwhile, adversaries are using AI to operate continuously, adapt in real time, and live undetected inside critical systems for months. His take: defenders need to use AI to make their own operations continuous and at the same speed as threats. The organizations that get this right won't be the ones generating documents faster. They'll be the ones building tighter connections between compliance requirements, operational visibility, and actual security outcomes. Full recap of his session here 👇 https://lnkd.in/drZ2VVpt
One topic kept coming up across multiple sessions at our National Cybersecurity Summit last week: what actually counts as a "significant change" under CMMC? And honestly, the confusion and anxiety around it is warranted. A significant change to your assessed environment can affect your CMMC compliance, trigger a reassessment, and create False Claims Act exposure for the individual who signed your annual affirmation. The problem is the regulatory definition is vague, there's no formal process to flag a change or get a ruling (like with FedRAMP), and guidance is still being written and released this late in the rollout. To fill this gap, we took insights from assessors, C3PAOs, and former government officials who spoke at our Summit and combined them with the latest DoD FAQ Revision 2.3 to give DIB organizations the clearest definition and plan for handling changes currently available. Read the guide 👇 https://lnkd.in/efF3uTRU
Federal News Network's recent coverage of new debates around how quickly organizations should patch software vulnerabilities included remarks from former NSA Cybersecurity Director Rob Joyce's keynote at the Secureframe National Cybersecurity Summit. AI systems are finding software vulnerabilities at "industrial scale," Joyce said. Known vulnerabilities will be exploited. And the CISA KEV catalog is "a big red flashing light that stuff's coming for you." His recommendation: patch faster, decommission end-of-life systems, and stop treating legacy technology as someone else's problem. Read the full Federal News Network piece: https://lnkd.in/eqD2bCC5
On the last day of the Secureframe National Cybersecurity Summit, Katie Arrington had a direct answer when asked when DIB organizations should think about getting CMMC compliant: "About a year ago or, I don’t know, 2017 when it was required by law." Having helped develop CMMC when performing the duties of DoD CIO and now implementing it as CIO at IonQ, a DIB vendor, Arrington knows the program from both sides. Her main message: CMMC is here and actively being enforced, but still fundamentally misunderstood by the organizations treating it as a compliance checkbox. "We have to realize this is not a compliance issue. This is about business survivability and national security." On why organizations should stop delaying CMMC or treating it as someone else's problem, she provided many reasons: adversaries are already in defense contractor networks, primes are actively seeking compliant subs, tools and government resources exist for all org types, and CMMC is showing up in contracts right now for the Army, Navy, SDA, and beyond the DoD. "CMMC is a business enabler, not a business hindrance," she stressed. "Why wouldn't you want to say, I'm CMMC Level 2 certified?" Full recap of her session: https://lnkd.in/enFNJE-U