Daniel Shuler, CISSP, PMP

The Environmental Protection Agency is working with water and wastewater utilities to identify critical devices that may be exposed to cybersecurity threats. The efforts come as the EPA warns utilities may not be fully aware of their risk exposures stemming from a reliance on third-party vendors. The EPA last week released a new “cybersecurity procurement checklist” and several other cyber guides geared toward water and wastewater utilities. The EPA is responsible for overseeing cybersecurity in the water and wastewater sector. In the last year, the EPA began searching for and identifying internet-exposed operational technology devices used by water and wastewater systems, the EPA’s Cole Dutton said on a recent webinar hosted by Censys. Dutton is a water and wastewater cybersecurity analyst in the water infrastructure and cyber resilience division at the EPA’s Office of Ground Water and Drinking Water. “What I have found in this year of discovery, and as we get into our next year in this platform, is there is a general lack of asset awareness across the water sector,” Dutton said during the Oct. 21 webinar. “Many of the times when we’ve performed outreach and notifications, the systems just did not know that they had those devices internet-exposed.” The Cybersecurity and Infrastructure Security Agency has warned that hackers could take advantage of exposed human-machine interfaces in the water sector to potentially disrupt water treatment processes, posing a major safety concern. https://lnkd.in/gj4bCZnj

10

ISO/IEC 27001 ISMS provides an excellent framework standard for information governance. I created the ISMS Reference Architecture to map 140 program management control points to seven critical program management procedures, governance, risk management, continual improvement, internal audit, program communications, training and awareness, information handling.

27

CMMC Level 2 Assessment Objective: External Connections (Controlled Unclassified Information [CUI] Data) PRACTICE: Organizations must verify and control/limit connections to and use of external systems. ASSESSMENT: External systems are systems or components of systems for which organizations typically have no direct supervision and authority over the application of security requirements and controls, or the determination of the effectiveness of implemented controls on those systems. Organizations have to control and manage connections between the company network and outside networks as well as access to corporate networks from personally owned devices. Be prepared! Your assessor could ask to 🔍 EXAMINE access control policy. 🗣 INTERVIEW personnel with responsibilities for defining terms and conditions for use of external systems to access organizational systems. 📝 TEST mechanisms implementing terms and conditions on use of external systems. (CMMC Assessment Guide: Level 2 Version 2.13, page 58) #CMMC #DoD #cybersecurity #NIST #InformationSecurity #assessment #defense

65

A foreign threat actor infiltrated the Kansas City National Security Campus (KCNSC), a key manufacturing site within the National Nuclear Security Administration (NNSA), exploiting unpatched Microsoft SharePoint vulnerabilities, according to a source involved in an August incident response at the facility. The breach targeted a plant that produces the vast majority of critical non-nuclear components for US nuclear weapons under the NNSA, a semi-autonomous agency within the Department of Energy (DOE) that oversees the design, production, and maintenance of the nation’s nuclear weapons. Honeywell Federal Manufacturing & Technologies (FM&T) manages the Kansas City campus under contract to the NNSA. https://lnkd.in/giNSG9P5

22

1 Comment

CISA has published a draft of the new CISA SBOM Minimum Elements! The 2021 NTIA Minimum Elements were an important step to help create a common specification of what should be in an SBOM. CISA is proposing an updated, clarified version that can be aligned with existing tools and support use cases. They are actively seeking feedback, so please share, review, and send them your thoughts! https://lnkd.in/eRm_zxT2

201

13 Comments

🚨 NIST releases updated guidance on cybersecurity incident response! The new NIST SP 800-61 Revision 3, published in April 2025, introduces significant updates and is now aligned with the NIST Cybersecurity Framework (CSF) 2.0. 📌 Key highlights: - Integration of incident response into overall cybersecurity risk management (CSF 2.0); - Greater emphasis on preparation, detection, and effective recovery; - Support for automation (SOAR) and cyber threat intelligence (CTI); - Encourages collaboration across internal teams and external partners; - Adds focus on performance metrics, compliance, and continuous improvement; - Addresses modern threats like APTs, ransomware, and deepfakes. This release positions incident response as a strategic organizational capability, not just a technical function—strengthening cyber resilience. 📄 Read more: https://lnkd.in/dKdNw47W

16

5 Comments

🚨 Breaking into GRC Cybersecurity? This 2025 guidebook is a must-read for aspiring professionals in Governance, Risk, and Compliance (GRC). Whether you're just starting out or pivoting into the cybersecurity field, this personalized guide by A.S. covers: ✅ Key GRC components ✅ Roles & skills for GRC pros ✅ Risk management strategies ✅ Compliance frameworks like GDPR, HIPAA, PCI DSS, NIST ✅ Tools like Splunk, LogicManager, OneTrust, and RSA Archer ✅ Best practices to stay compliant and resilient Perfect for students, entry-level professionals, and career changers in cybersecurity. 📘Credits @A.S. 🔁Recommended by CyberMaterial #Cybersecurity #GRC #RiskManagement #Compliance #Infosec #NIST #HIPAA #GDPR #SecurityCareers #CyberTalent #Governance #CyberJobs #CyberSkills

27

CISA just told federal agencies to remove end-of-support edge devices from their networks. Firewalls. VPNs. Routers. Anything unsupported and exposed. Good! But here’s the real question, what happens between now and replacement? - Procurement takes months. - ATO cycles take longer. - Production environments cannot always swap hardware overnight. Let's be honest, Inventory is not control. Policy is not containment. If a vulnerable edge device is still reachable, it is still an entry point. The stronger question is not: “Is it patched?” It is: “Is it reachable right now?” There is only one way to truly eliminate exposure during transition windows. Physically remove reachability. If you are navigating BOD 26-02 and need a way to eliminate exposure immediately while replacement plans catch up, message me.

19

1 Comment

In my new article published by ICIT, Executing the RMF as an Engineering Discipline, not a Paperwork Exercise, I discuss how the Risk Management Framework must function as part of engineering, not as a compliance process. RMF was created to align design, implementation, and operations so that control performance is demonstrated through verified system behavior rather than documentation. The article explains how integrating RMF into development pipelines, architecture decisions, and operational telemetry allows authorization decisions to reflect real conditions in production. When security is designed, tested, and monitored as part of engineering, the framework delivers what it was meant to provide. Systems maintain authorization by demonstrating continued security in operation. Read the full article on ICIT: https://lnkd.in/eup93tvi #cybersecurity #technology

19

Cyber Attack Impacting Oregon Environmental Department The Oregon Department of Environmental Quality has reported a cyber attack that is affecting communications and operations including vehicle inspections. Some services will be shuttered through the weekend. #Oregon #cyber #cybersecurity #cyberattack #government https://lnkd.in/exc6as2w

14

3 Comments

I’ve been thinking about exposure management less as a tooling problem and more as a systems problem. When discovery grows faster than mobilization capacity, exposure doesn’t just increase — it compounds. That accumulation is exposure debt.

16

2 Comments

Your #EDR Healthcheck doesn’t end with findings — it drives measurable outcomes. ✔️ Maximize ROI: Benchmark performance before renewals or migrations. ⚡ Accelerate response: Correlate attacks with logs for faster tuning. 🧾 Prove compliance: Map real evidence to SOC 2, NIST, and CIS frameworks. That’s how leading teams transform EDR validation into business value. 🔗 Turn validation into outcomes: https://lnkd.in/g--XVzre #EndpointSecurity #OffensiveSecurity #pentesting

14

Encryption has become the new compliance frontier. HIPAA, PCI DSS 4.0, GDPR, and NIS2 all now require encryption across clouds and hybrid environments. If your security still stops at the perimeter, it’s time to rethink your architecture. See how frameworks are converging around Zero Trust Maturity Model 2.0 and what that means for your architecture. 👉 https://loom.ly/3Wh7sLg Benson George #ZeroTrust #Encryption #Compliance #Aviatrix

7