August Dispatch
Monthly Newsletter

A Message from Our CEO - Andy Sauer


Among other things, a dad and paramedic, and doer of the needful.


Summer Fades, But Things Are Heating Up

In January 2018, I was asked to lead an effort to implement a cybersecurity compliance program called "NIST 800-171". Thinking "sure, what's another compliance program; they're all functionally the same", I accepted the challenge. Coming up on 7 years later, and with a major milestone for the evolution of the cybersecurity requirements for the DIB on the horizon, it's a good time to reflect; err, it would be a good time to reflect, if we had the time.

See, things are starting to heat up. For the last 4+ years, a small fire has been growing called "CMMC". Consider it to have been a small fire consisting of a small pile of sticks, whose smoke you could only see from a close distance. Now, I'm not going to claim it's a raging firestorm at this point, but if you can't see the pillar of smoke it's producing now, I think you're at risk of getting burned. Where there's smoke, there's fire, and we see plenty of smoke indicating the CMMC program is imminent, and real.

But let's go back to reflecting for a moment, while we still can, before things get entirely out of hand.

It's been 7 years that defense contractors (at least those handling CUI) have been required to implement the cybersecurity requirements of 800-171. How do we feel about our progress? Have we made a reasonable amount of progress for having been at it 7 years as an industry, as a public-private partnership between industry and DoD? If implementing 800-171 was a nuclear power plant, we'd be close to a ribbon-cutting ceremony. Is that not an indictment on the entire approach to how we intended to achieve improved cybersecurity maturity in the DIB? Have these 7 years been well spent? Or would there have been a better way? And would there still be a better way?

I have very little doubt that CMMC is coming - I see all the indicators it's happening. But I can't help but feel like we really lost the plot in getting to this point, and it makes me wonder if it's the best path forward. I still wonder if we'd be much further along had we prioritized rapidly ensuring implementation of fundamental security requirements like MFA, vs. taking 7 years to enforce a more robust program. But then I wonder if it would even have been possible given the constraints around government regulation and the organization of the CUI program. It leaves me feeling somewhat unsure, and a bit apprehensive.

Time will tell what quality of a program we end up with. In the meantime, all we can do is keep moving forward, with just a moment here and there to reflect.

Have a great Labor Day weekend!

Shields Up,

Andy Sauer

Let's Connect on LinkedIn: https://sblu.us/Andy

Check out the Watchers on YouTube: https://thewatchers.io/YouTube


NOT an example of CMMC-informed organizations.

CMMC UPDATE

The DoD is proposing amendments to the Defense Federal Acquisition Regulation Supplement (DFARS) that show forward progress toward the eventual "go live" of CMMC. The revisions include adding references to CMMC 2.0 requirements and to the proposed 32 CFR revisions that would make CMMC "real".

The proposed revisions also define controlled unclassified information (CUI) and DoD unique identifiers (DoD UID), and update solicitation and contract clauses. During the proposed phase-in period, CMMC requirements will be included in solicitations based on the sensitivity of the information; there aren't super clear indicators yet of what this will mean, so it's hard to give guidance on whether any one contract or contractor will be prioritized. After the phase-in, as proposed, CMMC will apply to all relevant DoD contracts, with certification or self-assessment required for contract awards, options, or performance extensions.

So we see the train continues moving.



Azure Gov tenants now have leading AI capabilities, ensuring secure access to the latest AI technologies.

COMPLIANCE UPDATES

Azure OpenAI Service is FedRAMP High

Agencies requiring FedRAMP High Authorization can now access these leading AI capabilities within their Azure Government tenant, enabling secure and responsible access to the latest AI technologies while maintaining strict security and compliance requirements.

GPT-4o is now available as part of Azure OpenAI Service for Azure Government and included as part of this latest FedRAMP High Authorization.

  • FedRAMP High Authorization: Azure OpenAI Service is now approved under FedRAMP High for Azure Government, ensuring secure access to AI technologies for government agencies.

  • GPT-4o Availability: The service includes GPT-4o, a multimodal AI model that integrates text, vision, and audio, enabling more natural and engaging user experiences

Microsoft Copilot for Microsoft 365 GCC High and DOD targeting Summer 2025

Microsoft Copilot for Microsoft 365 GCC High and DOD environments have a target General Availability (GA) date of Summer 2025. This target date is contingent on US Government authorization. Copilot for Microsoft 365 will bring the power of AI to our GCC High and DOD environments, enabling public sector leaders to use advanced AI capabilities to enhance their productivity and mission outcomes. Copilot provides a range of features designed to meet the unique needs of our government customers, including advanced data analysis, automated document generation, and intelligent task management.

By leveraging the power of AI, Copilot for Microsoft 365 will help our government customers achieve their mission objectives more efficiently and effectively.

Potential Use Cases:

  • Enhanced Decision Making: Provides actionable insights from large data sets.

  • Streamlined Operations: Automates routine tasks and workflows.

  • Improved Collaboration: Facilitates better communication and project management.

Get started with Azure OpenAI Service today in Azure Government by contacting your Microsoft account team or channel partner and discussing how you can start implementing Azure OpenAI Service in your environment workflows. By making Azure OpenAI Service available in the Azure Government cloud, Microsoft remains committed to enabling government transformation with AI. Along with delivering innovations that help drive missions forward, we make AI easy to procure, easy to access, and easy to implement. Microsoft is committed to delivering more advanced AI capabilities across classification levels in the coming months.

Also see the GA update for Microsoft Copilot for Microsoft 365 GCC here: https://aka.ms/M365CopilotGCCBlog

Blog Link: https://techcommunity.microsoft.com/t5/public-sector-blog/azure-openai-service-is-fedramp-high-and-copilot-for-microsoft/ba-p/4222955


TECH CORNER WITH BEN

Ben Wheat, Chief Technology Officer, Sentinel Blue

Ben Wheat, our Chief Technology Officer, provides insights into the latest and enduring trends in the technology landscape.


Embrace New Teams

Power Automate has Improved Drastically – Give it a Look

  • Perhaps, like me, you missed the date when the updated interface in Power Automate for GCC High went GA. The new interface is drastically better than the previous one, and many features are now available in GCC High. So I want to discuss Power Automate and Flows: since O365 Connectors for Teams are being deprecated, Power Automate is the replacement (and the superior product). If you work with Azure and embrace serverless or Logic Apps there, even more possibilities open up.
  • Logic Apps, the Azure counterpart to Flows, will soon support the inline execution of PowerShell. Pay attention to that one. The sky's the limit. See: Run PowerShell Scripts directly in Logic Apps with inline action (microsoft.com).
  • The Legacy Way: Webhooks directly to Teams channels were possible to set up, but it required enabling O365 Connectors (see: Retirement of Office 365 connectors within Microsoft Teams), uploading a 'custom app' for the webhook, and hoping the Teams Admin APIs played nicely. There was often a delay of at least a day for connectors to work, and the Teams built-in connector list wouldn't load consistently to add the webhook app. Once the connector was present, though, you could add it to a channel and use the generated webhook to send data to the Teams channel as a formatted adaptive card. Easy, except that if something broke in between, we'd never know, and we didn't have the telemetry to understand what went wrong.
  • The New Way: Set up a Logic App or Flow and use the "HTTP Webhook" trigger (subscribe to a webhook) or the "HTTP Trigger" (receive a request). Use the "Post a message to a Teams channel or group" action. It uses an identity to fetch the available Teams information for you to select; not too bad. These flows are hosted outside of Teams, even though there's now a "Workflows" app in Teams, providing end-to-end testing and visibility of inputs and outputs. More control, more flexibility, and more consistency. This certainly feels like the newer way.
  • GCC High Teams never received the 'get email address for channel' functionality. In Commercial this was handy if we wanted a service notice or alert to arrive easily in a Teams channel to be handled or chatted about.
  • Power Automate has "When a new email arrives" trigger actions. Again, through a linked identity you can receive email sent to a shared mailbox or user and then forward that email to a Teams channel or even a Teams group.

Low-code or no-code solutions have been around in the commercial cloud for quite some time, and in GCC High too. The apparent feature parity in GCC High is a welcome development, and you should check out the platform again.
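The "New Way" described above, as an added example that is not code from this newsletter, from Sentinel Blue or from Microsoft: a Logic App workflow definition whose HTTP Request trigger validates an inbound alert against a schema (so malformed or unexpected bodies fail at the trigger and show up in run history) and then posts it with the Teams "Post message in a chat or channel" action. The connection name `teams`, the group and channel IDs, and the connector path and body shape are assumptions to check against a flow exported from your own tenant.

```json
{
  "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "$connections": { "type": "Object", "defaultValue": {} } },
  "triggers": {
    "Receive_alert": {
      "type": "Request",
      "kind": "Http",
      "description": "The 'HTTP Trigger' (receive a request). EnableSchemaValidation makes the schema a gate, not just a token source: a body that does not match is rejected and the failure is recorded in run history.",
      "operationOptions": "EnableSchemaValidation",
      "inputs": {
        "method": "POST",
        "schema": {
          "type": "object",
          "required": ["source", "severity", "title"],
          "additionalProperties": false,
          "properties": {
            "source":   { "type": "string", "maxLength": 64 },
            "severity": { "type": "string", "enum": ["low", "medium", "high"] },
            "title":    { "type": "string", "maxLength": 200 },
            "details":  { "type": "string", "maxLength": 2000 }
          }
        }
      }
    }
  },
  "actions": {
    "Post_message_in_a_chat_or_channel": {
      "type": "ApiConnection",
      "runAfter": {},
      "description": "Assumption: path and body follow the exported 'Post message in a chat or channel' Teams action; the 'teams' connection name and the groupId/channelId values are placeholders for your own tenant.",
      "inputs": {
        "host": { "connection": { "name": "@parameters('$connections')['teams']['connectionId']" } },
        "method": "post",
        "path": "/beta/teams/conversation/message/poster/@{encodeURIComponent('Flow bot')}/location/@{encodeURIComponent('Channel')}",
        "body": {
          "recipient": {
            "groupId": "<TEAM-GROUP-ID-PLACEHOLDER>",
            "channelId": "<CHANNEL-ID-PLACEHOLDER>"
          },
          "messageBody": "<p><b>[@{triggerBody()?['severity']}] @{triggerBody()?['title']}</b><br>Source: @{triggerBody()?['source']}<br>@{triggerBody()?['details']}</p>"
        }
      }
    }
  },
  "outputs": {}
}
```

The trigger's callback URL embeds a SAS signature, so treat it as a credential and restrict who may call it with the workflow's access control settings; the run history then gives the input and output visibility the bullet above describes.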


Small Business Series Blog #7: Remote Work Strategies that WORK!

BLOG

Small Business Series Blog #7 Remote Work and Thriving


LEADERSHIP SPOTLIGHT

Sentinel Blue's August Leader is Michael Baker, Global CISO, DXC Corp.



THE WATCHERS PODCAST

EPISODE 5: Robert Disney on Service, Sacrifice, AI and Our Future.

Robert Disney, a retired Air Force Pararescueman who served in combat and sustained multiple injuries, could have opted for a quiet retirement. Instead, he's pursued a new career as an artificial intelligence specialist, driven by his relentless passion for learning.


EPISODE 4: Bryan Ware on Modern Conflict, Entrepreneurship and Emerging Tech.

Bryan Ware is an entrepreneur, innovator, and technology leader who served as the first Presidentially appointed Assistant Director of Cybersecurity at CISA. With deep expertise in the current threat landscape, geopolitics, and emerging technologies like AI, Bryan is also known for his advocacy in promoting a stronger and more diverse cybersecurity workforce.


EPISODE 3: Robert Potter on the War in Ukraine, Cybersecurity, and the Future of Tech

Robert Potter is a renowned cybersecurity expert who has spent a career advising governments and institutions on fighting the growing threats in the cyber domain. For the past several years, Robert has been on the ground in Ukraine, helping the Ukrainians defend their assets in a new age of warfare.


EPISODE 2: Renee Wynn on the Important Mission of NASA, Leadership, and Optimism

Renee Wynn, a dedicated public servant with over two decades at the Environmental Protection Agency, later became NASA's Chief Information Officer. During her four-year tenure, she led significant digital modernization efforts and established NASA's first global cybersecurity program. Now retired, Renee remains active as an advisor, board member, mentor, and community contributor.


EPISODE 1: Andrew McCabe on Democracy, Cybersecurity, and the work of the FBI.

Andrew McCabe, who became Acting Director of the FBI after the controversial firing of James Comey, had already spent over 20 years at the FBI, working on high-profile cases like 9/11, the Boston bombings, and Benghazi. Now retired from the FBI, McCabe continues to serve the public as a cybersecurity advisor, podcast host, and regular CNN contributor.


COMING UP!

We’ve got a lot to do. Come join us at an upcoming conference or event!

UWIC 2024 – The Cyber Guild

October 1, Army Navy Country Club, Arlington, VA

UWIC is the premier event for cybersecurity professionals and aspiring practitioners. Connect with a vibrant, diverse community focused on emerging global trends, technological advancements, and workforce development.


AFCEA TechNet Indo-Pacific

October 22-24, Honolulu Convention Center, Honolulu, HI (Booth 637)

TechNet Indo-Pacific is the premier strategic event in the Indo-Pacific region, now in its 39th year. The event features expert speakers and discussions, many of which qualify for Continuing Education credits, focusing on how industry, academia, and government can collaborate to address regional challenges. Exhibitors showcase solutions and services tailored to meet the needs of military services. TechNet Indo-Pacific is co-sponsored by AFCEA International and AFCEA Hawaii.


Society of American Military Engineers Federal Small Business Conference

November 20-22, New Orleans, LA (BOOTH 860)

The Small Business Conference for the Federal Architecture, Engineering, Construction and Facility Maintenance/Management Industry (SBC) brings together federal agencies and businesses operating in the federal marketplace to support the nation's government contracting goals.


Charleston Defense Contractors Association Eastern Defense Summit 24

December 11-12, Charleston, SC (Booth 630)

The 2024 Eastern Defense Summit is a major defense-focused event on the East Coast, bringing together government, military, academia, and industry leaders to address challenges and threats within the defense industry. It will take place on December 11-12, 2024 in North Charleston, SC.

Copyright © 2024 Sentinel Blue. All Rights Reserved.

Vincent Scott

CEO, Defense Cybersecurity Group (DCG), FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

2 months

"I still wonder if we'd be much further along had we prioritized rapidly ensuring implementation of fundamental security requirements like MFA, vs. taking 7 years to enforce a more robust program." YES! I still think this is a better approach. Take the most effective 20% of controls, that get you 80% of the risk reduction, and go after those. Alas, I don't think that is really in the cards, but I agree completely that would have been a better approach.

Vincent Scott

CEO, Defense Cybersecurity Group (DCG), FBI Infragard SME on Cyberwarfare and Deputy Sector Lead, Defense Industrial Base

2 months

Thinking "sure, what's another compliance program; they're all functionally the same" - oh, me too! And now I see lots of people with only title-level knowledge still thinking the same thing, and the DoD encouraging that mindset. But no. This is now nothing like compliance programs that have come before.
