The Regulatory Shift: How CIRCIA and NIST are Redefining Cyber Defense with Sara Friedman
Season 3 Episode 9 •Show Notes
Cyber incident reporting is about to become mandatory for much of critical infrastructure—and the details are where the fight is. On February 26th, Frank Cilluffo spoke with Inside Cybersecurity managing editor Sara Friedman about CIRCIA’s proposed reporting rules, what industry says is overbroad, and why the 72-hour clock is hard in the real world. They also dig into overlap with other federal requirements, CISA’s capacity to execute the rulemaking, and what “getting it right” means for public-private trust. The conversation then pivots to NIST, AI agent standards, and how Washington is balancing innovation, security, and competitiveness.
Main Topics Covered
- What CIRCIA is designed to do.
- Who’s covered and what counts as reportable.
- The practical challenge of determining incident facts within 72 hours.
- Duplication concerns across rules, including SEC cyber disclosure timelines.
- Whether CISA has the staffing and leadership capacity to deliver.
- NIST’s role in AI agent standards and broader cyber “rules of the road.”
Key Quotes
“CISA was supposed to have voluntary partnerships… And with this new role, CISA is moving into more of a regulator role.” —Sara Friedman
“This rulemaking, when it was put out, it’s over 400 pages. There’s a lot in there.” — Sara Friedman
“House Homeland Security Chairman Andrew Garbarino threatened to, if the rulemaking does not meet congressional intent…to potentially roll this back.” — Sara Friedman
“When there’s a large attack on critical infrastructure, it just seems to wake up lawmakers in some ways that they need to be able to do something.” —Sara Friedman
“They’ve shed about a third of their workforce…One of the questions is, does CISA have the capacity that they need for this rulemaking and to do it effectively? —Sara Friedman
Relevant Links and Resources
CIRCIA town halls scheduled for March: https://insidecybersecurity.com/share/17759
When the CIRCIA NPRM was published: https://insidecybersecurity.com/share/15688
RSA 2024 panel on the rulemaking: https://insidecybersecurity.com/share/15832
NIST launches AI Agent Standards initiative: https://insidecybersecurity.com/share/17775
NIST AI security request for information: https://insidecybersecurity.com/share/17654
NIST work on an AI profile for the Cybersecurity Framework: https://insidecybersecurity.com/daily-news/stakeholders-weigh-ai-considerations-cybersecurity-nist-workshop-draft-framework-profile
Guest Bio
Sara Friedman is the managing editor of Inside Cybersecurity and has covered federal cybersecurity policy for years, including CIRCIA, NIST standards, and related rulemakings.
Transcript
1
00:00:00,000 –> 00:00:01,000
Sara Friedman [00:00:00]: There’s this concern over the burden, the burden of companies to report this information and the burden that CISA will have processing all this information that can be used in an actionable way.
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:13]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I get to sit down with one of the top cybersecurity reporters in town. And even beyond town, Sarah Friedman. Sarah is the managing editor of Inside Cybersecurity. Prior to that, she was a reporter with the Government Computer News and has been covering this beat for quite some time. And in all sincerity to our listeners and viewers, read Inside Cybersecurity. They do great reporting and go in depth on topics that many others don’t. Sarah, thank you so much for joining us today.
3
00:00:02,000 –> 00:00:03,000
Sara Friedman [00:00:53]: Thanks for having me.
4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:00:54]: So I thought we’d start with, you’ve done a number of pieces on CIRCIA, or the Cyber Incident Reporting for Critical Infrastructure Act, and I promise we will just call it CIRCIA because that would take up all of our time to mention that each time. And all things said and done, you’ve covered what could be the most monumental rulemaking set of issues around CIRCIA. So I thought we could start maybe at the very beginning. What exactly is CIRCIA trying to achieve?
5
00:00:04,000 –> 00:00:05,000
Sara Friedman [00:01:25]: So CIRCIA was passed in 2022. At that time, there was a lot of confusion about Colonial Pipeline. What CIRCIA does is it establishes a mandatory regime for cyber incident reporting, and it gave CISA new regulatory authorities to be able to accomplish this. They were required to issue a notice of proposed rulemaking within 2 years, which they put out in April 2024. And they’re in the process of gathering feedback on this rulemaking with the anticipation that they’ve said it will happen come out in May 2026.
6
00:00:05,000 –> 00:00:06,000
Frank Cilluffo [00:01:57]: Which is probably a bridge too far now, and we’ll talk about that in a second because you’ve also written about some of the town halls they plan to host. But before jumping into that, you’ve also done some really good reporting in terms of some of the tension. I mean, one of the reasons CISA exists is to be that trusted partner with industry. Have you seen anything in terms, any tension in terms of the shift from trusted partner to rule writer?
7
00:00:06,000 –> 00:00:07,000
Sara Friedman [00:02:20]: Yeah. I mean, CISA was supposed to have voluntary partnerships, and that was one of the hallmarks of getting industry to engage with them. And this idea of joint operational collaboration and bidirectional information sharing. And with this new role, CISA is moving into more of a regulator role. They’ve had that for the chemical sector, but this is an introduction into rulemaking more broadly. As a regulator, they need to get this rulemaking right, the notice of proposed rulemaking that came out.
8
00:00:07,000 –> 00:00:08,000
Frank Cilluffo [00:02:50]: I’ll double tap that. So, there’s a lot vested in getting CIRCIA right, and I think done right, it could be very significant and transformational in terms of incident reporting and hopefully moving toward genuine public-private partnership. And for transparency, I need to say that we stood up a task force with the US Chamber of Commerce to look at regulatory harmonization. So, more on that soon. But I’d also be curious if you’re hearing from any of the operators and anything that you’re hearing from them, how the reporting burden could change how they engage with CISA.
9
00:00:08,000 –> 00:00:09,000
Sara Friedman [00:03:29]: So this rulemaking, when it was put out, it’s over 400 pages. There’s a lot in there. And there was a lot of concerns that CISA had gone overbroad in terms of who would be covered, covered entities, and what incidents they would have to be reporting. So there’s this concern over the burden, the burden of companies to report this information and the burden that CISA will have processing all this information that can be used in an actionable way and actually provide information to agencies so they can get a broader look at what other people are seeing and so that they can provide this information back to industry on what threats they’re seeing and how they should respond.
10
00:00:09,000 –> 00:00:10,000
Frank Cilluffo [00:04:07]: Excellent.
11
00:00:10,000 –> 00:00:11,000
Sara Friedman [00:04:07]: Whether it’s indicators of, indicators of compromise, TTPs, tactics, techniques, and procedures, I believe.
12
00:00:11,000 –> 00:00:12,000
Frank Cilluffo [00:04:14]: Mm-hmm.
13
00:00:12,000 –> 00:00:13,000
Sara Friedman [00:04:14]: And trying to provide useful information back to industry and get it in return.
14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo [00:04:20]: And, and I think that’s what the government get is visibility across various critical infrastructure owner operators and what’s playing out in a particular region in the country and say a transportation sector could have application for financial services, could have application for energy, whatever it may be. And all things said and done, I think that if we get CIRCIA right, that would also require maybe a little bit of that burden you were talking about, decluttering some of the, some of the other regulations from other agencies, which were all well-intended, but don’t necessarily get to the outcome we’re all looking for, at least not quickly.
15
00:00:14,000 –> 00:00:15,000
Sara Friedman [00:05:00]: Yeah, there’s a part of the rulemaking that is focused on regulatory harmonization, getting agreements between CISA and other agencies to have exceptions. Whether CISA is doing that, not entirely sure how that’s going so far. I would say one rulemaking that has created a lot of tension in industry is the SEC put in rules a few years ago to create disclosure for cyber incidents that have to be reported publicly within 4 business days. And there’s been a lot of question in terms of duplication with CISA because it’s a different audience. But there’s still, it still has a number of the same people that are involved in it. So that’s one of the major ones that we’re seeing. And there’s regulations like for the financial sector as well that could potentially come up as this goes on.
16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo [00:05:48]: Energy. You could go sector by sector and almost see the same, but if we could get it all sort of streamlined, focused, and still get what we need out of it, maybe that is, maybe there is some opportunity there.
17
00:00:16,000 –> 00:00:17,000
Sara Friedman [00:06:00]: Yeah. Maybe you’ll have some recommendations in your upcoming research that we can report on.
18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:06:05]: I think we will. And, and, you know, what do you think the hardest thing for CISA to get right is in terms of, you mentioned the deadline, it’s coming up fast. I’m not sure we’re going to meet that deadline, but, uh, what, what are some of the hardest challenges that CISA has to get its arms around?
19
00:00:18,000 –> 00:00:19,000
Sara Friedman [00:06:23]: I think scoping remains a big challenge when it comes to the covered incident, covered entity challenge. I think showing industry that they will be able to—
20
00:00:19,000 –> 00:00:20,000
Frank Cilluffo [00:06:33]: What is material, right? What triggers?
21
00:00:20,000 –> 00:00:21,000
Sara Friedman [00:06:35]: Exactly. That’s come up in the SEC rulemaking as well, and trying to understand where CISA’s coming from. How are they going to be using this information as they move forward?
22
00:00:21,000 –> 00:00:22,000
Frank Cilluffo [00:06:46]: And when you talk to stakeholders, where do you see the strongest pushback? Is it in scope? Is it definitional? Is it timelines? Is it overlap with other rules, or is it all of the above?
23
00:00:22,000 –> 00:00:23,000
Sara Friedman [00:06:58]: I think it’s all of the above. I think scoping is going to be really important, and it’s not entirely clear what CISA is going to be doing with that. Part of the rulemaking actually goes sector by sector to describe what will be considered a covered entity, and they’re going in that much detail where they’re trying to get that technical. It could create some questions as they move forward.
24
00:00:23,000 –> 00:00:24,000
Frank Cilluffo [00:07:18]: And, you know, you sit down with so many of the stakeholders, both from the CISA perspective, from the regulator’s perspective, but also those that will be impacted by all of this, and I’d be curious, we touched on this very briefly, but what can, what counts as a substantial incident? Are you hearing different thoughts around that?
25
00:00:24,000 –> 00:00:25,000
Sara Friedman [00:07:39]: Yeah, I mean, it depends on the scope, who it’s impacting, and those kinds of requirements, the severity of it. Does it include focus on other nation states? What are they trying to do? Size is also impact here of the entity and the spread of the attack and what the actual incident is itself, because it’s really hard to actually know that within 72 hours what it is. And CISA is also allowing to have supplemental incident reporting after the first 72 hours. So what is that going to look like down the line?
26
00:00:25,000 –> 00:00:26,000
Frank Cilluffo [00:08:13]: These town halls, which honestly, from a process standpoint, it’s good to get feedback and get a sense. What do you think will, now, firstly, with the DHS shutdown, I’m not sure the town halls can exist in the timeframe they were hoping. But you’ve written about that a little bit, and also what you expect will dominate sort of the discussion around that.
27
00:00:26,000 –> 00:00:27,000
Sara Friedman [00:08:35]: Yeah. So CISA announced a series of town halls they’re going to be having in March, in mid-February. And they’re basically trying to get more feedback from different critical infrastructure sectors on the rulemaking and what should be done in terms of next steps. As a result of that, we’re seeing some people who are very interested in these rulemakings and want to participate, but there are some concerns about what CISA hopes to get out of this.
28
00:00:27,000 –> 00:00:28,000
Frank Cilluffo [00:09:04]: And, and these are geographically across the country?
29
00:00:28,000 –> 00:00:29,000
Sara Friedman [00:09:07]: No, these are all virtual this time.
30
00:00:29,000 –> 00:00:30,000
Frank Cilluffo [00:09:08]: They’re all virtual. Gotcha.
31
00:00:30,000 –> 00:00:31,000
Sara Friedman [00:09:09]: In 2022, they did them across the country and virtually.
32
00:00:31,000 –> 00:00:32,000
Frank Cilluffo [00:09:12]: Yeah. Yeah. And, but would you recommend if you were sitting down with some of the critical infrastructure owner operators, should they come armed with lots of questions or how much do you think they can actually absorb at this point?
33
00:00:32,000 –> 00:00:33,000
Sara Friedman [00:09:26]: Well, my understanding is this is more of a one-way communication. Like the listening sessions were back in 2022, unfortunately. But CISA, through a notice that was published in the Federal Register, actually outlined what they want to see industry doing through this, through these town halls. So they gave some indication finally of what they’re actually looking for post the comments that were published in 2024.
34
00:00:33,000 –> 00:00:34,000
Frank Cilluffo [00:09:49]: So this has been around a while.
35
00:00:34,000 –> 00:00:35,000
Sara Friedman [00:09:50]: Yes.
36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo [00:09:51]: And not to put you on the spot, but if this goes poorly, What’s the long-term risk to public-private partnerships?
37
00:00:36,000 –> 00:00:37,000
Sara Friedman [00:09:58]: Yeah, it could have some big effects on all of this, and it will have a big effect on what CISA is doing moving forward as well. House Homeland Security Chairman Andrew Garberino threatened to, if the rulemaking does not meet congressional intent and what he was expecting, to introduce a Congressional Review Act resolution to potentially roll this back, like some lawmakers tried to do with the SEC rulemaking, which was eventually unsuccessful and did not get much traction.
38
00:00:37,000 –> 00:00:38,000
Frank Cilluffo [00:10:25]: And that requires both ends of Pennsylvania Avenue being in sync, right? Not only the interagency, but also congressional committees, all of whom have different jurisdictions. So, it gets a little challenging from a policy standpoint. And I think you kind of nailed it. Done right, it can be incredibly helpful, and it can bring clarity. I think that’s what I hear from a lot of our stakeholders is not even is this right, is this wrong? People can debate around the edges and should and will, but at the end of the day, they need clarity. They need to know, okay, this matters. How do we start moving forward? How do we devote resources? And let’s not make this just another check the box kind of approach.
39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:11:08]: I’d like to see something valuable and real come out at the back end for both government and industry. So perhaps even more so for industry.
40
00:00:39,000 –> 00:00:40,000
Sara Friedman [00:11:18]: Yes.
41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:11:18]: And, and hopefully they share that. Hopefully it’s not a one-way street.
42
00:00:41,000 –> 00:00:42,000
Sara Friedman [00:11:21]: I mean, it’s a little bit unclear at this point. Um, CISA does not have a Senate-confirmed leader. Uh, so we are waiting to see what happens in that respect. We’ve had a few hearings now with the acting director where he’s testified, but it remains to be seen what would happen potentially with the agency when they have Senate-confirmed leadership in place.
43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo [00:11:39]: And that’s a good question. What are you hearing in terms of the mood around, I think there’s a lot of attention on some of the good work on the offensive side, but what’s the mood with respect to CISA these days?
44
00:00:43,000 –> 00:00:44,000
Sara Friedman [00:11:52]: Well, they’ve shed about a third of their workforce under the second Trump administration. And that’s had some impacts on morale and what they’ve been focused on.
45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo [00:12:01]: Mm-hmm.
46
00:00:45,000 –> 00:00:46,000
Sara Friedman [00:12:01]: So one of the questions is, does CISA have the capacity that they need for this rulemaking and to do it effectively? And it’s not entirely clear at this time.
47
00:00:46,000 –> 00:00:47,000
Frank Cilluffo [00:12:10]: And do you feel the Office of the National Cyber Director should have a role in CIRCIA?
48
00:00:47,000 –> 00:00:48,000
Sara Friedman [00:12:14]: I mean, they could. Under the Biden administration, it played more of a convening role and rolling out the National Cyber Strategy and playing and leading those efforts along with budgets. But ONCD has a great capability to bring people together. And if CISA asked them to potentially help with this, I think they could if they needed to.
49
00:00:48,000 –> 00:00:49,000
Frank Cilluffo [00:12:37]: And maybe they don’t have to be asked, but maybe, maybe that is the right way to go. You know, moving sort of where CIRCIA is sort of by definition looking back in terms of incident reporting, you’re also doing a lot of work looking at an issue that is all looking forward, and that’s around NIST, agentic AI, and some of the rulemaking and, or processes and standards around that. So, NIST is the National Institute for Standards and Technology. I often say science and technology, but standards and technology. Can you talk us through, you’ve done a lot of good writing in terms of what NIST is tackling right now.
50
00:00:49,000 –> 00:00:50,000
Sara Friedman [00:13:18]: Yeah. So Inside Cybersecurity, we were actually created in 2013, and that’s when they were working on the first edition of the NIST Cybersecurity Framework. So we were there with all of the sessions that they held to try and get feedback from people. And since then it’s been updated twice. So the last update was in 2024. NIST has always been very exciting in certain ways, at least for me as a, as a standards nerd in some ways. In that they’re focused on creating standards that industry is supporting because industry is involved in this process and they’re giving comments and they’re giving buy-in. And in that way, it’s just been very collaborative. With AI, we’re seeing more of a focus in the Trump administration on moving away from safety to focus on innovation.
51
00:00:50,000 –> 00:00:51,000
Sara Friedman [00:13:59]: They recently announced an AI agent standards initiative, and we’re seeing more of an intersection with cyber and AI on that area.
52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo [00:14:07]: And where do you see that going? The AI agent standards initiative?
53
00:00:52,000 –> 00:00:53,000
Sara Friedman [00:14:12]: Yeah. I mean, AI agents was something that I probably may have heard like in the past 2 years or so. It’s this generative AI is moving so quickly in so many ways. And this was a new issue to me and I had to wrap my head around it. But we’re seeing NIST potentially updating some of their guidance more quickly on AI because they have, because people are interested in getting more guidance on AI agents. And we’re seeing the pace of some of the threats in some ways escalating extremely quickly. Because AI can be used for offense, but there’s also benefits for AI.
54
00:00:53,000 –> 00:00:54,000
Sara Friedman [00:14:46]: It can also be used for defense as well and trying how to figure out how to do that effectively.
55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:14:51]: And we’re seeing that delicate dance right now in terms of Anthropic and Office of the Secretary of War and what have you. And I’m not going to ask you to weigh in on all that, but the reality is, is these are fast-moving issues. NIST by definition is a collaborative entity. Can it keep pace with the demand?
56
00:00:55,000 –> 00:00:56,000
Sara Friedman [00:15:14]: Well, part of the issue with NIST is that they’ve also lost part of their workforce as part of the Trump administration. People have just decided to take the voluntary fork in the road offer that came last year. And so they don’t necessarily have as many people as they did this time last year. So we’re seeing more of a focus on AI in some ways because that’s where they can get more of a buy-in. They were directed in Trump’s AI action plan to take specific steps, and they need to be able to carry that out.
57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:15:45]: Mm-hmm. Mm-hmm. And looking at sort of those AI policy shifts which are coming, agnostic to what government leaders think, it’s actually in practice happening pretty quickly, and it’s shifting sort of towards speed and competitiveness. What is the cyber risk you hear most coming up when it comes to AI?
58
00:00:57,000 –> 00:00:58,000
Sara Friedman [00:16:03]: Well, it’s like any other industry. I mean, the first time we see a major cyberattack that is done completely by AI, there’ll be a large impact from that and it will shake up the industries in some ways. So it’s similar to how cyber is seen in some way. When there’s a large attack on critical infrastructure, it just seems to wake up lawmakers in some ways, that they need to be able to do something.
59
00:00:58,000 –> 00:00:59,000
Frank Cilluffo [00:16:24]: And that’s actually a pet rock of mine. It’s a complaint I have is we tend to march into the future backwards. Something, in fact, we’ve almost ceded our strategy to the adversary. Something bad happens, we react to that, we respond to that, and we fix what we just saw, not necessarily what we will see in the future. And I don’t want to lead any witnesses here, but are we at risk of repeating sort of the move fast, secure later sets of issues we saw in cyber when it comes to AI, or is it the opposite?
60
00:00:59,000 –> 00:01:00,000
Sara Friedman [00:16:55]: I’m not entirely sure. We have a whole publication called Inside AI Policy that covers a lot of these issues more broadly, and it goes beyond cybersecurity. It covers defense, healthcare, financial sector, some of the ethics issues that come along with this. It gets extremely complicated when you’re trying to unpack all of this. And there’s a lot of different moving pieces. And where, where I come from, the standards perspective is trying to understand how all of this could work in practice and making sure that NIST has a central role in this will go a long way to making industry want to be able to participate in these efforts.
61
00:01:00,000 –> 00:01:01,000
Frank Cilluffo [00:17:32]: And again, it’s empirically based, right? So the challenge is sometimes, and I think it’s with every technology, technology is going to outpace policymaking, but we’ve got to get to some of those standards, those rules of the road and the like, right?
62
00:01:01,000 –> 00:01:02,000
Sara Friedman [00:17:48]: Yeah, absolutely. You got to get to a point where it’s, you kind of, in some ways you do some future-proofing where the law or regulation could apply to other technologies down the road. The cybersecurity framework in many ways, it’s not meant to apply to specific kind of technology. It’s very broad. These are the things that you should be doing to protect your systems, governance, identification, responding to different events and how, and how you do that. So with NIST’s role, they’re able to look back in some ways and, and think about things more objectively and the bigger picture rather than just AI or other issues, tech issues that come up.
63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:18:24]: And application is always a differentiator in some ways. So you can have policy, but at the end of the day, application is critical. And that’s where I think NIST can play a significant role. But dare I say, this is a race we as a country cannot afford to lose, right? Or would you disagree with that?
64
00:01:03,000 –> 00:01:04,000
Sara Friedman [00:18:44]: Absolutely. I mean, you’re seeing China in some ways catch up to us or—
65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo [00:18:48]: Some ways maybe ahead in certain areas.
66
00:01:05,000 –> 00:01:06,000
Sara Friedman [00:18:51]: Yeah. So I think the idea to have more innovation in this space is really pushing some of the stuff that NIST and other agencies are doing to try and make sure government still has a role in all this, but in a way that actually supports AI and AI developers and allow this to be secure and safe in a manner as well.
67
00:01:06,000 –> 00:01:07,000
Frank Cilluffo [00:19:08]: Exactly. So it’s not just how, it’s not just the AI for attackers and defenders, but it’s actually the AI itself and making sure that that’s locked down as much as it can be is important, but also not at the expense of slowing down, right? So that’s a tough one. And I think we’re going to see incidents play out that will cause us to look back. Let’s just hope it’s not a catastrophic incident in my eyes. So you sort of have CIRCIA on one side, AI on the other. What do you think this means for the overall cyber posture? Is it maturing or is it further fragmenting?
68
00:01:07,000 –> 00:01:08,000
Sara Friedman [00:19:46]: I don’t necessarily think it’s a maturity issue. I mean, I think it is maturing in some ways in that we have new threats that we have to look at. I mean, NIST, that’s been doing this for 50 years, cybersecurity. So that’s not necessarily something that is new to them at all. It’s just a change in perspective. And as this tech evolves, as any tech evolves, it’s going to be more of a discussion on what parameters do we need to do that will help with this? How can we spur more innovation while still making sure that there’s room for safety considerations, making sure that organizations are protecting their data in a way that’s actually helpful and will help them as they try and adopt some of these new technologies.
69
00:01:08,000 –> 00:01:09,000
Frank Cilluffo [00:20:26]: So sort of quick questions and feel free to push them back and the like, but biggest misconception about CIRCIA?
70
00:01:09,000 –> 00:01:10,000
Sara Friedman [00:20:36]: I would say that industry in some ways, it seems like this is too big of an area to regulate. And that’s not necessarily the case. They just have to do a lot of work in order to get this right. And line it all up. And that’s a big challenge.
71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:20:51]: Yep. What about one federal agency punching above its weight?
72
00:01:11,000 –> 00:01:12,000
Sara Friedman [00:20:55]: Yeah, I mean, I would say NIST has always punched above its weight when it comes to, they have a small staff, but being able to actually develop all this, all of these standards and make guidance that is actually helpful to industry. CISA is also a very small agency when it comes to the government as well.
73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:21:14]: It is. Yeah.
74
00:01:13,000 –> 00:01:14,000
Sara Friedman [00:21:15]: So seeing them actually to move on some of this stuff is going to be really interesting moving forward.
75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:21:21]: One headline you predict we’ll see in 2026?
76
00:01:15,000 –> 00:01:16,000
Sara Friedman [00:21:25]: I expect that we will see more information on supply chain issues. I cover a lot of the software supply chain issues, and we’re of course also expecting and would love to see the National Cyber Strategy and how that’s going to be implemented. It will create a lot of different verticals to be working on in different topics, and we’re going to be on top of that as much as we can.
77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:21:48]: Great, great. So sort of to sum some of this together, if there were one thing you would be advising government and one thing you would be advising industry to take seriously, whether it’s through CIRCIA or whether it’s through the broader AI sets of questions, what would your thoughts be there?
78
00:01:17,000 –> 00:01:18,000
Sara Friedman [00:22:05]: So I think with government, I think they need to be able to pay attention to what industry is actually trying to understand and actually listen to them. And this idea of bidirectional information sharing, once again, it’s so important to industry and government and being able to get this, this right. And industry also wants to be heard and have their, and have what they provide government. They want to be able to get value out of that. And just seeing that moving forward and how that’s going to be working in practice is, is an ongoing tension, but it’s also just continues to be really important.
79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:22:38]: And for industry, anything?
80
00:01:19,000 –> 00:01:20,000
Sara Friedman [00:22:40]: I think with industry, they just, there’s a lot of surrounding questions with some of this stuff with CIRCIA and some of the other things that are going to be coming out. And they just want to get certainty about what’s going on and what the government wants to be focused on. And there’s a level of that right now where there’s always going to be uncertainty. But with like CIRCIA, there’s a level of uncertainty right now where it’s not really clear where things are going to go next.
81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:23:03]: Yeah. And I often say with the public-private partnership, long on nouns, short on verbs. I think we’re at the verb phase now, and yet I feel like the discussion is circa a decade ago. And what I’d like to see, and I’d be curious what your thoughts are, is to sort of move from that information sharing and need toward an operational collaboration. Would you agree, disagree?
82
00:01:21,000 –> 00:01:22,000
Sara Friedman [00:23:33]: Yes, I mean, we definitely, we have CISA 2015, the information sharing law that needs to be reauthorized. It’s reauthorized right now through September 30th, but in terms of what’s going to happen with that, we’re not entirely sure, but that goes a long way when it comes to industry being willing to share information with CISA as well.
83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:23:54]: And trust is the coin of the realm. I think people lose that. It takes a long time to build and very quick to lose. Right?
84
00:01:23,000 –> 00:01:24,000
Sara Friedman [00:24:00]: Yeah.
85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:24:00]: So, doing this right is important, not just knowing where you want to go, but how you get there. And hopefully, hopefully we’ll get to the point where we at least get to an end state we can all sort of agree to. Sarah, any questions I didn’t ask that I should have?
86
00:01:25,000 –> 00:01:26,000
Sara Friedman [00:24:18]: I would say that one thing that we’re really interested in at Inside Cybersecurity is DOD’s efforts to establish the CMMC program, the Cybersecurity Maturity Model Certification program. The rulemaking, the last rulemaking in that effort went into effect a few months ago, and we’re seeing that actually work out in practice now. This was something that took 6 years to get off the ground, and we’re actually seeing it happen. And CMMC is establishing a third-party assessment, a requirement for people, for companies in the defense industrial base to be able to show that they’re meeting certain standards. And there’s a question if that can be expanded outside DOD as well.
87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:25:00]: And what is a DOD or DOW company? The defense industrial base company is getting more and more complex, right?
88
00:01:27,000 –> 00:01:28,000
Sara Friedman [00:25:07]: Absolutely.
89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:25:08]: We’re doing a lot of work on defense critical infrastructure or civilian critical infrastructure that could impede the ability for the Department of Defense, Department of War to engage in their activities as well. Sarah, thank you so much for joining us today. Thank you for all the hard work you and your colleagues are doing at Inside Cybersecurity. Again, read it. It’s worth the read. And let me leave you with a token of our appreciation, both figuratively and literally, our coin. Thank you.
90
00:01:29,000 –> 00:01:30,000
Sara Friedman [00:25:38]: Thank you. Thank you for having me.
91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:25:40]: Thanks, Sarah. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.