- Cybersecurity Docket
- Posts
- Pentagon Paused Its Cybersecurity Certification Program; What It Means
Pentagon Paused Its Cybersecurity Certification Program; What It Means
Plus, Illinois joins California and New York to create a national AI compliance framework.

Good morning! Here’s what’s up.

People
Jeff Nienaber announced in a LinkedIn post that he is departing Microsoft after more than 16 years with the company, most recently serving as senior director and principal program manager for Microsoft’s Office of the CTO.
Michelle Graff has joined Veeam Software, a data and AI trust company, as senior vice president of global partners. In this role, Graff will help Veeam’s global partners expand their services and solution opportunities for customers around data resilience, cyber readiness, and trusted data for AI. Most recently, Graff served as SVP of global partners at Commvault.

Clips ✂️
The Pentagon Just Paused Its Cybersecurity Certification Program. Here's What Everyone Is Missing.
Few cybersecurity initiatives have generated as much debate across the Defense Industrial Base as the Cybersecurity Maturity Model Certification. Yesterday, that debate took another unexpected turn when Secretary of War Pete Hegseth's Department of War suspended implementation of CMMC Phase II, established a 60-day CMMC Reform Task Force, and directed the Department to redesign the certification framework while maintaining existing cybersecurity obligations.
The decision immediately raised questions about the future of CMMC, the role of third-party assessments, and whether defense contractors should continue investing in cybersecurity readiness.
According to the memorandum signed by the DOD’s Chief Information Officer Kristen Davies, the Department will suspend the November 2026 transition to mandatory Phase II implementation, hold pending implementation milestones in abeyance, limit new procurements to Level 1 and Level 2 self-assessments during the review period, and deliver recommendations for a redesigned framework within sixty days.
Illinois AI Safety Measures Act SB 315: What Frontier AI Developers Must Do Before January 2028
On July 6, 2026, Illinois Governor JB Pritzker signed SB 315, the Artificial Intelligence (AI) Safety Measures Act (the Illinois Act), to establish a framework for AI safety, transparency, and accountability for the world’s most powerful AI models.
…
Illinois joins California, which enacted the Transparency in Frontier Artificial Intelligence Act (TFAIA) in September 2025; and New York, which enacted the Responsible AI Safety and Education (RAISE) Act in December 2025, in imposing a suite of obligations on developers of frontier models: transparency reports, AI safety frameworks, incident reporting requirements, and whistleblower protections.
Illinois goes a step further than the Empire State and the Golden State by mandating annual independent third-party audits.
With federal AI legislation unlikely in the near-term, these three states have effectively created a national compliance standard.
Canada's federal banking regulator warned the country's largest financial institutions about the risks of Anthropic's Claude Mythos and other advanced AI models, saying the new technology could increase cyber threats and reduce the time institutions have to identify and fix vulnerabilities, according to an email sent in April.
The regulator, the Office of the Superintendent of Financial Institutions, sent the email to chief technology officers, chief information security officers, and chief risk officers across the financial industry, including the big banks and insurers, according to documents Reuters obtained through an access-to-information request.
…
"Advanced artificial intelligence models, such as Anthropic Claude Mythos, significantly compress the timeframe for effective risk mitigation," OSFI said in the email. "Accordingly, this bulletin is grounded in our existing guidance and outlines sound practices that institutions can adopt to enhance the speed and effectiveness of risk identification, mitigation and response."
A new report from the Congressional Research Service identified that President Donald Trump’s Executive Order 14409 marks a shift toward voluntary collaboration with AI (artificial intelligence) developers as the federal government seeks to strengthen cybersecurity without imposing mandatory licensing or preapproval requirements on AI models.
It also noted that the order directs agencies to accelerate cyber defenses, expand AI-enabled defensive capabilities, establish an AI cybersecurity clearinghouse with industry participation, and protect critical infrastructure and intellectual property from emerging AI-related threats.
Published last week, the CRS report identified that E.O. 14409 ‘Promoting Advanced Artificial Intelligence Innovation and Security’ establishes a voluntary framework for evaluating frontier AI models with advanced cyber capabilities before public release.
Under the policy, developers may choose to provide the federal government with early access to designated models for security assessments, while the Justice Department is directed to prioritize enforcement against the criminal use of AI in computer intrusions, identity theft, wire fraud, and other cyber-enabled offenses.
Ransomware Groups Change Identities to Evade Cybercops
Ransomware hackers have reportedly begun rebranding to escape digital law enforcement.
As the Wall Street Journal (WSJ) reported Monday (July 13), this isn’t a new tactic, but one that is happening more frequently as cyberdefenders adopt better security tools.
Stopping ransomware attacks has “become a game of whack-a-mole,” with the number of ransomware and data-extortion attacks jumping from 1,363 in the first three months of year to 1,885 in the first quarter of 2026, the report said, citing cybersecurity firm ZeroFox.
“Cybercriminal groups are constantly reinventing themselves,” said Brian Carlson, chief technology, data, digital and innovation officer in North America at food services and facilities management company Sodexo.
Whether hackers show up using a new name or begin employing new tactics, Carlson said, “organizations can’t rely on yesterday’s defenses to address today’s threats.”
And Steven Masada, assistant general counsel at Microsoft’s digital crimes division, told the WSJ ransomware groups tend to rebrand following web takedowns, media exposure, sanctions or even a loss of trust within the underground economy.
Tracking The AI Revolution: Innovation And Cyber Risks
Artificial intelligence is rapidly becoming essential infrastructure, transforming global economies, governments, and daily life in an "Acceleration Era" where it converges with other advanced technologies. While AI offers vast potential for economic growth, healthcare innovation, and human enhancement, it simultaneously presents significant challenges. These include increased cyber risks, opaque "black box" systems, bias vulnerabilities, and the potential for misuse in areas like misinformation and automated attacks.
AI acts as both a powerful defensive tool in cybersecurity and a formidable weapon for adversaries. Therefore, integrating "security by design" and robust governance frameworks from the outset is crucial to harness AI's benefits while mitigating its substantial risks and ensuring ethical development.
