Michael Duffy, President Donald Trump's nominee for Undersecretary of Defense for Acquisition and Sustainment, has committed to reviewing the Pentagon's Cybersecurity Maturity Model Certification (CMMC) 2.0 if confirmed. This revamped program, effective since December, mandates that defense contractors handling controlled unclassified information comply with specific cybersecurity standards to qualify for Department of Defense contracts. Concerns have been raised about the burden these regulations may impose on smaller firms, with a report indicating that over 50% of respondents felt unprepared for the program's requirements. Duffy aims to balance security needs with regulatory burdens, recognizing the vulnerability of small and medium-sized businesses in the face of cyber threats.
In addition to the CMMC developments, the General Services Administration (GSA) is set to unveil significant changes to the Federal Risk and Authorization Management Program (FedRAMP). The new plan for 2025 focuses on establishing standards and policies rather than approving cloud authorization packages, a process that previously took up to 11 months. The GSA intends to automate at least 80% of current requirements, allowing cloud service providers to demonstrate compliance more efficiently while reducing reliance on external support services.
Across the Atlantic, the UK government has announced a comprehensive cybersecurity and resilience bill aimed at strengthening defenses against cyber threats. This legislation will bring more firms under regulatory oversight, specifically targeting managed service providers (MSPs) that provide core IT services and have extensive access to client systems. The proposed regulations will enhance incident reporting requirements and empower the Information Commissioner's Office to proactively identify and mitigate cyber risks, setting higher expectations for cybersecurity practices among MSPs.
The episode also discusses the implications of recent developments in AI and cybersecurity. With companies like SolarWinds, Cloudflare, and Red Hat enhancing their offerings, the integration of AI into business operations raises concerns about security and compliance. The ease of generating fake documents using AI tools poses a significant risk to industries that rely on document verification. As the landscape evolves, IT service providers must adapt by advising clients on updated compliance practices and strengthening their cybersecurity measures to address these emerging threats.
Four things to know today
00:00 New Regulatory Shifts for MSPs: CMMC 2.0, FedRAMP Overhaul, and UK Cyber Security Bill
05:21 CISA Cuts and Signal on Gov Devices: What Could Go Wrong?
08:15 AI Solutions Everywhere! SolarWinds, Cloudflare, and Red Hat Go All In
11:37 OpenAI’s Image Generation Capabilities Raise Fraud Worries: How Businesses Should Respond
Supported by: https://www.huntress.com/mspradio/
https://cometbackup.com/?utm_source=mspradio&utm_medium=podcast&utm_campaign=sponsorship
Join Dave April 22nd to learn about Marketing in the AI Era. Sign up here: https://hubs.la/Q03dwWqg0
💼 All Our Sponsors
Support the vendors who support the show:
👉 https://businessof.tech/sponsors/
🚀 Join Business of Tech Plus
Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.
👉 https://businessof.tech/plus
🎧 Subscribe to the Business of Tech
Want the show on your favorite podcast app or prefer the written versions of each story?
📲 https://www.businessof.tech/subscribe
📰 Story Links & Sources
Looking for the links from today’s stories?
Every episode script — with full source links — is posted at:
🎙 Want to Be a Guest?
Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:
💬 https://www.podmatch.com/hostdetailpreview/businessoftech
🔗 Follow Business of Tech
LinkedIn: https://www.linkedin.com/company/28908079
YouTube: https://youtube.com/mspradio
Bluesky: https://bsky.app/profile/businessof.tech
Instagram: https://www.instagram.com/mspradio
TikTok: https://www.tiktok.com/@businessoftech
Facebook: https://www.facebook.com/mspradionews
[00:00:02] It's Wednesday, April 2nd, 2025 and I'm Dave Sobel for 4 things to know today. New regulatory shifts for MSPs: CMMC 2.0, the FedRAMP overhaul and the UK's new Cyber Security Bill. CISA cuts and Signal on government devices. What could possibly go wrong? AI solutions everywhere: SolarWinds, Cloudflare and Red Hat go all in.
[00:00:25] And, OpenAI's image generation capabilities raise fraud worries. How businesses should respond. This is the Business of Tech. So, three big stories in the world of MSP regulations. Michael Duffy, President Donald Trump's nominee for Undersecretary of Defense for Acquisition and Sustainment, has committed to reviewing the Pentagon's controversial Cybersecurity Maturity Model Certification 2.0,
[00:00:53] if confirmed. The revamped program, which went into effect in December, mandates defense contractors handling controlled unclassified information to comply with one of three levels of cybersecurity standards to qualify for Department of Defense contracts. Concerns have been raised regarding the burden these regulations may impose, particularly on smaller firms. A recent report by Redspin indicated
[00:01:19] that over 50% of respondents felt unprepared for the program's requirements. Duffy emphasized the need to balance security and regulatory burdens, highlighting that small and medium-sized businesses are crucial to national defense, but often more vulnerable to cyber attacks due to limited resources. He plans to explore options for improving the requirements and implementation of the cybersecurity maturity model to ensure industry compliance with current cybersecurity best practices.
[00:01:46] The General Services Administration is set to unveil significant changes to the Federal Risk Authorization Management Program, or FedRAMP, aimed at making the process leaner and more automated. The new 2025 plan will focus on establishing standards and policies rather than approving cloud authorization packages, which previously extended the process for up to 11 months. The GSA intends to
[00:02:13] reduce reliance on external support services with only a small number of federal employees managing the program. Notably, the GSA plans to automate at least 80% of current requirements, allowing cloud service providers to demonstrate compliance more efficiently. Meanwhile, across the Atlantic, the UK government has announced a comprehensive cybersecurity and resilience bill aimed at strengthening the nation's defenses against
[00:02:39] cyber threats. The bill aims to bring more firms under regulatory oversight, addressing vulnerabilities in supply chains that could disrupt essential services. Managed service providers are specifically named, providing core IT services and having extensive access to client systems. The new regulations define a managed service as one that meets all of these criteria, provided to external organizations, uses network and
[00:03:05] information systems. This would make managed services providers managed entities. The proposed legislation also includes measures to enhance incident reporting requirements and improve the Information Commissioner's office capacity to identify and mitigate cyber risks proactively.
[00:03:31] Why do we care? On the US side, shifting waters of CMMC send a confusing message. While it seemed locked in, is it now? What do you do? Uncertainty is distinctly a negative for the market. Changes to FedRAMP might be more positive, although over-automation could lead to compliance gaps or false assumptions of security. Providers will still need human oversight to
[00:03:55] ensure comprehensive compliance. On the UK side, some MSPs may lack the in-house capabilities to meet the new regulatory expectations, especially regarding incident reporting and proactive risk management. By recognizing MSPs as managed entities, the government is setting expectations for heightened cybersecurity practices. The Information Commissioner's office will gain more
[00:04:18] power to enforce compliance. The days of anyone hanging out a shingle in the UK may be about to disappear. With every new breach and threat that I cover, it's clear that cybersecurity isn't a luxury anymore. It's a necessity. That's where Huntress comes in. Their fully managed cybersecurity platform is built for every kind of business, not just the 1%.
[00:04:43] Huntress seamlessly integrates their products and threat hunting team. Their EDR, ITDR, SIEM, and security awareness training solutions are purposely built for their elite 24x7 security operations center to stop threats before anyone else even spots them. This potent combination of purpose-built cybersecurity and threat hunting expertise is one of the many reasons why G2 users have voted Huntress the number one rated EDR for
[00:05:12] growing businesses. To see what people-powered cybersecurity looks like, visit Huntress.com slash MSP Radio. In a recent testimony before the House Intelligence Committee, Director of National Intelligence Tulsi Gabbard revealed that the encrypted messaging app Signal is now pre-installed on government devices. Gabbard highlighted guidance from the Cybersecurity and Infrastructure Security Agency, which recommends that
[00:05:38] government personnel use only end-to-end encrypted communications, naming Signal as a preferred application. This shift raises questions about the security of sensitive communications, especially after a report surfaced that top officials used Signal in planning a military strike. Historically, Signal has been largely unauthorized for government use, with officials previously warned of its vulnerabilities. And speaking of CISA, enterprises are seeking alternative support for their cybersecurity needs as the U.S.
[00:06:08] cybersecurity and infrastructure security agency downsizes. Experts, including former CISA executives, expressed concern that the recent cuts, which reportedly affected over 130 positions, could compromise essential services like threat intelligence and incident response. With CISA's personnel count previously at around 3200, the 2025 budget overview indicates significant impacts. Experts recommend that businesses strengthen
[00:06:33] relationships with private security firms, which can provide vital resources and support that CISA may no longer fully offer. They emphasize the importance of investing in advanced threat intelligence and building internal capabilities to address the growing threat landscape effectively. Oh, and speaking of that use of Signal for planning a military strike, U.S. National Security Advisor Mike Waltz reportedly used his Gmail account to discuss
[00:06:59] sensitive military positions and weapons systems related to an ongoing conflict. Although Waltz emphasized that he did not send classified information via the open account, emails have surfaced showing that he communicated technical details with colleagues from other government agencies using Gmail while they used their government-issued accounts. The situation has drawn attention, especially after Waltz's public Venmo account revealed information about numerous associates, including journalists and
[00:07:28] military officers. Why do we care? The pre-installation of Signal on government devices signals a shift toward prioritizing end-to-end encryption. That said, this isn't about the technology. It's about people using it properly. The revelation that Mike Waltz used Gmail to discuss military details highlights a glaring gap in cybersecurity training and protocol adherence among officials. Even if no classified information was shared, the perception of a
[00:07:56] lack of security can harm public trust and raise questions about the government's cybersecurity posture, as well as the damage the entire industry takes if lawmakers can disregard the law. Listen to my detailed piece on Monday. Providers should be aware they're going to have to fill the gaps left by CISA themselves. SolarWinds has unveiled its next-generation solution to integrate advanced capabilities in observability,
[00:08:23] incident response, service management, and artificial intelligence-powered automation. The portfolio includes the newly introduced Squadcast Incident Response, which aims to streamline incident resolution, and enhancements to SolarWinds observability, providing comprehensive visibility across major cloud providers and on-premises environments. Additionally, the company announced improvements in its database observability and service desk solutions to optimize database
[00:08:48] performance and automate operational tasks, respectively. Disclosure: I am a SolarWinds shareholder. Cloudflare has launched Cloudflare for AI, a suite of security tools designed to protect artificial intelligence applications for businesses of all sizes. The suite addresses critical threats such as the misuse of tools and data leaks, which become increasingly relevant as AI integration grows.
[00:09:12] Mike Prince, co-founder and CEO of Cloudflare, stated that an organization's AI strategy will significantly influence its success in the coming decade. The new tools include features for discovering unauthorized AI applications, monitoring usage, and preventing sensitive information leaks. Red Hat has unveiled new updates to its artificial intelligence portfolio, aimed at enhancing its offerings across hybrid cloud environments.
[00:09:35] The updates include improvements to Red Hat OpenShift AI and Red Hat Enterprise Linux AI, which are designed to streamline the deployment of AI solutions. Key features of the latest version of Red Hat OpenShift AI include distributed serving, which optimizes model efficiency by utilizing multiple graphics processing units, and an end-to-end model tuning experience, making fine tuning of large language models more manageable.
[00:10:03] Additionally, Red Hat is now offering free online training courses on AI foundations, providing two learning certificates for both experienced leaders and novices. Anthropic is teaming up with Databricks in a five-year partnership to help large organizations integrate generative artificial intelligence into their businesses. The collaboration aims to offer Claude AI models through the Databricks Data Intelligence Platform, making tools available to over 10,000 companies.
[00:10:29] The latest Claude 3.7 Sonnet model promises advanced reasoning capabilities and can quickly generate responses or provide detailed solutions when necessary. Arrow Electronics has announced the expansion of its managed services portfolio in North America, aimed at supporting channel partners in providing comprehensive solutions for AI, cloud, and security technologies.
[00:10:51] The new offerings, which focus heavily on artificial intelligence, include management solutions for large language models and a range of services from use case discovery to application modernization. Arrow Electronics reported sales of $28 billion in 2024. Why do we care? As AI integration increases, position yourself as the go-to expert in AI security and compliance.
[00:11:14] Offer hybrid AI management services leveraging Red Hat's OpenShift AI to optimize multi-cloud environments, or help clients understand the security implications of integrating AI into their operations. Leverage vendor partnerships to enhance your managed AI portfolio without reinventing the wheel, while being aware that relying heavily on a single vendor might create long-term dependency issues.
[00:11:39] ChatGPT has launched a new image generator as part of its 4o model, significantly improving its ability to create text within images. Users are already leveraging the technology to produce fake restaurant receipts, raising concerns about its potential misuse in fraudulent activities. A recent post by venture capitalist Deedy Das showcased a fake receipt from a San Francisco steakhouse, demonstrating the tool's capabilities.
[00:12:05] In TechCrunch's test, they successfully generated a fake receipt for an Applebee's, although their attempt revealed some inconsistencies, such as incorrect math and punctuation errors. OpenAI has stated that all generated images contain metadata indicating they were created by ChatGPT, and they take action against violations of their usage policies. Why do we care?
[00:12:27] The ease with which users can generate fake receipts, invoices, and other documents poses a direct threat to businesses, especially those relying on manual verification or outdated anti-fraud mechanisms. Consider now that documentation is very easy to forge. As fake documents become more prevalent, industries like finance, insurance, and hospitality will require tighter verification protocols.
[00:12:50] Providers will need to advise clients on updating their compliance practices, especially in regulated industries where document authenticity is crucial. The rise of AI-generated fake documents is not just a technological challenge, but a broader business risk that IT services firms need to address head on. This episode is supported by Comet Backup. Are you seeking a fast, secure, and flexible backup solution?
[00:13:17] Comet Backup empowers you to manage all your backups from a simple, centralized platform. Protect Windows, Linux, and macOS, as well as Hyper-V, VMware, Synology, Microsoft 365, and more. Manage backups on your terms. You choose where the data is stored. With on-prem storage and direct-to-cloud with industry-leading integrations like AWS and Microsoft Azure. Experience streamlined data protection and disaster recovery tailored to your needs.
[00:13:45] Visit cometbackup.com to start your free 30-day trial today. Get $100 free credit when you sign up with the promo code MSPRADIO. Start running backups in 15 minutes or less with Comet Backup. Thanks for listening. Today is National Peanut Butter and Jelly Day and National Ferret Day. It's also Autism Awareness Day. It's also National Ride Your Horse to a Bar Day.
[00:14:11] I'll be speaking on a webinar on April 22nd about inbound marketing in the AI era with the author of a new book. Link to register in the show notes and description. The Business of Tech is written and produced by me, Dave Sobel, under ethics guidelines posted at businessof.tech. If you've enjoyed the show, make sure you've subscribed or followed on your favorite platform. It's free and helps directly. Give us a review, too.
[00:14:40] If you want to support the show, visit patreon.com slash MSPRADIO and you'll get access to content early. Or buy our Why Do We Care merch at businessof.tech. Have a question you want answered? We take listener questions, send them in, ideally as a voice memo or video to question at MSPRADIO.com. I answer listener questions live on our Wednesday live show on YouTube and LinkedIn.
[00:15:06] If you've got a comment or a thought on a story, put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening to the podcast. And if you want to advertise on the show, visit MSPRADIO.com slash engage. Once again, thanks for listening and I will talk to you again on our next episode. Part of the MSP Radio Network.