Three recent notable regulatory and legislative developments are significantly heightening expectations on cybersecurity disclosures and attestations.

• CISA Cyber Critical Infrastructure Incident Reporting.
  
  
• SEC Cyber Incident and Risk Disclosures by Public Companies.
  
  
• Secure Software Development Practice Attestation by Federal Vendors.

Over the last month, notable threat activity and U.S. Government regulatory pronouncements have highlighted the evolving technology supply chain security risk surface and the need for focused mitigation measures.

Companies that were forced to adapt to the reality of COVID are now grappling with operating in and evacuating from war zones (e.g., Ukraine), in contested or hostile environments (e.g., Russia), or on the edges of a conflict zone which could spread regionally, without warning. In addition to being one of the worst humanitarian crises Europe has faced in decades, the war in Ukraine—including its second and third order effects—highlights how quickly the operational landscape can shift.

On February 24, 2022, President Putin announced a “special military operation” in Ukraine to “protect” the people in the “republics of Donbas”, adding the actions were aimed at demilitarizing and “de-nazifying” Ukraine. Almost immediately following, Russian forces began a multi-pronged air, land, and sea invasion from the north, south, and east, launching missile strikes against multiple cities including the capital of Kyiv.

On Monday February 21, 2022, in the aftermath of a series of unproductive diplomatic meetings between Russia, the U.S., and NATO, and DDOS cyberattacks, President Putin announced that Russia would recognize the separatists in Donetsk and Luhansk in Eastern Ukraine as “independent republics” and that Russian troops were being deployed to the region as “peacekeepers.” This approach mirrors the actions that Russia took in Crimea in 2014 and in Georgia 2008. The White House has announced limited sanctions prohibiting Americans from doing business in or with the regions of Donetsk and Luhansk, as well as sanctions on Nordstream AG. German Chancellor Olaf Scholtz announced that Germany would not complete certification of the NordStream II pipeline as a response to the Russian actions.

Threats of government shutdowns and stopgap funding measures seem to have become standard operating procedure for the U.S. federal budget process.

 Far from a functioning appropriations process, Congress relies on continuing resolutions (CR) that maintain spending at prior year levels and massive “must sign” omnibus appropriations bills to keep the government open.