The Cybersecurity Maturity Model Certification (CMMC) is a Department of Defense (DoD) framework made to ensure organizations handling federal information maintain adequate cybersecurity controls. While CMMC is often associated with government agencies and defense contractors, research universities involved in DoD-funded projects may also need to protect Controlled Unclassified Information (CUI) like research data and technical specifications.

If you’ve deployed your first AI agent, then you must have given it access to your CRMs, ticketing systems, and your cloud storage. This AI agent is programmed to run 24/7, make decisions, call external APIs, and trigger actions (without a human in the loop). Now, answer these questions: If you cannot answer these questions, then you have an agentic AI identity issue. Traditional Identity and Access Management (IAM) was built for service accounts with static API keys and users with usernames.

Organizations continue investing heavily in cybersecurity tools, yet many security operations centers (SOCs) still struggle with alert fatigue, investigative delays, and inconsistent response outcomes. The issue is not necessarily a lack of technology. In many environments, it is the opposite. As security stacks expand, operational complexity often expands with them.

Cato CTRL recently analyzed an operator’s command-and-control (C2) server’s entire 33 days operation, including the steps he took to preserve access after the takedown. 339 commands. Four French victims. Between March 30 and May 1, 2026, Cato CTRL studied every command issued by a French-speaking threat actor (“Poisson”) against one French automotive small business and four French individuals.

Businesses must never store CVV/CVC codes, full magnetic stripe data, or PINs under any circumstances. For PANs that must be retained, use AES-256 encryption with hardware security modules (HSMs) or, better yet, replace card data entirely with tokens via a PCI-DSS-compliant third-party vault. This removes raw card data from your environment and reduces your compliance scope from SAQ D (hundreds of controls) to SAQ A (as few as 22 controls).

The days when compliance was just a documentation exercise are long gone. Now, it’s a critical priority for a wide variety of organizations. But compliance is more of a result than a goal. The goal is achieving resilience. Cybersecurity and data protection regulations are rapidly evolving far beyond traditional compliance checklists. Global frameworks and regulations such as NIS 2, DORA, GDPR, HIPAA, SOX and NIST 2.0 are placing greater emphasis on operational resilience.

The gap between your last backup and a failure defines exactly how much data disappears. That gap is your recovery point objective (RPO), and teams running production workloads on OpenShift and KubeVirt find that most traditional DR tools simply don’t understand the environment well enough to close it. Near-zero RPO requires synchronous replication at the block level. Data must hit both your primary and DR site simultaneously.

AI models that generate code are also the best at exploiting it. Here’s why independent verification, not the model itself, is the only trustworthy answer. This month, the US government ordered Anthropic to suspend access to its most capable models, Mythos 5 and the newly released Fable 5, for all foreign nationals, citing national security. The trigger was a single reported jailbreak that let one of those models slip past its own guardrails on cybersecurity tasks.

Most organizations responded to shadow AI the way they responded to shadow IT a decade ago: awareness campaigns, acceptable use policies, and training programs. The assumption was that if employees understood the risk, they would stop using unsanctioned tools. That approach did not work for shadow IT, and it won't work for shadow AI. The key difference is governance architecture.