Chris DeRusha, the federal chief information security officer, said the Office of Management and Budget plans to release new guidance intended to help agencies pursue secure software development.

The guidance, scheduled for release within the next eight to 12 weeks, will build on a Secure Software Development Framework and the Software Supply Chain Security Guidance, which the National Institute of Standards and Technology issued last month, Federal News Network reported Thursday.

DeRusha said Wednesday at a NIST-hosted workshop that adopting the framework would foster a culture change in agencies and some vendor organizations.

“This is about incenting the vendor communities that are serving and selling to the U.S. government to start adopting this framework and specifically secure development practices,” stated DeRusha, who is also a 2021 Wash100 Award.

Sen. Rob Portman, R-Ohio, the ranking member of the Senate Homeland Security and Governmental Affairs Committee, has released a report that documents the experiences of three U.S. companies targeted by the ransomware group, REvil, and recommends cybersecurity measures agencies and organizations should take to counter ransomware attacks.

“This report shows that all organizations, no matter the size or financial resources, can fall victim to sophisticated cyber adversaries,” Portman said in a statement published Thursday.

According to the report, ransomware groups gain access to networks of victims through phishing attacks. REvil stole sensitive data and post that data on its public blog using double extortion schemes before encrypting the victim’s networks.

The document recommends that the Cybersecurity and Infrastructure Security Agency (CISA) share incident reports received through the Cyber Incident Reporting for Critical Infrastructure Act and strengthen partnership with the FBI to help ransomware victims.

The bureau should maintain constructive working relationship with private organizations by considering ransomware victim priorities such as data protection and damage mitigation efforts.

Other recommendations are adopting zero trust approach, implementing multifactor authentication and patching vulnerabilities, developing incident response plans, maintaining offline backups and encrypting sensitive information.

“The Biden administration should work quickly to implement my recently enacted bipartisan Cyber Incident Reporting Act. This law will help prevent future cyberattacks by facilitating increased information sharing and enhance the federal government’s cyber defense and investigative capabilities,” noted Portman.

The Securities and Exchange Commission (SEC) is soliciting comments on proposed rules to improve and standardize disclosures by public companies regarding cybersecurity risk management, incident reporting, strategy and governance.

The proposal would require periodic reporting of a registrant’s procedures and policies to facilitate cyber risk management and disclosures of expertise and cyber risk oversight of the board of directors, according to a Federal Register notice published Wednesday.

SEC would require the presentation of cybersecurity disclosures using Inline eXtensible Business Reporting Language or Inline XBRL. The proposed rules are part of the agency’s efforts to inform investors about the risk management, governance and strategy of a registrant.

SEC, which first announced the proposed rules in early March, will accept comments through May 9th.