Last week, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers that was jointly developed by the Federal Bureau of Investigation and the National Security Agency, as well as cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand. While similar principles have been published in the past, such as those released by the U.S. Federal Trade Commission, this guidance builds on the White House’s recent roll-out of the U.S. National Cybersecurity Strategy and is in line with efforts to encourage a consistent, international approach to software security that emphasizes the responsibilities of software manufacturers across various jurisdictions. While the guidance primarily focuses on recommendations for technology manufacturers, it also includes recommendations for enterprise customers to “hold their supplying technology manufacturers accountable for the security outcomes of their products.” CISA and the authoring agencies are seeking feedback on the guidance, and indicated plans to hold future listening sessions to collect feedback.
FERC Approves New Cybersecurity Requirements for Low Impact Bulk Electric Systems
On March 16, 2023, the Federal Energy Regulatory Commission (“FERC”) approved a new Reliability Standard “adding new requirements focused on supply chain risk management for low impact bulk electric system (“BES”) Cyber Systems.”
Continue Reading FERC Approves New Cybersecurity Requirements for Low Impact Bulk Electric Systems
CISA Releases Revised Cybersecurity Performance Goals for Critical Infrastructure
On March 21, 2023, the United States Cybersecurity and Infrastructure Security Agency (“CISA”) announced the issuance of updated Cybersecurity Performance Goals (“CPGs”). The CPGs, which were originally released in October 2022, are intended to establish a set of fundamental cybersecurity practices to be voluntarily implemented by critical infrastructure owners and operators across all critical infrastructure sectors. The CPGs apply to both information technology (“IT”) and operational technology (“OT”) and are designed to reduce risk related to known, high-impact cyber threats and adversarial tactics, techniques, and procedures (“TTPs”).
Continue Reading CISA Releases Revised Cybersecurity Performance Goals for Critical Infrastructure
HHS Releases Guidance to Help Healthcare Organizations Align with the NIST Cybersecurity Framework
On March 8, 2023, the United States Department of Health and Human Services (“HHS”), through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Counsel Joint Cybersecurity Working Group, released an updated version of its Cybersecurity Framework Implementation Guide (the “Guide”) “to help the public and private health care sectors prevent cybersecurity incidents.” Specifically, the Guide aims to help healthcare organizations leverage the NIST Cybersecurity Framework to “determine their cybersecurity goals, assess their current cybersecurity practices, or lack thereof, and help identify gaps for remediation.”
EPA Requires States to Address the Cybersecurity of Public Water Systems
On March 3, 2023, the United States Environmental Protection Agency (“EPA”) published a memorandum requiring states to evaluate the cybersecurity of operational technology used by public water systems (“PWSs”) “when conducting PWS sanitary surveys or through other state programs.” EPA’s memorandum “interprets the regulatory requirements relating to the conduct of sanitary surveys to require that
TSA Issues New Cybersecurity Requirements for Airport and Aircraft Operators
On March 7, 2023, the United States Transportation Security Administration (“TSA”) announced the issuance of new cybersecurity requirements for airport and aircraft operators on an emergency basis. “The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.”
Continue Reading TSA Issues New Cybersecurity Requirements for Airport and Aircraft Operators
White House Releases National Cybersecurity Strategy
The United States National Cybersecurity Strategy, released on March 2, 2023, is poised to place significant responsibility for cybersecurity on technology companies, federal contractors, and critical infrastructure owners and operators. The Strategy articulates a series of objectives and recommended executive and legislative actions that, if implemented, would increase the cybersecurity responsibilities and requirements of these types of entities. The overall goal of the Strategy is to create a “defensible, resilient digital ecosystem” where the costs of an attack are more than the cost of defending those systems and where “neither incidents nor errors cascade into catastrophic, systemic consequences.” The Strategy outlines two fundamental shifts to how the federal government will attempt to allocate roles, responsibilities, and resources in cyberspace.
Continue Reading White House Releases National Cybersecurity Strategy
FTC Publishes Blog Post on Data Security Practices for Complex Systems
In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders. Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.” These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules. The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”
Continue Reading FTC Publishes Blog Post on Data Security Practices for Complex Systems
FERC Orders Development of New Internal Network Security Monitoring Standards
The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments. This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).
Continue Reading FERC Orders Development of New Internal Network Security Monitoring Standards
NIST Requests Comments on Potential Significant Updates to the Cybersecurity Framework
On January 19, 2023, the National Institute of Standards and Technology (“NIST”) published a Concept Paper setting out “Potential Significant Updates to the Cybersecurity Framework.” Originally released in 2014, the NIST Cybersecurity Framework (“CSF” or “Framework”) is a framework designed to assist organizations with developing, aligning, and prioritizing “cybersecurity activities with [] business/mission requirements, risk tolerances, and resources.” Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity. The NIST CSF was previously updated in 2018, and NIST now seeks public comment on the latest changes outlined in the Concept Paper.