Last week, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers that was jointly developed by the Federal Bureau of Investigation and the National Security Agency, as well as cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand. While similar principles have been published in the past, such as those released by the U.S. Federal Trade Commission, this guidance builds on the White House’s recent roll-out of the U.S. National Cybersecurity Strategy and is in line with efforts to encourage a consistent, international approach to software security that emphasizes the responsibilities of software manufacturers across various jurisdictions. While the guidance primarily focuses on recommendations for technology manufacturers, it also includes recommendations for enterprise customers to “hold their supplying technology manufacturers accountable for the security outcomes of their products.” CISA and the authoring agencies are seeking feedback on the guidance, and indicated plans to hold future listening sessions to collect feedback.
On March 21, 2023, the United States Cybersecurity and Infrastructure Security Agency (“CISA”) announced the issuance of updated Cybersecurity Performance Goals (“CPGs”). The CPGs, which were originally released in October 2022, are intended to establish a set of fundamental cybersecurity practices to be voluntarily implemented by critical infrastructure owners and operators across all critical infrastructure sectors. The CPGs apply to both information technology (“IT”) and operational technology (“OT”) and are designed to reduce risk related to known, high-impact cyber threats and adversarial tactics, techniques, and procedures (“TTPs”).…
On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.…
On April 7, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of its Sharing Cyber Event Information Fact Sheet (“Fact Sheet”) intended to provide clear guidance to critical infrastructure owners and operators and government partners on voluntary information sharing about “unusual cyber incidents or activity.” In its announcement, CISA explained that it will use the information provided to fill “critical information gaps,” deploy resources, analyze trends, issue warnings, and “build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.”
CISA’s announcement of the Fact Sheet encourages entities to visit its Shields Up website for more information; the Shields Up website was recently updated with guidance in response to the heightened risk of Russian cyber attacks. The Shields Up website recommends that “all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” and provides detailed guidance that entities can use to protect themselves.
Continue Reading CISA Issues Voluntary Information Sharing Guidance for Critical Infrastructure Owners and Operators and Provides Resources for All
On January 4, 2022, the Federal Trade Commission published a warning to companies and their vendors to take reasonable steps to remediate the Log4j vulnerability (CVE-2021-44228). The FTC provided a list of recommended remedial actions for companies using the Log4j software. The FTC’s warning references obligations under the FTC Act and Gramm Leach Bliley Act (“GLBA”) to take reasonable action to remediate vulnerabilities, and hints at potential inquiries and enforcement actions against companies and vendors that fail to do so. As the FTC notes in its warning, the “FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.” …
Continue Reading FTC Warns Companies to Remediate the Log4j Vulnerability and Hints at Potential Enforcement Actions
On September 30, 2020, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Multi-State Information Sharing and Analysis Center (“MS-ISAC”) released a joint guide synthesizing best practices to prevent and respond to ransomware. This guide was published the day before OFAC and FinCEN released their coordinated guidance on ransomware attacks that we previously summarized here.
Ransomware is malware that encrypts data on a victim’s device, thus rendering the data inaccessible, until a ransom is paid in exchange for decryption. Both the nature and scope of ransomware incidents have become “more destructive and impactful” in recent years. In particular, tactics of malicious actors include threatening to release stolen data or publicly naming victims as part of the extortion. Accordingly, the guide encourages organizations to take proactive efforts to manage risks posed by ransomware and recommends a coordinated response to mitigate its impact.
Continue Reading CISA and MS-ISAC Release Joint Guide on Ransomware
In response to the drastic increase of U.S. employees working remotely, the U.S. Federal Trade Commission (“FTC”) and the U.S. National Institute of Standards and Technology (“NIST”) have both issued guidance for employers and employees on best practices for teleworking securely. In addition, the Cybersecurity and Infrastructure Security Agency (“CISA”) has provided advice on identifying essential workers, including IT and cybersecurity personnel, in critical infrastructure sectors that should maintain normal work schedules if possible. Each set of guidance is discussed in further detail below.
Continue Reading COVID-19 Cybersecurity Advice: FTC, NIST, and CISA Release Guidance on Secure Teleworking and Critical Infrastructure Jobs
Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses. The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices. While not binding requirements, the recommendations may inform what CISA and U.S. regulators view as “reasonable” cybersecurity practices.
Continue Reading CISA Releases Cyber Readiness Recommendations for Small Business
Yesterday, the Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December. The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents. We summarize each of the guidance documents below.
The first document (“sharing guidance”) provides guidance for non-federal entities (including state governments) that elect to share cybersecurity information with the federal government under CISA. It summarizes the sharing authorized by CISA as follows: “Effectively, the only information that can be shared under the Act is information that is directly related to and necessary to identify or describe a cybersecurity threat.” But it also notes that “otherwise conflicting laws, including privacy laws, do not restrict sharing or any other action undertaken pursuant to CISA,” consistent with the language of Section 104(c) of CISA, which permits such sharing “notwithstanding any other provision of law.” …
Continue Reading Federal Government Releases Final Guidance on CISA