U.S. National Cybersecurity Strategy

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website.  The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022.  CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA.  While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements.  Under CIRCIA, the final rule must be published by September 2025.

The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert.  This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements.  The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register. Continue Reading CISA Issues Notice of Proposed Rulemaking for Critical Infrastructure Cybersecurity Incident Reporting

On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers

On July 13, 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (“NCSIP”).  The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year.  This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually.  Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):

  • Defending critical infrastructure;
  • Disrupting and dismantling threat actors;
  • Shaping market forces to drive security and resilience;
  • Investing in a resilient future; and
  • Forging international partnerships to pursue shared goals.

Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.Continue Reading White House Releases Implementation Plan for the National Cybersecurity Strategy

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers that was jointly developed by the Federal Bureau of Investigation and the National Security Agency, as well as cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand.  While similar principles have been published in the past, such as those released by the U.S. Federal Trade Commission, this guidance builds on the White House’s recent roll-out of the U.S. National Cybersecurity Strategy and is in line with efforts to encourage a consistent, international approach to software security that emphasizes the responsibilities of software manufacturers across various jurisdictions.  While the guidance primarily focuses on recommendations for technology manufacturers, it also includes recommendations for enterprise customers to “hold their supplying technology manufacturers accountable for the security outcomes of their products.”  CISA and the authoring agencies are seeking feedback on the guidance, and indicated plans to hold future listening sessions to collect feedback. Continue Reading CISA Publishes International Guidance on Implementing Security-by-Design and Security-by-Default Principles for Software Manufacturers and Customers

On March 16, 2023, the Federal Energy Regulatory Commission (“FERC”) approved a new Reliability Standard “adding new requirements focused on supply chain risk management for low impact bulk electric system (“BES”) Cyber Systems.”  Continue Reading FERC Approves New Cybersecurity Requirements for Low Impact Bulk Electric Systems

On March 8, 2023, the United States Department of Health and Human Services (“HHS”), through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Counsel Joint Cybersecurity Working Group, released an updated version of its Cybersecurity Framework Implementation Guide (the “Guide”) “to help the public and private health care sectors prevent cybersecurity incidents.”  Specifically, the Guide aims to help healthcare organizations leverage the NIST Cybersecurity Framework to “determine their cybersecurity goals, assess their current cybersecurity practices, or lack thereof, and help identify gaps for remediation.”  Continue Reading HHS Releases Guidance to Help Healthcare Organizations Align with the NIST Cybersecurity Framework

On March 7, 2023, the United States Transportation Security Administration (“TSA”) announced the issuance of new cybersecurity requirements for airport and aircraft operators on an emergency basis.  “The new emergency amendment requires that impacted TSA-regulated entities develop an approved implementation plan that describes measures they are taking to improve their cybersecurity resilience and prevent disruption and degradation to their infrastructure.”Continue Reading TSA Issues New Cybersecurity Requirements for Airport and Aircraft Operators

The United States National Cybersecurity Strategy, released on March 2, 2023, is poised to place significant responsibility for cybersecurity on technology companies, federal contractors, and critical infrastructure owners and operators.  The Strategy articulates a series of objectives and recommended executive and legislative actions that, if implemented, would increase the cybersecurity responsibilities and requirements of these types of entities.  The overall goal of the Strategy is to create a “defensible, resilient digital ecosystem” where the costs of an attack are more than the cost of defending those systems and where “neither incidents nor errors cascade into catastrophic, systemic consequences.”  The Strategy outlines two fundamental shifts to how the federal government will attempt to allocate roles, responsibilities, and resources in cyberspace. Continue Reading White House Releases National Cybersecurity Strategy