The Biden Administration is signaling several moves to strengthen cybersecurity defenses across a variety of sectors this winter. Here’s what you need to know.
As cyberattacks become increasingly common in today’s global environment, government agencies are looking at applying minimum cybersecurity guidelines across several new sectors as the year comes to a close. The following are some of the most critical updates to come, when they may go into effect, and what you can do now in preparation.
New Requirement for Asset Visibility and Vulnerability Detection on Federal Networks
In October of 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced Binding Operational Directive 23-01 – Improving Asset Visibility and Vulnerability Detection on Federal Networks.
This new directive is set to go into effect on April 3, 2023, and requires organizations in the Federal Civilian Executive Branch (FCEB) to perform regularly automated asset recoveries and vulnerability enumeration. The definitions and cadences of these actions are as follows:
Asset Discovery – An activity through which an organization identifies what addressable IP assets reside on their networks and the associated IP addresses (hosts). Under these new requirements, organizations are to perform automated Asset Discovery every 7 days.
Vulnerability Enumeration – An action that identifies and reports suspected vulnerabilities on the assets identified in asset discovery. Vulnerability Enumeration detects host attributes (e.g., operating systems, applications, open ports, etc.), and identifies outdated software versions, missing updates, and misconfigurations. Under these new requirements, organizations are to perform automated Vulnerability Enumeration every 14 days.
These new requirements apply to any FCEB unclassified federal information system, including any federal information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information. There are certain exceptions and stipulations regarding the frequency of these actions. Connection with a certified federal CPA such as A-LIGN can help to ensure your organization remains in compliance with these updates.
New attention on TSA, HHS, EPA, FCC and their industry partners
Anne Neuberger, the President’s Deputy National Security Adviser for Cyber and Emerging Technology, recently discussed new implementations, explaining that many will expand beyond the original “critical infrastructure” target list and include healthcare, radio and broadcast, water utilities, and biotech.
Some specific upcoming targets include:
- Transportation Security Administration (TSA): Critical Railroads and Pipelines
- Department of Health and Human Services (HHS): Hospitals and Medical device manufacturers
- Environmental Protection Agency (EPA): Water Utilities
- Federal Communications Commission (FCC): Radio and Television Broadcasters
According to Neuberger, some of the key new implications include a notice of proposed rulemaking for emergency and public warning systems from the FCC, new guidelines for hospitals from HHS, and ways to regulate water systems’ cybersecurity from the EPA. Some of these industries, where federal agencies have clear jurisdiction could see interim rules as soon as the end of this year. Others may see longer time horizons as new legislation may be required.
Companies should keep in close communication with their agency sponsors and government affiliates as these new measures develop. For companies who wish to participate in the process, comment periods will likely precede final implementation.
Quantum computing expected to grow, compliance frameworks to follow
Advances in quantum computing technology continue to be of interest to the Biden Administration, as many fear that modern quantum computing will soon render current encryption measures obsolete. This summer, the National Institute of Standards and Technology (NIST) announced new encryption algorithms that the organization sees as the first steps in a post-quantum cryptographic standard. NIST expects these new algorithms to be finalized in the next two years.
The Administration is also doubling down on its own quantum computing investments in both research and development, and workforce training to ensure that the United States continues to lead from the front as the technology develops. In the coming years, the government will likely implement new controls to existing cybersecurity frameworks to capture post-quantum technology. A-LIGN’s experience with NIST security frameworks enables us with the ability to provide trusted guidance in preparation for these new quantum compliance requirements as they develop.
Discussions begin on consumer product labeling to reflect cybersecurity standards
This month, November 2022, the White House is bringing together companies and government stakeholders to explore new standardized labeling for consumer products that meet the highest standards of government-sponsored cybersecurity measures.
These new labels are meant to help American consumers better understand which products are most secure as they bring them into their homes. The Administration is targeting routers and home cameras for the first round of labels. These labels present a potential competitive advantage to companies that invest in the highest cybersecurity standards.
DCMA places renewed emphasis on NIST 800-171 compliance as audits continue
Earlier this summer, the Defense Contract Management Agency (DCMA) announced plans to spot check NIST SP 800-171 compliance using the Defense Industrial Base Cyber Assessment Center (DIBCAC) amid concerns that self-attested Plan of Action and Milestones (POAMs) are not being completed.
Possible ramifications of being found out of compliance include having a government contractor’s past performance reflect a breach of contract. To assure compliance, companies have the option to work with a 3PAO for a NIST 800-171 gap assessment or overall certification. If you are interested in learning more about NIST 800-171 services, please contact Matt Bruggeman at [email protected]
Get Ahead of Upcoming Compliance Updates With A-LIGN
A-LIGN has extensive experience with Federal compliance regulations and certifications including NIST 800-171, FISMA, FedRAMP, StateRAMP, and CMMC. If you have any questions regarding any of the updates discussed in this blog or would like information regarding anything else compliance-related, contact us via the form below.