Inside Cybersecurity

May 19, 2024

CISA publishes data model requirements for continuous diagnostics and mitigation program

The Cybersecurity and Infrastructure Security Agency has updated its data requirements model for federal agencies under the continuous diagnostics and mitigation program to establish consistency under a common schema for submitted information.

"The Cybersecurity and Infrastructure Security Agency (CISA) Continuous Diagnostics and Mitigation (CDM) Program operates on the premise of a common architecture that relies on capabilities provided by commercial off-the-shelf tools and sensors," CISA says in version 4.1.1 of the CDM model document.

CISA says, "The CDM Program has...

Cantwell-Rodgers privacy bill would eliminate controversial FTC rulemaking on ‘commercial surveillance’

A new “comprehensive” data privacy bill from Senate Commerce Chair Maria Cantwell (D-WA) and House Energy and Commerce Chair Cathy McMorris Rodgers (R-WA) would terminate a Federal Trade Commission rulemaking on commercial surveillance and data privacy that generated significant criticism from the private sector in 2022.

Cantwell and Rodgers unveiled a bipartisan privacy bill on April 7 to establish consumer privacy rights and require data minimization. The bill would enforce private sector adherence to data security standards and establish...

Cyber safety board report directs CISA to verify cloud security best practices for service providers

The Cyber Safety Review Board’s investigation into the Microsoft Exchange intrusion offers several best practices for cloud service providers and will result in the Cybersecurity and Infrastructure Security Agency embarking on an effort to verify their compliance annually under a recommendation from the group’s latest report.

“In the course of its review, the Board spoke with a range of large CSPs to assess the state of their security practices, and -- as is also its mandate -- the Board today...

Financial Services ISAC predicts 2024 increase in geopolitically motivated cyber attacks

The Financial Services Information Sharing and Analysis Center is warning cyber defenders to be prepared for an increase in geopolitically motivated attacks on banks and financial institutions, in a recent report on 2023 cyber trends and predictions for 2024.

“Geopolitical events provide ideologically motivated hacktivists opportunities for disruption, as has been evident since the outbreak of the Russia/Ukraine and the Israel/Hamas wars,” FS-ISAC says in the March report.

“FS-ISAC expects hacktivism to increase in 2024 in response to those...

Coast Guard extends comment period for proposed rulemaking to address maritime cyber threats

The U.S. Coast Guard has extended the comment period to May 22 for its notice of proposed rulemaking to establish cyber requirements for the maritime sector.

“The Coast Guard proposes to update its maritime security regulations by adding regulations specifically focused on establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations,” the agency says in the NPRM published on Feb. 22 with a 60-day...

Cyber policy leaders weigh in on impact of CISA notice of proposed rulemaking for incident reporting

Notable attorneys and policy leaders at Venable and Wiley Rein are weighing in on key aspects of CISA’s notice of proposed rulemaking, including the scoping of covered entities and the threshold for reporting incidents to the cyber agency.

“While the requirements of this rule will not go into effect until after the final implementing rules are established, expected in late 2025, being informed and prepared is an important first step,” according to a Venable post written by Harley Geiger,...

NIST asks for feedback on online mapping of CSF 2.0 and security, privacy controls catalog

The National Institute of Standards and Technology has published a crosswalk for public comment mapping the cybersecurity framework update, known as “CSF 2.0,” to the agency’s massive catalog of security and privacy controls found in Special Publication 800-53.

The crosswalk is part of NIST’s National Online Informative References (OLIR) Program, which allows subject matter experts to map “relationships between elements of documents across cybersecurity, privacy, and other information and communications technology domains,” according to NIST. The draft crosswalk was...

IT info-sharing group launches effort to boost cyber posture of data centers

The IT Information Sharing and Analysis Center has launched a special interest group focused on protecting international data centers from cyber threats.

“The digital infrastructure hosted in data centers is integral for everything online, whether it's shopping, email, social media, smart home appliances, schools, hospitals or government networks,” IT-ISAC executive director Scott Algeier said in an April 2 release.

Algeier said, “By establishing this SIG, the industry is taking proactive action to address the evolving security challenges facing data...

CISA works to engage industry stakeholders on demonstrating demand for secure software products

The Cybersecurity and Infrastructure Security Agency is prioritizing establishing a customer-led demand signal for secure software as part of its secure by design work, according to cyber leader Eric Goldstein.

CISA aims to “generate customer-first demand” and “drive the market in a way that yields more secure outcomes for every customer,” Goldstein told Inside Cybersecurity Thursday on the sidelines of the International Association of Privacy Professionals Global Privacy Summit.

Goldstein said, “We are taking every possible road to both...

Industry coalition asks CISA for extension to respond to incident reporting rulemaking

A broad coalition of industry groups is asking the Cybersecurity and Infrastructure Security Agency to provide a 30-day comment extension for a major rulemaking to implement an incident reporting regime for critical infrastructure owners and operators.

CISA published a notice of proposed rulemaking on Thursday in the Federal Register to establish requirements for reporting cyber incidents and ransom payments to the agency, as required under the 2022 Cyber Incident Reporting for Critical Infrastructure Act. The NPRM has a 60-day...

FCC addresses cybersecurity in net neutrality rulemaking to be considered at April open meeting

The Federal Communications Commission spells out how its net neutrality rulemaking set to be finalized on April 25 will enable future regulation over cybersecurity for broadband providers, in a draft of Chairwoman Jessica Rosenworcel’s 435-page proposal made available for circulation.

“High-speed Internet connections are indispensable to every aspect of our daily lives, from work, education, and healthcare, to commerce, community, communication, and free expression. Since the Commission’s abdication of authority over broadband in 2017, there has been no federal oversight...

Commerce Dept. addresses challenges with certifying companies under U.S.-EU data privacy regime

Small and medium-sized businesses are facing increased compliance costs to participate in the self-certification process set by the Commerce Department for transatlantic data flows based on a U.S.-EU Data Privacy Framework, according to stakeholders involved in standing up framework enforcement mechanisms.

There are “complicated rules around data transfers” in the framework that make it difficult when SMBs are deciding where to make investments, according to Commerce framework leader Alex Greenstein.

Greenstein said many SMBs “don’t have the wherewithal to take...

Moody’s finds lack of progress in private, public sector management of third-party risks

Companies and government agencies in North America are failing to improve third-party cyber risk management practices, according to a new report from Moody’s Ratings, despite general trends reflecting adoption of best practices and growth of security budgets.

“[B]ucking the trend of improving cyber defenses is a lack of meaningful progress in assessing risks posed by third-party vendors. This is despite a number of high-profile attacks,” Moody’s says in a Thursday report.

The report says, “Apart from Financial Services and...

CISA kicks off public comment period for incident reporting notice of proposed rulemaking

The Cybersecurity and Infrastructure Security Agency is now accepting comments on its notice of proposed rulemaking to implement mandatory cyber incident reporting requirements for critical infrastructure entities, according to a Federal Register notice published today.

CISA posted the NPRM on March 27 under public inspection. Publication in the Federal Register starts a 60-day public comment period, which closes on June 3.

The 2022 Cyber Incident Reporting for Critical Infrastructure Act directed CISA to establish a mandatory incident reporting regime...

NIST releases incident reporting profile for comment aligned with cybersecurity framework update

The National Institute of Standards and Technology proposes a model for incident response mapped to the cybersecurity framework update, known as “CSF 2.0,” in a draft publication to revise the agency’s decade-old guidelines for handling computer security incidents.

“Incident response is a critical part of cybersecurity risk management and should be integrated across organizational operations. The six Functions of the NIST Cybersecurity Framework (CSF) 2.0 all play vital roles in incident response,” NIST says in a Wednesday announcement.

NIST says...

NIST seeks feedback on draft handbook for secure Internet of Things product development

The National Institute of Standards and Technology has released a draft handbook for public comment focused on addressing cybersecurity considerations in the Internet of Things product development process.

“Significant risks can be introduced by vulnerable IoT product components even if the IoT device itself is hardened since these additional components will likely have privileged access to the IoT device and related data,” NIST says in a Wednesday announcement on the draft handbook white paper.

The 37-page draft handbook...

FCC lays groundwork to set up international reciprocity for Internet of Things cybersecurity labeling initiative

The Federal Communications Commission is working with international partners to establish a foundation for reciprocity that will enable use of the U.S. Cyber Trust Mark initiative around the world, according to an official leading the commission’s recently established Internet of Things cyber labeling program.

The commission is in the “implementation and planning stage” of standing up its cyber labeling program, FCC’s Renee Roland said at a Wednesday summit. The FCC approved a report and order in March to establish a...

Rosenworcel sets April vote on rulemaking to restore FCC net neutrality rules

The Federal Communications Commission will finalize Chairwoman Jessica Rosenworcel’s rulemaking on April 25 to restore net neutrality rules with a focus on the security of broadband networks and establishing consumer protections.

“The pandemic proved once and for all that broadband is essential. After the prior administration abdicated authority over broadband services, the FCC has been handcuffed from acting to fully secure broadband networks, protect consumer data, and ensure the internet remains fast, open, and fair,” Rosenworcel said today in...

Cyber Safety Review Board releases report on Microsoft Exchange intrusion, offers best practices for cloud security providers

The DHS-led Cyber Safety Review Board has released a report following an investigation into the Microsoft Online Exchange intrusion last year, offering a highly critical review of the company’s “security culture” and recommendations for leadership to address security issues in product development.

“In May and June 2023, a threat actor compromised the Microsoft Exchange Online mailboxes of 22 organizations and over 500 individuals around the world. The actor -- known as Storm-0558 and assessed to be affiliated with the People’s...

CISA establishes cyber hub for ‘high-risk’ communities as part of JCDC work, international dialogue

The Cybersecurity and Infrastructure Security Agency has stood up an online hub as a home base for its work to protect high-risk communities such as civil society organizations, developed through the Joint Cyber Defense Collaborative and alongside international partners.

“The High-Risk Communities planning effort furthers JCDC priorities by bringing together government and the private sector to execute cyber defense plans that achieve specific risk reduction goals and enable more focused collaboration,” CISA said in a Tuesday announcement.

The new ...
