Inside Cybersecurity

May 19, 2024

CISA highlights JCDC work on pipeline cybersecurity with industry partners

The Cybersecurity and Infrastructure Security Agency provides details in a blog post on how public-private partnership to improve the cybersecurity of oil and natural gas pipelines has blossomed through the Joint Cyber Defense Collaborative, resulting in increased collaboration among industry stakeholders and the federal government.

“Recognizing the criticality of the oil and natural gas (ONG) subsector to our shared security and prosperity, over 25 ONG organizations—with an emphasis on high-throughput midstream natural gas pipeline owner-operators—and their industrial control systems (ICS)...

Defense ISAC releases ‘shopping guide’ to assist small businesses with selecting assessor for CMMC certification

The National Defense Information Sharing and Analysis Center has published a “shopping guide” to help small and medium-sized businesses pick an assessor who meets their needs to reach compliance with the Pentagon’s Cybersecurity Maturity Model Certification program.

The guide is designed to “address the challenges presented to an SMB when vetting an assessor for Cybersecurity Maturity Model Certification (CMMC),” and was developed by SMBs across the defense industrial base, with feedback from CMMC third-party assessment organizations.

“It is important...

FCC kicks off comment period on ‘further notice’ for cyber labeling program to address national security

The Federal Communications Commission is accepting initial comments through April 24 on a further notice of proposed rulemaking that addresses national security concerns from the newly established Internet of Things cyber labeling program, according to a Federal Register notice.

The formal publication of the FNPRM on Monday sets up a 30-day public comment period and an additional 30-day window closing on May 24 for reply comments. The FCC approved a report and order to establish the cyber labeling program...

Lawmakers raise questions over Change Healthcare attack in letters to CISA and HHS, United Health Group

Senate Homeland Security Chairman Gary Peters (D-MI) is asking CISA Director Jen Easterly and Health and Human Services Secretary Xavier Becerra to provide information on their efforts to address a February cyber attack on Change Healthcare and how the two agencies are engaging more broadly with the health sector on resiliency.

Peters calls HHS a “critical resource and regulator for the victims of this attack and the healthcare ecosystem at large” as the sector risk management agency for the healthcare...

CISA, FBI issue secure by design alert on software vulnerability in response to MOVEit exploit

The Cybersecurity and Infrastructure Security Agency has released a joint alert on software security with the FBI, detailing how manufacturers can prevent a “persistent” defect that was exploited in a 2023 attack campaign on the MOVEit file transfer service.

“SQL injection—or SQLi—vulnerabilities remain a persistent class of defect in commercial software products. Despite widespread knowledge and documentation of SQLi vulnerabilities over the past two decades, along with the availability of effective mitigations, software manufacturers have continued to develop products with...

Cybersecurity Coalition highlights steps for EU to promote cybersecurity, network resilience

The Cybersecurity Coalition proposes a path forward in a five-year policy roadmap for the European Union to enhance cybersecurity and resilience alongside international partners.

“The passage of the Cyber Resilience Act (CRA) and the AI Act, as well as the upcoming elections, offer the EU an opportunity to establish a new vision for collective digital resilience,” the Cybersecurity Coalition says in the roadmap released as part of the March 21 inaugural CyberNext Brussels conference.

The roadmap says, “As...

Easterly responds to September recommendations from CISA advisory committee

A recent memorandum from CISA Director Jen Easterly reviews September recommendations from the agency’s Cybersecurity Advisory Committee and provides an update on progress when it comes to implementation.

“CISA values the hard work of the CSAC that led to a set of actionable recommendations to improve on CISA’s execution of its cybersecurity mission. The expert advice and key insights that the CSAC offers enhance the work of CISA and keep us well-positioned to help address threats in a rapidly changing...

CISA releases user guide to assist with uploading secure software self-attestation letters in online repository

The Cybersecurity and Infrastructure Security Agency is providing guidance to users on how they can create an account and upload information on their compliance with secure software development practices in an online repository that will include self-attestation letters and corresponding artifacts.

CISA and the Office of Management and Budget released the final common form on March 11 for software producers to self-attest their compliance with practices derived from the NIST Secure Software Development Framework. The user guide is...

Sen. Warner introduces legislation to encourage minimum cyber standards in health sector following Change Healthcare attack

Senate Intelligence Chairman Mark Warner (D-VA) has introduced legislation to encourage healthcare providers to invest in minimum cybersecurity standards in exchange for support on Medicare payments in the event of a cyber incident.

The “Health Care Cybersecurity Improvement Act” is in response to the Change Healthcare cyber attack in February, which has impacted payments to physician practices and resulted in the Department of Health and Human Services allowing flexibilities to help state Medicaid agencies to provide support and access...

Moody’s finds cyber incident increase drives financial sector investments in boosting resilience

Banks around the world are consistently increasing their investments in cybersecurity defenses fueled largely by a rising number of cyber attacks on the financial sector, according to a recent report from Moody’s Ratings.

“Financial institutions are prime targets, as key institutions that safeguard client wealth, facilitate transactions through payment networks and manage vast amounts of personal information. Consequently, they are at the forefront of enhancing cyber strategies and investing in defenses, processes and talent,” Moody’s says in a March...

CISA advisory committee considers how to mature Joint Cyber Defense Collaborative efforts

The CISA Cybersecurity Advisory Committee will investigate ways to mature the agency’s Joint Cyber Defense Collaborative as one of the workstreams under its 2024 efforts to provide guidance on top priorities for CISA Director Jen Easterly.

Easterly emphasized at the CSAC meeting on Thursday how the JCDC is a new model that needs to be “institutionalized.” The JCDC was launched in August 2021 at Def Con and has expanded over the years to take on new challenges.

“We realized...

OMB explores addressing MFA needs for applications, operational technology in federal agencies

The Office of Management and Budget is exploring phishing-resistant multifactor authentication solutions to improve identity management in use cases for applications, operational technology and Internet of Things devices at federal agencies, according to OMB’s Nick Polk.

Traditional MFA “is not really a defensible architecture, in the sense that is relatively easier to bypass,” so OMB has “moved toward phishing-resistant multifactor authentication as a baseline for agencies,” Polk said at a Thursday meeting of the Information Security and Privacy Advisory...

NIST works to update testing tools used for validating security of encryption solutions prior to implementation

The National Institute of Standards and Technology is working on an update for tools used to validate cryptographic modules for federal agencies that are offered by third-party suppliers, according to computer security division chief Matthew Scholl.

“The test programs that are designed for current algorithms, they need to be updated to test new algorithms,” such as quantum-resistant algorithms that federal agencies are required to implement on their systems by 2035, Scholl told Inside Cybersecurity on the sidelines of a...

CISA, partners update distributed denial-of-service attacks guidance to address techniques

CISA, the FBI and the Multi-State Information Sharing and Analysis Center have updated guidance on how to understand and respond to distributed denial-of-service attacks with information on different types of techniques.

“This guide provides an overview of the denial-of-service (DoS) and DDoS landscapes, including attack types, motivations, and potential impacts on government operations, as well as practical steps on implementing preventative measures, and incident response for each of the defined DDoS and DoS technique types,” the updated guidance says.

The...

House-Senate budget agreement features $73.9 million for CISA incident reporting regime

The Cybersecurity and Infrastructure Security Agency will receive $73.9 million to support its work on implementing mandatory incident reporting regulations, under an agreement from House and Senate appropriators on fiscal 2024 spending for the Department of Homeland Security.

The incident reporting funding is $23.8 million below CISA’s request for fiscal 2024. Overall, the House-Senate agreement has a net decrease of $83.5 million below CISA’s fiscal 2024 budget request.

The House-Senate agreement is a six-bill package that provides full funding...

House Energy and Commerce advances bills to create 6G task force, address national security risks

The House Energy and Commerce Committee unanimously approved four bills on Wednesday that would establish a 6G task force at the Federal Communications Commission and address national security risks from the People’s Republic of China, Iran, North Korea and Russia.

“We will begin by considering legislation that will protect our communications infrastructure from threats posed by the Chinese Communist Party and other foreign adversaries,” Chair Cathy McMorris Rodgers (R-WA) said in her opening remarks at the Wednesday markup session....

CISA seeks feedback on final common form for secure software self-attestation following launch of repository

CISA and the Office of Management and Budget are taking a “crawl, walk, run” approach to rolling out the final version of the secure software self-attestation common form, according to CISA supply chain leader Shon Lyublanovits, and want to get feedback on how it is being used.

CISA has received a “lot of additional feedback that it may not be everything that folks wanted in there” following the release of the form, Lyublanovits said Wednesday at a NIST advisory...

Water sector leader identifies issues with CISA efforts to provide targeted resources, guidance

Kevin Morley of the American Water Works Association is arguing for more targeted engagement from the Cybersecurity and Infrastructure Security Agency that meets the specific needs of the water sector and its role in the critical infrastructure ecosystem.

CISA’s efforts to promote positive cyber outcomes are “not always a two-way street” with “shared responsibility,” Morley told Inside Cybersecurity.

CISA is undertaking several efforts to address the needs of the water sector in partnership with the Environmental Protection Agency, including ...

DHS, European Commission release report comparing upcoming incident reporting requirements

The Department of Homeland Security and European Commission have released a report comparing incident reporting requirements proposed by the U.S. Cyber Incident Reporting Council and rules established under the European Union NIS 2 Directive.

The report is part of an initiative announced Wednesday by DHS and the European Commission’s Directorate General for Communications, Networks, Content, and Technology (DG CONNECT) on cyber incident reporting.

“Cyber incidents do not recognize borders and multinational companies are often required to report incidents across...

NIST engages with small business community to highlight changes in cybersecurity framework update

The National Institute of Standards and Technology walked small business stakeholders through a quick start guide during a Wednesday webinar aimed at introducing under-resourced entities to the NIST cybersecurity framework update, known as “CSF 2.0,” and previewed upcoming small business events.

The small business quick start guide “provides small and medium-sized businesses, specifically those who have modest or no cybersecurity plans in place, considerations to kickstart their cybersecurity risk management strategy using the NIST cybersecurity framework 2.0,” NIST small...
