Inside Cybersecurity

October 23, 2021

Cyber Reg Watch: Analysis

‘Inadvertent’ posting sheds light on CMMC details; industry watches for next moves on Commerce ICT rule

By Charlie Mitchell / May 13, 2020

Details of how the Defense Department’s cyber certification program will actually work were “inadvertently” posted – then deleted – over the weekend, while industry sources are increasingly confident the Commerce Department will offer a second take on its heavily criticized ICT supply chain rule, and software security was in the frame during a busy week of cyber regulatory work.

The independent accreditation body developing standards for auditors and assessors under the Pentagon’s Cybersecurity Maturity Model Certification program on Saturday posted information on how the provisional program will work, including fees and an initial structure for the selection process for third-party assessors.

“The DoD expects to identify some select contracts beginning in the Fall of 2020 which will contain CMMC requirements,” the CMMC Accreditation Body wrote in a post on its website, since deleted. “These contracts will allow the DoD and the CMMC-AB to learn lessons as we develop assessor training, and build our assessment ecosystem.”

But the CMMC AB said the information was published “inadvertently” on its website, and that development of the program’s requirements and application details is still in process. The information posted “should not be used to infer or draw any conclusions” about the “potential provisional program,” an official said.

Such details might be included in the Memorandum of Understanding signed in late March by Defense Department officials and the CMMC AB board of directors, but that document has not been publicly released.

On another front, expectations are growing that the Commerce Department will narrow a proposed rule on information and communications technology supply chain security. Commerce isn’t commenting just yet, but an industry attorney said, “There’s been a lot of signaling to different industry groups – they [Commerce] got sufficient pushback, I think they feel they need to have one more whack at this” before going final with the rulemaking.

The ICT Notice of Proposed Rulemaking was issued last November under an executive order and the comment period closed on Jan. 10, generating extensive industry criticism and calls to revise and re-issue the proposal.

The proposed regulation is designed to shore up ICT security by creating a process for identifying risky ICT suppliers and either mitigating the threat or banning the supplier from the U.S. supply chain. It is intended to go beyond bans on the products of a specific company, such as ongoing efforts targeting Chinese firms Huawei and ZTE.

President Trump today announced a one-year extension of the national emergency declared last year in the executive order that kicked off the Commerce rulemaking. Regardless of the state of the rule, the administration has authority under the EO and the emergency declaration to block specific transactions. Industry sources said officials have underscored that point in discussions.

Software

On software and supply chain issues, a new advocacy group led by former Commerce Department official Diane Rinaldo is trying to bring together telecom and software providers and vendors around a “consensus” message to regulators and lawmakers on the adoption of open and interoperable solutions in the Radio Access Network space.

And Cyberspace Solarium Commission staff discussed the roles of a “national certification labeling authority” and a Bureau of Cyber Statistics in a “mix of regulations and incentives” designed to improve software cybersecurity.

More news, more reg implications

The Cybersecurity and Infrastructure Security Agency and the FBI today issued a public service announcement about Chinese efforts “targeting COVID-19 research organizations.”

“The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC affiliated cyber actors and non-traditional collectors. These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” according to the alert. “The FBI and CISA urge all organizations conducting research in these areas to maintain dedicated cybersecurity and insider threat practices to prevent surreptitious review or theft of COVID-19-related material.”

Senate Homeland Security ranking member Gary Peters (D-MI) in a letter urged Trump to consider sanctions against China, improve information sharing with hospitals and medical research organizations, and direct the Department of Health and Human Services “to improve its cybersecurity posture.”

Relatedly, Senate Republicans led by Commerce Chairman Roger Wicker (R-MS) last week introduced legislation to give consumers control over how their personal health, device, geolocation, and proximity data can be collected. The COVID-19 Consumer Data Protection Act sets up a regulatory regime under the Federal Trade Commission under which companies will need to get “affirmative express consent” from individuals in order to collect their data for tracking the spread of COVID-19. – Charlie Mitchell (cmitchell@iwpnews.com)