Keeping abreast of cybersecurity regulations is essential if you want to understand how security events are changing in the U.S. The increasing frequency of malicious cyberattacks, such as ransomware attacks, has encouraged governments and regulators to take action. However, this has meant a lot of uncertainty amongst companies trying to stay up-to-date with cybersecurity regulations.
Let’s take a look at some of the most important regulatory changes we’ve seen recently.
NIST Implements Pres. Biden’s Cybersecurity Executive Order
On May 12, 2021, President Joe Biden signed the Executive Order on Improving the Nation’s Cybersecurity. This is intended to strengthen the Federal Information System’s security overall. The Executive Order detailed directives for federal agencies to update contracts, taking into account new information sharing requirements and changes to technical standards.
As part of this Executive Order, the National Institute of Standards and Technology (NIST) was one agency that needed to improve the security of the software supply chain. There are multiple objectives, with deadlines, to meet. At the time of writing, the NIST has met the first two objectives: defining “critical software” and publishing guidance on critical software and standards for the testing of software source code.
The NIST needs to provide the next updates by November 8, 2021, so keep an eye out for more guidance from them.
The White House Open Letter Regarding Ransomware
On June 2, 2021, the Deputy National Security Adviser for Cyber and Emerging Technology for Biden, Anne Neuberger, published an open letter to business executives and leaders, urging them to assist the federal government in its fight against ransomware. The letter includes a list of what Neuberger considers to be highly impactful steps, such as system backups and regularly testing incident response plans.
TSA Security Directives
On May 27, 2021, the Transport Security Administration (TSA) published a security directive on improving pipeline security. This directive includes four main actions:
- TSA-specified owners or operators need to appoint a cybersecurity coordinator
- Review existing practices
- Carry out a cybersecurity assessment and then report any weaknesses and plans for remediation
- Report security events and incidents to the Cybersecurity and Infrastructure Security Agency (CISA)
On July 20, 2021, the TSA then put out a second directive. This one requires pipelines to have in place specific measures that will mitigate ransomware attacks.
The Department of Defense’s Commitment to “Basic Cyber Hygiene”
The Department of Defense (DoD) has introduced the Cybersecurity Maturity Model Certification (CMMC). By obtaining this third-party certification, DoD contractors will show that they have cybersecurity practices and processes in place that accord with “basic cyber hygiene”. If organizations do not have the corresponding level of certification, as laid out by each DoD contract, then they won’t be able to compete for the contract.
The Securities and Exchange Commission Gets More Involved in Cybersecurity
The Securities and Exchange Commission (SEC), which oversees and regulates the securities markets, has become more involved in cybersecurity. For example, in June 2021, they settled with real estate settlement services company First American Financial Corporation for disclosure controls and procedures violations that resulted in sensitive customer data being exposed. The SEC is also investigating a cyberattack involving the compromise of software created by SolarWinds.
These events, alongside proposed rules changes relating to breach disclosure, suggest that public companies might find the SEC getting involved in their cybersecurity procedures.
Greater Enforcement of Cybersecurity Standards
The above changes to cybersecurity regulations show that industry regulators and the federal government are increasing their focus on cybersecurity regulatory compliance. The main takeaway is that regulators are strengthening their enforcement of existing standards, as well as updating standards that will make further enforcement possible.
How Organizations Should Respond
There are some ways organizations can best keep up with the many updates coming from regulators.
Firstly, pay close attention to the press releases you receive from your industry and organization’s regulatory agency or agencies. Being aware of any changes highlighted in these news releases allows you to plan and implement changes more quickly and cost-effectively.
Secondly, make sure that you speak with your auditor on a regular basis. This will help you to stay up to date on developing requirements or trends in enforcement, as these will change over time. Because regulating bodies require that auditors attest to your regulatory compliance, auditors will know exactly what you need to comply with existing cybersecurity standards.
Cybersecurity regulations are changing all the time in the US, sometimes over a short period of time. With an inundation of changes and new rules, it can be difficult for companies to ensure that they’re not violating any existing standards. This is why it’s important for any organization’s cybersecurity team to make awareness of these changes a top priority.
By following the latest news in the IT sector on a consistent basis, you can ensure that you never miss out on a crucial development. This will help your organization run smoothly, avoiding both legal repercussions and cyberattacks.
Cyberlocke is a comprehensive, full-service IT services provider that architects and implements efficient and secure solutions for enterprise customers and their data centers. We specialize in security, cloud, managed services, and infrastructure consulting. Contact Us today to learn more.
