CISA proposes new security requirements to protect govt, personal data

October 22, 2024 at 06:12PM

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) proposes new security requirements to protect Americans’ personal and government-related data from adversarial states. Aimed at organizations handling sensitive information, the measures include asset management, vulnerability remediation timelines, and encryption protocols. Public input is encouraged via regulations.gov.

Here are the key takeaways from CISA’s proposed security requirements:

1. **Purpose of Proposal**: CISA aims to establish security requirements to safeguard U.S. personal and government-related data from adversarial states, particularly concerning sensitive information involved in restricted transactions.

2. **Scope**: The proposed requirements target entities that handle bulk sensitive personal data or government-related data at risk of exposure to “countries of concern.”

3. **Regulatory Background**: The proposal is associated with the implementation of Executive Order 14117, signed by President Biden, which addresses significant data security vulnerabilities related to national security.

4. **Affected Organizations**: Key industries affected include technology providers (AI and cloud services), telecommunications, healthcare, biotechnology, finance, and defense contractors.

5. **Countries of Concern**: This designation refers to nations deemed adversarial or risky due to their history of cyber activities such as espionage and hacking.

6. **Security Requirements Summary**:
– **Asset Inventory**: Monthly updates of asset inventory including IP and hardware MAC addresses.
– **Vulnerability Management**: Remediate vulnerabilities listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog within 14 days, critical vulnerabilities within 15 days, and high-severity flaws within 30 days.
– **Network Topology**: Maintain accurate network maps for incident management.
– **Authentication**: Implement multi-factor authentication (MFA), establish stringent password minimums, and ensure prompt revocation of access post-employment or role changes.
– **Device Restrictions**: Prevent unauthorized hardware from being connected to critical systems.
– **Logging**: Collect logs related to access and security events.
– **Data Minimization and Protection**: Collect only the sensitive data that is needed, encrypt covered data in restricted transactions, and apply privacy-enhancing techniques (such as differential privacy) so that the data cannot be tied back to individuals.
– **Encryption Practices**: Ensure encryption keys are stored securely and not in countries of concern.
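The remediation windows in the vulnerability-management item are easy to get wrong once a KEV listing and a severity rating both apply to the same finding. The following is an added example, not code from CISA or from the article, that turns those windows into a policy-as-code check: it computes the earliest applicable deadline for each finding and lists the ones that are overdue. The findings, asset names, and `VULN-n` identifiers are constructed sample data, not real vulnerabilities.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation windows from the proposed requirements, in days.
# KEV-listed: 14, critical: 15, high: 30. Medium/low have no mandated window here.
KEV_DAYS = 14
SEVERITY_DAYS = {"critical": 15, "high": 30}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # constructed placeholder, not a real CVE identifier
    severity: str         # "critical", "high", "medium" or "low"
    found: date           # date the organization became aware of the vulnerability
    in_kev: bool = False  # True if listed in CISA's KEV catalog


def deadline(f: Finding) -> Optional[date]:
    """Earliest applicable due date.

    A KEV listing and a severity rating are independent triggers; when both
    apply, the shorter window wins. Returns None when no window applies.
    """
    windows = []
    if f.in_kev:
        windows.append(KEV_DAYS)
    if f.severity in SEVERITY_DAYS:
        windows.append(SEVERITY_DAYS[f.severity])
    if not windows:
        return None
    return f.found + timedelta(days=min(windows))


def overdue(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """Return (asset, vuln_id, days_late) for every finding past its deadline,
    most overdue first. A finding due today is not yet late."""
    late = []
    for f in findings:
        due = deadline(f)
        if due is not None and today > due:
            late.append((f.asset, f.vuln_id, (today - due).days))
    return sorted(late, key=lambda t: -t[2])


# Constructed sample data for illustration.
AS_OF = date(2024, 11, 15)
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-1", "high", date(2024, 10, 1)),             # due 2024-10-31
    Finding("web-01", "VULN-2", "high", date(2024, 10, 1), in_kev=True),  # KEV shortens to 2024-10-15
    Finding("db-02", "VULN-3", "critical", date(2024, 11, 5)),           # due 2024-11-20
    Finding("vpn-01", "VULN-4", "medium", date(2024, 9, 1)),             # no mandated window
    Finding("vpn-01", "VULN-5", "medium", date(2024, 11, 1), in_kev=True),  # KEV applies: due 2024-11-15
]

if __name__ == "__main__":
    for asset, vuln_id, days_late in overdue(SAMPLE_FINDINGS, AS_OF):
        print(f"{asset} {vuln_id} overdue by {days_late} days")
```

Note that the KEV window is checked independently of severity: a medium-rated flaw that is KEV-listed still gets the 14-day clock, and a high-rated KEV entry gets 14 days rather than 30.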

7. **Public Input**: CISA invites public feedback to refine the proposal. Interested parties can submit comments via regulations.gov using the identifier CISA-2024-0029.

These points highlight the focus on enhancing data security in both organizational practices and technical measures to mitigate risks associated with adversarial access to sensitive information.