CISA proposes new security requirements to protect govt, personal data
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is proposing security requirements to prevent adversary states from accessing Americans' personal data as well as government-related information.
The requirements are aimed at entities that engage in restricted transactions involving bulk U.S. sensitive personal data or U.S. government-related data, particularly where that data could be accessed by "countries of concern" or "covered persons."
The proposal is linked to the implementation of Executive Order 14117, signed by President Biden earlier this year, which addresses data security weaknesses that create or amplify national security risks.
Impacted organizations may include technology businesses such as AI developers and cloud service providers, telecommunication firms, health and biotech organizations, financial institutions, and defense contractors.
"Countries of concern" typically refers to nations the U.S. government views as adversarial or as posing a security risk because of a history of cyber espionage, data theft, and state-sponsored hacking campaigns.
Security requirements
CISA proposes security measures grouped into organizational/system-level requirements and data-level requirements. Below is a summary of some of them:
- Maintain and update an asset inventory monthly, including IP addresses and hardware MAC addresses
- Remediate known exploited vulnerabilities (KEVs) within 14 days
- Remediate critical vulnerabilities of unknown exploitation status within 15 days and high-severity flaws within 30 days
- Maintain an accurate network topology to facilitate incident identification and response
- Enforce multi-factor authentication (MFA) on all critical systems, require passwords that are at least 16 characters long, and revoke access to any individual immediately after employment termination or a change of role in the organization
- Prevent unauthorized hardware, such as USB devices, from being connected to covered systems
- Collect logs on access and security-related events (IDS/IPS, firewall, data loss prevention, VPN, login events)
- Reduce the amount of data collected or mask it to prevent unauthorized access or linkability to U.S. persons, and apply encryption to protect covered data during restricted transactions
- Do not store encryption keys along with the covered data or in a country of concern
- Apply techniques such as homomorphic encryption or differential privacy to prevent the reconstruction of sensitive data from processed data
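The remediation windows and inventory requirement above translate directly into a check that a vulnerability-management team would run against scanner output. The following is an added example (not code from CISA or from the article): it computes each finding's deadline from the proposed windows, applying the 14-day KEV window ahead of the severity-based windows when both could apply (an interpretation, since the summary does not say which takes precedence), flags findings that are still open past their deadline, and reports findings on hosts absent from the monthly asset inventory. The `Finding` fields, the sample inventory and the sample findings are constructed for this example and are not real data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows, in days, as summarised from the proposal above.
KEV_DAYS = 14        # known exploited vulnerabilities
CRITICAL_DAYS = 15   # critical severity, exploitation status unknown
HIGH_DAYS = 30       # high severity


@dataclass(frozen=True)
class Finding:
    """One vulnerability observed on one asset (hypothetical schema for this example)."""
    asset: str                  # hostname as it appears in the asset inventory
    ip: str
    cve: str
    severity: str               # "critical", "high", "medium" or "low"
    first_seen: date            # date the scanner first reported it on this asset
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities catalog
    remediated: Optional[date] = None


def remediation_deadline(f: Finding) -> Optional[date]:
    """Deadline implied by the proposed windows, or None if no window applies.

    KEV status is checked first: an exploited vulnerability gets the shortest
    window regardless of its CVSS-derived severity (example's interpretation).
    """
    if f.in_kev:
        window = KEV_DAYS
    elif f.severity == "critical":
        window = CRITICAL_DAYS
    elif f.severity == "high":
        window = HIGH_DAYS
    else:
        return None
    return f.first_seen + timedelta(days=window)


def sla_status(f: Finding, today: date) -> str:
    """Classify a finding as no-window, open, overdue, remediated or remediated-late."""
    deadline = remediation_deadline(f)
    if deadline is None:
        return "no-window"
    if f.remediated is not None:
        return "remediated-late" if f.remediated > deadline else "remediated"
    return "overdue" if today > deadline else "open"


def overdue_report(findings: list[Finding], today: date) -> list[tuple[str, str, int]]:
    """(cve, asset, days past deadline) for every finding still open past its window."""
    report = []
    for f in findings:
        if sla_status(f, today) == "overdue":
            days_late = (today - remediation_deadline(f)).days
            report.append((f.cve, f.asset, days_late))
    return sorted(report, key=lambda r: r[2], reverse=True)


def assets_missing_from_inventory(findings: list[Finding], inventory: dict[str, str]) -> set[str]:
    """Assets that appear in scan results but not in the (monthly) IP/MAC inventory."""
    return {f.asset for f in findings if f.asset not in inventory}


# Constructed sample data: hostnames, IPs, MACs and CVE identifiers are placeholders.
INVENTORY = {  # hostname -> MAC address, as the inventory requirement asks for
    "web-01": "00:11:22:33:44:01",
    "db-01": "00:11:22:33:44:02",
    "vpn-01": "00:11:22:33:44:03",
}

SAMPLE_FINDINGS = [
    Finding("web-01", "10.0.0.11", "CVE-0000-0001", "high", date(2024, 10, 10), in_kev=True),
    Finding("db-01", "10.0.0.12", "CVE-0000-0002", "critical", date(2024, 10, 20), in_kev=False),
    Finding("vpn-01", "10.0.0.13", "CVE-0000-0003", "high", date(2024, 9, 25), in_kev=False),
    Finding("web-01", "10.0.0.11", "CVE-0000-0004", "medium", date(2024, 9, 1), in_kev=False),
    Finding("db-01", "10.0.0.12", "CVE-0000-0005", "critical", date(2024, 10, 1), in_kev=True,
            remediated=date(2024, 10, 12)),
    Finding("shadow-07", "10.0.0.77", "CVE-0000-0006", "high", date(2024, 10, 1), in_kev=True,
            remediated=date(2024, 10, 20)),
]

if __name__ == "__main__":
    today = date(2024, 11, 1)
    for cve, asset, days in overdue_report(SAMPLE_FINDINGS, today):
        print(f"OVERDUE {cve} on {asset}: {days} day(s) past deadline")
    for asset in sorted(assets_missing_from_inventory(SAMPLE_FINDINGS, INVENTORY)):
        print(f"NOT IN INVENTORY: {asset}")
```

Two design points worth noting: a KEV entry is given the 14-day window even when its severity is only "high", because exploitation in the wild is the stronger signal; and a finding fixed after its deadline is reported separately as "remediated-late" rather than silently dropped, since a compliance review will want that history as much as the current backlog.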
CISA is seeking public input before finalizing the proposal. Those interested can visit regulations.gov, enter CISA-2024-0029 in the search field, click the "Comment Now!" icon, and enter their comments in the fields provided.
source: BleepingComputer