In the wake of NIST 800-171 Revision 3, the near-future of information security has been discussed at length across the Defense Industrial Base (DIB). Published in May 2023, this revised document has already made changes to the Cybersecurity Maturity Model Certification (CMMC) framework that will require at least 2 years of regulatory reshuffling to finalize.
But beyond this, and even beyond the DIB, changes persist. Rapid advancements in technology, presidential elections, and budding cyber mandates from a host of governmental agencies all promise to change American industry’s information security posture in the next five years.
Preparing your business for changing federal, state, and industry-specific cybersecurity regulations begins with understanding the rules on their way to the public. So where should you start? And once you know a rule is on its way, what’s next? Check out the short (but by no means complete) list of upcoming regulations and recommendations below to get started.
Precipitated by the Biden Administration’s 2021 Executive Order 14028, "Improving the Nation's Cybersecurity" the Secure Software Development Framework (SSDF) aims to secure the military’s software supply chain. First published in February 2022, the SSDF may require DIB businesses to self-attest to compliance as soon as December of 2023. NIST writes,
"The SSDF defines only a high-level subset of what organizations may need to do, so organizations should consult the references and other resources for additional information on implementing the practices."
Therefore, if your organization creates software for the federal government or a branch of the US military, don’t panic. Cost-effective ways to address the SSDF mandate are out there, and would best be explored sooner rather than later. It is also worth noting that in many cases, contracts which ask businesses to create software also contain or entail the creation of Controlled Unclassified Information (CUI), a class of information subject to the CMMC framework. So, some of your investment in satisfying SSDF may also support compliance with CMMC.
SVAC Act of 2022
This one is for businesses which maintain or seek contracts with the Department of Veterans’ Affairs (VA). Like SSDF, this mandate also covers a class of information considered CUI by NARA’s CUI Registry, health information. The Strengthening VA Cybersecurity Act of 2022 was signed into law in December 2022. It required two things: 1) for the VA to conduct an independent cybersecurity assessment of its most critical information systems, as well as its cybersecurity posture as a whole, and 2) in response to this assessment, the VA must develop a timeline and budget to fix any weaknesses identified by the report. This means that in the next year or so, the VA will develop a cybersecurity plan which is certain to include new cyber regulations for VA contractors processing, handling, or storing health information.
The Department of Homeland Security (DHS) has several cyber regulations on the way. Most pressingly, they are scheduled to publish “Cybersecurity in the Marine Transportation System” as well as “Enhancing Surface Cyber Risk Management” this year. The latter is a rulemaking that promises to “...permanently codify critical cybersecurity requirements for pipeline and rail modes,” and particularly those responsible for transporting hazardous liquids and natural gas, while the former intends to set baseline cybersecurity requirements to safeguard the Marine Transportation System.
Unlike previously discussed cyber rules, some of these requirements may impact organizations outside of the DIB.
The Securities & Exchange Commission (SEC) announced its intention to publish a new cyber rule on May 15, 2023. This would require market entities to implement information security practices which are, “reasonably designed to address their cybersecurity risks and, at least annually, review and assess the design and effectiveness of their cybersecurity policies and procedures, including whether they reflect changes in cybersecurity risk over the time period covered by the review.”
Market entities, according to the announcement, includes broker-dealers, clearing agencies, major security-based swap participants, the Municipal Securities Rulemaking Board, national securities associations, national securities exchanges, security-based swap data repositories, security-based swap dealers, and transfer agents. So, like upcoming DHS rulemaking, the SEC cyber rule is likely to bring federal information security requirements outside the DIB.
So now what?
So far, we have covered NIST SP 800-171r3, Biden’s Secure Software Development Framework (SSDF), and the Strengthening VA Cybersecurity Act of 2022, as well as upcoming rulemaking on the part of the Department of Homeland Security (DHS) and the Securities and Exchange Commission (SEC). Individual states may also release industry-specific cyber regulations in the near future. This means that within the next five years, you may have to track 56 or more new information security requirements.
In the context of DIB businesses working to meet recently delayed CMMC requirements, it is important to note which upcoming rules will impact the methods your organization uses to handle, process, or store CUI.
Best practices in an evolving cyber landscape include a) steady progress toward compliance and b) incident response preparedness. Regardless of the fluidity of cyber rulemaking at the moment, many organizations are still self-attesting to 800-171 compliance, and remain subject to the False Claims Act.
The consequences of not reporting a cyber incident are high. Almost everyone gets hacked. Before it happens to you, ensure that your organization has:
Mechanisms that ensure you know when you have an incident;
A complete list of regulations you are currently subject to;
A complete list of reportable incidents for each applicable regulation, including timeframes, report format, and to whom the report must be submitted.
In general, we recommend maintaining a sharp eye on cyber rulemaking. As state, federal, and industry-specific cyber regulations head your way, slow and steady really does win the race. Implement the controls that bolster your overall cyber hygiene first. Determine where rules overlap their requirements. Ask yourself: can I hit two birds with one stone? Focus on building a compliant information security posture gradually, over time. Just don’t put it off, or a new regulation may blindside you.