Cybersecurity - What a year to review!
We made it. Phew.
That’s about the best way to capture federal cybersecurity policy activity in 2023, a year in which it seemed there was always an issue open for comment, an idea being floated that demanded feedback, or breaking news on some breach or compromise of consequence. It’s been a lot!
We started the year with the Transportation Security Administration (TSA) collecting feedback on surface transportation cybersecurity risk management. Since the Colonial Pipeline attack in 2021, TSA has been focused on the cybersecurity of the transportation modes under its purview, and 2023 continued that theme with Security Directives published in May, July, and October.
Also early in the year, the Office of the National Cyber Director (ONCD) released the National Cybersecurity Strategy (NCS), which outlined the Administration’s strategic policy goals in cyberspace. The NCS expanded upon prior executive guidance, such as EO 14028, and organized its goals around five pillars: defending critical infrastructure and increasing its resilience, disrupting and dismantling threat actors, shaping market forces to promote security and resilience, investing in a resilient future, and forging international partnerships.
The NCS reminded us all, once again, that an effective public-private partnership is at the core of federal cybersecurity policy. As a result, in the months since the NCS release, ONCD, the National Security Council (NSC), Sector Risk Management Agencies (SRMAs), federal regulators, and the Cybersecurity and Infrastructure Security Agency (CISA) have been collaborating with industry to bridge the gap between the Administration’s strategic cyber goals and the private sector’s real-world operational challenges.
In July, we got to see the National Cybersecurity Strategy Implementation Plan (NCSIP), which detailed both agency-specific and federal-wide initiatives to enhance cyber resiliency. In the six months since the NCSIP was published, we have seen tangible progress, including:
Additionally, we saw the Federal Acquisition Security Council (FASC) rule on the exclusion of insecure foreign technologies from federal supply chains.
As if that all weren’t enough, in the second half of the year we saw the beginning of a very welcome effort by ONCD to harmonize the federal government’s cybersecurity regulations. By soliciting private sector feedback, ONCD made good on a commitment laid out in the NCS to address overlapping, complex, and contradictory cybersecurity regulations and standards across both information technology (IT) and operational technology (OT). We look forward to seeing how that feedback is incorporated into the next steps throughout next year.
Along with a group of federal research agencies, ONCD also opened proceedings to collect information on the availability and applicability of open-source software products, with the goal of identifying policy solutions that can better utilize private sector advances within the open-source security ecosystem. The security of open-source software was a theme throughout the year, and one that will surely continue in 2024 and beyond.
2023 also marked one year since the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). During 2023, CISA worked through comments submitted in response to its September 2022 Request for Information (RFI), which will be used to inform a Notice of Proposed Rulemaking (NPRM) expected in the first quarter of 2024.
On the international level, CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA), along with cybersecurity officials from Australia, Canada, the United Kingdom, Germany, the Netherlands, and New Zealand, issued "Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and Default." Originally released in April and updated in October, the guidance was consistent with other efforts to encourage greater software transparency while also building on the NCS strategic shift to hold software makers more accountable for the security of their products. The guidance includes concepts from the NCS and, fortunately, aligns with NIST’s Secure Software Development Framework (SSDF), NIST SP 800-218.
As if this weren’t enough, cybersecurity issues were also wedged into the October 2023 Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (AI EO). The EO required that key stakeholders within the federal government work together to conduct sector-specific risk assessments related to the use of AI and produce safety and security guidelines for critical infrastructure owners and operators that align with existing authorities. The EO also tasked the State Department with focusing on mitigating risk to critical infrastructure that crosses national borders. Additionally, as most of the country’s critical infrastructure is owned and operated by the private sector, the EO established the Artificial Intelligence Safety and Security Board as an advisory committee that will bring both the public and private sectors to the table regarding AI usage.
The EO also contained important language requiring “an operational pilot project to identify, develop, test, evaluate, and deploy AI capabilities, such as large-language models, to aid in the discovery and remediation of vulnerabilities in critical United States Government software, systems, and networks.” The EO directs the affected agencies to implement these provisions throughout 2024, adding to the list of anticipated cyber-related developments coming next year.
NIST also got in on the cybersecurity action by releasing a draft of the Cybersecurity Framework (CSF 2.0) in August, along with a list of implementation examples. It is a full update following the release of the CSF 2.0 Concept Paper in January 2023 and the CSF 2.0 Core discussion draft in April 2023. Generally, CSF 2.0 broadened its scope from CSF 1.1 beyond securing critical infrastructure to focus on the cybersecurity of all organizations. One of the biggest specific changes was the addition of a Govern function, which informs how organizations will achieve and prioritize the outcomes of the other five functions (Identify, Protect, Detect, Respond, and Recover) in the context of an organization’s mission and stakeholder expectations. NIST hopes to finalize CSF 2.0 in early 2024.
To close out 2023, the fiscal year 2024 National Defense Authorization Act (NDAA) was passed by both the House and Senate and is now headed to President Biden for his signature. Like most recent NDAA bills, it includes a range of cybersecurity-related provisions spanning from weapons systems security to artificial intelligence. Of note was Section 1502, Harmonization and clarification of Strategic Cybersecurity Program and related matters, which aims to consolidate and harmonize almost a decade’s worth of efforts to address the Department of Defense’s (DOD) industrial control systems (ICS)/OT cybersecurity deficiencies. It does this through reporting requirements and by designating roles and responsibilities to be executed by a new program office and program manager overseeing the efforts.
And of course, it wouldn’t be 2023 if a last-second cybersecurity announcement didn’t take place! This one came as part of a series of announcements made around the late December National Space Council meeting. Notably, it was announced that the US Government would be developing “minimum cybersecurity standards for space systems.” So, add that to the list of items we’ll be watching in 2024!
With that, we conclude our review of major US cybersecurity policy happenings. We’ll be back in early January with an assessment of what the year ahead will hold. In the meantime, best wishes for a happy holiday, and enjoy the down time; you deserve it!
Monument Advocacy