The US Cybersecurity and Infrastructure Security Agency (CISA) has announced a set of proposed security requirements aimed at protecting Americans’ sensitive personal data and government-related information from foreign adversaries. These measures are part of the implementation of Executive Order 14117, signed by President Biden earlier this year, which seeks to mitigate the national security risks associated with unauthorized access to sensitive US data.
The new guidelines focus on businesses and organizations involved in “restricted transactions” that handle large volumes of sensitive personal or government-related data. These entities could include technology developers, AI firms, cloud service providers, telecommunications companies, financial institutions, healthcare and biotech firms, and defense contractors. CISA’s proposal specifically targets entities whose data may be vulnerable to access by “countries of concern” or “covered persons” — typically nations or entities linked to cyber espionage, data breaches, and state-sponsored hacking campaigns.
A Push for Stronger Security Measures
The proposed security requirements are divided into two main categories: organizational/system-level and data-level protections. These guidelines will require affected organizations to significantly enhance their data protection and cybersecurity efforts, ensuring that US sensitive data does not fall into the wrong hands.
Some of the key organizational and system-level requirements include maintaining an updated asset inventory, remediating known vulnerabilities within strict timelines, and enforcing multi-factor authentication (MFA) for critical systems. Additionally, companies will be required to keep accurate network topologies, collect and analyze security logs, and implement stringent access controls to prevent unauthorized data access.
On the data level, CISA has outlined additional measures such as encrypting sensitive information, masking data to prevent unauthorized linkability to US persons, and using advanced techniques like homomorphic encryption to protect the integrity of processed data. Furthermore, businesses must ensure that encryption keys are not stored alongside the protected data or within countries deemed adversarial by the government.
Impacted Sectors
The proposed measures will affect a broad range of industries. AI developers, cloud service providers, and telecommunications companies are expected to face increased scrutiny, given their role in managing large quantities of sensitive data. Financial institutions, health and biotech firms, and defense contractors could also see heightened regulatory demands due to the critical nature of the data they handle.
Countries of concern, as referenced in the proposal, typically include nations with a track record of cyber espionage or state-sponsored hacking activities, such as China, Russia, Iran, and North Korea. These countries have been implicated in past efforts to exploit vulnerabilities in US data systems, prompting the need for more robust defenses against potential threats.
Seeking Public Input
CISA is actively seeking public feedback on the proposed security requirements to ensure that they are practical and effective for impacted organizations. The agency is encouraging stakeholders to visit regulations.gov and search for CISA-2024-0029 to provide comments.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.