
CISA Introduces Enhanced Security Measures for Protecting Sensitive Data from Hostile Nations


The US Cybersecurity and Infrastructure Security Agency (CISA) has put forward a series of proposed security requirements aimed at safeguarding Americans’ sensitive personal data and government-related information from foreign threats. These measures stem from the implementation of Executive Order 14117, signed by President Biden earlier this year to address the national security risks associated with unauthorized access to critical US data.

The focus of the new guidelines is on businesses and organizations involved in “restricted transactions” that handle substantial amounts of sensitive personal or government-related data. This includes a wide range of entities such as technology developers, AI firms, cloud service providers, telecommunications companies, financial institutions, healthcare and biotech firms, and defense contractors. The proposal specifically targets entities vulnerable to access by “countries of concern” or “covered persons” associated with cyber espionage, data breaches, and state-sponsored hacking campaigns.

The proposed security requirements are categorized into organizational/system-level and data-level protections. These guidelines will compel affected organizations to elevate their data protection and cybersecurity efforts to ensure the safeguarding of US sensitive data from potential threats. Key requirements at the organizational/system-level include maintaining an updated asset inventory, promptly remediating known vulnerabilities, and implementing multi-factor authentication for critical systems. Companies will also be mandated to maintain accurate network topologies, analyze security logs, and enforce stringent access controls to prevent unauthorized data access.

At the data level, additional measures outlined by CISA include encrypting sensitive information, masking data to prevent unauthorized linkability to US persons, and employing advanced techniques like homomorphic encryption to ensure data integrity. Moreover, businesses must ensure that encryption keys are not stored alongside the protected data or within countries perceived as adversarial by the government.

A wide array of industries will be impacted by these proposed measures, with AI developers, cloud service providers, and telecommunications companies expected to face heightened scrutiny due to their substantial role in managing sensitive data. Financial institutions, health and biotech firms, and defense contractors may also face increased regulatory demands due to the critical nature of the data they handle.

The proposal identifies “countries of concern” such as China, Russia, Iran, and North Korea, known for their involvement in cyber espionage and state-sponsored hacking activities. These nations have been implicated in previous efforts to exploit vulnerabilities in US data systems, necessitating enhanced defenses against potential threats.

CISA is actively seeking public feedback on the proposed security requirements to ensure their practicality and effectiveness for impacted organizations. Stakeholders are encouraged to visit regulations.gov and search for CISA-2024-0029 to provide their comments and insights.

Overall, the proposed security requirements aim to bolster the protection of Americans’ sensitive data and government-related information from foreign adversaries, reinforcing the nation’s cybersecurity defenses in an increasingly digitized world.
