Earlier this week, the Securities and Exchange Commission (“SEC”) published an update to its rulemaking agenda indicating that it does not plan to approve two proposed cyber rules until at least October 2023 (the agenda’s timeframe is an estimate). The proposed rules in question address disclosure requirements regarding cybersecurity governance
Continue Reading SEC Delays Cybersecurity Rules
April 2023 Developments Under President Biden’s Cybersecurity Executive Order and National Cybersecurity Strategy
This is the twenty-fourth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through March 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during April 2023.
CISA Requests Comment on Secure Software Self-Attestation Common Form
On April 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released a 60-day Request for Comment on a draft secure software self-attestation common form. Comments will be accepted through June 26, 2023 and may be submitted through Regulations.gov. The draft common form, developed in close consultation with the U.S. Office of Management and Budget (“OMB”), is a key step in implementation of OMB Memorandum M-22-18, which was issued pursuant to Section 4 of the Cyber EO and directs agencies to only use software that complies with Government-specified secure software development practices (the “OMB Memorandum”). Specifically, and among other requirements, the OMB Memorandum directs that software providers self-attest that the software developer follows the secure development processes described by NIST Secure Software Development Framework (SP 800-218) and the NIST Software Supply Chain Security Guidance. The key provisions of the OMB Memorandum are discussed in more detail in our prior blog.
Scope. The OMB Memorandum applies to all software (other than agency-developed software) developed or experiencing major version changes to be operated “on the agency’s information systems or otherwise affecting the agency’s information.” CISA’s draft common form further specifies that the “following software requires self-attestation:
- Software developed after September 14, 2022;
- Existing software that is modified by major version changes […] after September 14, 2022; and
- Software to which the producer delivers continuous changes to the software code (such as software-as-a-service products or other products using continuous delivery/continuous deployment).”
January 2023 Developments Under President Biden’s Cybersecurity Executive Order
This is the twenty-first in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through December 2022. This blog describes key actions taken to implement the Cyber EO during January 2023.
GSA Announces That It Will Require Software Vendors to Submit Letters of Attestation Beginning in June 2023.
On January 11, 2023, the General Services Administration (“GSA”) Senior Procurement Executive and Chief Information Officer jointly issued Acquisition letter MV-23-02, “Ensuring Only Approved Software Is Acquired and Used at GSA” (the “GSA letter”). The GSA letter establishes a June 12, 2023 effective date for implementing the secure software acquisition requirements of Office of Management and Budget (“OMB”) Memorandum M-22-18, issued pursuant to Section 4 of the Cyber EO. That OMB memorandum directs that agencies must only use software that complies with Government-specified secure software development practices. These practices include obtaining self-attestations of conformity with secure software development practices and in certain cases as determined by agencies, artifacts such as Software Bills of Materials (SBOMs) from software vendors to verify that the acquired software[1] was developed and produced according to NIST security guidelines and best practices.
The GSA letter directs GSA’s IT officials to update GSA’s policies by June 12, 2023 to reflect the process for collecting, renewing, retaining, and monitoring the self-attestation information mandated by OMB M-22-18. For existing contracts that include the use of software, the GSA letter directs GSA IT to provide an internally accessible list of the software used for each contract and to collect vendor attestations by June 12, 2023. For new contracts that include the use of software, the GSA letter directs the relevant acquisition teams to modify the acquisition planning process to ensure that performance of such contracts begins only after the requisite attestations have been collected and considered. Finally, with respect to GSA-administered Government-wide indefinite delivery vehicles (e.g., Federal Supply Schedule contracts, Government-Wide Acquisition Contracts, and Multi-Agency Contracts), the GSA letter directs GSA contracting activities to allow, but not require, contractors to provide attestations at the base contract level rather than the task or delivery order level, and to make those attestations available to ordering activities to the extent possible. With this said, the GSA letter specifies that ordering agencies will ultimately be responsible for complying with OMB M-22-18.Continue Reading January 2023 Developments Under President Biden’s Cybersecurity Executive Order
FERC Orders Development of New Internal Network Security Monitoring Standards
The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments. This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).
The forthcoming standards will only apply to certain high- and medium-impact BES Cyber Systems. The final rule also requires NERC to conduct a feasibility study for implementing similar standards across all other types of BES Cyber Systems. NERC must propose the new or modified standards within 15 months of the effective date of the final rule, which is 60 days after the date of publication in the Federal Register.
Background
According to the FERC news release, the 2020 global supply chain attack involving the SolarWinds Orion software demonstrated how attackers can “bypass all network perimeter-based security controls traditionally used to identify malicious activity and compromise the networks of public and private organizations.” Thus, FERC determined that current CIP Reliability Standards focus on prevention of unauthorized access at the electronic security perimeter and that CIP-networked environments are thus vulnerable to attacks that bypass perimeter-based security controls. The new or modified Reliability Standards (“INSM Standards”) are intended to address this gap by requiring responsible entities to employ INSM in certain BES Cyber Systems. INSM is a subset of network security monitoring that enables continuing visibility over communications between networked devices that are in the so-called “trust zone,” a term which generally describes a discrete and secure computing environment. For purposes of the rule, the trust zone is any CIP-networked environment. In addition to continuous visibility, INSM facilitates the detection of malicious and anomalous network activity to identify and prevent attacks in progress. Examples provided by FERC of tools that may support INSM include anti-malware, intrusion detection systems, intrusion prevention systems, and firewalls. Continue Reading FERC Orders Development of New Internal Network Security Monitoring Standards
International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure
On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called “Five Eye” governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the “Advisory”) warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them “to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.” The Advisory is intended to update a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and tactics, techniques, and procedures (“TTPs”).
In its announcement, the authorities urged critical infrastructure network defenders in particular “to prepare for and mitigate potential cyber threats by hardening their cyber defenses” as recommended in the Advisory.
Overview. The Advisory notes that “evolving intelligence” indicates that the Russian government is exploring options for potential cyber attacks and that some cybercrime groups have recently publicly pledged support for the Russian government and threatened to conduct cyber operations on behalf of the Russian government. The Advisory summarizes TTPs used by five state-sponsored advanced persistent threat (“APT”) groups, two Russian-aligned cyber threat groups, and eight Russian-aligned cybercrime groups. Additionally, it provides a list of mitigations and suggests that critical infrastructure organizations should implement certain mitigations “immediately.”
Russian State-Sponsored Cyber Operations. The Advisory notes that Russian state-sponsored cyber actors have “demonstrated capabilities” to compromise networks; maintain long-term, persistent access to networks; exfiltrate sensitive data from information technology (“IT”) and operational technology (“OT”) networks; and disrupt critical industrial control systems (“ICS”) and OT networks by deploying destructive malware. The Advisory details five Russian APT groups:
Continue Reading International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure
NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products
On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”). The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.
The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.” The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.” The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.
The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products. We should expect that the framework established by NIST in this publication will serve as a model for these requirements.
IoT Criteria Framework. The IoT Criteria establish recommended considerations for three key aspects of a potential cybersecurity IoT labeling program:
- Baseline Product Criteria
- Labeling
- Conformity Assessments
FTC Warns Companies to Remediate the Log4j Vulnerability and Hints at Potential Enforcement Actions
On January 4, 2022, the Federal Trade Commission published a warning to companies and their vendors to take reasonable steps to remediate the Log4j vulnerability (CVE-2021-44228). The FTC provided a list of recommended remedial actions for companies using the Log4j software. The FTC’s warning references obligations under the FTC Act
Continue Reading FTC Warns Companies to Remediate the Log4j Vulnerability and Hints at Potential Enforcement Actions
CISA Warns Critical Infrastructure Owners and Operators to Prepare for and Take Steps to Mitigate Holiday Cyber Threats
On December 15, 2021, the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a warning for “critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks” before the upcoming holiday season. CISA’s warning
Continue Reading CISA Warns Critical Infrastructure Owners and Operators to Prepare for and Take Steps to Mitigate Holiday Cyber Threats
November 2021 Developments Under President Biden’s Cybersecurity Executive Order
DOJ Announces New Civil Cyber-Fraud Initiative
In a December 2020 speech, Deputy Assistant Attorney General Michael Granston warned that cybersecurity fraud could see enhanced enforcement under the False Claims Act (“FCA”). On October 6, 2021, Deputy Attorney General Lisa Monaco announced that the Department of Justice (“DOJ”) would be following through on that warning with the
Continue Reading DOJ Announces New Civil Cyber-Fraud Initiative