The Department of Defense recently provided some clarity on the timeline for implementation of its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now expects to complete documentation to submit to the Office of Management and Budget for its rulemaking process by July 2022. And, it plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 (60 days after the rules are published).
The May 1 change to banks’ cyber-notification process is fast approaching. As we wrote previously the OCC, FDIC, and Federal Reserve Board implemented a final rule under which banks and their service providers must notify their primary federal regulators within 36 hours of certain incidents. A notification incident that triggers this requirement is defined as a computer security incident that materially disrupts a banking organization’s operations or lines of business. Thus not all incidents will meet these levels. For those that do, banks will need to be prepared. Part of that is having the right points of contact, which include:…
Continue Reading On the Clock: Cyber Incidents Notification Deadline Approaching for Banks
Indiana has made a minor amendment to its data breach notification law. Starting July 1, companies who are obligated to notify under the law must do so (to affected individuals and the Indiana Attorney General) without unreasonable delay, but no later than 45 days after discovery of the breach. This changes the current time frame, which is “without unreasonable delay.” Indiana joins many other states that impose a specific timing requirement, in particular no later than 45 days after determining there has been a breach. For example, Alabama, Maryland, Ohio, and Wisconsin (among several others) all require notice to individuals no later than 45 days from discovery.
Continue Reading Indiana Breach Notification Law Amended, Changes Effective July 1, 2022
President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as a part of a larger omnibus appropriations bill. The new law sets out mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments. Under the Act, once implementing regulations are issued (which are not expected this year) covered entities will be subject to two new reporting requirements: …
Continue Reading Cybersecurity Act Signed Into Law Creates New Reporting Obligations
NIST recently released several key deliverables relating to cybersecurity. These focus on secure software development and new consumer labeling programs as contemplated by President Biden’s Executive Order 14028, which seeks to implement multiple new practices to improve the Nation’s cybersecurity.
Continue Reading NIST Releases New Guidance on Software Security and Cybersecurity Consumer Labeling Programs
The National Institute of Standards and Technology (NIST) is seeking comments to improve its Cybersecurity Framework, “Framework for Improving Critical Infrastructure Cybersecurity” (Request for Information available here). The Cybersecurity Framework is a key document providing organizations with standards, guidelines, and best practices to manage cybersecurity risk. With many changes to the cybersecurity landscape since the last update to the Cyber Framework in 2018, NIST hopes to address new threats, capabilities, technologies, and resources. Comments are due by April 25, 2022.
Continue Reading NIST Seeks Comments on Cybersecurity Framework Refresh
In light of Russia’s recent military actions in Ukraine, the New York Department of Financial Services issued guidance on its cybersecurity and virtual currency regulations. The Department is specifically concerned about heightened risk for Russia’s cyberattacks against Ukraine, which could in turn lead to retaliatory attacks against U.S. critical infrastructure due to U.S. sanctions against Russia.
Continue Reading NYDFS Issues Cybersecurity Guidance in Response to Events in Ukraine
President Biden recently signed a National Security Memorandum on cybersecurity. This memorandum was required by an earlier executive order, which we previously have discussed here. The new memorandum (NSM) requires certain network cybersecurity measures for any government information system that is used for highly sensitive national security purposes. The requirements go into effect on a rolling basis over the next 6 months.
Continue Reading White House Focuses on Improving the Cybersecurity of National Security Systems
Just as we thought 2022 was going to be significantly different than 2021, December 2021 and January 2022 events have thrown us for another (pandemic) loop. We anticipate that some of the privacy and cybersecurity developments from 2021 may similarly repeat in 2022. To help prepare for privacy and cybersecurity program plans for the year, we have created a comprehensive resource of all our www.eyeonprivacy.com posts from last year. From artificial intelligence, biometrics, new US privacy laws, ongoing scrutiny of breach and security issues, to concerns over global data flows, 2021 was a busy year. We have also included several articles focused specifically on managing privacy compliance, and include an examination of right-sized privacy programs, regulatory priorities, and managing “unknown” and unpredictable risks.
Continue Reading 2021 Privacy Year In Review
As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part four of a four-part series (you can read Part 1 here, Part 2 here, and Part 3 here.
Continue Reading 2021 Cybersecurity Recap for Government Contractors (and What to Expect in 2022) – Part 4 of 4: Cybersecurity Maturity Model Certification (“CMMC”) 2.0
As 2021 draws to a close, we wanted to share a recap of some of the most important cybersecurity developments we covered this past year along with some suggestions on what companies (particularly those that do business with the federal government) should expect in 2022. This is part three of a four-part series (you can read Part 1 here and Part 2 here).
Continue Reading 2021 Cybersecurity Recap for Government Contractors (and What to Expect in 2022) – Part 3 of 4: Cyber Incident & Ransomware Payment Reporting Legislation