To conclude our series of cybersecurity areas to focus on in 2023 for those who do business with the Federal government, we look at the FedRAMP and StateRAMP developments from 2022. For the rest of this series, see our prior articles (Part One, Part Two, Part Three, and Part Four).
The federal government has continued its efforts to fulfill the requirements set forth in Executive Order 14028, Improving the Nation’s Cybersecurity. For companies that do business with the Federal government, beyond looking at the other issues raised in this series of posts (see here, here and here), these efforts will be important to keep in mind in 2023. There are three efforts underway by the FAR Council to amend the Federal Acquisition Regulations (FAR) related to the Executive Order (in addition to the Secure Software efforts discussed in Part Three).
Today we continue our series (see here and here) with the Office of Management and Budget’s September 2022 memorandum requiring federal agencies to only use software from software producers that attest compliance with secure software development guidance issued by the NIST. The new requirements will apply to any third-party software that is used on government information systems or that otherwise “affects” government information. You can read our article about the guidance here.
In this second in our series, we look at the long awaited update to NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which is expected to be released in late spring 2023. NIST SP 800-171 forms the backbone for contractor security requirements in Department of Defense regulations and the CMMC program. It remains unclear if this update will impact the rollout of the CMMC program.
As we start down the path of 2023, with the pandemic not quite behind us and economic uncertainty looming, the world can seem unsettled. Some things do appear to be a constant. Included in those are regulatory and court scrutiny on privacy and cybersecurity. As companies’ privacy and security teams make plans for their 2023 compliance efforts, it can be helpful to look back at last year’s developments.
As we get settled into the New Year it is a good time to reflect on your company’s current data security and plans for 2023. In this five-part series, we reflect on the top important cybersecurity developments for companies that do business with the federal government (whether directly or as a supplier or reseller) and what we anticipate in the new year.
The Department of Defense recently provided some clarity on the timeline for implementation of its Cybersecurity Maturity Model Certification (CMMC) program. The DoD now expects to complete documentation to submit to the Office of Management and Budget for its rulemaking process by July 2022. And, it plans to issue interim final rules by March 2023. If DoD sticks to this new timeline, the CMMC requirements could begin appearing in solicitations for government contracts as early as May 2023 (60 days after the rules are published).
Continue Reading Updated Timeline for DoD’s Cybersecurity Certification Program
The May 1 change to banks’ cyber-notification process is fast approaching. As we wrote previously the OCC, FDIC, and Federal Reserve Board implemented a final rule under which banks and their service providers must notify their primary federal regulators within 36 hours of certain incidents. A notification incident that triggers this requirement is defined as a computer security incident that materially disrupts a banking organization’s operations or lines of business. Thus not all incidents will meet these levels. For those that do, banks will need to be prepared. Part of that is having the right points of contact, which include:
Continue Reading On the Clock: Cyber Incidents Notification Deadline Approaching for Banks
Indiana has made a minor amendment to its data breach notification law. Starting July 1, companies who are obligated to notify under the law must do so (to affected individuals and the Indiana Attorney General) without unreasonable delay, but no later than 45 days after discovery of the breach. This changes the current time frame, which is “without unreasonable delay.” Indiana joins many other states that impose a specific timing requirement, in particular no later than 45 days after determining there has been a breach. For example, Alabama, Maryland, Ohio, and Wisconsin (among several others) all require notice to individuals no later than 45 days from discovery.
Continue Reading Indiana Breach Notification Law Amended, Changes Effective July 1, 2022
President Biden recently signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 as a part of a larger omnibus appropriations bill. The new law sets out mandatory reporting requirements for critical infrastructure entities in the event of certain cyber incidents and ransomware payments. Under the Act, once implementing regulations are issued (which are not expected this year) covered entities will be subject to two new reporting requirements:
Continue Reading Cybersecurity Act Signed Into Law Creates New Reporting Obligations
NIST recently released several key deliverables relating to cybersecurity. These focus on secure software development and new consumer labeling programs as contemplated by President Biden’s Executive Order 14028, which seeks to implement multiple new practices to improve the Nation’s cybersecurity.
Continue Reading NIST Releases New Guidance on Software Security and Cybersecurity Consumer Labeling Programs