- Work to stand up new cyber regulatory structures for critical infrastructure sectors (CIS)
- Sector-specific agencies to decide who should implement appropriate cybersecurity defenses
- CISA’s cross-sector cybersecurity performance goals (CPGs) may be a precursor for mandatory requirements
October 2022
New cyber regulation rollouts
“The security abroad begins with security at home, confidence abroad begins with confidence at home. And a key way to deter adversaries in cyberspace is to know we have confidence in a level of security, that we have locked our digital doors and put on our digital alarm system.”
The administration expects critical infrastructure operators to separate the portions of their networks that run information technology (IT) for corporate processes from those that run the operational technology (OT) in their industrial control systems.
For example, the Transportation Security Administration (TSA) announced a new cybersecurity directive regulating designated passenger and freight railroad carriers. The carriers are ordered to develop network segmentation policies and controls to ensure that the OT system can continue to operate safely if an IT system has been compromised, and vice versa.
The Federal Communications Commission (FCC) has launched a rulemaking to improve the security and reliability of the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA). Recently, the FCC’s cybersecurity division finalized a rule applying its new Mandatory Disaster Response Initiative to wireless network providers.
CISA’s CPGs
The National Security Memorandum (NSM)-5 on improving cybersecurity in critical infrastructure control systems, signed in July 2021, required CISA, in coordination with NIST and the interagency community, to develop baseline cybersecurity goals that are consistent across all CIS.
The CPGs released in October 2022 provide ‘an approachable common set of IT and OT cybersecurity protections that are clearly defined, straightforward to implement, and aimed at addressing some of the most common and impactful cyber risks.’ The CPGs are intended to be adopted voluntarily by organizations to prioritize security investments toward the most critical outcomes, in conjunction with broader frameworks such as the NIST Cybersecurity Framework (NIST CSF).
The CPGs:
- Are a prioritized subset of IT and OT cybersecurity practices aimed at meaningfully reducing risks to both CI operations and to the country’s people. These goals are applicable across all CIS.
- Can be leveraged by organizations as part of a broader cybersecurity program based on the NIST CSF or other frameworks and standards.
- Can help organizations that lack the cybersecurity experience, resources, or structure to quickly identify and implement basic cybersecurity practices.
CISA, in coordination with NIST, will regularly update the goals, and starting in late 2022, CISA will begin working with Sector Risk Management Agencies (SRMAs) to build on this foundation to develop sector-specific goals.
The SRMAs are entrusted with the role of identifying systemically important entities for cybersecurity regulation.
In the coming months:
The US administration is preparing to activate its regulatory authorities at three more agencies besides the TSA, namely the Environmental Protection Agency (EPA), the Department of Health and Human Services (DHHS), and the FCC, to issue new cybersecurity requirements in the Water, Healthcare, and Communications sectors respectively.
Discussions with industry groups are planned on a new initiative to create a cybersecurity label for Internet of Things (IoT) devices.
The administration is aiming to regulate cybersecurity in the crucial information technology sector, and in other sectors where statutory authority is absent.