The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has proposed a series of stringent security requirements to safeguard American personal data and sensitive government information from potential adversarial states. The initiative aims to prevent foreign entities from exploiting data vulnerabilities and potentially compromising national security.
These new security protocols target organizations involved in restricted transactions that handle large volumes of U.S. sensitive personal data or government-related data, especially when such information could be exposed to "countries of concern" or "covered persons." This proposal is part of the broader implementation of Executive Order 14117, signed by President Biden earlier this year, which seeks to address critical data security risks that could pose threats to national security.
The scope of affected organizations is wide, including technology companies such as AI developers, cloud service providers, telecommunications firms, health and biotech organizations, financial institutions, and defense contractors. These businesses are expected to comply with the new security measures to prevent unauthorized access to sensitive information.
"CISA’s security requirements are split into two main categories: organizational/system-level requirements and data-level requirements," stated the agency. Below is a breakdown of some of the proposed measures:
- Monthly Asset Inventory: Organizations must maintain and update a comprehensive asset inventory that includes IP addresses and hardware MAC addresses.
- Vulnerability Remediation: Known exploited vulnerabilities should be addressed within 14 days, while critical vulnerabilities, regardless of known exploitation, must be remediated within 15 days. High-severity vulnerabilities should be resolved within 30 days.
- Accurate Network Topology: Companies must maintain a precise network topology, which is crucial for identifying and responding to security incidents swiftly.
- Multi-Factor Authentication (MFA): All critical systems must enforce MFA, and passwords must be at least 16 characters long. Immediate access revocation is required upon employee termination or a change in roles.
- Unauthorized Hardware Control: Organizations must ensure that unauthorized hardware, such as USB devices, cannot be connected to systems handling sensitive data.
- Log Collection: Logs of access and security-related events, including intrusion detection/prevention, firewall activity, data loss prevention, VPN usage, and login events, must be systematically collected.
- Data Reduction and Masking: To prevent unauthorized access, organizations should reduce the volume of data collected or mask it, and encrypt data during restricted transactions.
- Encryption Key Security: Encryption keys must not be stored alongside the encrypted data, nor in any country of concern.
- Advanced Privacy Techniques: The use of techniques like homomorphic encryption or differential privacy is encouraged to ensure sensitive data cannot be reconstructed from processed data.
CISA has called for public feedback on the proposed security measures before they are finalized. Interested parties can submit their comments by visiting regulations.gov, entering CISA-2024-0029 in the search bar, and submitting feedback through the available form.
