- CISA is requiring organizations in critical sectors to update their security
- MFA, vulnerability management, and data encryption will be enforced
- These changes will help mitigate the potential theft of data by state-sponsored and nation state actors
The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a set of proposed security requirements aimed at reducing risks posed by unauthorized access to American data.
The move is due to concerns about the vulnerabilities exposed by recent cyberattacks, state-sponsored hacking campaigns, and the misuse of personal data by hostile nations.
The proposal aligns with Executive Order 14117, signed by President Biden earlier in 2024, which seeks to address gaps in data security that could compromise national interests.
Strengthening protections against foreign threats
The proposed requirements focus on entities that handle large-scale sensitive data, particularly in industries such as artificial intelligence, telecommunications, healthcare, finance, and defence contracting.
Companies operating in these fields are seen as critical targets due to the nature of the data they manage, with the US telecommunications industry recently being hit by a huge attack.
CISA’s primary concern is that data from these organizations could fall into the hands of “countries of concern” or “covered persons” – terms used by the U.S. government to refer to foreign adversaries known for engaging in cyber espionage and data breaches.
These new security standards aim to close loopholes that could expose sensitive data to state-sponsored groups and foreign intelligence actors.
Businesses will need to keep an updated inventory of their digital assets, including IP addresses and hardware configurations, to stay prepared for potential security incidents. Companies will also be required to enforce multi-factor authentication (MFA) on all critical systems and require passwords that are at least 16 characters long to prevent unauthorized access.
Vulnerability management is another key focus, and organizations must remediate and address any known exploited vulnerabilities or critical flaws within 14 days, even if exploitation has not been confirmed. High-severity vulnerabilities must be fixed within 30 days.
The new proposal also emphasizes network transparency, and companies are required to maintain accurate network topologies to enhance their ability to identify and respond to security incidents.
Immediate revocation of access for employees following termination or changes in role is mandated to prevent insider threats. Additionally, unauthorized hardware, such as USB devices, will be prohibited from connecting to systems that handle sensitive data, further reducing the risk of data leakage.
In addition to system-level protections, CISA’s proposal introduces robust data-level measures aimed at minimizing the exposure of personal and government information. Organizations will be encouraged to collect only the data that is essential for their operations and, where possible, mask or de-identify it to prevent unauthorized access. Encryption will play a vital role in securing data during any transaction that involves a “restricted entity,” ensuring that even if data is intercepted, it cannot be easily deciphered.
A critical requirement is that encryption keys must not be stored alongside the data they protect, particularly in regions identified as countries of concern. Furthermore, organizations will also be encouraged to adopt advanced privacy-preserving techniques, such as homomorphic encryption or differential privacy, which allow data to be processed without exposing the underlying information.
CISA is seeking public feedback on the proposed requirements to refine the framework before it is finalized. Interested stakeholders, including industry leaders and cybersecurity experts, are invited to submit their comments via regulations.gov by entering CISA-2024-0029 in the search field and following the instructions to provide input.
Via BleepingComputer
