This is the 20th in a series of Covington blogs on implementing Executive Order 14028, "Improving the Nation's Cybersecurity" (the "Cyber EO"), issued by President Biden on May 12, 2021. The first blog summarized the key provisions and timeline of the Cyber EO, and subsequent blogs described the steps taken by various government agencies to implement the Cyber EO from June 2021 through November 2022. This blog describes the key steps taken to implement the Cyber EO in December 2022.
OMB Issues Guidance to Agencies on Reporting Major Cyber Incidents
On December 2, 2022, the Office of Management and Budget (OMB) issued Memorandum M-23-03 to federal agencies, establishing fiscal year 2023 guidance on federal information security and privacy management requirements under the Federal Information Security Modernization Act (FISMA). The memorandum highlights a shift in the government's view of cybersecurity, stating that "[t]he Federal Government does not consider any Federal system or network to be 'trustworthy' unless that trust is justified by clear data. This means that internal traffic and data should be considered at risk." Among the requirements discussed in the memorandum are those for agency reporting of "major" cyber incidents. The memorandum notes that FISMA directs agencies to notify Congress of "major incidents" and directs OMB to define that term. The memorandum defines a "major incident" as either of the following:
- any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people; or
- a breach involving personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.
The memorandum states that agencies should use the incident management process established in NIST SP 800-61, Computer Security Incident Handling Guide, to determine an incident's impact level.
The memorandum says agencies should evaluate each breach on a case-by-case basis to determine whether it meets the definition of a major incident. However, the memorandum expressly requires that any unauthorized modification of, unauthorized deletion of, unauthorized disclosure of, or unauthorized access to the PII of 100,000 or more individuals be treated as a major incident, and it notes that other factors may also lead an agency to treat a breach as a major incident. The memorandum also states that it does not preclude agencies from reporting to Congress incidents or breaches that fall below the major incident threshold.
The memorandum states that agencies must report to the Cybersecurity and Infrastructure Security Agency (CISA) and the OMB Office of the Federal Chief Information Officer (OFCIO) within one hour of determining that a major incident has occurred, and must update CISA and OMB OFCIO within one hour of determining that an already-reported incident or breach is a major incident. Agencies must also notify the appropriate congressional committees and their Office of the Inspector General (OIG) within seven days of the date on which the agency determines that there is a reasonable basis to conclude that a major incident has occurred. The memorandum says reports to Congress must take into account the information known at the time of the report, the sensitivity of the details related to the incident, and the classification level of the information.
The memorandum also requires agencies to supplement major incident reports to Congress "within a reasonable time" after additional information related to the incident is discovered, including a summary of:
- the threats and threat actors, vulnerabilities, and impacts associated with the incident;
- the risk assessments performed on the affected information system before the incident;
- whether the affected information system complied with the security requirements applicable at the time of the incident; and
- the detection, response, and remediation actions taken.
In addition, within 30 days of discovering a breach that constitutes a major incident, agencies must submit a supplemental report to Congress that includes:
- a summary of the information available about the breach, including how the breach occurred, based on the information available to agency officials on the date the agency submits the report;
- an estimate of the number of individuals affected by the breach, including an assessment of the risk of harm to affected individuals, based on the information available to agency officials on the date the agency submits the report; and
- an estimate of whether and when affected individuals will be notified, and a description of the circumstances under which such notification may need to be delayed.
NIST Issues Final Guidance on Validating the Integrity of Computing Devices
On December 9, 2022, the National Institute of Standards and Technology (NIST) published Special Publication 1800-34, "Validating the Integrity of Computing Devices." The guide describes prototype technical activities that original equipment manufacturers (OEMs) and their authorized resellers can use to prevent and detect counterfeiting, tampering, and undocumented modification of firmware and hardware in client and server computing devices, along with the corresponding practices customers can use to verify that components have not been tampered with or otherwise altered. It specifically addresses three scenarios: (1) creating verifiable platform artifacts; (2) verifying components during acceptance testing; and (3) verifying components while in use, and it identifies prototype verification techniques that can be used in each.
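The three scenarios can be illustrated end to end with a small example added here; it is not code from the NIST guide or from any OEM's tooling, and its manifest format is a simplification of this example's own rather than the artifact format the guide prototypes. The OEM signs a component manifest (the verifiable artifact), the customer checks that signature on receipt, and the same signed manifest is then compared against the inventory the device reports at acceptance testing and again while in use, flagging swapped, missing, or reflashed parts. The platform serial, component list, and firmware images are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Component is one part in the platform manifest (this example's own simplified format, not the SP 1800-34 artifact).
type Component struct {
	Class    string // e.g. "bios", "nic", "ssd"
	Serial   string // vendor serial number
	Firmware string // hex SHA-256 of the firmware image
}

// Manifest is the artifact the OEM signs and ships with the device (scenario 1).
type Manifest struct {
	PlatformSerial string
	Components     []Component
}

func key(c Component) string { return c.Class + ":" + c.Serial }

// canonical returns deterministic bytes to sign: a sorted copy of the component list, so inventory order cannot change the result.
func canonical(m Manifest) []byte {
	c := m
	c.Components = append([]Component(nil), m.Components...)
	sort.Slice(c.Components, func(i, j int) bool { return key(c.Components[i]) < key(c.Components[j]) })
	b, _ := json.Marshal(c) // cannot fail for these plain struct types
	return b
}

// NewOEMKey generates the OEM signing key pair; in practice the private key stays in the OEM's HSM.
func NewOEMKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	return pub, priv
}

// SignManifest is the OEM side: produce the verifiable artifact.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, canonical(m))
}

// VerifyArtifact is the customer side: a forged or edited manifest fails here.
func VerifyArtifact(pub ed25519.PublicKey, m Manifest, sig []byte) bool {
	return ed25519.Verify(pub, canonical(m), sig)
}

// Diff compares the signed manifest with the inventory the device reports now. It runs at
// acceptance testing (scenario 2) and again in use (scenario 3); an empty result means a match.
func Diff(expected Manifest, observed []Component) []string {
	want := make(map[string]Component)
	for _, c := range expected.Components { want[key(c)] = c }
	var findings []string
	for _, o := range observed {
		k := key(o)
		e, ok := want[k]
		switch {
		case !ok:
			findings = append(findings, "unexpected component "+k)
		case e.Firmware != o.Firmware:
			findings = append(findings, "firmware mismatch on "+k)
		}
		delete(want, k)
	}
	for k := range want { // anything left in the manifest was not seen on the device
		findings = append(findings, "missing component "+k)
	}
	sort.Strings(findings)
	return findings
}

// FirmwareHash is what a device agent would compute over the flashed image.
func FirmwareHash(image []byte) string {
	h := sha256.Sum256(image)
	return hex.EncodeToString(h[:])
}

// SampleManifest is constructed demo data; serials and firmware images are invented.
func SampleManifest() Manifest {
	return Manifest{PlatformSerial: "SRV-000123", Components: []Component{
		{Class: "bios", Serial: "BIOS-7", Firmware: FirmwareHash([]byte("bios-1.2.3"))},
		{Class: "nic", Serial: "NIC-0042", Firmware: FirmwareHash([]byte("nic-fw-4.1"))},
		{Class: "ssd", Serial: "SSD-9", Firmware: FirmwareHash([]byte("ssd-fw-2.0"))},
	}}
}

func main() {
	pub, priv := NewOEMKey()
	m := SampleManifest()
	sig := SignManifest(priv, m)
	fmt.Println("artifact verifies:", VerifyArtifact(pub, m, sig)) // true
	// Simulate a NIC reflashed with unknown firmware after the device shipped.
	observed := append([]Component(nil), m.Components...)
	observed[1].Firmware = FirmwareHash([]byte("reflashed"))
	fmt.Println("findings:", Diff(m, observed)) // [firmware mismatch on nic:NIC-0042]
}
```

The signature is computed over a canonical encoding so that two inventory tools listing the same parts in different orders still verify; the in-use check is just the acceptance-test check repeated on a schedule, with any finding treated as a potential tamper event rather than a reporting curiosity.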
NIST Releases Draft Practice Guide on Securing IoT Devices
On December 6, 2022, the NIST National Cybersecurity Center of Excellence published a draft of Practice Guide SP 1800-36, "Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management." The draft explains that IoT devices must be provisioned with the credentials and policies needed to join a network, a process known as "network-layer onboarding," and that establishing trust between the network and the IoT device before onboarding is critical to mitigating the risk of potential attacks. The draft guide identifies standards, recommended practices, and commercially available technologies, and demonstrates several mechanisms for trusted network-layer onboarding of IoT devices. NIST is accepting comments on the draft guide until February 3, 2023.