The US wants security requirements as standard to stop sensitive data from
falling into enemy hands
Date:
Sat, 14 Dec 2024 13:05:00 +0000
Description:
CISA has proposed new security requirements to protect sensitive data from
foreign adversaries.
FULL STORY
The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a
set of proposed security requirements aimed at reducing risks posed by
unauthorized access to American data.
The move is due to concerns about the vulnerabilities exposed by recent
cyberattacks, state-sponsored hacking campaigns, and the misuse of personal
data by hostile nations.
The proposal aligns with Executive Order 14117, signed by President Biden
earlier in 2024, which seeks to address gaps in data security that could
compromise national interests.
Strengthening protections against foreign threats
The proposed requirements focus on entities that handle large-scale sensitive
data, particularly in industries such as artificial intelligence,
telecommunications, healthcare, finance, and defence contracting.
Companies operating in these fields are seen as critical targets due to the
nature of the data they manage, with the US telecommunications industry
recently being hit by a huge attack.
CISA's primary concern is that data from these organizations could fall into
the hands of countries of concern or covered persons - terms used by the U.S.
government to refer to foreign adversaries known for engaging in cyber
espionage and data breaches.
These new security standards aim to close loopholes that could expose
sensitive data to state-sponsored groups and foreign intelligence actors.
Businesses will need to keep an updated inventory of their digital assets,
including IP addresses and hardware configurations, to stay prepared for
potential security incidents. Companies will also be required to enforce
multi-factor authentication (MFA) on all critical systems and require
passwords that are at least 16 characters long to prevent unauthorized
access.
Vulnerability management is another key focus: organizations must remediate
any known exploited vulnerability or critical flaw within 14 days, even if
exploitation has not been confirmed. High-severity vulnerabilities must be
fixed within 30 days.
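A small tracker for the remediation windows described above, added here as an illustration and not code from CISA or from the article. The finding fields, the identifiers and the sample findings are all constructed; only the 14-day and 30-day windows come from the text.

```python
"""Remediation-deadline tracker for the proposed windows (added example).

Windows are the ones stated in the proposal summary: 14 days for known
exploited or critical findings, 30 days for high severity. Everything else
here (field names, asset names, VULN-* ids) is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

WINDOW_KEV_OR_CRITICAL = 14  # days, per the proposal
WINDOW_HIGH = 30             # days, per the proposal


@dataclass(frozen=True)
class Finding:
    asset: str                 # hostname from the asset inventory (constructed)
    vuln_id: str               # tracking id (constructed placeholder)
    severity: str              # "critical", "high", "medium" or "low"
    known_exploited: bool      # listed as exploited, whether or not confirmed
    discovered: date           # date the finding was first recorded
    remediated: Optional[date] = None


def remediation_window(f: Finding) -> Optional[int]:
    """Days allowed to fix the finding, or None when no window applies."""
    if f.known_exploited or f.severity == "critical":
        return WINDOW_KEV_OR_CRITICAL
    if f.severity == "high":
        return WINDOW_HIGH
    return None


def due_date(f: Finding) -> Optional[date]:
    window = remediation_window(f)
    return None if window is None else f.discovered + timedelta(days=window)


def overdue(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """(asset, vuln_id, days_late) for open findings past their due date."""
    late = []
    for f in findings:
        due = due_date(f)
        if due is None or f.remediated is not None:
            continue  # no window applies, or already fixed
        if today > due:
            late.append((f.asset, f.vuln_id, (today - due).days))
    return sorted(late, key=lambda row: -row[2])  # most overdue first


SAMPLE_TODAY = date(2024, 12, 14)  # the article's date
SAMPLE = [  # constructed findings
    Finding("db-01", "VULN-A", "critical", False, date(2024, 11, 20)),
    Finding("web-02", "VULN-B", "high", True, date(2024, 11, 25)),
    Finding("web-02", "VULN-C", "high", False, date(2024, 11, 25)),
    Finding("vpn-01", "VULN-D", "medium", False, date(2024, 10, 1)),
    Finding("mail-01", "VULN-E", "critical", False, date(2024, 11, 1),
            remediated=date(2024, 11, 10)),
]

if __name__ == "__main__":
    for asset, vuln_id, days in overdue(SAMPLE, SAMPLE_TODAY):
        print(f"{asset} {vuln_id} overdue by {days} day(s)")
```

Note that a high-severity finding flagged as known exploited (VULN-B) falls under the shorter 14-day window, not the 30-day one.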
The new proposal also emphasizes network transparency, and companies are
required to maintain accurate network topologies to enhance their ability to
identify and respond to security incidents.
Immediate revocation of access for employees following termination or changes
in role is mandated to prevent insider threats. Additionally, unauthorized
hardware, such as USB devices, will be prohibited from connecting to systems
that handle sensitive data, further reducing the risk of data leakage.
In addition to system-level protections, CISA's proposal introduces robust
data-level measures aimed at minimizing the exposure of personal and
government information. Organizations will be encouraged to collect only the
data that is essential for their operations and, where possible, mask or
de-identify it to prevent unauthorized access. Encryption will play a vital
role in securing data during any transaction that involves a restricted
entity, ensuring that even if data is intercepted, it cannot be easily
deciphered.
A critical requirement is that encryption keys must not be stored alongside
the data they protect, particularly in regions identified as countries of
concern. Furthermore, organizations will also be encouraged to adopt advanced
privacy-preserving techniques, such as homomorphic encryption or differential
privacy, which allow data to be processed without exposing the underlying
information.
CISA is seeking public feedback on the proposed requirements to refine the
framework before it is finalized. Interested stakeholders, including industry
leaders and cybersecurity experts, are invited to submit their comments via
regulations.gov by entering CISA-2024-0029 in the search field and following
the instructions to provide input.
Via BleepingComputer
======================================================================
Link to news story:
https://www.techradar.com/pro/The-US-wants-security-requirements-as-standard-to-stop-sensitive-data-from-falling-into-enemy-hands
--- SBBSecho 3.20-Linux
* Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)