America further shields own data from foreign countries

U.S. cybersecurity watchdog CISA recently issued a consultation list of new mandatory security requirements. These should prevent malicious countries or individuals from accessing large amounts of personal data of U.S. citizens and the government.

CISA is very concerned about countries or individuals acting out of malicious motives, such as state hackers, being able to access data of U.S. citizens.

To this end, the cybersecurity regulator recently issued a list of possible new mandatory cybersecurity measures to prevent such access to the sensitive data in question.

Several proposed measures

The measures in the proposal address both the organization within companies and agencies and the sensitive data itself. Among other things, it is proposed to maintain and update a list of IT assets, including IP addresses and hardware MAC addresses; to patch vulnerabilities known to be exploited within 14 days, vulnerabilities identified as critical within 15 days and high-impact vulnerabilities within 30 days; and to keep an accurate network topology for incident identification and resolution.

In addition, the measures cover issues such as strictly implementing MFA on all critical systems, requiring long passwords, revoking all access rights upon termination of employment or job changes, and preventing unauthorized hardware such as USB sticks from connecting to the systems covered by the measures.

Companies and agencies should also collect logs for security incidents, such as data from IDS/IPS, firewalls, data breach prevention and VPN logins.

Other Proposals

Other proposed measures include limiting the data collected to prevent unwanted access or linking that data to U.S. persons. Furthermore, companies and agencies should not store encryption keys alongside the data in question or house it in potentially suspicious countries. Last but not least, it is desirable for companies to use more advanced encryption and privacy techniques to prevent hackers or other malicious parties from distilling sensitive data from (leaked) processed data.

Executive Order

The CISA proposal does not stand alone, by the way. The proposed measures now presented stem from an Executive Order previously issued by U.S. President Biden that can hold companies and organizations liable when severe data breaches of personal and corporate data threaten national security.

The proposed measures are now up for consultation in the US before final adoption by the cybersecurity regulator.