New CISA Rules Aim to Strengthen Cybersecurity for U.S. Government Transactions


The Cybersecurity and Infrastructure Security Agency (CISA) has proposed new security requirements that aim to protect Americans’ sensitive personal data and U.S. government-related data from being accessed by “countries of concern [or] covered persons.” More specifically, the rules aim to reinforce cybersecurity policy among companies doing work with or making transactions with the U.S. Government.

Many requirements listed in the proposal are cited specifically from the National Institute of Standards and Technology (NIST) framework.

The proposal splits rules into two categories: organizational and system-level requirements, and data-level requirements.

When it comes to physical access to on-site systems, CISA’s requirements commit organizations to strict credential management, including not just multifactor authentication but also prohibiting unauthorized connected hardware and disabling AutoRun itself.

Another proposed rule would have machines configured to “deny by default all connections to covered systems and any network on which covered systems reside, unless connections are explicitly allowed for specific system functionality.”

For the data itself, CISA wants to require organizations to use data minimization and data masking techniques to protect and obfuscate what could be deemed sensitive from prying eyes. The proposal states that this may be done “through application of techniques such as aggregation, pseudonymization, de-identification, or anonymization.” These methods help keep data private and secure while still allowing businesses to use the information for their operations.
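The data-level techniques named above, shown on constructed records as an added example that is not taken from the article or from CISA's proposal. The record fields, the `NEEDED` list, the age-band grouping, the demo key and the threshold `k` are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample records; every value is invented for this example.
RECORDS = [
    {"name": "Ana Ruiz", "ssn": "123-45-6789", "age": 34, "purchase": 120.0},
    {"name": "Ben Cole", "ssn": "987-65-4321", "age": 37, "purchase": 80.0},
    {"name": "Cy Dunn", "ssn": "555-12-3456", "age": 52, "purchase": 45.5},
    {"name": "Ana Ruiz", "ssn": "123-45-6789", "age": 34, "purchase": 30.0},
]
NEEDED = ("purchase",)  # assumed: the only raw field the downstream job uses


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token. Stable, so rows for one person still join,
    but not reversible by guessing: an unkeyed hash of a 9-digit SSN can be
    brute-forced by hashing every possible SSN."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_ssn(ssn: str) -> str:
    """Masking: keep only the last four digits for display."""
    return "***-**-" + ssn[-4:]


def protect(record: dict, key: bytes) -> dict:
    out = {f: record[f] for f in NEEDED}               # minimization
    out["subject"] = pseudonymize(record["ssn"], key)  # pseudonymization
    out["ssn_masked"] = mask_ssn(record["ssn"])        # masking
    out["age_band"] = f"{record['age'] // 10 * 10}s"   # generalization
    return out


def aggregate(rows: list, k: int = 2) -> dict:
    """Aggregation: distinct subjects per age band, suppressing any band
    with fewer than k subjects so a small group cannot single someone out."""
    bands = {}
    for row in rows:
        bands.setdefault(row["age_band"], set()).add(row["subject"])
    return {band: len(s) for band, s in bands.items() if len(s) >= k}


if __name__ == "__main__":
    demo_key = b"demo-key-load-from-a-secrets-manager"  # constructed key
    protected = [protect(r, demo_key) for r in RECORDS]
    for row in protected:
        print(row)
    print(aggregate(protected))
```

The pseudonymization key is what separates the tokens from the identities, so it has to be stored and access-controlled apart from the protected data set.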

By implementing strong organizational, system-level, and data-level requirements, CISA aims to position businesses to better handle the risks associated with restricted transactions. As threats grow, the government must enact policies that can both combat their impact and foster a culture of security among industries.