Federal information security officials urged Congress to sharpen the teeth of new cybersecurity legislation designed to make critical infrastructure companies quickly disclose information about hacking incidents. Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly indicated that it would be ideal for critical infrastructure companies to disclose cyber incidents within 24 hours of their occurrence.
These exhortations took place at a recent hearing conducted by the U.S. Senate Homeland Security and Governmental Affairs Committee. Easterly’s recommended disclosure timeframe matches the 24-hour reporting window requirement contained in the Senate bill, which also would enable CISA to fine companies up to 0.5% of their annual revenue for each day that they delay a disclosure. A separate but related House bill calls for critical infrastructure companies to disclose hacks within 72 hours (but no fines, although CISA could subpoena companies that do not disclose breaches within three days).
Other new rules and regulations related to incident disclosures and Internet of Things (IoT) security appear sure to follow, especially after the Colonial Pipeline hack and President Biden’s executive order on national cybersecurity in May.
Agreed-upon standards are a decisive component of effective rules and regulations as well as an organization’s ability to comply with those rules as effectively and cost-efficiently as possible. To that end, the May cybersecurity executive order directs the National Institute of Standards and Technology (NIST) to initiate two labeling programs on cybersecurity capabilities of Internet-of-Things (IoT) consumer devices and software development practices.
NIST is busy these days. The agency has also been working to create new guidelines for enhancing the security of the software supply chain. Preliminary guidance will be published by early November, and NIST is slated to issue a final set of practices that enhance software supply chain security in February 2022.
Although the IoT labeling programs are focused on consumer devices, these efforts are also important to third party risk management (TPRM) practitioners. The secure IoT software development practices NIST is developing will apply to consumer and B2B applications. Plus, the fact that work from home (WFH) models appear likely to remain in use (permanently or in a hybrid format) for at least the next 12 months means that consumer IoT devices will remain a business – and therefore, third party – risk.
That should also motivate TPRM and cybersecurity professionals and their organizations to help shape NIST’s guidance concerning IoT labeling and secure software development practices. One way to do so is by commenting on the draft criteria NIST has developed and/or by submitting a position paper on the agency’s software labeling effort. Both calls for information remain in effect through Oct. 17.
IoT offers a vivid demonstration “of the immutable fact that technology always overtakes the law,” notes Shared Assessments Senior Advisor Bob Jones, who asserts that IoT security standards and rules-making “certainly deserve commentary from security experts.”
Shared Assessments’ IoT Risk Management survey report offers a convenient way to sharpen your knowledge of current IoT risk management practices and challenges.