The US wants standard security requirements to prevent sensitive data from falling into enemy hands
- CISA requires organizations in critical sectors to update their security
- MFA, vulnerability management and data encryption will be enforced
- These changes will help limit the potential theft of data by state-sponsored and national actors
The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a series of security measures proposed security requirements aimed at reducing the risks arising from unauthorized access to US data.
The move comes amid concerns about the vulnerabilities exposed by recent cyber attacks, state-sponsored hacking campaigns and the misuse of personal data by hostile countries.
The proposal follows Executive Order 14117, signed by President Biden earlier in 2024, which aims to address data security gaps that could compromise national interests.
Strengthening protection against foreign threats
The proposed requirements are aimed at entities that process sensitive data on a large scale, particularly in sectors such as artificial intelligence, telecommunications, healthcare, finance and defense contracts.
Companies operating in these areas are seen as critical targets due to the nature of the data they manage, with the US telecommunications industry recently hit by a massive attack.
CISA’s primary concern is that data from these organizations could fall into the hands of “countries of concern” or “covered persons” – terms used by the US government to refer to foreign adversaries known for their involvement in cyber espionage and data leaks.
These new security standards are intended to close loopholes that could expose sensitive data to state-sponsored groups and foreign intelligence services.
Companies will need to maintain an updated inventory of their digital assets, including IP addresses and hardware configurations, to stay prepared for potential security incidents. Companies will also be required to enforce multi-factor authentication (MFA) on all critical systems and require passwords that are at least 16 characters long to prevent unauthorized access.
Vulnerability management is another key focus, and organizations must remediate and address any known exploited vulnerabilities or critical flaws within 14 days, even if the exploitation has not been confirmed. Very serious vulnerabilities must be resolved within 30 days.
The new proposal also emphasizes network transparency, and companies are required to maintain accurate network topologies to increase their ability to identify and respond to security incidents.
To prevent insider threats, immediate revocation of access for employees after dismissal or job changes is mandatory. Additionally, unauthorized hardware, such as USB devices, will be prohibited from connecting to systems that process sensitive data, further reducing the risk of data leakage.
In addition to system-level protections, the CISA proposal introduces robust data-level measures aimed at minimizing the exposure of personal and government information. Organizations will be encouraged to collect only the data that is essential to their operations and mask or anonymize it where possible to prevent unauthorized access. Encryption will play a crucial role in securing data during any transaction involving a ‘restricted entity’, ensuring that even if data is intercepted, it cannot be easily deciphered.
A crucial requirement is that encryption keys cannot be stored next to the data they protect, especially in regions identified as countries of concern. In addition, organizations will also be encouraged to adopt advanced privacy-preserving techniques, such as homomorphic encryption or differential privacy, which allow data to be processed without exposing the underlying information.
CISA is seeking public feedback on the proposed requirements to refine the framework before finalizing it. Interested stakeholders, including industry leaders and cybersecurity experts, are invited to submit their comments via regulations.gov by entering CISA-2024-0029 in the search field and following the prompts to provide input.
Via BleepingComputer