At a glance.
- Software bills-of-materials, and their place in a larger policy.
- Five-year tenure for the CISA director?
- Alternative cookie controls in the UK.
- US Commerce Department's AI advisory panel.
- Comment on CISA's plans for zero-trust.
How SBOM might fit into a larger cybersecurity policy.
Executive Gov relays CISA advisor Allan Friedman’s comments on rolling out the Government’s software bill of materials (SBOM) agenda. SBOM is not a “standalone concept,” he said, but “part of a multifaceted cybersecurity agenda” that “enables further intelligence efforts.” Next steps involve getting everyone on the same terminological page and scaling implementation with both urgency and care.
Proposed law would give the CISA Director a five-year tenure.
Representative Andrew Garbarino (Republican, New York 2nd), along with a bipartisan cohort of lawmakers, this week introduced the CISA Leadership Act, which Garbarino explains would establish a five-year term for the Director of CISA. Co-sponsor Representative Jim Langevin (Democrat, Rhode Island 2nd) says the bill would allow CISA to be “a step removed from the day-to-day politics of Washington.” The Director would still be nominated by the President and confirmed by the Senate.
British data protection authority pitches alternate cookie controls.
Citing ‘pop-up fatigue,’ the UK Information Commissioner’s Office is attempting to convince standards groups and browser merchants to shift cookie consent to the browser level with a little goading from G7 counterparts, the Record reports. The EU’s “cookie law” came into force nearly a decade ago, and has been gumming up the user experience ever since. Cornell University research suggests the regulation has not had the desired effect.
The US Commerce Department convenes an AI advisory panel.
FedScoop describes the Department of Commerce and National AI Initiative Office’s new National AI Advisory Committee (NAIAC), organized in compliance with the National AI Initiative Act of 2020. Commerce is recruiting industry, academic, nonprofit, and Government experts for the board and for a separate AI and Law Enforcement subcommittee. NAIAC will tackle strategic, R&D, legal, civil rights, ethical, resourcing, workforce, and global outreach topics with an eye to ensuring “accuracy, security, explainability and interpretability, reliability, privacy, safety, and the mitigation of bias” in AI applications, according to Commerce.
“AI presents an enormous opportunity to tackle the biggest issues of our time, strengthen our technological competitiveness, and be an engine for growth in nearly every sector of the economy,” Commerce Secretary Raimondo commented, “But we must be thoughtful, creative, and wise in how we address the challenges that accompany these new technologies.”
Industry comment on the US Federal Government's zero-trust framework.
We saw yesterday how CISA had offered guidance on the US Government's plans for zero-trust. We've since heard from Tim Erlin, VP of strategy at Tripwire, who sees the CISA maturity model as a welcome step forward:
“CISA’s maturity model provides a needed tool for Federal agencies to assess their own status and plan progress towards Zero Trust. The transition to Zero Trust isn’t an all or nothing proposition, and the maturity model acknowledges that agencies can make progress across different “pillars” and in different ways.
“A government-wide shift in cybersecurity policy and implementation will take time, but it’s important that agencies can lay out a plan and measure execution against that plan. Real progress can be made in very reasonable time frames.
“As agencies work towards the specific objectives identified in the OMB draft, it will be important that they have tools in place to assess their progress and identify non-compliance. For example, if all production systems should be using HTTPS and not HTTP, the ability to identify production systems that are misconfigured is vitally important.
“The specific actions outlined in the OMB draft are highly valuable, but do not constitute a fully functional Zero Trust architecture. By comparing the OMB guidance with CISA’s maturity model, government agencies can identify and address gaps. OMB and CISA are well aligned, but they must address a wide variety of current states across existing agencies.”