At a glance.
- NIST close-reads the Executive Order on improving cybersecurity and explains the role it will play.
- An NTSB for cyber?
- US House considers two bills informed by the Colonial Pipeline incident.
NIST’s role under the US cybersecurity Executive Order.
The National Institute of Standards and Technology (NIST) recaps its new duties under Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.” NIST will craft standards and tools in consultation with stakeholders to strengthen software supply chain security from development and vendor vetting to implementation and testing, with an accelerated timeline for guidelines surrounding “critical software.” The agency is tasked with defining “critical software” with reference to features like network access, system interdependence, criticality of function, and consequences if compromised. As we’ve seen, the resulting standards will guide Federal software procurement.
NIST will also develop labeling programs for consumer software and IoT devices, and issue recommendations for source code testing best practices, such as what kinds of automated or manual tests are preferable.
Will the NTSB analogy work for cyber incidents?
FCW questions the viability of the cyber incident safety review board instituted by the cybersecurity EO and patterned after the National Transportation Safety Board (responsible for investigating events like aircraft disasters), given the comparative poverty of regulation in the cyber domain and the fast pace and broad reach of cyber incidents. One member of Congress suggested having a “Bureau of Cyber Statistics” draw conclusions from cumulative incident data instead. Another industry observer said the Administration ought to hold off on multiplying roles until a National Cyber Director is confirmed.
The model could improve transparency, however, and generate beneficial policy advice, according to other experts. The first board will examine the Holiday Bear breach, under the guidance of the Secretary of Homeland Security, an industry leader, and officials from the FBI, NSA, Pentagon, Justice Department, Cybersecurity and Infrastructure Security Agency (CISA), and private sector. Within roughly four months of convening, the panel will deliver its findings to the President.
Congress considers two bills after the Colonial Pipeline attack.
BankInfo Security describes two bipartisan bills Congress is pursuing in the wake of the Colonial ransomware attack. The Pipeline Security Act, which stalled in 2019, would formalize CISA and the Transportation Security Administration’s (TSA’s) responsibilities for protecting pipelines, direct TSA to modernize pipeline safety protocols, and impose new oversight on the agency.
The CISA Cyber Exercise Act would instruct CISA to support state and local assessments of critical infrastructure security and design a “national cyber exercise program” for public and private asset testing.