At a glance.
- NIST to rework its cybersecurity guidelines.
- NSA updates its internet protocol guidance.
- CRA violations could mean steep fines.
NIST to rework its cybersecurity guidelines.
Yesterday the US National Institute of Standards and Technology (NIST) announced plans to revise its Cybersecurity Framework (CSF), a voluntary guidance document initially published in 2014 and last updated in 2018. NIST has described the CSF as a “living document that is refined and improved over time,” and the planned revisions will be based on feedback received during a recent workshop and a Request for Information released last year. As Nextgov explains, some of the updates could include increased international collaboration, clearer integration with other NIST frameworks, and expanded coverage of supply chains. The introduction to the concept paper states, “With this update, NIST is open to making more substantial changes than in the previous update. The ‘CSF 2.0’ version reflects the evolving cybersecurity landscape—but community needs will drive the extent and content of the changes.” Comments on the concept paper are due by March 3, and NIST will host a virtual workshop on February 15 to promote engagement with the update.
NSA updates its internet protocol guidance.
Executive Gov reports that the US National Security Agency (NSA) on Wednesday issued the IPv6 (internet protocol version 6) Security Guidance, updated guidelines outlining recommendations to help the Department of Defense and other federal bodies increase awareness and prevention of security issues during the transition from current legacy internet protocol (IPv4) networks. Neal Ziring, cybersecurity technical director at NSA, explained, “The Department of Defense will incrementally transition from IPv4 to IPv6 over the next few years and many DoD networks will be dual-stacked.” To protect against security risks and reduce the attack surface, NSA advises organizations to assign IPv6 addresses to hosts, avoid tunnels, employ cybersecurity mechanisms that support both IPv4 and IPv6, and provide the necessary training for network administrators.
CRA violations could mean steep fines.
HelpNetSecurity reviews the penalties associated with violations of the EU’s Cyber Resilience Act (CRA), introduced in September and currently undergoing consultation, with a 24-month transition period planned. The measure is focused on remediating the digital fragmentation of devices and systems with network connections, with a special focus on industrial networks and critical infrastructure. EU officials are trying to emphasize the importance of keeping such devices secure, and as such, the fines for affected manufacturers and distributors are steep: up to 15 million euros or 2.5% of global annual revenues for the past fiscal year, whichever is larger. Impacted entities are required to notify ENISA, the EU’s cybersecurity agency, within twenty-four hours of detecting a security vulnerability, and failure to do so could result in sanctions. Jan Wendenburg, CEO at European automated security & compliance analysis firm ONEKEY, explains, “This makes it absolutely clear: there will be substantial penalties on manufacturers if the requirements are not implemented.”