At a glance.
- Federal Cybersecurity Vulnerability Reduction Act would extend vulnerability disclosure regulations to contractors.
- What to expect from the updated Fair Credit Reporting Act.
- The US takes a reward/punishment approach to securing critical infrastructure.
Federal Cybersecurity Vulnerability Reduction Act would extend vulnerability disclosure regulations to contractors.
Representative Nancy Mace (Republican, South Carolina First District) this morning announced the introduction of the Federal Cybersecurity Vulnerability Reduction Act of 2023. Mace chairs the House Oversight and Accountability Committee’s cybersecurity, information technology, and government innovation subcommittee.
The proposed measure would, FedScoop reports, extend to contractors the vulnerability disclosure requirements under which Federal agencies presently operate. Representative Mace, who sponsors the measure, said, "The Federal Cybersecurity Vulnerability Reduction Act will play a crucial role in safeguarding our nation's digital infrastructure. By mandating Vulnerability Disclosure Policies (VDP) for federal contractors, we can ensure a proactive approach to cybersecurity, enabling contractors to identify and address software vulnerabilities promptly. This legislation, aligned with internationally recognized standards, empowers contractors to stay ahead of malicious actors, preventing potential exploits and protecting sensitive information. With the Federal Cybersecurity Vulnerability Reduction Act, we will reinforce our commitment to a robust and resilient cyberspace, fostering trust and security in the digital age."
HackerOne expressed its support for the bill: "We strongly endorse the Federal Cybersecurity Vulnerability Reduction Act, introduced this week by @RepNancyMace. If enacted, the bill would require VDPs for all federal contractors."
What to expect from the updated Fair Credit Reporting Act.
Following a March inquiry conducted by the US Consumer Financial Protection Bureau (CFPB), on August 15 Director Rohit Chopra announced plans to extend the Fair Credit Reporting Act (FCRA) to certain “data broker practices.” The new rules are expected to be published for public comment in 2024, but in the meantime, the CFPB released a fact sheet offering an overview of the proposed changes. As cyber/data/privacy insights explains, the new rules would expand the FCRA in two ways. One: Data brokers that sell certain types of consumer information would be defined as “consumer reporting agencies” (CRAs), meaning they would be required to comply with certain requirements regarding accuracy and dispute handling. Two: The extent to which “credit header data” (identification details like name, date of birth, and Social Security number) constitutes a “consumer report” would be clarified in order to protect against disclosure of this data. As well, the new rules address concerns about how data brokers use artificial intelligence and automated decision-making. This change falls in line with recent federal warnings and state-level legislation focused on more closely regulating automated decision-making. Chopra also noted that the CFPB would employ a cross-sector approach to rulemaking, stating that “any updated rules under the [FCRA] can be enforced by the CFPB and state law enforcement across sectors of the economy,” as well as by the “Federal Trade Commission, the Department of Transportation, the Department of Agriculture, and other agencies … for specific sectors under their jurisdiction.”
The US takes a reward/punishment approach to securing critical infrastructure.
As cyberattacks have become more and more commonplace, the US, like many countries, has been taking strides to better protect its critical infrastructure from intrusion. Security Intelligence looks at the federal government’s recent efforts and deduces that lawmakers have employed a carrot-and-stick approach, using both incentives and penalties as motivators to direct company behavior. For instance, one stick would be 2022’s Cyber Incident Reporting for Critical Infrastructure Act, which states that critical infrastructure companies that fail to report cyberincidents to the Cybersecurity and Infrastructure Security Agency will face steep penalties. Underreporting is a major concern, as the Federal Bureau of Investigation estimates it receives reports for only 10-12% of all cybercrimes, and a recent report from cybersecurity technology company Bitdefender revealed that more than 40% of IT security professionals have been told to keep cyberincidents under wraps. On the other hand, one example of a carrot would be a new cyber incentive framework from the Federal Energy Regulatory Commission. Companies that make certain cybersecurity investments or join a threat information-sharing program are rewarded by receiving access to an incentive-based rate recovery, allowing them to fund cybersecurity investments through increases in consumer electric bills. Falling under the requirements of the Biden administration’s Infrastructure Investment and Jobs Act, the program makes cybersecurity costs part of the equation when it comes to setting customer rates.