The US wants security requirements as standard to stop sensitive data from falling into enemy hands


  • CISA is requiring organizations in critical sectors to update their security
  • MFA, vulnerability management, and data encryption will be enforced
  • These changes will help mitigate the potential theft of data by state-sponsored and nation state actors

The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a set of proposed security requirements aimed at reducing risks posed by unauthorized access to American data.

The move is due to concerns about the vulnerabilities exposed by recent cyberattacks, state-sponsored hacking campaigns, and the misuse of personal data by hostile nations.

The proposal aligns with Executive Order 14117, signed by President Biden earlier in 2024, which seeks to address gaps in data security that could compromise national interests.

Strengthening protections against foreign threats

The proposed requirements focus on entities that handle large-scale sensitive data, particularly in industries such as artificial intelligence, telecommunications, healthcare, finance, and defence contracting.

Companies operating in these fields are seen as critical targets due to the nature of the data they manage, with the US telecommunications industry recently being hit by a huge attack.

CISA's primary concern is that data from these organizations could fall into the hands of “countries of concern” or “covered persons” - terms used by the U.S. government to refer to foreign adversaries known for engaging in cyber espionage and data breaches.

These new security standards aim to close loopholes that could expose sensitive data to state-sponsored groups and foreign intelligence actors.

Businesses will need to keep an updated inventory of their digital assets, including IP addresses and hardware configurations, to stay prepared for potential security incidents. Companies will also be required to enforce multi-factor authentication (MFA) on all critical systems and require passwords that are at least 16 characters long to prevent unauthorized access.

Vulnerability management is another key focus: organizations must remediate any known exploited vulnerabilities or critical flaws within 14 days, even where exploitation has not been confirmed. High-severity vulnerabilities must be fixed within 30 days.
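As an added illustration (not part of the article or of CISA's proposal), a small Python tracker that applies the two remediation windows above to a constructed vulnerability inventory and lists which open findings are past their deadline; the asset names and VULN-xxx ids are hypothetical placeholders, and the "known exploited" flag stands in for a KEV-list lookup.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows from the proposal: known-exploited or critical
# flaws within 14 days (whether or not exploitation is confirmed),
# high-severity flaws within 30 days.
KEV_OR_CRITICAL_DAYS = 14
HIGH_DAYS = 30

@dataclass
class Finding:
    asset: str
    vuln_id: str            # constructed placeholder ids, not real CVEs
    severity: str           # "critical", "high", "medium" or "low"
    on_kev_list: bool       # True if listed as known exploited
    detected: date
    remediated: Optional[date] = None

def remediation_window(f: Finding) -> Optional[int]:
    """Days allowed for this finding, or None if the rule sets no window."""
    if f.on_kev_list or f.severity == "critical":
        return KEV_OR_CRITICAL_DAYS
    if f.severity == "high":
        return HIGH_DAYS
    return None

def deadline(f: Finding) -> Optional[date]:
    window = remediation_window(f)
    return None if window is None else f.detected + timedelta(days=window)

def overdue_findings(findings, as_of: date):
    """Open findings past their deadline as of `as_of`, worst first."""
    late = []
    for f in findings:
        due = deadline(f)
        if due is None or f.remediated is not None or as_of <= due:
            continue
        late.append((f.asset, f.vuln_id, (as_of - due).days))
    return sorted(late, key=lambda row: row[2], reverse=True)

# Constructed sample inventory: hypothetical assets and placeholder ids.
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-001", "high", True, date(2024, 10, 10)),
    Finding("db-02", "VULN-002", "critical", False, date(2024, 10, 25)),
    Finding("vpn-01", "VULN-003", "high", False, date(2024, 9, 20)),
    Finding("hr-app", "VULN-004", "medium", False, date(2024, 8, 1)),
    Finding("mail-01", "VULN-005", "critical", False, date(2024, 10, 1), date(2024, 10, 12)),
]
AS_OF = date(2024, 11, 1)
```

Note that a high-severity finding that is also on the known-exploited list (web-01 above) gets the shorter 14-day window, not the 30-day one.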

The new proposal also emphasizes network transparency, and companies are required to maintain accurate network topologies to enhance their ability to identify and respond to security incidents.

Immediate revocation of access for employees following termination or changes in role is mandated to prevent insider threats. Additionally, unauthorized hardware, such as USB devices, will be prohibited from connecting to systems that handle sensitive data, further reducing the risk of data leakage.

In addition to system-level protections, CISA’s proposal introduces robust data-level measures aimed at minimizing the exposure of personal and government information. Organizations will be encouraged to collect only the data that is essential for their operations and, where possible, mask or de-identify it to prevent unauthorized access. Encryption will play a vital role in securing data during any transaction that involves a “restricted entity,” ensuring that even if data is intercepted, it cannot be easily deciphered.

A critical requirement is that encryption keys must not be stored alongside the data they protect, particularly in regions identified as countries of concern. Furthermore, organizations will also be encouraged to adopt advanced privacy-preserving techniques, such as homomorphic encryption or differential privacy, which allow data to be processed without exposing the underlying information.

CISA is seeking public feedback on the proposed requirements to refine the framework before it is finalized. Interested stakeholders, including industry leaders and cybersecurity experts, are invited to submit their comments via regulations.gov by entering CISA-2024-0029 in the search field and following the instructions to provide input.

Via BleepingComputer

Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com
