The impact of cybersecurity incidents is growing larger every year. In January 2021, more than 30,000 U.S. businesses were impacted by a massive attack on the Microsoft Exchange email servers. A few months later, attacks on Facebook and LinkedIn resulted in the theft of more than 1.2 billion user records. The Colonial Pipeline ransomware attack caused the shutdown of the oil pipeline system and panic-driven fuel shortages in April 2021.
These and many other similar incidents highlight the critical importance of strong cybersecurity defenses, and the fallout their absence can cause across all sectors of the economy. They make a good case for government regulation – which is why the regulatory landscape in the U.S. is now undergoing seismic changes after many decades of being largely static.
Discover the most important new and upcoming regulations you need to know about.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law by President Biden in March 2022 as Title II of the Strengthening American Cybersecurity Act (SACA). CIRCIA requires companies that own or manage critical infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within specified time frames.
Essentially, CIRCIA is making it impossible for companies in the 16 critical-infrastructure sectors to sweep cyber attacks under the rug by, for example, paying ransom without telling anyone about the incident. The obligation to make an incident report remains effective even if the incident does not involve Personally Identifiable Information (PII).
The Cybersecurity Maturity Model Certification (CMMC) was first announced by the Department of Defense (DoD) in June 2019 as a new assessment framework for DoD contractors and subcontractors that handle Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Its purpose is to improve the cybersecurity posture of the Defense Industrial Base (DIB), which comprises 300,000 prime contractors and subcontractors. Since its original announcement, the framework has been refined and re-released as CMMC 2.0.
In this latest form, CMMC is divided into three maturity levels. The two higher levels require contractors to pass third-party audits to demonstrate compliance and win contracts from the DoD. A formal rulemaking process is currently underway, and it’s expected to be completed no later than November 2023.
NIST’s SP 800-218 Secure Software Development Framework (SSDF) was created in response to the President’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, issued in May 2021. Its goal is to mitigate the risk of software vulnerabilities. Companies that supply software and software services to the U.S. government must implement a core set of high-level secure software development practices.
The SSDF isn’t prescriptive because it focuses on outcomes rather than specific tools, techniques, and mechanisms. This makes it possible for organizations in any sector – regardless of their size – to take advantage of it to produce more secure software. The document can also be used by the customers of software vendors to make more informed purchase decisions.
The U.S. has a patchwork of data privacy regulations that protect specific types of data; however, it lacks a comprehensive federal data privacy law like the GDPR in the EU. The American Data Privacy and Protection Act (ADPPA) is intended to change that by regulating how organizations keep and use consumer data at the federal level.
The ADPPA was introduced in June 2022 and became the first federal online privacy bill to pass committee just a month later – nearly unanimously. Just like GDPR, or other similar national privacy laws, the ADPPA embraces the principles of:
The bill still needs to pass the House before it can continue to the Senate, but the bipartisan support it enjoys should make it relatively painless.
Cybersecurity regulations are not just being proposed and enacted at the federal level, but also at the state level. Several state governments, including Connecticut’s, have followed the example set by California in 2018 with its groundbreaking privacy law – the California Consumer Privacy Act (CCPA).
The Connecticut Data Privacy Act (CTDPA) was signed into law by Connecticut Governor Ned Lamont in May 2022. This new law gives consumers a broad swath of rights, including:
The law will go into effect on July 1, 2023 and is applicable to individuals who conduct business in Connecticut or produce products or services that are targeted to residents of Connecticut.
It’s paramount for all organizations to monitor new and upcoming regulations because the regulatory landscape governing data privacy and cybersecurity is rapidly changing. Failure to comply with a single cybersecurity regulation can result in a large financial and reputational loss that may take months, or even years, to recover from. Our experts at Aligned Technology Solutions understand how frustrating it can be to navigate the cybersecurity regulatory landscape alone. Partner with our team today and rest easy knowing you have the best expertise and affordable solutions at your fingertips. Your small or medium-sized business will effortlessly stay ahead of cybersecurity regulations. Contact us for more information.