FROM THE HILL: Cybersecurity #8
U.S. Vendors and Industries Prepare for New Cyber Rules
~4 minute read
Critical Infrastructure Providers
Cybersecurity industry watchers are expecting President Biden to imminently release his National Cybersecurity Policy. The Policy will call for enhanced reporting and increased regulation of several industry sectors, with a focus on the supply chain. At least eight federal agencies have multiple pending cybersecurity regulatory proceedings focused on 12 industry segments, federal government procurement, and cybersecurity providers themselves. The federal government market for cyber equipment, software, and services used to protect networks, computers, programs, and data from attack reached an all-time high of $8.7 billion in fiscal 2022, a 180% increase over the last decade (see chart below).
The Status of Cyber-Regulations
For the cybersecurity industry…The National Institute of Standards and Technology (NIST) will promulgate regulations later this year requiring federal agencies to obtain “self-attestation letters” from cybersecurity vendors declaring that their products adhere to NIST guidance. Federal Acquisition Regulation (FAR) officials are still considering the proposed rule, but the General Services Administration (GSA) said it will start collecting attestations by mid-June. GSA is in the process of developing training on the new rule and “anticipates a forthcoming FAR rule will provide definitive instructions for the requirements of the attestation at the contract level.” The agency plans to use a Cybersecurity and Infrastructure Security Agency (CISA) form that it expects to be available on GSA’s website before June.
The newest proposed rule has generated criticism on all sides. Watchdog organizations say the rule is unworkable, that voluntary “self-attestation” will result in fraud, and that many thousands of cybersecurity companies do not even understand the NIST standards. Federal contractors may have to do some digging into the cybersecurity requirements, especially if they rely on third-party partners. Federal program managers have expressed confusion over whether they will be required to collect the attestation letters or whether CISA will serve as the repository. The confusion extends to who will have responsibility for determining whether a vendor actually meets NIST standards. There are also questions about whether there will be a standardized form across agencies, or whether each agency that must police its cybersecurity providers will be allowed to develop its own self-attestation form.
NIST and CISA continue to develop what they term a “labelling scheme,” designed to require cybersecurity providers to label their products according to the NIST standard and the threat the product is designed to protect against. NIST and CISA have been seeking industry comments for months. Regulated industries are concerned that a comprehensive index will be required to meet cybersecurity requirements, yet there may be gaps in the areas the requirements cover.
In addition, cybersecurity providers are concerned about a drawn-out transition to version 2.0 of the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program. There is a lack of clarity on the program’s timeline, and the CMMC 2.0 compliance date for defense industrial base contractors is in question. The new framework will be implemented through the rulemaking process, which DOD has said can take up to two years from when the program was first announced in November 2021. CMMC 2.0 will be tied more closely to NIST standards that defense contractors should already be familiar with. It will allow some self-assessments in order to streamline the review process, as well as institute a network of independent third-party assessors. Beyond the CMMC 2.0 rollout, the Department of the Navy stayed on message at a three-day industry event last week, using the military doctrine of readiness to elevate the fields of cybersecurity, information warfare, and technology innovation, and to emphasize the growing threat that China poses. Officials brought up examples throughout the week of the role the private sector could play in enhancing the U.S.’s offensive cyber warfare capabilities and in speeding up technology innovation among multinational alliances.
Regulated industries…NIST’s proposed regulations are only the latest target of criticism of the Administration’s cybersecurity policies. In 2021, the Transportation Security Administration (TSA) waded into the complex waters of cyber-regulation, quickly promulgating rules for the pipeline industry and issuing notices of proposed rules for the water, wastewater, and transportation industries. The rules, issued in response to the Colonial Pipeline attack, followed the NIST standards and applied them in the form used for the consumer data industry, which deals with information privacy rather than operational systems. The ensuing confusion led to nearly 900 requests for variance and clarification from industry as well as from cybersecurity providers. In response, other federal agencies asserted their own jurisdiction over the markets they regulate.
The Securities and Exchange Commission (SEC) is the most recent federal regulatory agency to assert such authority. The SEC is finalizing a rule that would require publicly traded companies to report cyberattacks to investors within four business days. As with most of the pending rules, exactly what will qualify as a “material cybersecurity incident” requiring disclosure is still unclear. The rule has received fierce pushback from the private sector over its ambiguity, practicality, and overlapping mandates. A group of 34 trade associations wrote a letter to the SEC on the initial proposed rule last June laying out their concerns. The final rule is expected in April 2023.
The Environmental Protection Agency, Department of Energy, Federal Highway Administration, Federal Aviation Administration, and TSA all have pending cybersecurity rules. In addition, the ION Trading hack has the top U.S. derivatives watchdog, the Commodity Futures Trading Commission, planning new cyber rules in response to the attack. The spate of new rules, frameworks, and strategies reflects a dynamic threat landscape in which bad actors have successfully attacked hospital systems, school district networks, and even local drinking water supplies. Everything from critical infrastructure up to the government’s trove of sensitive data is at constant risk.
What Congress is Doing
· The House Energy and Commerce Innovation, Data and Commerce Subcommittee marked up five bills last week relating to Chinese apps, semiconductors, internet privacy, and jobs investment.
· The Energy Department would have to provide financial assistance to graduate students and postdoctoral researchers taking cybersecurity and energy infrastructure courses under a modified version of HR 302, which the Senate is currently scheduled to take up.
· Finally, the Senate is considering HR 346 and S. 66, which would require recommendations for cybersecurity updates to the Notice to Air Missions (NOTAM) system at the FAA.
Federal Spending Trends on Cybersecurity
Despite economic hard times for many sectors of the technology industry, federal sales for cybersecurity are expected to continue at record levels for the third consecutive year. While DOD and HHS top the list for expected contract spending, several other agencies, including DOE, DOT, and the Department of Education, will also see record appropriations for cybersecurity. In all of our discussions concerning the impact of the debt ceiling on the FY2023 appropriations cycle, cybersecurity does not appear to be on the list for possible reductions, known as rescissions, from previously authorized amounts. As currently planned, the federal government will spend over $7.6 billion on cybersecurity in this fiscal year.
Status of Industry Regulations
The grind toward federal rulemaking continues, which in our opinion may provide further openings into the non-federal State-Local-Education (SLED), utility infrastructure, and transportation markets. There are currently 194 proposed rules by federal agencies affecting cybersecurity requirements internally for the agency, for industry providers, or for regulated entities. While many are minor modifications, major rules are pending at the following agencies:
Department of Energy – Cybersecurity incentives
Department of Health and Human Services – Medicare program requirements
General Services Administration – Cybersecurity contracting requirements (modification to the FAR)
Federal Communications Commission – Wireless networks and major communications systems
Department of Treasury – Computer incident reporting requirements (Banking Industry)
Department of Defense – Contractor requirements
Securities and Exchange Commission – Government securities
Department of the Treasury – Virtual currency, blockchain requirements and market data structure
Department of Transportation – Automated Driving Systems
Department of Energy – Standard business practices, communications, and infrastructure (major utilities)
Nuclear Regulatory Commission – Cybersecurity programs for reactors
Environmental Protection Agency – Cybersecurity requirements for water providers
Transportation Security Administration – Pipeline operators
Transportation Security Administration – Rail operators
Transportation Security Administration – Airlines and Airports
While local agency assistance programs were included in the Infrastructure Investment and Jobs Act and the Inflation Reduction Act, many of these programs remain undersubscribed due to agency delays in rulemaking and confusion over the proposed rules’ requirements.
From the Hill is an industry snapshot for Capitol Core Group clients in select industries of interest. It is compiled from Capitol Core research and discussions as well as outside resources including Bloomberg Government, Roll Call, and other relevant sources. All data provided is public data but is compiled for ease of understanding.
This is the eighth in the series on the topic of cybersecurity since 2020 and is a general overview. Capitol Core initiated this snapshot because of reports that the President’s National Cybersecurity Policy will be released in the near future and because of Congressional actions on the subject.
Michael W. McKinney leads Capitol Core’s “technology” practice area which includes cybersecurity.