Updates to Chapter 9

Federal Cybersecurity Regulations and Guidelines

UPDATES TO SECOND EDITION

9.1 The NIST Framework

On February 26, 2024, NIST published version 2.0 of its Cybersecurity Framework (CSF 2.0), the first major revision of the framework since its initial release in 2014.

9.2.11 Government Contractors, Federal—Federal Acquisition Regulation

On March 11, 2024, CISA and the Office of Management and Budget (OMB) released the Secure Software Development Attestation Form. The form implements OMB Memorandum M-22-18 (September 2022), issued under EO 14028, which requires producers of software used by federal agencies to attest that the software was developed in conformance with the secure development practices of NIST’s Secure Software Development Framework (SSDF, SP 800-218).

In September 2023, the Department of Defense, the General Services Administration, and the National Aeronautics and Space Administration proposed amendments to the FAR intended to implement sections of President Biden’s May 2021 EO 14028, Improving the Nation’s Cybersecurity, by strengthening and standardizing contract requirements for cybersecurity and by providing mechanisms to hold accountable entities or individuals that knowingly put U.S. information or systems at risk by violating those requirements. The proposed rule would also implement OMB Memorandum M-21-07, Completing the Transition to Internet Protocol Version 6 (IPv6), dated November 19, 2020. See https://public-inspection.federalregister.gov/2023-21328.pdf.

9.2.14 Nuclear Power Plants—Nuclear Regulatory Commission

In February 2023, the U.S. Nuclear Regulatory Commission issued Revision 1 to Regulatory Guide (RG) 5.71, “Cyber Security Programs for Nuclear Power Reactors.” It provides NRC licensees with guidance on meeting the cyber security requirements described in section 73.54 of title 10 of the Code of Federal Regulations (10 CFR), “Protection of digital computer and communication systems and networks.”

9.2.22 Telecommunications—Federal Communications Commission

In November 2023, the FCC adopted regulations designed to address two fraudulent practices bad actors use to take control of consumers’ cell phone accounts. In the Matter of Protecting Consumers from SIM Swap and Port-Out Fraud, Report and Order and Further Notice of Proposed Rulemaking (released Nov. 16, 2023).

In the first type of scam, a bad actor convinces a victim’s wireless provider to transfer the victim’s mobile service and number from the victim’s cell phone to a cell phone in the bad actor’s possession. This is called “SIM swapping” because it involves an account being fraudulently transferred (or “swapped”) from a device associated with one subscriber identity module (SIM) to a device associated with a different SIM. In the second type of scam, the bad actor, posing as the victim, opens an account with a wireless provider other than the victim’s current provider. The bad actor then arranges for the victim’s phone number to be transferred (or “ported out”) to the account with the new wireless provider controlled by the bad actor. After completing either scam, the bad actor receives the calls and text messages sent to the victim’s number, including the SMS one-time passcodes many banks and online services use for authentication and password resets, and can use them to wreak havoc on the victim’s financial and digital life.

In response, the FCC revised its Customer Proprietary Network Information (CPNI) and Local Number Portability (LNP) rules to require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. See 47 C.F.R. § 64.2010, Safeguards on the disclosure of customer proprietary network information, and 47 C.F.R. § 52.37, Number Portability Requirements for Wireless Providers. The Commission also required wireless providers to immediately notify customers whenever a SIM change or port-out request is made on their accounts, and to offer all customers, at no cost, the option to lock or freeze their account to stop SIM changes and port-outs.

9.2.12 Health Care Industry—Department of Health and Human Services

In December 2023, HHS released a Department-wide cybersecurity strategy for the health care sector. Among other things, it indicated that HHS, through CMS, would impose cybersecurity requirements on hospitals receiving payments under Medicare and Medicaid. Under the proposed provisions, hospitals would be required to establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.

In January 2024, following up on the strategy, HHS issued voluntary cybersecurity performance goals for the health care and public health sector.

9.2.12.1 The HIPAA Security Rule

In February 2024, NIST, in collaboration with the HHS Office for Civil Rights (OCR), issued Special Publication (SP) 800-66 Revision 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide.

The publication provides an overview of the HIPAA Security Rule, strategies for assessing and managing risks to electronic protected health information (ePHI), suggestions for cybersecurity measures and solutions that HIPAA covered entities and business associates might consider as part of an information security program, and resources for implementing the Security Rule. Specific topic areas include:

  • Explanations of the HIPAA Security Rule’s Risk Analysis and Risk Management requirements.

  • Key Activities to consider when implementing Security Rule requirements.

  • Actionable steps for implementing security measures.

  • Sample questions to determine adequacy of cybersecurity measures to protect ePHI.

In addition to the publication itself, NIST has also provided supplementary content on its website to further assist HIPAA-covered entities and business associates with strategies to improve their cybersecurity in specific areas including:

  • Telehealth/Telemedicine

  • Mobile Device Security

  • Ransomware & Phishing

  • Medical Device Security

  • Cloud Services

  • Internet of Things Used in Healthcare

  • Application Security

  • Supply Chain

NIST also updated its Cybersecurity and Privacy Reference Tool (CPRT). The CPRT presents the provisions of the HIPAA Security Rule alongside links to the NIST publications and controls that map to each of them.

OCR also maintains information on its website to assist regulated entities with their obligations to protect ePHI including HIPAA Security Rule Guidance Material and Cybersecurity Guidance Material.

____________________________________________________________________

ARCHIVED UPDATES TO THE FIRST EDITION (last updated: December 7, 2022), INCORPORATED INTO THE SECOND EDITION

In August 2022, the Federal Trade Commission took the first major step towards adoption of a general cybersecurity regulation, issuing an Advance Notice of Proposed Rulemaking on commercial surveillance and data security. See updates to Chapter 10 adding a new section 10.4.10.

9.1 NIST Framework

Although, as the book states, the NIST framework is voluntary for private sector entities, President Trump’s May 2017 Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, required that, effective immediately, each agency head use the framework to manage the agency’s cybersecurity risk.

9.2.1 Automobiles—National Highway Traffic Safety Administration

In September 2022, the U.S. Department of Transportation’s National Highway Traffic Safety Administration released Cybersecurity Best Practices for the Safety of Modern Vehicles, an update to its 2016 guidance. The non-binding document describes NHTSA’s guidance to the automotive industry for improving vehicle cybersecurity for safety.

[New subchapter:] 9.2.1A Bus Operators - Transportation Security Administration

In December 2021, TSA issued voluntary guidance for “Over-The-Road-Bus” owner/operators. Over-the-Road Bus means a bus characterized by an elevated passenger deck located over a baggage compartment. TSA, Surface Transportation IC 2021-01, Enhancing Surface Transportation Cybersecurity.

9.2.4 Defense Contractors—Department of Defense

The book describes a 2020 DoD initiative to move towards requiring contractors to obtain third-party certification of compliance with specific cybersecurity criteria, embodied in a system called Cybersecurity Maturity Model Certification (CMMC). In November 2021, in response to extensive contractor complaints, the DoD announced the broad outlines of a recalibration of the program. The revised program, CMMC 2.0, will –

  • reduce the number of security tiers from five to three;

  • reduce the number of security controls required of many companies and limit the controls to those in NIST SP 800-171 and its supplement SP 800-172 (CMMC 1.0 had augmented the 110 controls in SP 800-171 with an additional 61 controls);

  • allow all entities in the lower tier and some in the middle tier to self-assess compliance (as opposed to requiring all covered contractors to undergo third-party assessment);

  • for entities in the top tier, require governmental assessment rather than third-party assessment;

  • allow companies, under certain limited circumstances, to make Plans of Action & Milestones (POA&Ms) to achieve certification;

  • allow waivers to CMMC requirements under certain circumstances.

In December 2021, DoD published a revised CMMC Model Overview and Scoping Guidance and Assessment Guides for Levels 1 and 2. Further details and full implementation will await publication of amendments to Title 32 of the Code of Federal Regulations and the DFARS (Title 48 of the C.F.R.), which DoD said could take anywhere from 9 months to two years.

When initially announced in 2020, CMMC was not to be fully implemented until October 2025. While the November 2020 interim rule launching the program allowed inclusion of certification requirements in contracts before full implementation in 2025, it does not appear that CMMC third-party certification was ever included as a requirement in a solicitation or contract. (In other words, I don’t think clause 252.204-7021 was ever used.) The November 2021 announcement made it clear that no elements of the CMMC process will be included in any contracts until the rulemaking process is completed.

In terms of what controls are required, CMMC 2.0, like CMMC 1.0, relies on NIST SP 800-171, which specifies 110 security practices or controls. At the lowest level (Level 1), CMMC 1.0 and 2.0 are the same: they both incorporate the 17 controls drawn from SP 800-171 that are in FAR 52.204-21. (FAR 52.204-21 has 15 subsections, but one of them combines three controls; these were broken out separately in the CMMC, yielding 17 controls at the basic level in both 1.0 and 2.0.) At the middle tier for CMMC 2.0, as it was with the middle tier for 1.0, all 110 controls in SP 800-171 are supposed to be fully implemented. CMMC 1.0 had supplemented the SP 800-171 controls, resulting in a total of 130 controls at the mid-level, but 2.0 sticks with just the 110. At the top tier (Level 3), CMMC 2.0 will add some additional controls drawn from SP 800-172. (Under CMMC 1.0, the top tier had a total of 171 controls: the 110 in SP 800-171, plus the 20 added for its middle level, plus an additional 41.)

Version 1 of the CMMC is no longer available on the DoD website, but for anyone wishing to do a comparison, a copy is here. This comparison of NIST SP 800-171 and CMMC 1.0 is also very helpful, but only of historical interest.

Remember: Despite the changes and delays in implementing CMMC, the DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is included in all solicitations and contracts, including those using Federal Acquisition Regulation (FAR) part 12 commercial item procedures, except for acquisitions solely for commercially available off-the-shelf (COTS) items. The clause requires contractors to apply the security requirements of NIST SP 800-171 to “covered contractor information systems,” as defined in the clause (see the following paragraph), that are not part of an IT service or system operated on behalf of the Government. The SP 800-171 DoD Assessment Methodology also remains in place, and DFARS clause 252.204-7020 still requires contractors to self-assess their compliance with NIST SP 800-171 and post the resulting score in the Supplier Performance Risk System (SPRS).

Further clarification: FAR 52.204-21 applies to contractor information systems that process, store or transmit “federal contract information” (FCI), defined as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. DFARS 252.204-7012 applies to contractor information systems that process, store, or transmit “covered defense information,” which is defined (paraphrasing here) as “controlled unclassified information” (CUI) that requires safeguarding or dissemination controls and is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract. So CUI is a subset of FCI. See this short explanation from the Information Security Oversight Office in the National Archives. While DFARS 252.204-7012 imposes all 110 controls of SP 800-171 for all contracts involving CUI, FAR 52.204-21, for FCI, only requires compliance with a basic set of 17 controls drawn from SP 800-171. Under CMMC 2.0, Level 1 refers to those contracts that involve only FCI, while Levels 2 and 3 apply to contracts involving CUI.

9.2.5 Educational Institutions, Post-Secondary—Department of Education

In Dear Colleague Letters GEN-15-18 and GEN-16-12, the Office of Federal Student Aid (FSA) within the Department of Education reminded institutions about the longstanding requirements of GLBA and notified them of the office’s intention to begin enforcing the GLBA through annual compliance audits. In Dear CPA Letter CPA-19-01, the FSA explained the procedures for auditors to determine whether institutions were in compliance with GLBA.

9.2.7 Electric Power, Bulk Supply - Federal Energy Regulatory Commission

In January 2022, FERC issued a Notice of Proposed Rulemaking that proposes, pursuant to section 215(d)(5) of the Federal Power Act, to direct NERC to develop and submit for Commission approval new or modified Critical Infrastructure Protection (CIP) Reliability Standards that would require internal network security monitoring (INSM) for high and medium impact bulk electric system (BES) cyber systems. According to the notice, the network security monitoring currently required under the CIP Reliability Standards focuses on preventing unauthorized access to BES cyber systems at the network perimeter, while INSM is applied within a “trust zone” and is designed to address situations where an attacker has already gained access to a system, with the aim of increasing the chance of early detection of malicious activity (for example, lateral movement between systems inside the perimeter that perimeter-only monitoring would never see).

9.2.10.1 Financial Institutions—FTC Safeguards Rule

In October 2021, the FTC adopted the amendments to the GLBA Safeguards Rule mentioned in the book. The new rule is considerably more detailed in terms of the elements required in an information security plan. Among other things, regulated entities must:

  • Implement and periodically review access controls to (1) authenticate and permit access only to authorized users and (2) limit authorized users’ access only to customer information that they need to perform their duties and functions.

  • Inventory and manage data, personnel, devices, systems, and facilities.

  • Encrypt all customer information both in transit over external networks and at rest.

  • Adopt secure development practices for in-house developed applications that process customer information and procedures for evaluating, assessing, or testing the security of externally developed apps.

  • Implement multi-factor authentication for any individual accessing any information system or use other reasonably equivalent or more secure access controls.

  • Develop, implement and maintain procedures for the secure disposal of customer information no later than two years after the last date the information is used.

  • Adopt procedures for change management.

  • Monitor and log the activity of authorized users and detect unauthorized access or use of, or tampering with, customer information.

Details were also added to the requirement to test or otherwise monitor the effectiveness of key controls: for information systems, the monitoring and testing must include either continuous monitoring or, alternatively, annual penetration testing together with vulnerability assessments at least every six months (and whenever there are material changes to operations or circumstances).

While the old rule said a regulated entity had to designate “an employee or employees” to coordinate its information security program, the new rule specifies that companies must designate a single “qualified individual” responsible for overseeing, implementing and enforcing their information security program. And under the new rule, the designated lead on cybersecurity must report to the board of directors at least annually.

In November 2022, the FTC extended by six months, to June 9, 2023, the deadline for companies to comply with many of the changes.

In a supplemental NPRM published on December 9, 2021, the FTC requested public comment on a proposal to further amend the Safeguards Rule to require a financial institution to report to the Commission any security event where the regulated entity has determined that misuse of customer information has occurred or is reasonably likely and at least 1,000 consumers have been affected or reasonably may be affected. Written comments were due by February 7, 2022.

9.2.10.3.1 Federal Financial Institutions Examination Council

In 2021, the FFIEC issued guidance titled Authentication and Access to Financial Institution Services and Systems. It sets forth risk management principles and practices that can support a financial institution’s authentication of (a) users accessing financial institution information systems, including employees, board members, third parties, service accounts, applications, and devices and (b) consumer and business customers authorized to access digital banking services. The 2021 guidance replaced the FFIEC-issued Authentication in an Internet Banking Environment (2005) and the Supplement to Authentication in an Internet Banking Environment (2011). Like much other cybersecurity guidance, it starts from the proposition that risk assessment (conducted prior to implementing a new financial service, as well as periodic risk assessments) should inform a financial institution’s decisions about authentication solutions and other controls that are deployed to mitigate identified risks. In other words, application of the principles and practices described in the guidance may vary at financial institutions based on their respective operational and technological complexity, risk assessments, and risk appetites and tolerances. With that caveat, the guidance lists 62 examples of practices or controls related to access management, authentication, and supporting controls, covering authentication, passwords, access and transactions, customer call centers and IT help desks, customers, logging and monitoring, systems access, privileged users, system and network design and architecture, email systems, and internet browsers.

One interesting point to note is the guidance’s evolving attitude toward multi-factor authentication. The 2005 guidance stated:

The agencies consider single-factor authentication [account # or username and password], as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. … Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Note that layered security, such as the use of security questions, was recognized as suitable for high-risk transactions under this 2005 guidance, although it is not MFA. Note, too, that institutions’ security measures are dependent on their self-assessment of risk, and the guidance does not exactly define what is a high-risk transaction. Is every transaction that involves access to customer information or the movement of funds to other parties high risk?

By 2021, in recognition of the expanding attack surface and the evolving and increasingly sophisticated methods of attackers, the FFIEC concluded that “certain authentication controls, previously shown effective, no longer provide sufficient defense”:

Accordingly, use of single-factor authentication as the only control mechanism has shown to be inadequate against these threats. Furthermore, single-factor authentication with layered security has shown to be inadequate for customers engaged in high-risk transactions and for high-risk users. When a financial institution management’s risk assessment indicates that single-factor authentication with layered security is inadequate, MFA or controls of equivalent strength as part of layered security can more effectively mitigate risks.

Note, again, how everything depends on a bank’s risk assessment. Note too, that the guidance does not specifically recommend MFA; it recommends “MFA or controls of equivalent strength.” And again, the guidance is circular on what constitutes high risk transactions: Transactions should be accorded more robust controls if they are “transactions that present higher risk of financial loss or potential breach of information for which enhanced authentication controls are warranted.”

The implication, though, is clear enough: a financial institution should take risk assessment seriously, and if it chooses not to require MFA, it should have a good reason.

9.2.11 Government Contractors, Federal – Federal Acquisition Regulation

On May 12, 2021, President Biden issued Executive Order 14028, Improving the Nation’s Cybersecurity, 86 Fed. Reg. 26633 (May 17, 2021). The order is much more detailed and technical than the average Executive Order. It directs officials throughout the executive branch to undertake scores of actions to improve the cybersecurity of federal systems, with varying deadlines. Many of these actions will deeply affect government contractors and their products and services. The EO also orders a variety of actions intended to reach beyond federal contractors. Different parts of the order address “systems that process data” (information technology or IT), systems “that run the vital machinery that ensures our safety” (operational technology or OT), information and communications technology (ICT) service providers, software, and cloud services and cloud service providers (CSPs).

Among the notable provisions of EO 14028 that will affect government contractors:

  • Data sharing: The Director of OMB will lead a process to amend the Federal Acquisition Regulation with contract language and requirements designed to ensure that providers of IT and OT service to the government collect and preserve data relevant to cybersecurity event prevention, detection, response and investigation and that they share cyberthreat and incident information with the government.

    • This includes “implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed.”

  • Incident reporting: The Secretary of Homeland Security will lead a process to amend the FAR to include contract language that requires reporting of cyber incidents.

  • Cybersecurity requirements: The Secretary of Homeland Security will review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements.  Such recommendations shall include consideration of the scope of contractors and associated service providers to be covered by the proposed contract language.

  • Zero Trust Architecture and cloud services: The order embraces Zero Trust Architecture and cloud services. The Secretary of Homeland Security, acting through CISA, shall develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts; cloud-security technical reference architecture documentation; and a cloud-service governance framework.

  • Multi-factor authentication and encryption: Agencies shall adopt multi-factor authentication and encryption for data at rest and in transit.

  • Revamping FedRAMP: The Administrator of General Services is ordered to begin modernizing FedRAMP by, among other things, improving communication with CSPs through automation and standardization of messages at each stage of authorization, incorporating automation throughout the lifecycle of FedRAMP, including assessment, authorization, continuous monitoring, and compliance, and identifying relevant compliance frameworks that can be used as a substitute for the relevant portion of the authorization process.

The EO speaks broadly and in detail about enhancing software supply chain security. The order is directed specifically at the supply chain for software acquired by the federal government, but the forthcoming guidance may have a broader impact. And here’s what’s really important: within one year of the date of the order, the Secretary of Homeland Security shall recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to the supply chain security provisions of the EO. Thereafter, “agencies shall, as appropriate and consistent with applicable law, remove software products that do not meet the requirements of the amended FAR from all indefinite delivery indefinite quantity contracts; Federal Supply Schedules; Federal Government-wide Acquisition Contracts; Blanket Purchase Agreements; and Multiple Award Contracts.”

To develop such requirements, the EO requires the Director of NIST to adopt preliminary guidelines for enhancing software supply chain security and to publish guidance outlining security measures for critical software. It also requires the Secretary of Commerce, acting through the Director of NIST, to issue guidance identifying practices that enhance the security of the software supply chain. Such guidance shall include standards, procedures, or criteria covering a wide range of secure software development topics, including the use of automated tools to maintain trusted source code supply chains and to check for known and potential vulnerabilities, providing purchasers with a Software Bill of Materials (SBOM), and attesting to conformity with secure software development practices.

The order has other provisions likely to have impact on federal contractors, including in products offered to non-government customers. For example--

  • The Secretary of Commerce acting through the Director of NIST shall publish guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).

Finally, the order has provisions directly aimed at consumer products: the Secretary of Commerce, acting through the Director of NIST, in coordination with the Chair of the Federal Trade Commission, shall identify IoT cybersecurity criteria for a consumer labeling program and secure software development practices or criteria for a consumer software labeling program.

Already, the EO is being implemented with –

Addition to fn 38: In January 2022, President Biden issued National Security Memorandum 8, further describing the authority of the National Security Agency with respect to national security systems. Among other things, the memo gave NSA the express authority to issue Binding Operational Directives to other defense and intelligence agencies, parallel to CISA’s authority for civilian systems.

9.2.12.2 HHS HIPAA Security Rule Guidance

In addition to the HHS resources, there is NIST Special Publication 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (2008), which discusses security considerations and resources that may provide value when implementing the HIPAA Security Rule. In 2021, noting that cybersecurity resources have evolved since 2008, NIST initiated a process to revise the SP. Comments were due June 15, 2021.

9.2.12.3 Cybersecurity Guidance for the Health Industry Beyond HIPAA

In December 2021, HHS launched a new website for the 405(d) Program and Task Group. Some of the URLs provided in the book for 405(d) outputs no longer work, but all the items referenced in the book, including the HICP and Technical Volumes 1 and 2, are now compiled at https://405d.hhs.gov/public/navigation/resources.  The program issues an almost bewildering number of other resources, including a bi-monthly newsletter, a Spotlight series, a “That Seems Risky” series, a Myth Versus Fact series, a set of awareness products, and a series called Situation, Background, Assessment, Recommendation (SBAR), which had two items as of December 7. Everything under the 405(d) program is “voluntary,” but anything there could be cited by a plaintiff in a civil lawsuit--or possibly by a regulator--as indicative of a cybersecurity norm.

9.2.13 Medical Devices—Food and Drug Administration

In April 2022, to replace a never-finalized 2018 draft mentioned in the book, the FDA released a new draft guidance, “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions.” It is intended to supersede the 2014 guidance referenced in the book.

The new version, like the 2014 guidance and the 2018 draft, stresses that security is a matter of design that must be considered from the outset of a product’s development. (The word “design” appears 110 times in the new draft.) Building on references in the earlier versions, the new guidance highlights the need to address cybersecurity risks and mitigations throughout a product’s lifecycle. Like the 2018 version, for example, the new draft states that devices should be designed to facilitate the rapid patching and updating of deployed devices. (Patching was mentioned once in the 2014 version.) As in the 2018 draft, the new version emphasizes the theme of transparency, finding in the Food, Drug and Cosmetic Act an obligation to inform device users of relevant risks and security information. And like the 2018 version, the 2022 draft includes a long list of security controls, such as “Provide mechanisms for verifying the authenticity of information originating from the device” and “Implement design features that allow for security compromises and suspected compromise attempts to be detected, recognized, logged, timed, and acted upon during normal use.”

The document has evolved in notable ways. The new draft drops the 2018 version’s reliance on the NIST Cybersecurity Framework and instead introduces a new concept, Secure Product Development Framework (SPDF), as a way to achieve total product lifecycle considerations. The new version also drops an earlier two-tiered approach (“higher” and “standard”) to defining cybersecurity risk. It advances the use of multiple “architecture views” to communicate the threat model for a device from the perspective of different concerns. The new version replaces the 2018 concept of a Cybersecurity Bill of Materials with a Software Bill of Materials (SBOM), more narrowly defined to exclude hardware. Also, the new draft guidance gives more attention to vulnerability management, including the establishment of a coordinated vulnerability disclosure process and procedures for the communication of remediations, patches, and updates to customers.

9.2.14 Nuclear Power Plants—Nuclear Regulatory Commission

See also Nuclear Energy Institute, Identifying Systems and Assets Subject to the Cyber Security Rule (July 2012).

9.2.16 Pipelines—Transportation Security Administration

In May 2021, the Department of Transportation issued a directive requiring major pipelines carrying petroleum products to review their current activities against TSA’s recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Transportation Security Administration, Security Directive Pipeline-2021-1, Enhancing Pipeline Cybersecurity (May 28, 2022). See Jim Dempsey, Regulatory Alchemy: Turning Cybersecurity Guidelines Into Rules, Lawfare (June 1, 2021).

Based on responses to the May directive, the TSA issued a second security directive to pipelines in July 2021. The text of the directive, with a few redactions, is available here. It requires owners and operators of TSA-designated critical pipelines to implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review.

9.2.17 Publicly Owned Companies—Securities and Exchange Commission

On March 9, 2022, the SEC proposed amendments to its rules to explicitly require certain disclosures by public companies regarding cybersecurity incidents, risk management, strategy, and governance. The proposed amendments would amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced such an incident and would require periodic reporting to provide updates about previously reported incidents. The proposal also would require periodic reporting about a registrant’s policies and procedures to identify and manage cybersecurity risks; its board of directors' oversight of cybersecurity risk; and management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures. The proposal further would require annual reporting or certain proxy disclosure about the board of directors’ cybersecurity expertise, if any.

[New subchapter:] 9.2.17A Railroads—Transportation Security Administration

On December 2, 2021, DHS’s Transportation Security Administration issued two new Security Directives, effective December 31, 2021:

The two directives are essentially identical. Each requires covered entities to --

(1) designate a cybersecurity coordinator who is available 24/7;

(2) report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA);

(3) develop a cybersecurity incident response plan;

(4) conduct a cybersecurity vulnerability assessment using a form provided by TSA.

The incident reporting requirement got the most attention in the popular press. It requires reporting as soon as practicable, “but no later than 24 hours after a cybersecurity incident is identified.” A cybersecurity incident is defined as an event that jeopardizes, disrupts or otherwise impacts, or is reasonably likely to jeopardize, disrupt or otherwise impact, the integrity, confidentiality or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident on the system. Elsewhere the directive states that this includes unauthorized access to an information or operational technology system, discovery of malicious software on an IT or OT system, or activity resulting in denial of service.

Perhaps equally if not more consequential is the requirement for a vulnerability assessment. Owner/operators “must identify remediation measures to address the vulnerabilities and cybersecurity gaps identified during the assessment and implement the plan for applying the identified measures.” The completed vulnerability assessment forms and remediation plans must be submitted to TSA by March 31, 2022. An awful lot turns on how TSA responds to the vulnerability assessments and remediation plans. A sign of its seriousness will be whether it sends any back for revision.

TSA also issued voluntary guidance for railroad owner/operators, public transportation agencies, and “Over-The-Road-Bus” owner/operators not otherwise covered under the two security directives. (Over-the-Road Bus means a bus characterized by an elevated passenger deck located over a baggage compartment.) TSA, Surface Transportation IC 2021-01, Enhancing Surface Transportation Cybersecurity.

9.2.18 SEC-Regulated Entities (Securities Exchanges, Broker-Dealers, Investment Advisers and Investment Companies)

In February 2022, the SEC proposed new rules under the Investment Advisers Act of 1940 and the Investment Company Act of 1940, focused on four elements: requiring advisers and funds to implement cybersecurity risk management policies and procedures; amending adviser and fund disclosure requirements to provide advisory clients and fund shareholders with improved information regarding cybersecurity risks and cybersecurity incidents; requiring advisers to report significant cybersecurity incidents to the Commission on a confidential basis; and new record-keeping requirements. The proposed risk management rules enumerate certain general elements that advisers and funds would be required to address in their cybersecurity policies and procedures, including risk assessment; access controls (such as procedures for the timely distribution, replacement, and revocation of passwords or methods of authentication); monitoring and other protections against unauthorized access; threat and vulnerability management (detecting, mitigating, and remediating threats and vulnerabilities); and incident response and recovery. Comments are due by April 11, 2022.

The SEC’s examinations and compliance priorities for 2022 again include cybersecurity. (In December 2020, the OCIE, referred to in the book, became the Division of Examinations, referred to as EXAMS.)

Specifically, EXAMS will continue to review whether firms have taken appropriate measures to: (1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; (2) oversee vendors and service providers; (3) address malicious email activities, such as phishing or account intrusions; (4) respond to incidents, including those related to ransomware attacks; (5) identify and detect red flags related to identity theft; and (6) manage operational risk as a result of a dispersed workforce in a work-from-home environment.

9.2.20A Substance Abuse Programs—Department of Health and Human Services

42 U.S.C. 290dd-2(g) authorizes the Secretary of Health and Human Services to prescribe regulations for the confidentiality of records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or assisted by any department or agency of the United States. The regulation is at 42 C.F.R. Part 2. Section 2.16 provides: “The part 2 program or other lawful holder of patient identifying information must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of patient identifying information and to protect against reasonably anticipated threats or hazards to the security of patient identifying information.” For electronic records, these policies and procedures must address “(i) Creating, receiving, maintaining, and transmitting such records; (ii) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable; (iii) Using and accessing electronic records or other electronic media containing patient identifying information; and (iv) Rendering the patient identifying information non-identifiable in a manner that creates a very low risk of re-identification (e.g., removing direct identifiers).”

9.2.24 Welfare and Pension Benefit Plans—Department of Labor

In April 2021, the Employee Benefits Security Administration in the U.S. Department of Labor issued guidance for plan sponsors, plan fiduciaries, record keepers, and plan participants on best practices for cybersecurity. (The 2016 guidance was issued by an advisory council and thus was not, strictly speaking, a DoL product.) The EBSA guidance came in three parts:

  • Tips for Hiring a Service Provider: Intended to help plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices and monitor their activities, as ERISA requires.

  • Cybersecurity Program Best Practices: Assists plan fiduciaries and record-keepers in their responsibilities to manage cybersecurity risks. The guidance identifies 12 areas requiring attention, many familiar from other guides. It says that plans should have a formal, well-documented cybersecurity program, conduct prudent annual risk assessments, have a reliable annual third-party audit of security controls, clearly define and assign information security roles and responsibilities, have strong access control procedures, and implement and manage a secure system development life cycle program. Perhaps representing a newer generation of guidance, the EBSA document specifically calls out the need to ensure that assets or data stored in the cloud or managed by a third-party service provider are subject to appropriate security reviews and independent security assessments.

  • Online Security Tips: Offers plan participants and beneficiaries who check their retirement accounts online basic rules to reduce the risk of fraud and loss.

Like other guidance, the EBSA documents are non-binding. The DoL, in releasing the guidance, did not specifically discuss enforcement.

[New subchapter:] 9.4 Standards for Industrial Control Systems

On July 28, 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. The President’s move was unique in that it focused not on a sector but rather on a type of function: industrial control systems (ICSs). It has been recognized for some time that, throughout many otherwise distinct sectors, there are pieces of networked equipment that control physical assets (for example, turning valves on and off). Attacks on these systems can have catastrophic impact. The memorandum announced establishment of an Industrial Control Systems Cybersecurity Initiative, a voluntary, collaborative effort between the federal government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems. It instructed DHS and NIST to develop and issue voluntary cybersecurity performance goals for critical infrastructure, beginning with preliminary goals for control systems across critical infrastructure sectors no later than September 22, 2021, followed by the issuance of final cross-sector control system goals and sector-specific critical infrastructure cybersecurity performance goals by July 2022. Note that the memorandum works at two levels: it requires issuance of performance goals for control systems and sector-specific critical infrastructure cybersecurity performance goals; the latter seems to reach beyond ICSs.

As required, on September 21, CISA and NIST issued nine preliminary control system cybersecurity performance goals. Each of the nine goals includes specific objectives, organized into baseline and enhanced objectives, that support the deployment and operation of secure control systems.

The Initiative had already begun with a pilot effort with the electricity subsector. According to the White House, as of July 2021, over 150 electricity utilities representing almost 90 million residential customers were either deploying or had agreed to deploy control system cybersecurity technologies. As of July 2021, an action plan for natural gas pipelines was underway, and additional initiatives for Water and Wastewater Sector Systems and the Chemical Sector were planned to follow later in the year. On August 25, 2021, the Biden Administration announced the formal expansion of the ICS cybersecurity initiative to a second major sector: natural gas pipelines.


Last updated: May 3, 2024.

Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.