Category Archives: Cybersecurity and Infrastructure Security Agency (CISA)

Biden National Security Memorandum Bolsters CISA Role for Cybersecurity Oversight in Critical Infrastructure

by Beth Burgin Waller and Patrick J. Austin

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.

NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience (pdf). PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.

Security Principles: Addressing Vulnerabilities Systematically

by Staff at the Federal Trade Commission’s Office of Technology

Federal Trade Commission

For more than two decades, the FTC has been bringing enforcement actions for violations of national consumer protection laws due to companies’ poor security practices. These poor practices have included failure to encrypt sensitive data, storing credentials in source code, failing to test for common vulnerabilities, and failure to use multi-factor authentication, among others. To remedy these practices, the orders the FTC has obtained in these enforcement actions have required companies to improve their security practices. Last year FTC staff published a blog post on how the agency’s orders incorporate modern security best practices that take inspiration from research into the causes of risk in complex systems. This post continues that theme of effectively addressing risks in complex systems.

Proposed Federal Cyber Incident Reporting Rule Adds Hefty Federal Reporting Requirements to Critical Infrastructure Sector and Large Businesses

 by Beth Burgin Waller and Patrick J. Austin

From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

The federal Cybersecurity and Infrastructure Security Agency (CISA) released a draft of its proposed rule detailing how covered entities operating in critical infrastructure sectors report cyberattacks and ransomware payments to the federal government. The proposed rule states that entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours after an entity reasonably believes a cyber incident has occurred and report ransom payments within 24 hours after a payment is made. The proposed Cyber Rule – hundreds of pages as drafted – adds significant requirements for those required to make a report, including a requirement that the entity preserve materials used to create the report (such as the threat actor’s ransom note, logs, and forensic artifacts) for two years. As proposed, the Rule applies to large businesses and the critical infrastructure sector alike. Failure to comply can result in an entity being subpoenaed and ultimately referred to the Department of Justice for noncompliance.

The proposed rule is scheduled to be published on the Federal Register on April 4, 2024. An unpublished version of the proposed rule may be accessed here (pdf).

White-Collar and Regulatory Enforcement: What Mattered in 2023 and What to Expect in 2024

by John F. Savarese, Ralph M. Levene, Wayne M. Carlin, David B. Anders, Sarah K. Eddy, Randall W. Jackson, and Kevin S. Schwartz

Top left to right: John F. Savarese, Ralph M. Levene, Wayne M. Carlin, and David B. Anders.
Bottom left to right: Sarah K. Eddy, Randall W. Jackson, and Kevin S. Schwartz. (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

This past year was yet another notable and intensely active one across the entire range of white-collar criminal and regulatory enforcement areas. We heard continued tough talk from law enforcement authorities, especially concerning the government’s desire to bring more enforcement actions against individuals and on the need to keep ramping up corporate fines and penalties. The government largely lived up to its talking points about increasing the numbers of individual prosecutions and proceedings, particularly with respect to senior executives in the cryptoasset industry. But there were some notable stumbles. The most striking example of this was DOJ’s failure to secure convictions in cases where it attempted to extend criminal antitrust enforcement in unprecedented areas, such as no-poach employment agreements and against certain vertical arrangements—neither of which has historically been viewed as involving per se violations of the federal antitrust laws. And, as in years past, many state attorneys general remained active throughout 2023, using broad state consumer-protection statutes to bring blockbuster cases across a wide array of industries, from ridesharing and vaping to opioids and consumer technology offerings.

The Year That Was: Key Cybersecurity and Privacy Developments in 2023 and Issues for 2024

by John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog

From left to right: John P. Carlin, Jeh Charles Johnson, Jeannie S. Rhee, Peter Carey, and Steven C. Herzog. Photos courtesy of Paul, Weiss, Rifkind, Wharton & Garrison LLP.

At the beginning of the year, we predicted that the use of personal information and the protection of data in an evolving threat environment would be the focus of increased legislation, regulation, and regulatory enforcement. And 2023 delivered, with both threat actors and regulators presenting new challenges for technology and legal teams. At the same time, these teams are navigating how to harness the burgeoning potential of rapidly evolving artificial intelligence applications while mitigating associated security, legal, and related risks. Amidst all of the noise, we break down below ten key developments of 2023 that contributed to an increasingly complex legal and data security landscape and prompted business leaders to increase resources and attention to bolster their defenses and ensure compliance with their growing list of legal obligations. We predict a continued flurry of activity in 2024.

Resisting Hindsight Bias: A Proposed Framework for CISO Liability

by Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, Erez Liebermann, Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse

Top left to right: Andrew J. Ceresney, Charu A. Chandrasekhar, Luke Dembosky, and Erez Liebermann.
Bottom left to right: Julie M. Riewe, Anna Moody, Andreas A. Glimenakis, and Melissa Muse. (Photos courtesy of Debevoise & Plimpton LLP)

On October 30, 2023, the U.S. Securities and Exchange Commission (“SEC” or “Commission”) charged SolarWinds Corporation’s (“SolarWinds” or the “Company”) chief information security officer (“CISO”) with violations of the anti-fraud provisions of the federal securities laws in connection with alleged disclosure and internal controls violations related both to the Russian cyberattack on the Company discovered in December 2020 and to alleged undisclosed weaknesses in the Company’s cybersecurity program dating back to 2018.[1] This is the first time the SEC has charged a CISO in connection with alleged violations of the federal securities laws occurring within the scope of his or her cybersecurity functions.[2] In doing so, the SEC has raised industry concerns that it intends to—with the benefit of 20/20 hindsight, but without the benefit of core cybersecurity expertise—dissect a CISO’s good-faith judgments in the aftermath of a cybersecurity incident and wield incidents to second guess the design and effectiveness of a company’s entire cybersecurity program (including as it intersects with internal accounting controls designed to identify and prevent errors or inaccuracies in financial reporting) and related disclosures and attempt to hold the CISO liable for any perceived failures.

CISA Releases Revised Draft of Secure Software Development Self-Attestation Form

by Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin

Left to right: Michael T. Borgia, Andrew M. Lewis, and Patrick J. Austin. (Photos courtesy of Davis Wright Tremaine LLP)

Once Finalized, the Form will Establish Secure Software Development Baselines for Companies that Provide Software to the Federal Government

The Cybersecurity and Infrastructure Security Agency (CISA) has released a revised draft of its Secure Software Development Attestation Common Form (“Form”).  The Form, once finalized, will obligate vendors providing software to the federal government to attest to enumerated practices to secure their software, third-party components, and the development environment.  Software vendors to federal agencies are advised to review the draft Form and assess their current secure development practices—both for in-house and third-party developed software—against the Form’s relevant attestations and the supporting NIST guidance.  Software producers unable to make any of the required attestations should prioritize conforming their software development practices to the Form’s attestations and NIST guidance, and should consider whether to pursue a plan of action and milestones (POA&M) with their federal agency customers once the Form is finalized.

Federal Agencies Publish New Version of the #StopRansomware Guide

by Benjamin A. Powell, Matthew F. Ferraro, Shannon Togawa Mercer, and Ariel Dobkin

From left to right: Benjamin A. Powell, Matthew F. Ferraro, Shannon Togawa Mercer, and Ariel Dobkin (photos courtesy of Wilmer Cutler Pickering Hale and Dorr LLP)

On May 23, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) published a second edition of the #StopRansomware Guide (the Guide). The Guide, first published in September 2020, aims to help organizations reduce the risk of ransomware attacks, and it provides best practices to prevent, detect, respond to, and recover from such incidents. The 2023 version contains updated guidance and best practices in the areas of initial infection vectors, cloud backups, zero trust architecture and ransomware response.

The Biden Administration Signals New Direction for Cybersecurity

by Alexander Southwell, Stephenie Gosnell Handler, and Eric Hornbeck

From left to right: Alexander Southwell, Stephenie Gosnell Handler, and Eric Hornbeck (photos courtesy of Gibson, Dunn & Crutcher LLP)

The Biden administration has been steadily evolving its views of national security risks and priorities—and what measures the executive branch will take to mitigate those risks.  Last fall’s National Security Strategy called out critical technology and cybersecurity as key national security concerns.  This focus sharpened with the release of the National Cybersecurity Strategy last month.  And, most recently, the administration has submitted a $3.1 billion budget request for the Cybersecurity and Infrastructure Security Agency (CISA), a 22 percent increase from its request last year, to implement that strategy and fund other initiatives.  While strategy is not policy, and budget proposals are not appropriations, these are strong signals of the shifting winds of the administration regarding the tools and incentives the administration will deploy to mitigate cybersecurity risks.
