Biden Administration’s New Agenda Reveals Cybersecurity Regulations For Contractors

Apr 28, 2023 | GovCon News

On January 4, 2023, the Biden Administration released its latest regulatory agenda (Regulatory Agenda). Its key components include new regulations aimed at enhancing cybersecurity requirements for government contractors, public companies, the maritime industry, and other sectors.

These regulations are a clear indication of the critical need for robust cybersecurity measures across all aspects of operations – including information systems, operational systems, and information technology. Companies subject to these regulations will face significant and comprehensive cybersecurity obligations and regulatory scrutiny.

Staying ahead of the game and ensuring your cybersecurity measures are up to par will be crucial as these new regulations will have important implications for contracting and operational practices. Here are just some of the key policies that will impact businesses nationwide.

Key Policies

Assessing Contractor Implementation of Cybersecurity Requirements and CMMC Program by U.S. Department of Defense (DoD)

The DoD is set to issue its Cybersecurity Maturity Model Certification (CMMC) program in May 2023. These regulations will mandate that all contractors in the DoD supply chain, with the exception of commercial off-the-shelf product providers, obtain third-party or self-certification for compliance with designated cybersecurity controls. The certification required will be contingent on the type of information handled by the contractor.

Staying compliant with DoD regulations and preparing for CMMC certification will be paramount for contractors looking to win big in 2023.

DoD Plans to Expand Cybersecurity Program for DIB

The Department of Defense (DoD) is looking to strengthen its Defense Industrial Base (DIB) Cybersecurity (CS) program. Their goal is to increase the cybersecurity threat information provided to defense contractors who handle “controlled unclassified information.”

Currently, the program is only accessible to defense contractors with a clearance. But starting in April 2023, DoD plans to release a proposed rule that will expand the program to include all contractors who process, store, develop, or transit controlled unclassified information.

This move demonstrates the government’s commitment to protecting sensitive information and data from cyber threats. Stay tuned for more details as the proposed rule is released.

Increase Cybersecurity Information Sharing between Federal Government and Contractors

The Department of Defense, General Services Administration (GSA), and NASA seek to amend the Federal Acquisition Regulation (FAR) to improve information sharing on cybersecurity threats and incidents. Under the proposed changes, specific government contractors would need to report incidents to the federal government as a means to prevent further cyber threats.

The proposed rules were anticipated to be released in December 2022, and some speculate that they may overlap with the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that was passed earlier in the year. Stay updated on the latest cybersecurity regulations to ensure your company remains compliant.

Standardizing Cybersecurity Requirements for Unclassified Information Systems (FAR)

Proposed FAR regulations seek to standardize cybersecurity requirements across all federal agencies. Although government-wide regulatory requirements exist, they are basic and permit other agencies to create their own varying and more rigorous standards. Several agencies, including the DoD, U.S. Department of Transportation (DOT), U.S. Department of State, NASA, and the IRS, have issued agency-specific regulations.

Taking Additional Steps to Address National Cybersecurity Threats

The Commerce Department is set to introduce regulations to address the issue of significant malicious cyber-enabled activities. These regulations, which follow Executive Order 13984, are expected to require providers of United States Infrastructure as a Service (IaaS) products to take additional measures to protect against cyber threats. Specifically, the new rules will require IaaS providers to verify the identity of individuals obtaining IaaS accounts, maintain records of actors using United States IaaS products, and limit certain foreign actors’ access to US IaaS products. The proposed rule is anticipated to be released in June 2023.

It should be noted that any measures introduced under this proposed rule that facilitate government access to data about cloud and managed services accounts must be reconciled with Executive Order 14086 and ongoing discussions regarding individual rights and transparency in personal data transfers to the US from the European Union (EU) and other jurisdictions. As a national security measure, these regulations will help to protect against cyber threats and ensure the safety and security of critical US infrastructure.

Improved Cybersecurity Monitoring for Bulk Electric Systems

The Federal Energy Regulatory Commission (FERC) issued a Notice of Proposed Rulemaking (NPRM) in January 2022. This NPRM mandates that the North American Electric Reliability Corporation (NERC) create new or revised standards for internal network security monitoring of high- or medium-impact Bulk Electric Systems (BES). FERC is also gathering opinions about whether low-impact BES cybersecurity systems should also be regulated to ensure a more secure internal network for bulk electric systems, something that is critical to protect against cyber attacks.

Cybersecurity Regulations for Marine Transportation System by DHS

In June 2023, the U.S. Department of Homeland Security is set to propose new regulations aimed at mitigating cybersecurity risks and threats in maritime transportation. The new regulations will establish minimum cybersecurity standards for vessels and facilities in order to protect the Marine Transportation System.

It is currently unclear what specific form these regulations will take and which companies and vessels will be impacted. However, in December 2020, the Trump Administration released its National Maritime Cybersecurity Plan, which is expected to serve as a blueprint for the new regulations.

Stay tuned for more information on this important development in marine transportation cybersecurity.

Enhancing Surface Cyber Risk Management: DHS Announcement

The DHS has announced an advance notice of proposed rulemaking (ANPRM) for public review and feedback until Jan. 17, 2023. The proposed regulations aim to counter the persistent threat to pipeline and rail systems by introducing new cybersecurity requirements. The Surface Transportation Cybersecurity Toolkit by TSA and other cybersecurity directives will be incorporated into the regulations.

Recently, TSA issued a new directive called Rail Cybersecurity Mitigation Actions and Testing. Through this ANPRM, individuals and companies will have an opportunity to address these proposed regulations ahead of time.

For a complete list of regulations and proposed changes, please visit the Office of Information and Regulatory Affairs at Reginfo.gov.

As the upcoming year brings new cybersecurity requirements, businesses across various sectors are advised to stay vigilant. With a slew of anticipated regulations, 2023 will be a busy year for companies looking to stay compliant.

To ensure your company stays ahead, it is recommended to monitor the regulatory process throughout the year. This will help you stay informed on whether additional compliance measures must be taken. If you have any questions about these new regulations or need assistance with compliance, don’t hesitate to reach out to the experts at DIGITALSPEC Technologies, an SBA 8(a) NHO with 15+ years of experience in GovCon.

About Us

Founded in 2005, DIGITALSPEC Technologies is a minority-owned SBA 8(a) Native Hawaiian Organization (NHO) with 15+ years of supporting federal clients.

Our experienced and skilled professionals use pragmatic strategies that yield long-term results for our customers. We strive to expand innovation through excellence in communication, collaboration, transparency, and quality service delivery, all in service of our singular mission: to engineer success for all stakeholders by driving growth through customer-focused outcomes. Our vision is one where digital transformation can empower organizations everywhere – ensuring each client’s unique needs are met with world-class technology solutions that make progress more achievable than ever before!

For more information about our government contracts, federal clients, and/or services, please visit our website at digitalspec.net or contact us here.
