The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is proposing security requirements to prevent adversary states from accessing American’s personal data as well as government-related information.

The requirements are aimed at entities that engage in restricted transactions that involve bulk U.S. sensitive personal data or U.S. government-related data, especially if the info is exposed to “countries of concern” or “covered persons.”

The proposal is linked to the implementation of Executive Order 14117, signed by President Biden earlier this year, aimed at addressing severe data security liabilities that extend to or amplify national security risks.

Impacted organizations may include technology businesses such as AI developers and cloud service providers, telecommunication firms, health and biotech organizations, financial institutions, and defense contractors.

Countries of concern typically refer to nations the U.S. government views as adversarial or posing a security risk due to a history of cyber espionage, data breaches, and state-sponsored hacking campaigns.

Security requirements

CISA proposes security measures categorized into organizational/system-level requirements and data-level requirements. Below is a summary of some of them:

• Maintain and update an asset inventory monthly, with IP addresses and hardware MAC addresses
• Remediate known exploited vulnerabilities within 14 days
• Remediate critical vulnerabilities (of unknown exploitation status) within 15 days and high-severity flaws within 30 days
• Maintain an accurate network topology to facilitate incident identification and response
• Enforce multi-factor authentication (MFA) on all critical systems, require passwords that are at least 16 characters long, and revoke access to any individual immediately after employment termination or a change of role in the organization
• Prevent unauthorized hardware, such as USB devices, from being connected to covered systems
• Collect logs on access and security-related events (IDS/IPS, firewall, data loss prevention, VPN, login events)
• Reduce the amount of data collected or mask it to prevent unauthorized access or linkability to U.S. persons, and apply encryption to protect covered data during restricted transactions
• Do not store encryption keys along with the covered data or in a country of concern
• Apply techniques such as homomorphic encryption or differential privacy to prevent the reconstruction of sensitive data from processed data

 CISA is looking for public input to further develop the proposal into its final form. Those interested in doing so can visit regulations.gov, enter CISA-2024-0029 in the search field, click the “Comment Now!” icon, and then enter their comments in the fields.