Federal agencies face complex cyber compliance – but relief is underway

In the face of escalating cyber threats to our critical infrastructure, economy, and way of life, federal agencies are continuously releasing mandates, memos, requirements, and executive orders focused on improving cyber hygiene. This creates a heavy, ever-shifting compliance burden for these agencies, as well as the many private companies, especially those in the critical sectors, that tend to rely on these agencies’ requirements in enhancing their own cyber strategies.

The White House has taken note, and in July 2023 released a harmonized National Cybersecurity Strategy Implementation Plan.

Among its initiatives, the strategy broadly mentions the need to drive key cybersecurity standards. A few days after the strategy’s release, the Office of the National Cyber Director (ONCD) issued a Request for Information (RFI) seeking input from stakeholders in order to “understand existing challenges with regulatory overlap and inconsistency in order to explore a framework for reciprocal recognition by regulators of compliance with common baseline cybersecurity requirements.”

“When cybersecurity regulations of the same underlying technology are inconsistent or contradictory – or where they are duplicative but enforced differently by different regulators – consumers pay more, and our national security suffers,” ONCD wrote.

CohnReznick expects the final output will create a baseline standard for federal agencies, instead of the multiple and disparate standards they currently must comply with. Additionally:

  • There will be a standardized cybersecurity rule for incident reporting and multifactor authentication.
  • High-risk operators in the Transportation sector would be required to have a standardized vulnerability assessment procedure in place.
  • Cloud Service Providers (CSPs) such as AWS, Microsoft Azure, Google Cloud Platform, and Oracle may be designated as “critical infrastructure.”

However, the White House is careful not to “over-regulate” the cybersecurity industry. To that end, Robert Knake, former acting principal deputy national cyber director, said that the national strategy does not seek to iron out “conflicting rules or even conflicting regulators,” but rather to devise a process for “reciprocity,” which would allow organizations to meet multiple requirements with a minimal number of assessments.

Both the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) will continue to play key roles in the new national cybersecurity strategy implementation plan.

The White House is fully aware the national cybersecurity strategy can quickly become obsolete as cyber criminals devise new methods to outwit defenses. Hence, the strategy will be a living document, and will undergo updates when necessary.

The current compliance landscape

As more streamlined frameworks continue to develop, agencies and organizations still face a vast array of cybersecurity-related memorandums, programs, laws, policies, and standards.

The table below highlights some of the top ones to be aware of in developing your strategies. A more comprehensive list is available from the General Services Administration (GSA).

| Compliance Program Driver | EO/Memos/Publications | Governance |
| --- | --- | --- |
| Identity, Credential, and Access Management (ICAM) | X | X |
| Domains and Web Hosting | X | X |
| Cloud Adoption | X | X |
| Department of Homeland Security (DHS): Continuous Diagnostics and Mitigation (CDM); Homeland Security Presidential Directive; Blueprint for a Secure Cyber Future – The Cybersecurity Strategy for the Homeland Security Enterprise | X | X |
| Federal Information Security Modernization Act (FISMA) OMB Memos: M-18-02, Guidance on Federal Information Security and Privacy Management; M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information | X | X |
| Executive Orders: EO 13800 – Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure; EO 13556 – Controlled Unclassified Information; EO 14028 – Improving the Nation’s Cybersecurity | X | X |
| Standards – NIST Special Publications (SP): Federal Information Processing Standards (FIPS); SP 800 Series; SP 1800 – Cybersecurity Guidelines | X | X |

One of the most important mandates is Executive Order 14028, “Improving the Nation’s Cybersecurity,” which places great emphasis on implementing a Zero Trust architecture and on securing the supply chain for critical software used by federal agencies.

Federal agencies are feverishly working toward the implementation of EO 14028. The all-encompassing order mandates compliance across eight security domains:

  • Implement multifactor authentication (MFA)
  • Encrypt data-at-rest and data-in-transit
  • Adopt endpoint detection and response solutions
  • Collect and maintain system logs
  • Enhance critical software supply chain security
  • Migrate on-premises solutions to secure cloud offerings
  • Utilize vulnerability management best practices and incident response playbooks
  • Implement Zero Trust Architecture

The ink had barely dried on federal agency gap analyses and technical implementation of EO 14028 when CISA produced more recommendations on phishing-resistant MFA. The Pentagon also introduced its definitive version of a Zero Trust strategy. On top of these, the National Archives and Records Administration (NARA) recently issued a new requirement on logging and retention periods. More OMB memoranda and new FISMA audit requirements are a constant and will keep arriving.

Interim steps to strengthen compliance

While relief is on the way, federal agencies may still feel overburdened now with all these requirements. In the meantime, the following steps can help provide a head start on shoring up your compliance practices.

  • Assess your current compliance program to confirm it aligns with the expectations of the myriad of applicable drivers, while also being right-sized for the mission.
  • Confirm that your current program is managing and prioritizing the requisite compliance risks, including any risks related to government funding.
  • Develop a process for ongoing periodic assessment of plan adequacy, resources, and effectiveness.

Contact our team for more information or to get started.

Contact

Bhavesh N. Vadhani, CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

703.847.4418

Bill Hughes, CPA, CDFM, CGFM, CGMA, Partner, Federal Market Leader, Government and Public Sector

703.744.6750

Adonye Chamberlain, Manager, Cybersecurity, Technology Risk, and Privacy

703.744.7409
