Lawmakers Prioritized Cybersecurity in 2022
If 2020 opened the “Wild West” of cybersecurity, 2022 was essentially the new sheriff rolling into town.
Security practitioners who made it through the pandemic – and the wholesale shift in how we work that came with it – are now coming up for air to find a bevy of new rules and regulations on cyber policy. While states continue to forge ahead with reporting requirements and training incentives, the federal government has begun turning its regulatory wheels with a keen focus on Zero Trust.
After the high-profile incidents of recent years, such as the Colonial Pipeline ransomware attack and the SolarWinds supply-chain compromise, governmental bodies at all levels appear to have taken a “do something” approach, per analysis by the Harvard Business Review – though much of it, it seems, is the work of legislators who may not be aware of the nuances involved in developing security measures.
“… lawmakers often struggle to regulate technology — they respond to political urgency, and most don’t have a firm grasp on the technology they’re aiming to control. The consequences, impacts, and uncertainties on companies are often not realized until afterward,” author Stuart Madnick wrote. The difference, according to the article, is that governments had until now focused mainly on privacy as the key trigger for reporting a cyberattack. An incident like Colonial Pipeline, where no customer data was compromised but the attack was nonetheless crippling, forced legislators to think about cybersecurity differently.
Just a glance at the legislative slate from state governments shows a number of enacted, passed, and pending laws – along with a few failures, to boot. A few notable examples include Florida’s apparent commitment to its new strategy via the Florida Digital Service, headed by previous Conference Keynote Jamie Grant.
The state of Kentucky also passed all of its 2022 cybersecurity legislation, including a requirement for investment advisers to establish written cybersecurity policies. Louisiana established a task force, while New Jersey and Massachusetts have pending bills that would create task forces of their own.
According to the National Conference of State Legislatures, 40 states and Puerto Rico brought more than 250 bills dealing with cybersecurity before their members. Of those, 24 states enacted approximately 41 bills, often requiring government agencies to provide more training, better funding for security programs in local governments and schools, bolstered election security practices, and incentives for organizations that develop workforce training programs.
At the federal level, the White House’s 2021 Executive Order on “Improving the Nation’s Cybersecurity” began hitting some critical due dates. NIST, for example, issued updates on its work earlier this year, stating it had made labeling recommendations for IoT software – often considered a hot opportunity for threat actors.
The Department of Defense issued its Zero Trust Strategy framework to the public in late fall of this year, where it extolled the values and virtues of such a strategy for a highly sensitive department such as DoD.
“This Zero Trust strategy, the first of its kind for the Department, provides the necessary guidance for advancing Zero Trust concept development; gap analysis, requirements development, implementation, execution decision-making, and ultimately procurement and deployment of required ZT capabilities and activities which will have meaningful and measurable cybersecurity impacts upon adversaries,” wrote DoD’s Chief Information Officer John B. Sherman in the report’s introduction.
Prior to the Pentagon’s release, the Office of Management and Budget (part of the executive branch) issued its strategy for a Zero Trust framework, stating in a memo that all agencies across the government should adopt zero trust architecture as their cybersecurity standard.
OMB’s document lays out a series of visions for this strategy, as implemented across agencies. Per the summary:
This strategy envisions a Federal Government where:
- Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated
- The devices that Federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to
- Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
- Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
- Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to
“This strategy sets a new baseline for access controls across the Government that prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied. Tightening access controls will require agencies to leverage data from different sources to make intelligent decisions, such as analyzing device and user information to assess the security posture of all activity on agency systems,” according to the report.
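The access-control model OMB describes above combines several signals (enterprise-managed identity, phishing-resistant authentication, device enrollment and posture, data category) into one decision that never relies on network location. The following policy-engine sketch is an added illustration written for this article, not code from OMB or any agency; the field names, authenticator labels and data categories are its own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Authenticator types the OMB memo treats as phishing-resistant (PIV smart cards, FIDO2/WebAuthn).
# Labels and field names here are this example's own assumptions, not an agency schema.
PHISHING_RESISTANT = {"piv", "fido2"}

@dataclass
class AccessRequest:
    user: str
    managed_account: bool      # identity issued by the agency's consolidated identity provider
    authenticator: str         # "piv", "fido2", "sms_otp", "password"
    device_enrolled: bool      # device is tracked and monitored by agency device management
    device_compliant: bool     # latest posture check passed (patched, encrypted, EDR healthy)
    data_category: str         # "public", "internal" or "sensitive", assigned by the data team

def decide(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Network location is never an input: a request from
    inside the agency network is evaluated exactly like one arriving from the internet."""
    reasons: list[str] = []
    if req.data_category == "public":
        return True, reasons                      # nothing to protect; no identity needed
    # Baseline for any non-public resource: enterprise identity, strong MFA, known device.
    if not req.managed_account:
        reasons.append("account is not enterprise-managed")
    if req.authenticator not in PHISHING_RESISTANT:
        reasons.append(f"authenticator '{req.authenticator}' is not phishing-resistant")
    if not req.device_enrolled:
        reasons.append("device is not enrolled in agency device management")
    # Step-up for sensitive data: the device must also currently pass its posture check.
    if req.data_category == "sensitive" and not req.device_compliant:
        reasons.append("device posture check failed; sensitive data requires a compliant device")
    return (not reasons), reasons

# Constructed sample requests, not real agency traffic.
GOOD = AccessRequest("analyst", True, "piv", True, True, "sensitive")
SMS_MFA = AccessRequest("analyst", True, "sms_otp", True, True, "internal")
STALE_DEVICE = AccessRequest("analyst", True, "fido2", True, False, "sensitive")
UNMANAGED = AccessRequest("contractor", False, "password", False, False, "internal")

if __name__ == "__main__":
    for req in (GOOD, SMS_MFA, STALE_DEVICE, UNMANAGED):
        allowed, why = decide(req)
        print(req.user, req.data_category, "ALLOW" if allowed else "DENY", why)
```

Each denial carries every failed signal rather than only the first, which is what a security team needs in order to log and later tune the rules the memo asks agencies to develop.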
Agencies will have until the end of Fiscal Year 2024 to meet the Zero Trust security goals set out by the federal government, according to the OMB memo. And with the sun setting on 2022 in a few short days, it’s likely that many agencies have already begun this vital transition.