CISA Security Requirements: Protecting Sensitive Information
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently announced proposed security requirements designed to prevent adversarial nations from gaining access to Americans' bulk sensitive personal data and U.S. government-related data. The proposed requirements implement part of Executive Order 14117, signed by President Biden in February 2024, and reflect growing concern about data-security risks to national security.
With data breaches and state-sponsored cyber activity on the rise, the requirements aim to counter foreign threats and strengthen the security posture of the U.S. entities that handle such data.
Who is Impacted by CISA Security Requirements?
The proposed requirements apply to organizations engaging in restricted transactions that involve bulk sensitive U.S. personal data or data tied to government interests. The emphasis falls on sectors such as technology, telecommunications, healthcare, biotechnology, finance, and defense contracting. The requirements seek to mitigate the risk that data managed by these organizations is exposed to "countries of concern" (nations designated under the Executive Order as posing a national-security risk) or "covered persons" (entities and individuals owned by, controlled by, or subject to the jurisdiction or direction of such a country), the actors behind much of the cyber espionage and state-sponsored intrusion activity directed at U.S. interests.
What are the Proposed Security Requirements?
CISA outlines two main areas of focus: organizational- and system-level security requirements, and data-level security requirements. Here is a breakdown of the key proposals.
- Maintain an asset inventory, including IP addresses and hardware MAC addresses, and update it at least monthly.
- Remediate known exploited vulnerabilities (KEVs) within 14 days.
- Remediate critical vulnerabilities within 15 days, even if they are not known to be exploited, and high-severity vulnerabilities within 30 days. TuxCare's KernelCare Enterprise can help meet these deadlines by applying kernel security patches live, without a reboot, and supports all major enterprise Linux distributions, including Ubuntu, Debian, RHEL, CentOS, Rocky Linux, AlmaLinux, CloudLinux, Oracle Linux, and Amazon Linux. Note that kernel live patching covers kernel vulnerabilities; userspace packages and applications still need their own patch cadence to meet the same deadlines.
- Maintain an accurate network topology to support timely incident identification and response.
- Enforce multi-factor authentication (MFA) on critical systems and implement strong password policies (minimum 16 characters). Additionally, revoke access credentials immediately when individuals leave the organization or change roles.
- Implement policies to prevent unauthorized devices, like USBs, from connecting to covered systems.
- Collect and retain logs of access- and security-relevant events for at least 12 months, or until a data breach is finally resolved. This includes Intrusion Detection System/Intrusion Prevention System (IDS/IPS) alerts, firewall logs, VPN logs, and login events, so that potential breaches can be identified in time.
- Deny all connections by default, and allow only those explicitly required for specific system functions.
- Apply data minimization so that covered data is not collected or retained unless it is needed, and mask (obfuscate) the covered data that is retained.
- Encrypt covered data in all restricted transactions to protect it against unauthorized access, both in transit and at rest, using industry-standard encryption (e.g., TLS 1.2 or higher for data in transit). Store encryption keys separately from the data they protect and out of reach of unauthorized individuals and locations, including countries of concern and covered persons.
- Apply privacy-enhancing techniques such as homomorphic encryption (computing on data while it remains encrypted) and differential privacy (adding calibrated noise to released results) so that processed data cannot be used to reconstruct the covered data or to link results back to individuals.
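The encryption item above names three properties a practitioner has to turn into code: an industry-standard cipher at rest, keys stored separately from the data, and key access under control. The following Go program is an added example (not code from CISA, TuxCare, or the original page) of envelope encryption, the usual way to satisfy all three: each record is encrypted with its own data encryption key (DEK) under AES-256-GCM, and the DEK is wrapped under a key encryption key (KEK) that lives in a separate key store and is never written alongside the data. The 32-byte KEKs and the sample payload are constructed for the demonstration; in production the KEK would come from an HSM or KMS. The type and function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is the unit written to storage: the payload encrypted under a
// per-record DEK, plus that DEK wrapped under the KEK. The KEK itself is
// never part of the record, so the storage tier alone cannot decrypt it.
type Record struct {
	WrappedDEK []byte // nonce || AES-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-GCM(DEK, payload)
}

// gcmSeal encrypts plaintext with AES-GCM under key (32 bytes = AES-256),
// prefixing the random nonce so the output is self-describing.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal. A wrong key or any modification of nonce,
// ciphertext or tag fails authentication and returns an error.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// EncryptRecord generates a fresh 256-bit DEK, encrypts the payload with it
// and wraps the DEK under the KEK. The caller obtains kek from the separate
// key store (assumed here to be a byte slice handed in; an HSM/KMS in practice).
func EncryptRecord(kek, payload []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := gcmSeal(dek, payload)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := gcmSeal(kek, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the payload.
func DecryptRecord(kek []byte, rec Record) ([]byte, error) {
	dek, err := gcmOpen(kek, rec.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, rec.Ciphertext)
}

// RewrapDEK rotates the KEK without touching the payload ciphertext: only
// the small wrapped-DEK field is re-encrypted.
func RewrapDEK(oldKEK, newKEK []byte, rec Record) (Record, error) {
	dek, err := gcmOpen(oldKEK, rec.WrappedDEK)
	if err != nil {
		return Record{}, fmt.Errorf("unwrap DEK: %w", err)
	}
	wrapped, err := gcmSeal(newKEK, dek)
	if err != nil {
		return Record{}, err
	}
	return Record{WrappedDEK: wrapped, Ciphertext: rec.Ciphertext}, nil
}

func main() {
	kek := bytes.Repeat([]byte{0x11}, 32)    // constructed sample KEK
	newKEK := bytes.Repeat([]byte{0x22}, 32) // constructed replacement KEK
	rec, err := EncryptRecord(kek, []byte("name=J. Doe;ssn=000-00-0000")) // constructed payload
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(kek, rec)
	fmt.Printf("decrypt with KEK: %q err=%v\n", pt, err)
	_, err = DecryptRecord(newKEK, rec)
	fmt.Println("decrypt with wrong KEK:", err)
	rotated, _ := RewrapDEK(kek, newKEK, rec)
	pt, err = DecryptRecord(newKEK, rotated)
	fmt.Printf("after KEK rotation: %q err=%v\n", pt, err)
}
```

Because the KEK never leaves the key store, a copy of the storage tier alone (a backup, a stolen disk, a replica in the wrong jurisdiction) yields nothing. The authenticated cipher means tampering is detected instead of silently decrypting to garbage, and rotating the KEK re-encrypts only the wrapped DEK, not the payload.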
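Differential privacy is the item in the list whose mechanism is least obvious from its name. The Go program below is an added example (not from the page, CISA, or TuxCare) of the Laplace mechanism for a counting query over a constructed patient table: it first shows the differencing attack that exact counts permit (count everyone, count everyone except the target, subtract), then releases the count with Laplace noise of scale 1/epsilon, and tracks a cumulative epsilon budget so the query cannot be repeated until the noise averages away. The rows, names, epsilon values and type names are all constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"math/rand"
)

// Person is one row of constructed sample data; no real individuals.
type Person struct {
	Name      string
	Diagnosed bool
}

// LaplaceScale returns the noise scale b = sensitivity/epsilon that makes a
// query with the given L1 sensitivity epsilon-differentially private.
func LaplaceScale(sensitivity, epsilon float64) float64 {
	return sensitivity / epsilon
}

// NewDemoRand returns a seeded generator so the demo is reproducible.
// (A production release would use a cryptographically secure source.)
func NewDemoRand(seed int64) *rand.Rand {
	return rand.New(rand.NewSource(seed))
}

// sampleLaplace draws from Laplace(0, b) by inverting its CDF.
func sampleLaplace(r *rand.Rand, b float64) float64 {
	u := r.Float64() - 0.5 // uniform on [-0.5, 0.5)
	if u == -0.5 {         // guard the single point where log(0) would occur
		u = 0
	}
	if u < 0 {
		return b * math.Log(1+2*u)
	}
	return -b * math.Log(1-2*u)
}

// ExactCount is the raw query: how many rows are diagnosed.
func ExactCount(rows []Person) float64 {
	n := 0.0
	for _, p := range rows {
		if p.Diagnosed {
			n++
		}
	}
	return n
}

// NoisyCount releases the count under epsilon-DP. A counting query has
// sensitivity 1: adding or removing one person moves it by at most 1.
func NoisyCount(rows []Person, epsilon float64, r *rand.Rand) float64 {
	return ExactCount(rows) + sampleLaplace(r, LaplaceScale(1, epsilon))
}

// DifferencingAttack is what DP defends against: with exact answers,
// count(all) - count(all without target) reveals the target's attribute
// (1 = diagnosed, 0 = not).
func DifferencingAttack(rows []Person, target string) float64 {
	others := make([]Person, 0, len(rows))
	for _, p := range rows {
		if p.Name != target {
			others = append(others, p)
		}
	}
	return ExactCount(rows) - ExactCount(others)
}

// Budget enforces sequential composition: the epsilons of all answered
// queries add up, so repeating a query to average out the noise is refused
// once the total is spent.
type Budget struct {
	Total, Spent float64
}

func (b *Budget) Query(rows []Person, epsilon float64, r *rand.Rand) (float64, error) {
	if epsilon <= 0 || b.Spent+epsilon > b.Total {
		return 0, errors.New("privacy budget exhausted or invalid epsilon")
	}
	b.Spent += epsilon
	return NoisyCount(rows, epsilon, r), nil
}

// SampleRows is constructed sample data for the demonstration.
func SampleRows() []Person {
	return []Person{
		{"Alice", false}, {"Bob", true}, {"Chen", false},
		{"Dana", true}, {"Eve", false}, {"Femi", true},
	}
}

func main() {
	rows := SampleRows()
	r := NewDemoRand(7)
	fmt.Println("exact count:", ExactCount(rows))
	fmt.Println("Dana diagnosed? (exact differencing):", DifferencingAttack(rows, "Dana"))
	b := &Budget{Total: 1.0}
	for i := 1; i <= 3; i++ { // third query exceeds the budget and is refused
		v, err := b.Query(rows, 0.4, r)
		fmt.Printf("query %d (eps=0.4): %.2f err=%v\n", i, v, err)
	}
}
```

The budget is the part practitioners most often omit: a single noisy answer is private, but an analyst allowed unlimited queries can average the noise out, so epsilon has to be accounted for across every release. Homomorphic encryption, the other technique named, requires a dedicated library and is not shown here.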
Conclusion
CISA is accepting public comments on the proposed security requirements before they are finalized. If you want to contribute to a more secure digital future, you can submit comments on regulations.gov by searching for docket CISA-2024-0029 and selecting the "Comment Now!" option.
As organizations adapt to CISA's new security requirements, modern approaches like automated live patching can simplify the vulnerability patching process while minimizing disruption. KernelCare Enterprise enables businesses to maintain security and compliance without sacrificing uptime or operational continuity.
Have questions about Linux security, vulnerability patching, or compliance standards? Reach out to our experts today—we’re here to help you find effective solutions for your organization!
Source: CISA