Cybersecurity Regulations that Will Shape the Next 6+ Months

By Hayden Smith

There’s a saying about security: if there’s a vulnerability, it will be exploited…and everything is vulnerable in some way. This sums up why cybersecurity regulations are important, and to understand their impact on the federal government, you need only to scan the news.

The Biden administration has already made significant moves to create federal cybersecurity guidelines, resulting in a slew of compliance tasks and deadlines. If I step back and use current guidelines and upcoming regulations to guide the next six months, here’s a list of expected deadlines and coming announcements to watch for.

Add these to your calendar to stay ahead of the curve and to plan a well-integrated response for your team and department:

September

• The Office of Management and Budget (OMB) will formulate policies regarding agency logging requirements.
• The Homeland Security Secretary will issue preliminary goals for control systems across critical infrastructure sectors by September 22, 2021. These will be followed by final cross-sector control system goals in July 2022.
• Expect to see federal guidance on how IT service providers are to share incident or event data with agencies, especially the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
• We should see an update to the Federal Acquisition Regulation (FAR) clause addressing the recommended contract language available for comment.
• The federal government will release a “playbook” addressing how Federal Civilian Executive Branch (FCEB) agencies should plan and conduct vulnerability and incident response activities.
• The FCEB agencies will adopt governmentwide Endpoint Detection and Response (EDR) requirements.
• Also expect to see a new FAR rule addressing governmentwide incident reporting requirements.

October

• It is National Cybersecurity Awareness month, so double down on the No. 1 security aspect you can control: your cyber hygiene.
• Federal agencies were given 60 days to identify critical software in their systems and they are due this month. A year from now, you’ll need to have them secured. As a reminder, the National Institute of Standards and Technology (NIST) defines critical software as software that runs on or depends on software that:
  • Is designed to run with elevated privilege or managed privileges.
  • Has direct or privileged access to networking or computing resources.
  • Was designed to control access to data or operational technology.
  • Performs a function critical to trust.
  • Operates outside of normal trust boundaries with privileged access.
• Expect to see an updated FAR clause targeting IT and OT service providers.

November

• NIST will collect, compile and review the proposed solutions and ideas garnered to enhance software supply chain security. Look for final guidance in February 2022.
• The Cybersecurity Maturity Model Certification (CMMC) Certified Professional (CCP) beta test period will start mid-month and the official exam is expected to be offered in February 2022.
• Agencies are expected to have in place multi-factor authentication (MFA) and data-at-rest encryption protocols. This could prove a challenging deadline to meet as defense contractors have struggled with this same effort for years.
• If unable to accomplish MFA and data-at-rest encryption protocols an agency must explain why to CISA, OMB and the National Security Advisor’s (NSA) office.

December

• The final DFARS CMMC rule and an update to the CMMC Model are expected in the November/December time frame. CMMC delays have caused many to question whether CMMC will be scrapped. I think along with many other cybersecurity professionals that CMMC will survive – it’s needed now more than ever. The details and timeline involved in standing up such a robust program were originally overestimated, but I think it will happen by the end of the year. Pro tip: Start thinking about how you will address the need for a Point of Contact 24/7/365.

Early 2022

• I expect NIST will issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures and criteria.
• Also expect to see formal guidance from NIST identifying IoT (Internet of Things), cyber and secure software development practices or criteria for consumer labeling programs.
• Look for OMB to require agencies to comply with supply chain security guidance for all new purchases.

Why it’s important to look ahead

No one likes a surprise that makes extra work or causes panic. It’s important to anticipate and prepare for coming regulations. Planning is a force multiplier that benefits your agency. Sharing deadlines and news both up and down the reporting chain eliminates any surprises and allows your team to make knowledgeable, empowered security decisions. Take note of these expected cybersecurity regulations and stay informed on what’s around the corner.

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our summer/fall 2021 Cohort, here is a full list of every Featured Contributor during this cohort and a link to their stories.

Hayden Smith is a senior engineer with Anchore, a software container security company. Currently, Smith leads developer projects across the Defense Department (DoD) and numerous federal agencies to help government organizations adopt DevSecOps best practices. His work includes building and automating Platform One, a collection of hardened and approved containers for use across agencies.

Smith’s dedication to advancing safe cloud-native development practices has been able to guide, empower, equip and accelerate DoD programs through their DevSecOps journeys. Prior to joining Anchore, Smith was a DevOps and infosecurity technologist with Booz Allen Hamilton, where he worked extensively on FedRAMP compliance. You can connect with Anchore on Twitter and LinkedIn.