As cyber threats continue to evolve and increase in frequency, governments and regulatory bodies are responding by imposing stricter cyber security regulations on businesses. Here are some notable regulations that are coming soon:
Transportation Security Administration (TSA)
The Transportation Security Administration (TSA) has issued a new cyber security amendment on an emergency basis to certain airport and aircraft operators’ security programs. This amendment aims to enhance the cyber security resilience of U.S. critical infrastructure, following extensive collaboration with aviation partners.
The new emergency amendment requires impacted TSA-regulated entities to develop an approved implementation plan that describes measures they are taking to improve their cyber security resilience and prevent disruption and degradation to their infrastructure. The TSA will continue to work closely with industry stakeholders to reduce cyber security risks and improve cyber resilience to support safe, secure and efficient travel.
I recently joined a webinar hosted by Andrew Ginter from Waterfall Security to go over TSA’s regulatory journey and what we can expect going forward. After he started discussing the differences between various standards, guidelines and regulations, I asked him how one could keep up with all of the differences and ongoing updates:
“I can’t even keep up with all of them” – Andrew Ginter
Just as there are many standards, guidelines and regulations that require companies to conduct assessments, there are just as many cyber security start-ups, so one could hardly expect him to know that SecurityGate can help CISOs and OT cyber security managers map their controls to the industry’s leading standards and frameworks.
U.S. Securities and Exchange Commission Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
This expansive rule was published by the SEC in March 2022 and is expected to be finalized this month. It would require companies subject to the Exchange Act’s reporting requirements to report material cyber security incidents and to provide periodic updates about previously reported cyber security incidents. The proposed rule would also require companies to disclose their cyber security governance capabilities, such as which board members have cyber security expertise, what processes are in place to educate the board on cyber risks, and how their business strategy addresses cyber risks.
Cybersecurity Maturity Model Certification (CMMC) Program
CMMC 2.0 is an updated Department of Defense rule that is expected to take effect next month. The program requires any DoD contractor to certify that its cyber security controls meet federal requirements.
Although this program only applies to organizations that work with the Department of Defense, it signals a trend: government agencies and large enterprises are no longer willing to take claims of cyber security at face value – they want to see proof. This trend is expected to grow, so it is a smart idea to document and provide evidence of all cyber controls now in order to be prepared for the future.
The key features of CMMC 2.0 are a tiered model, an assessment requirement, and implementation through contracts.
With these new regulations on the horizon, it is critical that businesses assess their cyber risk tolerance and their current position to ensure they are compliant. Organizations need to assess their posture before the new regulations are released so they are prepared when the requirements take effect. A platform like SecurityGate can track everything automatically and let organizations easily share proof of their cyber security controls and their implementation with their cyber insurance provider, vendors, or customers.