Software vendors will soon need to disclose all breaches

By Tim Sandle     Apr 6, 2021 in Technology
A planned Biden administration executive order will require many software vendors to notify their federal government customers when a cybersecurity breach has taken place. The planned order stops short of requiring that consumers be notified.
This planned order will compel vendors to preserve more digital records and to work with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) when responding to incidents. Additionally, the proposed order would require multi-factor authentication and encryption of data inside federal agencies. The order is not yet final but could be released as early as April 2021. While a step forward, the order is not as strong as the rules in place in most European countries.
Looking at the issue, Matt Sanders, Director of Security at LogRhythm, tells Digital Journal:
“The past four months have been a hotbed for cybersecurity hacks and breaches. As foreign nation state-sponsored adversaries continue to ramp up attacks as we saw in the SolarWinds compromise and most recently with the Microsoft Exchange zero-day attack, organizations across industries need to work together to thwart future incidents.”
Looking at the legislation specifically, Sanders says: “The planned executive order, which would require many software vendors to notify their federal government customers when the companies experience a cybersecurity breach, is a positive first step in improving transparency and speeding up the investigation and remediation of future attacks.”
He adds that “Department of Defense (DoD) contractors have been required to rapidly report breaches to the DoD for many years now, but what has been missing is similar reporting requirements on non-DoD Federal contractors. Currently, all DoD contractors get Defense Federal Acquisition Regulations (DFARS) 252.204-7012 written into their contracts that requires rapid reporting (within 72 hours) of data breaches to the DoD. A similar clause in the non-DoD Federal Acquisition Regulations (FARS) has been expected for some time now but never materialized.”
In terms of how to deal with cybersecurity incidents, responding quickly is important: “While rapid reporting is an important aspect, hopefully this executive order will require and enforce additional security measures for protecting Federal Government data as well.”
With defense issues, Sanders adds: “One thing we’ve seen in the DoD industry is strong security requirements imposed via regulations, but lacked enforcement until recently. With the Cybersecurity Maturity Model Certification (CMMC), the DoD is finally adding some teeth to enforcing security by requiring contractors to undergo an independent 3rd party assessment of their security controls.”
On the legislation and what it should be composed of, Sanders states: “Ideally, a new Executive Order should also add a similar enforcement piece to ensure those security requirements are being adhered to. The Biden administration has already worked to address future cybercrime by allocating nearly $2 billion in funding to secure and improve government technology and security in the most recent stimulus package, and this latest action shows that the federal government is extremely serious about working with the private sector to ensure national security is preserved.”