Across a range of agencies and issues, the Federal Government continues to roll out new initiatives and update current programs focused on improving cybersecurity readiness. With the passage of the infrastructure bill, which was signed into law by President Biden on November 15, 2021, critical funding will be provided to cybersecurity infrastructure, focused in particular on state and local resources in turn bolstering some the nation’s most vulnerable assets. Meanwhile, the Department of Defense (DOD) has announced that the controversial Cybersecurity Maturity Model Certification (CMMC) program for the Defense Industrial Base (DIB) will be revised in an effort to reduce costs and address questions about implementation, particularly for smaller government contractors. At the State Department, the Biden Administration announced the launch of a new bureau of cyberspace and digital policy, to strengthen the United States’ cyber expertise and combat the rising cybersecurity-related issues of our time. Lastly, Congress’s Committee on Oversight and Reform released a memorandum regarding the nation’s widespread fight against ransomware.
DOD Announces CMMC Modifications
A revised CMMC 2.0, which comes with an ill-defined implementation schedule, simplifies some core elements of the framework. Congress and the DOD have concluded that the prevailing mode of operations in the DIB—relying on third-party contracting—has been a major point of exploitation posing cybersecurity risk. The DOD introduced the CMMC as a means through which cybersecurity preparedness could be normalized and standardized throughout the DIB. The first version proposed that each contractor receive a third-party certification, even if the contractor was not directly involved with controlled, unclassified data. DIB industry members provided extensive comments to the initial rollout, questioning the cost and plausibility of contractors’ being able to meet the standards of certification. Now, the CMMC will be pared down, removing the requirement for third-party contractors who are not involved with classified information to get certified. Further, the number of security tiers involved in the CMMC would decrease from five tiers to three. In the third tier, a bifurcated model will be followed, whereby some contracts that handle controlled, unclassified information will be able to follow a cheaper and more efficient self-assessment protocol. Lastly, the new CMMC 2.0 would allow contractors to use Plan of Action and Milestone (PoAM) reports, giving contractors who do not meet all control criteria for certification time to prove that standards for certification will eventually be met.
New Bureau of Cyberspace and Digital Policy
The Biden Administration announced the formation of a new Bureau of Cyberspace and Digital Policy in the Department of State, alongside a new Special Envoy for Critical and Emerging Technology. These developments seek to increase the United States’ expertise in the fields of international cyberspace security, international digital policy, and digital freedom, becoming key foreign policy initiatives. The State Department noted that the Bureau is being created to combat the constant threat of cyber-attack to the U.S. private and public sectors. The goal of the special envoy will be to lead a technology diplomacy and partnerships agenda.
Cybersecurity-Related Implications of the new Infrastructure Bill
On November 15, President Biden signed into law the bipartisan infrastructure bill. Amongst the provisions in the $1.2 trillion act, are a number of investments in cybersecurity infrastructure. The funding package includes $550 billion in new spending for U.S. transportation and utility infrastructure and $50 billion for protection against climate change and cyberattack. An additional $2 billion has been allocated for cybersecurity investments, half of which funds the State, Local, Tribal, and Territorial Cyber Grant Program within the Cybersecurity and Infrastructure Agency (CISA). The law also provides funding for the national cyber director and created a $100 million Cyber Response and Recovery Fund. Importantly, improvements in critical infrastructure, occurring outside of the aforementioned provisions, will include cybersecurity criteria. The new legislation encourages cross-sector information sharing, and identification of vulnerable infrastructure. Further, within two years, the legislation mandates that the Federal Highway Administration implement tools to identify, detect, protect, and respond to cyber incidents, coordinating with the National Institute of Standards and Technology, Transportation Security Administration, and CISA.
Congress’s Ransomware Memorandum
The Committee on Oversight and Reform (COR) launched an investigation into ransomware attacks and U.S. private-sector ransomware payments. The results of the investigation and further findings were noted in a COR memorandum. The memorandum included major findings from investigating some of the nation’s largest ransomware attacks. Amongst the findings, the memo highlighted three observations:
- Small lapses led to major breaches – Ransomware attackers rely on minor security lapses, occurring at individual levels (due to weak passwords or old active account information), to launch catastrophic wide-scale attacks.
- Some companies lacked clear initial points of contact with the federal government – Companies are faced with a disorganized patchwork of federal agencies to engage with after falling victim to a ransomware attack.
- Companies faced pressure to quickly pay the ransom – Given uncertainty on the level of data theft, deletion, and lack of data restoration/backup, private entities felt pressure to pay ransoms in as expedient a manner as possible.
In lieu of these findings, the memo recommended a clearly established federal point of contact in response to ransomware attacks. The memo also emphasized that although the FBI has released guidance to not pay ransoms, companies feel pressure to do so given escalating threats and promises for leniency from attackers if ransoms are paid. Ransomware attacks are becoming a widespread national threat, and investigations such as these show that Congress is actively seeking methods to legislatively intervene.