This is the fourteenth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various Government agencies to implement the Cyber EO from June 2021 through May 2022. This blog describes key actions taken to implement the Cyber EO during June 2022.

NIST Issues Final Draft Guidance on Engineering Secure Systems

On June 7, 2022, the National Institute of Standards and Technology (NIST) issued a final draft of its Special Publication (SP) 800-160, Volume 1, Revision 1, titled “Engineering Trustworthy Secure Systems.” According to NIST, the updated draft publication provides a “renewed emphasis on the importance of systems engineering and viewing systems security engineering as a critical sub-discipline necessary to achieving trustworthy secure systems.” The draft provides systems engineers with design principles and a methodology for developing trustworthy secure systems, it clarifies key systems engineering and systems security engineering terminology, and provides additional references to international standards and technical guidance to support the security aspects of the systems engineering process.

CISA Releases Version 2.0 of Its Cloud Security Technical Reference Architecture

The Cybersecurity and Infrastructure Security Agency (CISA) released the second version of its Cloud Security Technical Reference Architecture (TRA) guidance on June 22, 2022. Section 3(c)(ii) of the Cyber EO provides that the purpose of the Cloud Security TRA is to outline recommended approaches to cloud migration and data protection and to provide guidance for agencies’ secure migration to the cloud.. Contributing authors were CISA, the United States Digital Service and the Federal Risk and Authorization Management (FedRAMP) program. The TRA reflects a number of changes from the prior draft published in September 2021 in response to more than 300 comments that CISA received on the prior draft.

NIST Issues Guidance and Discussion Paper Regarding its Cybersecurity Internet of Things (IoT) Program, Hosts a Workshop, and Awards CRADAs to Partners For Solutions for Secure Network-Layer Onboarding of IoT Devices

NIST took several steps in June 2022 in furtherance of its IoT Cybersecurity Program. First, NIST issued draft guidance for public comment on the baseline criteria for consumer IoT product labelling that it developed pursuant to the Cyber EO. Second, NIST issued for public comment a draft Discussion Essay titled “Ideas for the Future of IoT Cybersecurity at NIST: IoT Risk Identification Complexity”, which sets forth various considerations and approaches for identifying and addressing risks for IoT devices. Third, NIST held a virtual workshop on June 22, 2022, during which NIST officials, industry representatives, and other stakeholders discussed the results of NIST’s cybersecurity labelling initiative for IoT devices and issues related to IoT device cybersecurity generally. Finally, on June 27, 2022, NIST entered into Cooperative Research and Development Agreements (CRADAs) with fourteen different organizations to develop solutions to ensure the security credentials of IoT devices that are attempting to connect to a network..