
DHS releases new cybersecurity regulations: impact on contractors

New rules implemented by the US Department of Homeland Security introduce new requirements for protecting information and reporting cybersecurity incidents


The United States Department of Homeland Security (DHS) recently issued new cybersecurity regulations with the goal of protecting controlled unclassified information (CUI). These long overdue regulations amend and add to the Homeland Security Acquisition Regulation (HSAR) and will be incorporated into future solicitations, including commercial contracts issued under Federal Acquisition Regulation (FAR) Part 12. The regulations tie in with existing and future requirements of the United States Department of Defense (DoD) and the Federal Acquisition Regulatory Council (FAR Council), and they take effect on July 21, 2023.

Detailed analysis of the regulations

The new regulations not only stipulate how contractors must protect CUI, but also set out new reporting requirements for cybersecurity incidents and, in some cases, require third-party assessments. Complying will add costs for contractors, but according to DHS those costs are necessary to protect CUI and other critical information. Three new clauses have been introduced: HSAR 3052.204-71, HSAR 3052.204-72 and HSAR 3052.204-73, which govern contractor employees' access to CUI, security measures, incident notification and credit monitoring.

DHS specific security controls and definition of CUI

Curiously, DHS has decided not to use the security controls of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as its baseline, building instead on security controls defined by DHS itself. In addition, DHS has adopted a definition of CUI that differs from the existing DoD definition. The DHS definition of CUI includes, among other things, critical infrastructure information, sensitive security information, information about technology in use or under development, physical security information, and PII. DHS is working to update its security policies and has promised to replace the current policies and procedures once the new ones are finalized.

Additional requirements of the new regulations

The basic requirements of the regulation apply whenever CUI is handled as part of the contractual requirements. Additional requirements apply to contractors who have access to a government system or operate a system on behalf of DHS. These include obtaining an Authority to Operate (ATO), completing the Security Authorization (SA) process in line with DHS Policy Directive 4300A, and undergoing third-party assessments. The new rules place particular emphasis on incident notification, employee training, and compliance with DHS's stringent security standards.


06/28/2023 00:00

Editorial AI
