5 Critical Cybersecurity Updates Forecasted for 2023

Originally published by A-LIGN.

Written by Tony Bai, Federal Practice Lead, A-LIGN.

As cyberattacks become increasingly common in today’s global environment, government agencies are looking at applying minimum cybersecurity guidelines across several new sectors as the year comes to a close. The following are some of the most critical updates to come, when they may go into effect, and what you can do now in preparation.  

New Requirement for Asset Visibility and Vulnerability Detection on Federal Networks 

In October of 2022, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) announced Binding Operational Directive 23-01 – Improving Asset Visibility and Vulnerability Detection on Federal Networks.  

This new directive is set to go into effect on April 3, 2023, and requires organizations in the Federal Civilian Executive Branch (FCEB) to perform regularly automated asset recoveries and vulnerability enumeration. The definitions and cadences of these actions are as follows:  

Asset Discovery – An activity through which an organization identifies what addressable IP assets reside on their networks and the associated IP addresses (hosts). Under these new requirements, organizations are to perform automated Asset Discovery every 7 days. 

Vulnerability Enumeration – An action that identifies and reports suspected vulnerabilities on the assets identified in asset discovery. Vulnerability Enumeration detects host attributes (e.g., operating systems, applications, open ports, etc.), and identifies outdated software versions, missing updates, and misconfigurations. Under these new requirements, organizations are to perform automated Vulnerability Enumeration every 14 days.  

These new requirements apply to any FCEB unclassified federal information system, including any federal information system used or operated by another entity on behalf of an agency, that collects, processes, stores, transmits, disseminates, or otherwise maintains agency information. There are certain exceptions and stipulations regarding the frequency of these actions. Connection with a certified federal CPA such as A-LIGN can help to ensure your organization remains in compliance with these updates.  

New attention on TSA, HHS, EPA, FCC and their industry partners  

Anne Neuberger, the President’s Deputy National Security Adviser for Cyber and Emerging Technology, recently discussed new implementations, explaining that many will expand beyond the original “critical infrastructure” target list and include healthcare, radio and broadcast, water utilities, and biotech.  

Some specific upcoming targets include: 

• Transportation Security Administration (TSA): Critical Railroads and Pipelines 
• Department of Health and Human Services (HHS): Hospitals and Medical device manufacturers 
• Environmental Protection Agency (EPA): Water Utilities 
• Federal Communications Commission (FCC): Radio and Television Broadcasters 

According to Neuberger, some of the key new implications include a notice of proposed rulemaking for emergency and public warning systems from the FCC, new guidelines for hospitals from HHS, and ways to regulate water systems’ cybersecurity from the EPA. Some of these industries, where federal agencies have clear jurisdiction could see interim rules as soon as the end of this year. Others may see longer time horizons as new legislation may be required.  

Companies should keep in close communication with their agency sponsors and government affiliates as these new measures develop. For companies who wish to participate in the process, comment periods will likely precede final implementation.  

Quantum computing expected to grow, compliance frameworks to follow 

Advances in quantum computing technology continue to be of interest to the Biden Administration, as many fear that modern quantum computing will soon render current encryption measures obsolete. This summer, the National Institute of Standards and Technology (NIST) announced new encryption algorithms that the organization sees as the first steps in a post-quantum cryptographic standard. NIST expects these new algorithms to be finalized in the next two years.  

The Administration is also doubling down on its own quantum computing investments in both research and development, and workforce training to ensure that the United States continues to lead from the front as the technology develops. In the coming years, the government will likely implement new controls to existing cybersecurity frameworks to capture post-quantum technology. A-LIGN’s experience with NIST security frameworks enables us with the ability to provide trusted guidance in preparation for these new quantum compliance requirements as they develop. 

Discussions begin on consumer product labeling to reflect cybersecurity standards  

This month, November 2022, the White House is bringing together companies and government stakeholders to explore new standardized labeling for consumer products that meet the highest standards of government-sponsored cybersecurity measures.  

These new labels are meant to help American consumers better understand which products are most secure as they bring them into their homes. The Administration is targeting routers and home cameras for the first round of labels. These labels present a potential competitive advantage to companies that invest in the highest cybersecurity standards.  

DCMA places renewed emphasis on NIST 800-171 compliance as audits continue  

Earlier this summer, the Defense Contract Management Agency (DCMA) announced plans to spot check NIST SP 800-171 compliance using the Defense Industrial Base Cyber Assessment Center (DIBCAC) amid concerns that self-attested Plan of Action and Milestones (POAMs) are not being completed.  

Possible ramifications of being found out of compliance include having a government contractor’s past performance reflect a breach of contract. To assure compliance, companies have the option to work with a 3PAO for a NIST 800-171 gap assessment or overall certification.

About the Author

Mr. Bai is a cybersecurity professional with a range of certifications. As the Federal Practice Lead at A-LIGN, Mr. Bai supports all FedRAMP, FISMA, NIST 800-171 and other NIST-based projects. He is responsible for overseeing all NIST-based engagements and providing security controls advisory and guidance to our clients. Mr. Bai has hands-on experience leading all stages of system security, including requirements definition, auditing, scanning, and mitigation. With over 27 years of information systems experience to include 10 years specializing in cybersecurity. His extensive background includes providing risk assessments of information systems for government agencies and commercial clients. Mr. Bai brings an impressive blend of knowledge of security controls and technical aspects of cybersecurity and IT operations.