Two senior CISA officials, Bob Lord and Lauren Zabierek, have resigned, citing their work on the agency's Secure by Design program. Their departure coincides with White House cuts and a possible shift in the program's direction, at a time when the agency faces significant budget cuts and staff reductions.
   
The US government initially allowed funding for the Common Vulnerabilities and Exposures (CVE) program to end. Funding has since been restored, with the CVE Foundation and CISA involved in keeping the program running. This article looks at the CVE funding episode specifically in terms of its effects on Android.
   
In the wake of the Salt Typhoon intrusions, US government agencies have reversed course on encryption, urging the public to use end-to-end encryption after decades of arguing against it. This is a major turnaround from their previous demands for law enforcement backdoors into encrypted communications.
   
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is proposing security requirements intended to keep adversary states from accessing Americans' personal data and government-related information. The requirements are aimed at entities that handle sensitive data that could be exposed to "countries of concern."
# Proposed Security Measures
| **Category** | **Requirements** |
|-------------------------------|---|
| **Asset Inventory** | Maintain an asset inventory, updated monthly, that records IP addresses and hardware MAC addresses. |
| **Vulnerability Remediation** | Remediate known exploited vulnerabilities within 14 days, critical vulnerabilities within 15 days, high-severity flaws within 30 days. |
| **Network Topology** | Maintain an accurate network topology for incident identification and response. |
| **Authentication** | Enforce MFA on all critical systems, require passwords of 16 or more characters, and revoke access immediately upon employment termination or role change. |
| **Unauthorized Hardware** | Prevent unauthorized hardware (e.g., USB devices) from being connected to covered systems. |
| **Logging** | Collect logs on access and security-related events (IDS/IPS, firewall, data loss prevention, VPN, login events). |
| **Data Management** | Reduce or mask data to prevent unauthorized access or linkability, apply encryption to protect covered data during restricted transactions. |
| **Encryption Key Storage** | Do not store encryption keys along with covered data or in countries of concern. |
| **Data Protection Techniques**| Apply techniques such as homomorphic encryption or differential privacy to prevent reconstruction of sensitive data from processed data. |