The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is proposing security measures to prevent adversary states from accessing Americans' personal data and government-related information. The measures are aimed at entities handling sensitive data exposed to 'countries of concern.'

# Proposed Security Measures

| **Category** | **Requirements** |
|-------------------------------|---|
| **Asset Inventory** | Maintain an asset inventory, updated monthly, that includes IP addresses and hardware MAC addresses. |
| **Vulnerability Remediation** | Remediate known exploited vulnerabilities within 14 days, critical vulnerabilities within 15 days, and high-severity flaws within 30 days. |
| **Network Topology** | Maintain an accurate network topology for incident identification and response. |
| **Authentication** | Enforce MFA on all critical systems, require 16+ character passwords, and revoke access immediately upon employment termination or role change. |
| **Unauthorized Hardware** | Prevent unauthorized hardware (e.g., USB devices) from being connected to covered systems. |
| **Logging** | Collect logs on access and security-related events (IDS/IPS, firewall, data loss prevention, VPN, login events). |
| **Data Management** | Reduce or mask data to prevent unauthorized access or linkability; apply encryption to protect covered data during restricted transactions. |
| **Encryption Key Storage** | Do not store encryption keys along with covered data or in countries of concern. |
| **Data Protection Techniques** | Apply techniques such as homomorphic encryption or differential privacy to prevent reconstruction of sensitive data from processed data. |