6 USC 652: Cybersecurity and Infrastructure Security Agency

Threats and vulnerabilities cannot be eliminated and reducing cybersecurity risks is especially challenging. The health care environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks. While discussing future priorities for federal cybersecurity during a Nextgov event Thursday, Steven Hernandez, chief information security officer for the Education Department and chair of the Federal CISO Council, said a new mandate on software supply chain is forthcoming. To request additional information from other Federal Government agencies, State, local, tribal, and territorial government agencies, and the private sector relating to threats of terrorism in the United States, or relating to other areas of responsibility assigned by the Secretary, including the entry into cooperative agreements through the Secretary to obtain such information. To review, analyze, and make recommendations for improvements to the policies and procedures governing the sharing of information relating to homeland security within the Federal Government and between Federal Government agencies and State, local, tribal, and territorial government agencies and authorities.

The Department also emphasizes that Notices of Exemption should be filed electronically via the DFS Portal. The Covered Entity should utilize the account that they used to file the original Notice of Exemption or create a new account if an individual filing was previously not made. If a Covered Entity files a Notice of Exemption with the Department representing that it qualifies for one of these limited exemptions, then the Covered Entity should maintain data and documentation supporting the Notice of Exemption for five years and shall provide such data and documentation if requested by the Department. Pursuant to 500.19, when a Covered Entity no longer qualifies for an exemption, it has 180 days from its fiscal year end to comply with all applicable requirements of the Cybersecurity Regulation. 500.19 – To qualify, regulated individuals and entities must not utilize an Information System and must not, and must not be required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information. This is a limited exemption.

Within 30 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA shall provide to the Director of OMB recommendations on options for implementing an EDR initiative, centrally located to support host-level visibility, attribution, and response regarding FCEB Information Systems. Articulate progress and completion through all phases of an incident response, while allowing flexibility so it may be used in support of various response activities. The Secretary of Homeland Security, in consultation with the Attorney General and the APNSA, shall review the recommendations provided to the President through the APNSA pursuant to subsection of this section and take steps to implement them as appropriate. Within 30 days of issuance of the guidance described in subsection of this section, the Director of OMB acting through the Administrator of the Office of Electronic Government within OMB shall take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of this order.

To the extent a Covered Entity relies on an Affiliate's cybersecurity program in whole or in part, that program must be made available for examination by the Department. Depending on the facts and circumstances, the same entity can be a Covered Entity, an Authorized User, and a Third Party Service Provider. For example, a DFS-licensed independent agent that works with multiple insurance companies is a Covered Entity with its own obligation to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of its Information Systems and Nonpublic Information.

The cybersecurity training curriculum must include training on the identification of each cybersecurity incident severity level referenced in sub-subparagraph 9.a. Within 120 days of the date of this order, the Secretary of Homeland Security and the Director of OMB shall take appropriate steps to ensure to the greatest extent possible that service providers share data with agencies, CISA, and the FBI as may be necessary for the Federal Government to respond to cyber threats, incidents, and risks. The FDA has provided information to medical device and pharmaceutical manufacturers on steps they should take to mitigate cybersecurity issues and actions to take when they believe a cybersecurity incident has occurred. Manufacturers are already assessing whether they are affected by these vulnerabilities, evaluating the risk, and developing remediation actions. Manufacturers who may be affected by this most recent issue should communicate with their customers and coordinate with the Cybersecurity and Infrastructure Security Agency. To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other Federal Government agencies, including Sector-Specific Agencies, and in cooperation with State, local, tribal, and territorial government agencies and authorities, the private sector, and other entities.

Accordingly, Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps. Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. Threats to the nation's critical infrastructures and the information technology systems that support them require a concerted effort among federal agencies; state, local, tribal, and territorial governments; and the private sector to ensure their security. The seriousness of the threat was reinforced by the December 2020 discovery of a cyberattack that has had widespread impact on government agencies, critical infrastructures, and private-sector companies.