The Promoting Good Cyber Hygiene Act
On June 22, 2017 the bipartisan Promoting Good Cyber Hygiene Act was introduced into both the US House of Representatives and the Senate. The Act instructs the National Institute of Standards and Technology (NIST) to establish a publicly accessible set of voluntary best practices for good cyber hygiene. CloudCheckr is an ideal solution for ensuring that organizations of all sizes meet the recommendations that will be set forth in the Promoting Good Cyber Hygiene Act.
The bill instructs NIST,
in consultation with the Federal Trade Commission and the Department of Homeland Security, after notice and an opportunity for public comment, shall establish a list of best practices for effective and usable cyber hygiene for use by the Federal Government, the private sector, and any individual or organization utilizing an information system or device.
While it is impractical for any single list of IT security standards to be truly comprehensive, the Promoting Good Cyber Hygiene Act is expected to detail the basic security precautions that organizations of all sizes should undertake in order to protect both their own networks and any Personally Identifiable Information (PII) upon which they operate.
The best practices to be included in the Promoting Good Cyber Hygiene Act are not yet codified. While there is general agreement about the broad strokes of what the Promoting Good Cyber Hygiene Act’s recommendations list will contain, the details are still up in the air. The deadline for the creation of the best practice list is June 2018, after the governmental and public consultations noted above.
Defining the Act
The text of the Act specifies the following criteria in relation to the list of recommendations:
“Such list shall–
(1) be a list of simple, basic controls that have the most impact in defending against common cybersecurity threats and risks;
(2) utilize technologies that are commercial off-the-shelf and based on international standards; and
(3) to the degree practicable, be based on and consistent with the Cybersecurity Framework contained in Executive Order 13636, entitled Improving Critical Infrastructure Cybersecurity, issued in February 2013, or any successor framework.”
You can view the framework NIST first released in response to Executive Order 13636 (the NIST Cybersecurity Framework or CSF). In January of this year, NIST released a draft update to the framework. Wikipedia has a good overview, and TechRepublic has a useful guide.
The CSF describes five core “functions”: Identify, Protect, Detect, Respond and Recover. These are, in fact, a good set of IT security basics, and they were developed by the same body working on the Act. As such, the Promoting Good Cyber Hygiene Act’s recommendations list will likely contain very similar guidelines.
The TL;DR version of the CSF is this:
- Identity is all about figuring out what IT infrastructure you have
- Protect is about applying common sense measures to keep that infrastructure up to date and as secure as is possible.
- Detect is about accepting that you can’t prevent all IT security instances, so you need to have tools that constantly monitor your environment for anomalies.
- Respond is a combination of incident response and post-mortem analysis: make sure you know what to do once a security incident has occurred, and have procedures in place to learn from the incident.
- Recover is focused on restoring capability after compromise.
The CSF has its critics. One critique states that the CSF does not adequately cover security precautions for the healthcare industry. Others have pointed out that there are existing best practice lists that could have been used by legislators instead, for example those published by the Center for Internet Security (CIS).
An additional framework to be considered is the the Cybersecurity Framework 3 Implementation Guidance for Federal Agencies, recently released by NIST, which builds on the above CSF work.
In short, the Promoting Good Cyber Hygiene Act is likely to build on all of the above, and more, as the consultation process incorporates recommendations from an increasing number of IT security experts.
The Promoting Good Cyber Hygiene Act is to be a set of voluntary best practices. As such, there are no penalties at the moment for non-compliance. The Act itself says “The best practices on the list established under this section shall be considered voluntary and are not intended to be construed as a list of mandatory actions.”
Despite the voluntary nature of the Act, its existence will have repercussions, and should be examined in the wider political context of major cyber security incidents in the United States. Two important breaches to keep in mind are the Office of Personnel Management (OPM) incident and the Equifax data breach.
The OPM incident hit the US government at its core. It included the theft of security clearance information that rocked the US intelligence and law enforcement communities. More than 21 million records were compromised, including 5.6 million sets of fingerprints. A large number of federal employees were directly affected by this breach, including many of the people who make federal law.
The Equifax data breach involved the loss of PII on up to half the US population, in addition to potentially millions of individuals from the UK and Canada. Both events were painful demonstrations of just how unprepared trusted, critical institutions can be.
It is likely that organizations directly overseen by the US federal government will be required to implement the recommendations in the Promoting Good Cyber Hygiene Act. Similarly, it would not be surprising if it eventually became a requirement for those organizations that wish to act as suppliers to the federal government.
Other NIST compliance recommendations have been made mandatory for organizations that interact with the US federal government financially, such as higher education institutions that receive grant funds.
Thus, while the Promoting Good Cyber Hygiene Act will not be mandatory out of the gate, it – or a successor – may well become mandatory for certain organizations before too long. But even if it never becomes so, there are good reasons to implement the recommendations when they are finalized.
The Why of Cyber Hygiene
Michael Overly, a lawyer at Foley & Lardner LLP, believes that implementing the recommendations in the Promoting Good Cyber Hygiene Act may help organizations prove that they are putting a reasonable effort into IT security. Overly says “this type of legislation could be argued to create a de facto standard that if a business follows it, they will be protected from potential liability.”
Even the Act’s critics have embraced the notion of implementing the recommendations of the Promoting Good Cyber Hygiene Act as a means of limiting an organization’s IT security liability. Phil Reitinger, CEO of the Global Cyber Alliance, who was generally unenthusiastic about the legislation, nonetheless mentioned that there was “value” in a single approach from the federal government: it provides a baseline for regulators, if nothing else. Reitinger says “That would, for example, likely preclude an FTC unfair trade practice case for entities complying with the best practices.”
Megan Stifel, a former Justice Department cyber security official who now works with the consumer advocacy group Public Knowledge, sees getting everyone on the same page as important. Stifel says “…the plethora of existing best practices and security recommendations is exactly the point…Companies and consumers don’t know which list they should be using.”
According to Stifel, the Promoting Good Cyber Hygiene Act would increase transparency: “Going through the process [of interagency and public consultation] will be an opportunity for a transparent public dialogue”, allowing organizations to focus on what the most important security measures are.
CloudCheckr Can Help
If all of this seems a little intimidating, you’re not alone. As mentioned previously, there are existing best practice lists that could have been used by legislators instead of having NIST make a new one, including the best practices published by the CIS.
CloudCheckr incorporates both the CIS best practices as well as best practices designed by CloudCheckr’s own in-house experts.
CloudCheckr can analyze and report on over 500 best practices relating to both cost efficiency and IT security implementation. CloudCheckr mixes tried-and-true security approaches with newly developed strategies to provide a comprehensive approach to compliance.
CloudCheckr incorporates a number of technologies to provide these capabilities. Regular port scanning and digital environment monitoring, including in-depth network architecture and functionality analysis, are a starting point. Single Sign On (SSO) integration with SAML 2.0 compliant providers PingOne, OneLogin, and Okta extends CloudCheckr’s Role Based Access Control’s (RBAC) monitoring and implementation capabilities. Additionally, ongoing configuration best practice monitoring and analysis is combined with robust reporting capabilities.
Among the regulatory regimes CloudCheckr supports are the Defense Federal Acquisition Regulation Supplement (DFARS aka NIST 800-171), Health Insurance Portability and Accountability Act (HIPAA), Federal Risk and Authorization Management Program (FEDRAMP aka NIST 800-53), and Payment Card Industry (PCI) compliance.
Nobody knows exactly what the Promoting Good Cyber Hygiene Act will contain. It looks set to be an important set of recommendations about IT security best practices. If nothing else, it will set the tone for all the next decade’s worth of regulatory compliance discussions in the coming decade.
Organizations implementing CloudCheckr’s recommendations today are likely to already be implementing most of what will eventually be in the Promoting Good Cyber Hygiene Act. When the Act’s recommendations are finalized, they will be added to CloudCheckr, allowing organizations to comply with any additional recommendations that enter the final bill.
The Promoting Good Cyber Hygiene Act may end up as the focal point for a collaborative effort to define the minimum acceptable IT security effort, with implications that could ultimately affect everything from insurance rates to ability to bid on federal contracts. Fortunately, CloudCheckr can help. Why not try it today?
Schedule a demo to learn how CloudCheckr can help keep your cloud compliant with new regulations, or try a 14-day free trial.