The White House just released a list of stepped-up guidelines related to cybersecurity. The alert is an indication of how genuine the Administration’s concern is about cyberbreaches.
The latest communication is likely tied to evolving intelligence indicating that Russia may be planning a cyber-offensive against critical U.S. infrastructure. Federal cybersecurity rules have been in place for years, and compliance has been required in the past. But, compliance will be monitored more closely in the immediate future. Guidelines are morphing into mandates, and leaders in both the public and private sectors will be held responsible for compliance in the future. Enhanced protection from cyberbreaches has become a critical protection component for all Americans.
The increased security mandates make it critically important for both public and private-sector leaders to renew their knowledge of cybersecurity rules and requirements. Compliance oversight will be a top priority for federal officials in the coming months. If a public entity is found to be in non-compliance, millions in funding could be in jeopardy.
The threat of cyberbreaches is not new, but there is currently more angst. And, because compliance oversight has not been as intense in the past, it’s possible that some government executives are unaware of the responsibility that rests with them.
Handing off or delegating cybersecurity responsibility to CIOs, CISOs, and CTOs will no longer protect government executives. Technology teams, no matter how capable, will not be the targets if a cyberbreach occurs. It is the top officials at state agencies, universities, cities, counties, and school districts who will be held accountable.
Universities that have federal research grant funding, state agencies that accept federal funding for health care programs, and other related services and local governments will be held to the same high standards for cybersecurity protection that are in place for federal agencies.
Mandates include critical protection on network equipment, endpoint protection, data encryption, individual passwords, cloud security, data back-up procedures, emergency response training, and more.
Public or private organizations operating within any of the 16 critical infrastructure sectors may be under even more scrutiny. According to the Cybersecurity and Infrastructure Security Agency (CISA), 16 sectors industry sectors are designated as “critical.” These are:
- Chemical production facilities.
- Communications.
- Critical manufacturing.
- Dams.
- Defense industrial bases.
- Emergency services.
- Energy plants.
- Financial services.
- Food and agriculture.
- Government facilities.
- Health care.
- Information technology.
- Nuclear reactors and materials.
- Transportation systems.
- Water and wastewater systems.
Network security requirements will also be enhanced for critical for public entities as well. These include:
- Mass transit and passenger rail systems.
- Intercity bus companies.
- Freight railroad carriers.
- Ferries.
- Other forms of shipping that are eligible for the Department of Homeland Security’s Transit Security Grant awards.
Over the 2021 fiscal year alone, over $1 billion was made available for cybersecurity-related grant awards. As more funding gets authorized, CISA will increase its efforts to verify that its grant money fulfills cybersecurity objectives and grant recipients meet federal network security standards. CISA is now gaining a more comprehensive view of the country’s network security shortfalls.
Many rules are currently being rewritten, but at least by October 2025, private-sector entities contracting with the U.S. Department of Defense (DoD) will be required to maintain compliance through the department’s re-worked version of the Cybersecurity Maturity Model Certification program (CMMC).
State leaders are also allocating funds to develop and enhance cybersecurity preparedness. In Florida, the governor announced an allocation of $20 million for a program to foster cybersecurity opportunities through work with the Florida Center for Cybersecurity at the University of South Florida. This comes after state leaders received $16 million to support Florida’s first statewide cybersecurity initiative.
Lawmakers in Maryland recently proposed a bill to create a cyber preparedness task force under the state’s Department of Emergency Management. The cybersecurity unit, if implemented, will have authority to make improvements to the state’s overall cybersecurity posture.
In New York, the governor’s recent budget proposal doubled the state’s annual investment in cybersecurity protections to a sum of $62 million. As these measures strengthen the state government’s cybersecurity posture, the governor hopes to allocate an additional $30 million to help industry build out private-sector cybersecurity programs.
There are clear directives and a national urgency to increase network security throughout the country. With more high-level compliance, America’s citizens, businesses, hospitals, transportation options, water and power facilities, and governmental agencies will all be safer. Individuals in leadership positions should be carefully monitoring the requirement changes that are developing.