The Biden Administration released its Fall 2022 regulatory agenda (Regulatory Agenda) on Jan. 4, 2023. In it, the administration outlined regulations aimed at cybersecurity requirements for government contractors, the maritime industry, public companies and others. Taken together, these regulations are a stark reminder of the growing importance of design, implementation, testing and updating cybersecurity measures in all aspects of operations, including information systems, operational systems and information technology within operational systems. The regulations represent significant and more comprehensive cybersecurity obligations and regulatory review, as well as important contracting implications, for companies covered by these regulations.
This Holland & Knight alert examines notable examples from the administration’s agenda.
Assessing Contractor Implementation of Cybersecurity Requirements and Cybersecurity Maturity Model Certification (CMMC) Program (U.S. Department of Defense, or DoD). As discussed in a previous Holland & Knight blog, the DoD is rolling out its Cybersecurity Maturity Model Certification (CMMC) program. These regulations, which are expected in May 2023, will institute a program that will require all contractors in the DoD supply chain (excluding providers of commercial off-the-shelf products) to obtain a third-party or self-certification of their compliance with stated cybersecurity controls. The kind of certification will be dependent on the information the contractor is handling.
DoD-Defense Industrial Base (DIB) Cybersecurity (CS) Activities (DoD). The current DIB CS program provides cybersecurity threat information to defense contractors with a clearance. DoD is proposing to expand that program to include contractors that “process, store, develop, or transit” controlled unclassified information. A proposed rule is scheduled to be released in April 2023.
Cyber Threat and Incident Reporting and Information Sharing (Federal Acquisition Regulation, or FAR). The DoD, General Services Administration (GSA) and NASA are proposing to amend FAR to increase sharing of information about cyber threats and incidents between the federal government and certain contractors. To facilitate the sharing of such information, the proposed amendment will require certain companies receiving government contracts to report cybersecurity incidents to the federal government. Proposed rules were expected in December 2022; however, these proposed rules may be at least partially redundant to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that was passed in 2022.
Standardizing Cybersecurity Requirements for Unclassified Information Systems (FAR). Proposed FAR regulations would aim at standardizing cybersecurity requirements across all federal agencies. While government-wide regulatory requirements already exist under FAR 52.204-21, they are basic and invite other agencies to craft their own more stringent and varying standards. Agency-specific regulations have been issued by the DoD, U.S. Department of Transportation (DOT), U.S. Department of State, NASA and the IRS, among others.
Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities (Commerce Department). These forthcoming regulations follow Executive Order 13984, issued in the final days of the Trump Administration. The proposed rule is anticipated to require providers of United States Infrastructure as a Service (IaaS) products to verify the identity of persons obtaining IaaS accounts, maintain records of actors’ use of United States IaaS products, maintain records related to foreign actors’ use of United States IaaS products and limit certain foreign actors’ use of United States IaaS products. A proposed rule is expected in June 2023. To the extent the rule facilitates government access to data about cloud and managed services accounts, this national security measure will need to be reconciled with Executive Order 14086 and ongoing discussions involving transparency and individual rights in connection with personal data transfers to the U.S. from the European Union (EU) and other jurisdictions.
Internal Network Security Monitoring for High and Medium Impact Bulk Electric System Cyber Systems (Federal Energy Regulatory Commission, or FERC). FERC released a Notice of Proposed Rulemaking (NPRM) in January 2022 to direct the North American Electric Reliability Corporation (NERC) to develop and submit new or modified standards for internal network security monitoring for high- or medium-impact Bulk Electric Systems (BES). The regulators also sought comments on whether regulations should also be implemented for low-impact BES cybersecurity systems.
Incentives for Advanced Cybersecurity Investment; Cyber Incentives (FERC). FERC is due to propose new regulations that would “provide incentive-based rate treatments for the transmission of electric energy in interstate commerce and the sale of electric energy at wholesale in interstate commerce by utilities.” This was required by the Infrastructure Investment and Jobs Act of 2021 (IIJA). FERC issued its NPRM on Sept. 22, 2022, and proposed regulations were due in December 2022.
Cyber Security at Fuel Cycle Facilities (Nuclear Regulatory Commission, or NRC). The NRC is expecting to propose regulations in July 2023 that would require certain fuel cycle applicants and licensees to establish, implement and maintain a cybersecurity program in order to obtain and/or maintain a license. NRC previously issued a draft and final regulatory basis in 2015 and 2016, respectively.
Cybersecurity in the Marine Transportation System (U.S. Department of Homeland Security, or DHS). The DHS is expected to propose regulations in June 2023 that will seek to address cybersecurity risks and threats in maritime transportation. The regulations will “set minimum cybersecurity requirements for vessels and facilities to safeguard the Marine Transportation System.” It is not yet known what form the regulations may take or which companies or vessels would be affected. In December 2020, the Trump Administration released its National Maritime Cybersecurity Plan, and the proposed regulations are likely to emulate elements of this plan.
Enhancing Surface Cyber Risk Management (DHS). On Nov. 30, 2022, DHS announced an advance notice of proposed rulemaking (ANPRM) allowing individuals and companies to comment prior to the issuance of proposed rules until Jan. 17, 2023. According to the ANPRM, future regulations will be aimed at addressing the ongoing threat to pipeline and rail systems – including freight, passenger and transit rail systems – by instituting new cybersecurity requirements. The Transportation Security Administration (TSA) has established a Surface Transportation Cybersecurity Toolkit and issued a number of new directives aimed at securing rail and pipeline systems, including most recently a next-level Rail Cybersecurity Mitigation Actions and Testing directive. The regulations would seek to incorporate elements of those directives and other elements.
Cyber Risk Management (Farm Credit Administration, or FCA). If finalized in their current form, the regulations would require Farm Credit System institutions to develop cyber risk management programs, which would include annual cyber risk assessments, incident response plans that would require notification to the FCA within 36 hours and a vendor management program. In addition, the proposed rule requires specific cybersecurity governance practices, including board of directors approval of the written cyber risk program. The final regulations are scheduled to be released in June 2023.
Cyber Incident Notification Requirements for Federally Insured Credit Unions (National Credit Union Administration, or NCUA). NCUA proposed a rule on July 27, 2022, requiring federally insured credit unions to notify NCUA of any cybersecurity incidents within 72 hours. Reportable incidents will include incidents that “actually or imminently” jeopardize an information system or information residing on an information system. A final regulation was scheduled for release in December 2022.
Cybersecurity Requirements for Investment Advisers and Companies (U.S. Securities and Exchange Commission, or SEC). In March 2022, the SEC proposed rules that would require registered investment advisers and investment companies to 1) develop and periodically update written cybersecurity risk assessments and to adopt and implement specific written cybersecurity policies and procedures reasonably designed to address cybersecurity risks, 2) disclose significant cybersecurity risks and cybersecurity incidents that affect advisers and funds and their clients and shareholders on Form ADV Part 2A and associated fund forms and 3) adhere to new recordkeeping requirements under the Investment Advisers Act (IAA) and Investment Company Act. The goal is to “enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” Final regulations are expected in April 2023.
Cybersecurity Incident and Governance Disclosure Obligations for Public Companies (SEC). In March 2022, the SEC proposed rules that would require public companies to 1) report material cybersecurity incidents within four business days after determining that they have experienced such incidents, 2) provide periodic updates of previously reported cybersecurity incidents, 3) describe their cybersecurity risk management policies and procedures, 4) disclose their cybersecurity governance practices and 5) disclose cybersecurity expertise on the board of directors. Final regulations are expected in April 2023.
Cybersecurity (SEC). The SEC expects to issue proposed regulations on registered brokers and dealers requiring disclosure of cybersecurity risks in April 2023.
As demonstrated by the slew of anticipated regulations, 2023 will be a busy year for companies in various sectors regarding new cybersecurity requirements. Companies of all types would be wise to continue monitoring how the regulatory process plays out over the course of the year to determine whether additional compliance measures need to be taken.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.