U.S. Cybersecurity Agency Publishes List of Free Security Tools and Services

The Director of NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation. The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products. The Director of NIST shall examine all relevant information, labeling, and incentive programs and employ best practices.

Additionally, as a condition of federal assistance, under 49 U.S.C. 5323, rail transit operators must certify that they have a process to develop, maintain, and execute a plan for identifying and reducing cybersecurity risks. The American people’s confidence in the value of their vote is principally reliant on the security and resilience of the infrastructure that makes the Nation’s elections possible. Accordingly, an electoral process that is both secure and resilient is a vital national interest and one of the Department of Homeland Security’s highest priorities.

CISA completed 2 of 3 phases in its organization plan, including defining an organizational structure. It also completed about a third of the tasks planned for the final phase by its December 2020 milestone. (Sec. 2) This bill amends the Homeland Security Act of 2002 to redesignate the Department of Homeland Security's (DHS's) National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency. The CIS3 Partnership focuses on the development and maintenance of security standards for interoperability in the area of Consultation, Command and Control. The Urbanized Area Formula Program (49 U.S.C. 5307) makes Federal resources available to urbanized areas and governors for transit capital and operating assistance and for transportation-related planning in urbanized areas. A recipient must spend at least 1 percent of its 5307 funds on security projects, unless it determines this is not necessary.

Key areas of focus include vulnerability and risk assessments; securing soft targets and crowded places; training and exercises; and securing high-risk chemical facilities. Develop, and annually update by February 1, a statewide cybersecurity strategic plan that includes security goals and objectives for cybersecurity, including the identification and mitigation of risk, proactive protections against threats, tactical risk detection, threat reporting, and response and recovery protocols for a cyber incident. Within 14 days of the date of this order, the Secretary of Homeland Security, in consultation with the Attorney General and the Administrator of the Office of Electronic Government within OMB, shall provide to the Director of OMB recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks. Such recommendations shall include the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention. Data shall be retained in a manner consistent with all applicable privacy laws and regulations.

Medical devices are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device. CISA acts as the quarterback for the federal cybersecurity team, protecting and defending the home front—our federal civilian government networks—in close partnership with the Office of Management and Budget, which is responsible for federal cyber security overall. CISA also coordinates the execution of our national cyber defense, leading asset response for significant cyber incidents and ensuring that timely and actionable information is shared across federal, non-federal, and private sector partners. CISA concurred with this recommendation and in September 2021 provided information on adjustments it has planned or under way for its performance management system.

Using such complaints, the IC3’s Recovery Asset Team has assisted in freezing hundreds of thousands of dollars for victims of cyber crime. The rapid-response Cyber Action Team can deploy across the country within hours to respond to major incidents. If you or your organization is the victim of a network intrusion, data breach, or ransomware attack, contact your nearest FBI field office or report it at tips.fbi.gov. If you are the victim of online or internet-enabled crime, file a report with the Internet Crime Complaint Center as soon as possible. Visit ic3.gov for more information, including tips and information about current crime trends.

The security and integrity of “critical software” — software that performs functions critical to trust — is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software. Following any updates to the FAR made by the FAR Council after the public comment period described in subsection of this section, agencies shall update their agency-specific cybersecurity requirements to remove any requirements that are duplicative of such FAR updates.

Such portions of records may be made available to a local government, another state agency, or a federal agency for cybersecurity purposes or in furtherance of the state agency’s official duties. Such reports must comply with the notification procedures and reporting timeframes established pursuant to paragraph . The development also comes as the agency released an alert detailing proactive steps that critical infrastructure entities can take to assess and mitigate threats related to information manipulation, while noting that the advancements in communications and networked systems have created new vectors for exploitation. The tools catalog is the latest in a string of initiatives launched by CISA to combat cyber threats and help organizations adopt foundational measures to maximize resilience by patching security flaws in software, enforcing multi-factor authentication, and halting bad practices.
