Cybersecurity Legislative Activity: Summer 2023

The summer of 2023 was a busy stretch for cybersecurity legislative activity. Here’s a recap of some of the significant actions.

CMMC

The updated Cybersecurity Maturity Model Certification (CMMC) rule continues to move through the rule-making process. On July 24, the proposed CMMC rule appeared on the docket of the Office of Management and Budget’s (OMB) Office of Information and Regulatory Affairs. The Department of Defense (DoD) and OMB appear to be on track for a September release of the updated CMMC rule. At that point the DoD will collect data and respond to public comments, pushing codification of the final rule into late 2024. CMMC could be written into government contracts as early as Q1 or Q2 of 2025, leading to a potential “audit crunch” for many organizations.

The CMMC rule states that DoD contractors must comply with NIST 800-171, which has a typical implementation timeline of approximately 12-18 months. CMMC will move the defense industry away from self-attestations for NIST compliance and instead require third-party assessors. Current and aspiring DoD contractors must proactively enhance their cybersecurity posture to avoid challenges associated with a condensed implementation timeline.

New Incident Disclosure Rules

The Securities and Exchange Commission (SEC) adopted new rules that require publicly traded companies to disclose, within four days, any cyber incident that could cause material damage. Companies can hold off on the disclosure if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.

The new rules also require companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, and to provide information on the anticipated material effects of potential cybersecurity threats. Companies must also describe how the board of directors oversees risks from cybersecurity threats, and management’s role and expertise in assessing and managing those risks. These disclosures will be required in a registrant’s annual report on Form 10-K.

The final rules will become effective in late August 2023. The Form 10-K and Form 20-F disclosures will be due beginning with annual reports for fiscal years ending on or after December 15, 2023. The Form 8-K and Form 6-K disclosures will most likely be due beginning sometime in December 2023. Smaller reporting companies will have an additional 180 days before they must begin providing the Form 8-K disclosure.

Update: The disclosure rule went into effect in December 2023.

Push to Expand Cybersecurity Workforce Continues

The Biden administration announced the National Cyber Workforce and Education Strategy (NCWES), an effort focused on giving workers the skills to fill current and future cybersecurity job openings. The NCWES will use the following four-pronged approach to strengthen the country’s cyber workforce:

Equip Every American with Foundational Cyber Skills

  • Make foundational cyber skill learning opportunities available to all
  • Promote the pursuit of foundational cyber skills and cyber careers
  • Foster global progress in foundational cyber skills

Transform Cyber Education

  • Build and leverage ecosystems to improve cyber education, from K-12 education to higher education, community colleges, and technical schools
  • Expand competency-based cyber education
  • Invest in educators and improve cyber education systems
  • Make cyber education and training more affordable and accessible

Expand and Enhance the National Cyber Workforce

  • Grow the cyber workforce by proliferating and strengthening ecosystems
  • Promote skills-based hiring and workforce development
  • Leverage the diversity of America to strengthen the cyber workforce
  • Enhance international engagements

Strengthen the Federal Cyber Workforce

  • Drive sustained progress through greater federal collaboration
  • Attract and hire a qualified and diverse federal cyber workforce
  • Improve career pathways in the federal cyber workforce
  • Invest in human resources capabilities and personnel

Many organizations and agencies are backing NCWES through financial and other support methods, including:

  • The National Science Foundation will invest $24 million in cyber education scholarships.
  • The National Security Agency’s (NSA) National Center of Academic Excellence in Cybersecurity program will release four grants to support a pilot initiative to develop four new Cyber Clinics.
  • The National Institute of Standards and Technology (NIST) will award up to $3,600,000 for Regional Alliances and Multistakeholder Partnerships to stimulate cybersecurity education and workforce development projects.
  • The Department of Veterans Affairs announced a Cybersecurity Apprenticeship Program for Veterans: a two-year developmental program within the VA Cybersecurity Operations Center (CSOC) that provides a unique, hands-on learning and development experience for cybersecurity apprentices and encourages a career in the federal cybersecurity workforce.

European Union AI (Artificial Intelligence) Act

Much as the General Data Protection Regulation (GDPR) was established to protect the privacy of EU citizens and ended up affecting organizations worldwide, the upcoming AI regulation may also have global implications.

The European Commission’s proposed EU AI Act is a first-of-its-kind artificial intelligence regulation. Its purpose is to establish a regulatory framework for analyzing AI systems and applications and classifying them by the risk they pose to users. The AI Act defines the risk levels as:

Unacceptable risk – AI systems considered a threat to people will be banned. They include:

  • Cognitive behavioral manipulation of people or specific vulnerable groups: for example, voice-activated toys that encourage dangerous behavior in children.
  • Social scoring: classifying people based on behavior, socio-economic status, or personal characteristics.
  • Real-time and remote biometric identification systems, such as facial recognition.

Some exceptions may be allowed. For instance, “post” remote biometric identification systems, where identification occurs after a significant delay, will be allowed for the prosecution of serious crimes, but only after court approval.

High risk – AI systems that negatively affect safety or fundamental rights will be considered high risk and will be divided into two categories:

  • AI systems used in products falling under the EU’s product safety legislation. This includes toys, aviation, cars, medical devices, and lifts.
  • AI systems falling into eight specific areas that will have to be registered in an EU database:
    • Biometric identification and categorization of natural persons
    • Management and operation of critical infrastructure
    • Education and vocational training
    • Employment, worker management, and access to self-employment
    • Access to and enjoyment of essential private services and public services and benefits
    • Law enforcement
    • Migration, asylum, and border control management
    • Assistance in legal interpretation and application of the law

All high-risk AI systems will be assessed before reaching the market and throughout their lifecycle.

Generative AI – Generative AI systems, such as ChatGPT, would have to comply with transparency requirements:

  • Disclosing that the content was generated by AI.
  • Designing the model to prevent it from generating illegal content.
  • Publishing summaries of copyrighted data used for training.

Limited risk – Limited risk AI systems should comply with minimal transparency requirements that allow users to make informed decisions. After interacting with such an application, the user can then decide whether they want to continue using it. Users should be made aware when they are interacting with AI. This category includes AI systems that generate or manipulate image, audio, or video content, for example, deepfakes.

The European Parliament has adopted the EU AI Act with an overwhelming vote of 499 in favor and 28 against, and it will now begin discussions with EU member states to finalize the law. The goal is to reach an agreement and finalize the new law by year’s end.

CompliancePoint has a team of experienced cybersecurity professionals and a full suite of services that can help solve your cybersecurity challenges. Contact us at connect@compliancepoint.com to learn more.

Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.