Cyber Defense Agency Aims to Bolster Protections Against Chinese Intrusion

Americans selling or sharing restricted bulk data with Chinese firms must now navigate strict cybersecurity rules designed to block Beijing from accessing sensitive, identifiable or easily decrypted data.
The Cybersecurity and Infrastructure Protection Agency published a final rule Friday for bulk data protection days after the Department of Justice finalized a regulation throttling bulk commercial transfers to adversary nations – principally China, but also including Russia and Venezuela (see: US Finalizes Rule Throttling Bulk Data Sales to China).
The new cybersecurity requirements task U.S. individuals engaging in restricted transactions with maintaining regularly updated inventories of their system assets, developing incident response plans, collecting logs for covered systems and implementing processes to ensure unauthorized hardware is not connected to covered assets.
The final rule limits covered systems to those handling sensitive data “in bulk,” excluding systems that primarily access or display individual user data without bulk interaction. The agency also noted that any system which interacts with any government-related data – data containing the geolocation of national security or military facilities, or data marketed as containing links to current or recent government employees and contractors – is considered a covered system.
The rule stems from a February executive order from President Joe Biden calling adversary countries’ access to Americans’ bulk sensitive personal data a national security concern. Concerns about the weaponization of data have grown in tandem with the rise of machine learning and artificial intelligence – as well as more than a decade of sustained interest from Beijing in hacking or buying as much bulk data on Americans as it can (see: Biden Executive Order Targets Bulk Data Transfers to China).
The final CISA rule contains some revisions from an earlier draft, changes meant to ease compliance that include softened requirements on network visibility, removal of a requirement for mandatory firmware updates, and adjustment of access revocation timelines from “immediately” to “promptly.” The agency said it crafted the security requirements “with the goal of balancing regulatory burden, technical feasibility and flexibility with the underlying national security needs.”
CISA also said it was adopting a new approach requiring organizations to address known exploited vulnerabilities in internet-facing systems through a risk-based strategy, prioritizing critical assets and ensuring remediation within 45 days.
The cyber defense agency revised its password rule, lowering the minimum from 16 to 15 characters for systems without multi-factor authentication. It rejected further reductions, stating that OT assets are unlikely to host covered data and emphasizing strong passwords for IT systems.
The final rules come amid a wave of high-profile Chinese-linked cyberattacks targeting U.S. critical infrastructure and federal agencies, including the recent breach of the Treasury Department’s sanctions office and hacking of at least nine telecommunications firms across the country.
CISA and the DOJ did not immediately respond to requests for comment.