On 15 May 2019, President Trump issued an Executive Order on Securing the Information and Communications Technology and Services Supply Chain that authorizes the Commerce Secretary to regulate the acquisition and use of information and communications technology and services from a “foreign adversary.”

Broadly speaking, the order authorizes the creation of national security focused import regulation mirroring the long-standing export control and foreign investment regimes. The order represents a dramatic expansion of federal power without Congressional involvement. Given the pervasiveness of information and communications technology and services throughout the economy and the globalization of supply chains, practical effects could be far-reaching and surprising.

The Commerce Secretary has 150 days (until mid October) to promulgate regulations implementing the Supply Chain Order. The Commerce Department has broad discretion, and businesses developing, making and using information and communications technology and services should consider weighing in with the department on the scope, content and effect of this new regulatory program.

Objective

In promulgating the Supply Chain Order under International Emergency Economic Powers Act of 1977, the President declared a national emergency, asserting the order was necessary because “foreign adversaries are increasingly creating and exploiting vulnerabilities in information and communications technology and services … in order to commit malicious cyber-enabled actions, including economic and industrial espionage.” In the President’s words, “openness must be balanced by the need to protect our country against critical national security threats.”

Regulatory Authorization

The Supply Chain Order provides that the Commerce Secretary, in consultation with other agencies, may prohibit or condition the acquisition, importation, transfer, installation, dealing in, or use by persons subject to U.S. jurisdiction of information and communications technology or services “designed, developed, manufactured, or supplied” by persons owned, controlled or directed by a “foreign adversary” where the Secretary believes there is an “unacceptable risk” to U.S. national security.

The term “information and communications technology or services” is defined capaciously as “hardware, software, or other product or service primarily intended to fulfill or enable the function of information or data processing, storage, retrieval, or communication by electronic means, including transmission, storage, and display.” Products ranging from watches to cars now include information and data processing technologies. Just about the only things not potentially covered by the Supply Chain Order are raw materials and other commodities.

A “foreign adversary” is any foreign government, entity or individual “engaged in a long‑term pattern or serious instances of conduct significantly adverse to the national security.” Thus, prohibitions and restrictions could extend to products and services from specific companies and individuals as well as more broadly from particular countries.

In sum, the Supply Chain Order authorizes the Commerce Secretary to regulate from where and from whom businesses operating in the United States may acquire information and communications technology and services. If the Secretary deems that a particular country or entity presents an “unacceptable risk,” he can prohibit U.S. persons from using products or services made or supplied by that “foreign adversary.” He could also prohibit U.S. businesses from buying inputs from foreign firms from allied countries that employ, say, programmers or technicians the Secretary thinks are subject to the direction of a foreign adversary. Arguably, he could even effectively prohibit U.S. companies from employing in the United States foreign individuals the Secretary believes are subject to the direction of a foreign adversary. Given the centrality of the United States to information and communications technologies and services globally, one could expect any such U.S. prohibitions would have global repercussions.

Implementing Regulations

The Commerce Secretary is to publish implementing regulations by mid October 2019. The regulations will presumably define (1) the types of technologies or services that will be covered, (2) the countries, companies and people (“foreign adversaries”) that will be the target of regulation, and (3) procedures and conditions to license particular transactions and classes of transactions. Given how much discretion the Commerce Secretary has in designing the regulatory regime, it will be important for interested parties to provide input.

Interagency Consultation and Decision Authority

In promulgating and applying these regulations, the Commerce Secretary is to consult with other economic and security agencies. This list of agencies overlaps significantly with the Committee on Foreign Investment in the United States (CFIUS), which has decades of experience in applying U.S. foreign investment law. However, in the investment context, the ultimate decision power rests with the President, and CFIUS operates by consensus, which has a moderating effect. Under the Supply Chain Order, the Commerce Secretary is the decision-maker, and he need not heed input from other agency heads.

Conclusion

The Supply Chain Order is a remarkable appropriation of legislative authority by the executive and it will likely lead to new and disruptive market interventions. As dramatic as it is, the order is but one of a series of recent regulatory measures prompted by national security concerns arising from commercial transactions, with other measures relating to sanctions, foreign investment, dual use exports, and government procurement. [1] While tariffs on U.S./China trade have attracted the most attention, the expanding regulation in the name of national security may prove more durable and important, reflecting as it does growing geo-strategic competition and concerns over new vulnerabilities created by technology.


[1] Foreign Investment Risk Review Modernization Act of 2018 (expanding foreign investment regulation); Export Control Reform Act of 2018 (requiring identification and regulation for export of “emerging and foundational technologies”); Section 889 of the National Defense Authorization Act for Fiscal Year 2019 (FY19 NDAA) (prohibiting use by U.S. agencies of services or equipment from certain foreign companies).

The post US: President Trump Issues Supply Chain Executive Order appeared first on Global Compliance News.

Source

Texas House of Representatives Passes House Bill 4390

Frisco, TX, May 16, 2019 – HITRUST, a leading data protection standards development and certification organization, supports legislation that would create a council to study privacy laws and how privacy practices for Texas businesses could be strengthened through potential legislation.

Representative Giovanni Capriglione’s (Southlake) House Bill 4390 passed the Texas House unanimously on May 7, 2019, and would create the Texas Privacy Protection Advisory Council. The Council would study and evaluate Texas laws and other privacy laws in order to make recommendations to the Texas Legislature on privacy provisions to consider during the 2021 session. The Council would include representatives from the Texas House, Texas Senate, and industry stakeholders.

HITRUST applauds Rep. Capriglione’s concept of a public-private council to review and make recommendations in this important policy area. Consumer awareness of data protection issues continues to attract scrutiny, and Texas businesses must acknowledge and respond to consumer concerns. Ensuring that policy experts and representatives of the businesses who would need to implement any changes work together will allow Texas to address data protection and privacy in an effective, efficient, and practical manner.

“Texas is known as a leader in data privacy and innovation,” said Anne Kimbol, HITRUST’s Chief Privacy Officer. “We fully support our government partners leveraging the expertise of the private sector to drive privacy and security best practices and further protect Texans with meaningful legislation such as HB 4390.”

HITRUST is the standard in privacy and security certifications and has unique insight into the privacy practices and challenges facing businesses across industries. As an independent party, HITRUST brings value to public policy discussions, such as HB 4390, and similar legislation in other States.

House Bill 4390 is currently in the Texas Senate.

The post HITRUST® Supports Texas Legislation on Privacy appeared first on HITRUST.

Source

Update Ensures the HITRUST CSF Continues to Provide the Most Comprehensive Global Privacy and Security Framework Available

HITRUST, a leading data protection standards development and certification organization, today announced it will release version 9.3 of its HITRUST CSF® during the third quarter of 2019.

The HITRUST CSF controls framework addresses security, privacy, and regulatory challenges facing organizations in industries such as healthcare, financial services, retail, hospitality and travel. These updates reflect HITRUST’s continuing commitment to facilitate HITRUST CSF’s adoption in multiple industries, both domestically and internationally.

By incorporating numerous international, federal and state governmental regulations as well as recognized standards the HITRUST CSF helps organizations address information risk management and compliance challenges through a comprehensive, risk-based flexible framework of prescriptive and scalable controls. By including both privacy and security standards, the HITRUST CSF uniquely enables organizations to address the big picture of data protection. Most privacy regulations require appropriate security measures, which the HITRUST CSF helps identify.

By allowing organizations to conduct a comprehensive privacy and security assessment, the HITRUST CSF encourages cooperation between these disciplines and assists in achieving better compliance with regulatory requirements and best practices. Through the HITRUST CSF Assurance Program, organizations who obtain HITRUST CSF Certification covering both privacy and security can demonstrate that they are achieving high standards in their data protection program.

HITRUST keeps the HITRUST CSF relevant and current to the needs of organizations by regularly updating the framework to incorporate new standards and regulations. HITRUST CSF v9.3 will include the new requirements placed on organizations by the California Consumer Privacy Act (CCPA). Passed in 2018, the legislation takes effect January 1, 2020, with enforcement beginning July 1, 2020. The CCPA is similar to the European Union’s General Data Protection Regulation (GDPR), which goes further in protecting the transmission, sharing and storage of consumer data. HITRUST CSF v9.3 also reflects key differences between the two laws, including applicability, requirements for data access, and detailed requirements about opt-out methods.

The HITRUST CSF v9.3 will also reflect updates to a number of authoritative sources, including:

  • Centers for Medicare & Medicaid Services’ (CMS) Information Security ARS: CMS Minimum Security Requirements for High Impact Data, version 3.1.
  • The Federal Risk and Authorization Management Program (FedRAMP).
  • IRS Publication 1075: Tax Information Security Guidelines for Federal, State and Local Agencies: Safeguards for Protecting Federal Tax Returns and Return Information.
  • The National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity: Framework Core – Subcategories, v1.1.
  • South Carolina’s Bill 4655, the Insurance Data Security Act.

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance. The HITRUST Approach provides organizations an integrated information risk management and compliance approach that ensures all programs are aligned, maintained, and comprehensive to support an organization’s information risk management and compliance objectives.

The HITRUST CSF provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment, as well as the structure, clarity, functionality, and cross-references to authoritative sources, eliminating the need for organizations to interpret, engage, and harmonize the multitude of frameworks and standards. The HITRUST CSF leverages nationally and internationally accepted standards and regulations such as GDPR, ISO, NIST, PCI, FFIEC, FTC and HIPAA to ensure a comprehensive set of baseline security and privacy controls. The CSF normalizes these requirements and provides clarity and consistency, reducing the burden of compliance with the varied requirements that apply to organizations.

Organizations interested in assessing against any of the authoritative sources in the HITRUST CSF can do so by leveraging the HITRUST MyCSF tool. More information can be found at www.hitrustalliance.net.

The post New Version of HITRUST CSF® Incorporates California Consumer Privacy Act, NIST Cybersecurity Framework and Additional Legislation & Standards appeared first on HITRUST.

Source

Risk Management Events to Appear in Cities Coast-to-Coast

Frisco, TX., March 26, 2019 – HITRUST, a leading data protection standards development and certification organization, today announced the dates and locations of its Community Extension Program (CEP) throughout 2019.

Since their inception in 2017, the CEP sessions have been sought by organizations of all sizes striving to enhance and improve their information risk management and compliance programs. The local events create a critical mass of community-based professionals who are seeking more education and knowledge in simplifying the process of managing risk to their organization’s information while shortening their HITRUST Journey.

Date          Location
April 24      New York City
June          Seattle
June          Nashville
July 10       Tampa
July          Philadelphia
September     Miami
October       Dallas
November      Los Angeles
December      Houston

The HITRUST CEP events are free and open to all qualifying organizations and individuals, but capacity is limited. Specific dates and locations will be added to the website once confirmed, including some planned international events later this year.

The HITRUST Approach:

Comprehensive Risk Management and Compliance Programs and Services

HITRUST understands the challenges of assembling and maintaining the many and varied programs needed to manage information risk and compliance, which is why its integrated approach ensures the components are aligned, maintained and comprehensive to support an organization’s information risk management and compliance program.

The HITRUST Approach is designed to provide organizations a comprehensive information risk management and compliance program that integrates the following best-in-class components:

  • HITRUST CSF® – a robust privacy and security controls framework.
  • HITRUST CSF Assurance Program – a scalable and transparent means to provide reliable assurances to internal and external stakeholders.
  • HITRUST Threat Catalogue™ – a list of reasonably anticipated threats mapped to specific HITRUST CSF controls.
  • HITRUST® Shared Responsibility Program – a matrix of HITRUST CSF requirements identifying service providers and customer responsibilities.
  • HITRUST MyCSF® – an assessment and corrective action plan management platform.
  • HITRUST Assessment XChange™ – An automated means of sharing assurances between organizations.
  • HITRUST Third Party Assurance Program – a third party risk management process.

The post HITRUST® Announces Community Extension Program Schedule appeared first on HITRUST.

Source

  • The Trump administration’s budget proposal unveiled March 11 drew a lot of attention to the $8.6 billion request to complete a southern border wall. It also asked for $72 million to fund stronger enforcement of immigration laws and the reduction of the nation’s backlog of asylum cases. The additional money would allow the Justice Department to hire more than 100 new immigration judges and support staff. Officials said in the budget request that the goal would be to have 659 immigration judges in place by sometime in 2020. There are currently 412 immigration judges. At the beginning of fiscal 2019, there were nearly 790,000 cases still pending in immigration courts nationwide. (Justice Department)
  • The Defense Department said it is looking for a place to house up to 5,000 unaccompanied migrant children, following a request for space by the Department of Health and Human Services (HHS). Tens of thousands of families cross the border illegally every month, and officials predict the problem will grow as the weather improves. The Pentagon last summer approved the use of Goodfellow Air Force Base near San Angelo, Texas, for an HHS request to accommodate up to 20,000 children. That space was never used. (Federal News Network)
  • DoD said the 2020 White House budget proposal would mean hiring more civilians across most of the military. The Army is the only exception: It expects a modest reduction in civilian employment. But overall, DoD’s budget called for 6,000 new civilian employees, despite plans to reduce the size of its headquarters organizations. Officials said most of the new positions will be directly connected to warfighting and readiness needs. And in future years, up to 15,000 military health care positions could be converted to civilian ones. (Federal News Network)
  • DoD also said it’s looking to use artificial intelligence to improve its business process. The director of the Joint Artificial Intelligence Center, Lt. Gen. John Shanahan, said he intends to set up an office specifically devoted to improving business processes through robotic process automation. He told the Senate Armed Services subcommittee on emerging threats and capabilities that finances will be the first target for business process automation. (Federal News Network)
  • The United States Marine Corps said it will be getting rid of its minimum time in service requirement to become eligible for tuition assistance. The new policy would allow marines who are awaiting training status to use their tuition assistance benefits. Previously, they had to wait 18 months before assistance was available to them. (U.S. Marine Corps)
  • The 2020 budget proposal also included $220 billion in spending for the Department of Veterans Affairs. The proposal would mean a six percent funding increase, the fifth consecutive year VA would see a budget boost. Veterans medical care could go up to $80 billion next year, but some lawmakers worry it’s not enough. Republicans on the House VA committee said recently the agency’s focus on electronic health record modernization has diverted resources away from VA’s already stretched IT shop. (Federal News Network)
  • Agriculture Secretary Sonny Perdue announced more than 135 parties in 35 states have expressed interest in hosting the USDA’s Economic Research Service and National Institute of Food and Agriculture. Perdue didn’t name any favorites for the selections, but indicated a preference for moving the agencies away from Washington and closer to stakeholders. Perdue said it’s his intention for USDA to become the most customer-focused agency in the government. (Agriculture Department)
  • Cybersecurity is no longer a material weakness at the VA. After 19 years in a row of earning that distinction, the VA inspector general told the agency in the annual Federal Information Security Management Act report that while there are significant concerns, they do not rise to previous levels. The IG did make 28 recommendations, including many that auditors made previously. Among them is the need to fix ineffective enforcement of an agency-wide information security risk management program. The IG also said VA continues to use weak passwords for major databases, applications and networking devices. (Department of Veterans Affairs)
  • The Government Accountability Office said most agencies estimated that one-in-five IT jobs aren’t actually doing IT work. GAO said agencies are likely miscategorizing the IT work that their employees are performing. The agency warned that inaccurate and incomplete work coding means agencies are missing out on valuable workplace planning. (Government Accountability Office)
  • The head of a troubled Health and Human Services agency has vowed to fix the problems that landed it on GAO’s High Risk List. Rear Adm. Michael Weahkee told members of the Senate Committee on Indian Affairs that the Indian Health Service (IHS) has already made progress on conditions cited by the GAO. Weahkee said a new Office of Quality aims to improve health care. He also said he’s hired an independent contractor to discover how a pedophile doctor remained with the IHS for 30 years. (U.S. Senate)
  • The Trump administration named Ned Sharpless to serve as acting chief of the Food and Drug Administration (FDA) when current commissioner Scott Gottlieb steps down. Sharpless is currently director of the National Cancer Institute (NCI). Gottlieb abruptly announced his plans to step down last week, raising questions about whether the agency will pursue some of the ambitious proposals he introduced, including many aimed at curbing youth “vaping” and the use of e-cigarettes. (The Hill)

Source

The threat of another government shutdown in fiscal 2019 has come and gone, but lawmakers on both sides of the aisle aren’t giving up their push to secure a few more financial flexibilities for participants in the Thrift Savings Plan during future lapses in appropriations.

Sen. Bill Cassidy (R-La.) is the latest member of Congress to introduce legislation that would waive the typical penalty that TSP participants would usually incur if they take a hardship withdrawal before a certain age.

Cassidy’s bill essentially mimics language that the Federal Retirement Thrift Investment Board, the agency that administers the TSP, had written following 2017’s devastating hurricane season. The legislation would treat a government shutdown as a financial hardship and allow current federal employees under the age of 59-and-a-half to withdraw from their TSP accounts without incurring a 10 percent early withdrawal penalty tax.

With Cassidy’s bill, there are now five pieces of legislation that aim to accomplish the same goal. The bills would also let TSP participants repay the hardship withdrawals under certain deadlines and parameters.

The FRTIB is still working with congressional staffers to change the original legislative text to something the agency can implement, said Kim Weaver, director for external affairs.

Reps. Pete Olson (R-Texas), Don Beyer (D-Va.), Ed Perlmutter (D-Colo.) and Elaine Luria (D-Va.), along with Sens. Tim Kaine (D-Va.), Ron Wyden (D-Ore.), Patty Murray (D-Wash.) and Susan Collins (R-Maine), were among the members who had originally introduced or co-sponsored one of these bills.

“The bills are going to be amended as they move forward,” Weaver said at the board’s monthly meeting Monday. “I’m told by staff on both sides that they intend to get this type of legislation in permanent law. If there’s another government shutdown come Oct. 1, which would be the next opportunity, [we don’t want] this scramble we experienced in January.”

From Weaver’s perspective, there’s bipartisan, bicameral support for some sort of legislation in this Congress regardless of the timing of the next government shutdown, though she said it’s unclear which bill would be the most likely to move forward.

Meanwhile, the FRTIB is still noticing the impact of the 35-day government shutdown in other ways.

The FRTIB saw a 25 percent jump in hardship withdrawals in January. New loan requests, however, are stable at this point.

The agency also saw a lower than usual increase in participation to the Federal Employee Retirement System (FERS) last month. The FERS participation rates went up just less than 1 percent in January, meaning that 90.3 percent of FERS employees deferred money to the Thrift Savings Plan that month.

“We’re attributing that to the furlough,” Tee Ramos, FRTIB’s director of participant service, said. “There are several organizations where we derive our numbers, and there were several organizations that didn’t have payroll for that month.”

Auditor finds TSP cybersecurity lacking

The TSP is still struggling with its cybersecurity posture and hasn’t fully developed and implemented an effective information security program, according to the most recent results of an independent Federal Information Security Modernization Act (FISMA) audit.

The FRTIB has been struggling to meet FISMA requirements since at least fiscal 2016, when the agency conducted its first-ever such audit. The agency suffered a cyber breach back in 2012, when hackers accessed personal information for 123,000 TSP participants through one of its contractors.

Using the FISMA maturity model, an independent auditor considered three out of eight domains as “defined.” The remaining five are still considered “ad-hoc,” meaning most FRTIB security policies and procedures aren’t formalized and still reactive in nature.

The FRTIB doesn’t have an inspector general and uses an independent consultant, Williams Adley in this case, to review the agency’s compliance.

Data protection and privacy, identity and access management, and configuration management were the three domains that moved up a notch on the FISMA maturity rating this past year, according to the Williams Adley audit.

“Many initiatives were in place during the year, but by the time our assessment had concluded, those initiatives were either not completed or they had just recently been completed and we weren’t able to assess the level of completion,” the auditors said at Monday’s board meeting.

Both the agency and the auditors were relatively confident the FRTIB’s cyber posture would, in fact, continue to improve in the coming years. The agency has had a permanent chief technology officer (CTO) on board for nearly a full year now, who is leading the FRTIB’s FISMA response strategy.

The agency also found a deputy CTO and formed an enterprise risk management steering committee, which has a direct reporting line to FRTIB management and the executive director.

Williams Adley told the board that the more stable leadership, along with the FRTIB’s improvement strategy, shows the agency is thinking about cybersecurity in a different way.

Patrick Bevill, the FRTIB’s relatively new chief information security officer, said the agency would segment “cure activities” into 90-day, six-month and one-year blocks for the eight FISMA domains. The goal is to bring all domains to the “consistently implemented” level by 2020 at the latest.

Source

Latest version includes shift to industry-agnostic approach and Singapore’s Personal Data Protection Act

HITRUST today announced the release of version 9.2 of the HITRUST CSF.

This version integrates Singapore’s Personal Data Protection Act (PDPA) into the HITRUST CSF and includes additional plain language interpretations of relevant articles and recitals from the European Union’s General Data Protection Regulation (GDPR). Further, the HITRUST CSF Control Category for Privacy Practices has been revised significantly to support the placement of HIPAA-specific requirements in a separate segment in all categories, marking a shift to a more industry-agnostic approach for the HITRUST CSF and to better align with existing international privacy frameworks.

Designating HIPAA as a standalone segment creates no impact to healthcare organizations beyond the need to select their industry when conducting an assessment.

These updates reflect HITRUST’s continuing commitment to facilitate HITRUST CSF’s adoption in multiple industries, both domestically and internationally. HITRUST ensures the HITRUST CSF stays relevant and current to the needs of organizations by regularly updating the framework to incorporate new standards and regulations as authoritative sources.

HITRUST’s market-leading risk management and compliance framework – a key component of the HITRUST Approach – integrates and cross-references multiple authoritative sources such as ISO, NIST, PCI, and HIPAA. The HITRUST CSF provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment.

The post HITRUST Releases Expanded CSF v9.2 appeared first on HITRUST.

Source

Frisco, TX, January 15, 2019 – HITRUST, in collaboration with the Quality Subcommittee of the HITRUST CSF Assessor Council, is announcing updates to the HITRUST CSF Assurance Program to provide greater transparency and ensure continued integrity relating to HITRUST CSF Assessments.

The HITRUST CSF Assurance Program is governed by a comprehensive set of requirements, which are regularly reviewed, and updates are key in maintaining the robust nature of the Program that provides unmatched reliability to internal and external stakeholders.

HITRUST established and maintains the standard for providing integrity, transparency, accuracy and scalability of information risk management reporting through its HITRUST CSF Assurance Program which delivers efficiencies and cost savings to the assessed organization through its ‘assess once – report many’ approach. Most standards and frameworks lack an assurance program, which creates inconsistency of results and a lack of transparency and validity. With the HITRUST CSF Assurance Program, management, as well as external audiences, such as clients, vendors and regulators can be assured of a high degree of accuracy, consistency and comprehensiveness of the information privacy and security controls reported in the HITRUST CSF Assessment report.

The updates to the HITRUST CSF Assurance Program being released today include:

  1. Ensuring clarity of scope of an assessment – HITRUST Assurance Advisory 2019-01. Updated assessment scoping guidance will require assessors, working with the assessed entity, to include a more detailed description of each system covered in the assessment, as well as specific details on the components of each system (e.g., operating system, database system); the service offerings included in the system; and specifications for each service offering, such as what is in scope, what is not in scope, and what is partially in scope.
  2. Change regarding the number of qualified HITRUST Certified CSF Practitioner (CCSFP) hours for HITRUST CSF Validated Assessments – HITRUST Assurance Advisory 2019-02. The CCSFP resource requirement on an assessment is increased to at least 50% of assessment hours to ensure the qualifications of the resources performing assessments.
  3. Providing direction for HITRUST Approved Assessor Organizations – HITRUST Assurance Advisory 2019-03. Additional guidance relating to assessor test plans and aligning those plans to HITRUST CSF implementation requirement statements, including guidance on acceptable documentation to support the activities and procedures that were performed.
  4. Changes to further ensure HITRUST Approved Assessor quality and consistency – HITRUST Assurance Advisory 2019-04. Changes clarify the current requirement for assessors to perform independent quality assurance (QA) reviews of the assessment results, add required training for those performing the QA review, and require completion of a checklist by the engagement executive and the QA reviewer.
  5. Changes related to Interim Reviews – HITRUST Assurance Advisory 2019-05. Renames ‘Interim Reviews’ to ‘Interim Assessments’, outlines additional rigor and assurance around the process, and requires that Interim Assessments be performed within the HITRUST MyCSF tool.

Click here to find a complete list of HITRUST Assurance Advisories.

About HITRUST CSF Assessor Council – Quality Subcommittee

Established in January 2017, the Quality Subcommittee of the HITRUST CSF Assessor Council consists of industry leaders committed to ensuring the reliability of HITRUST assessments who periodically review industry standards to provide guidance to improve assessment criteria.

For inquiries regarding these updates, please contact us at support@hitrustalliance.net.



Current and former NASA employees are at risk of identity theft after the space agency discovered a cyber attack.

On Oct. 23, NASA found one of its servers containing personal data, including social security numbers, suffered a data breach.

“The agency will provide identity protection services to all potentially affected individuals,” said a NASA spokeswoman in an email to Federal News Network. “NASA does not believe that any agency missions were jeopardized by the intrusions. Once discovered, NASA took immediate action to secure the impacted servers and has been working to perform a forensic analysis since then — this process will take time. The ongoing investigation is a top NASA priority.”

SpaceRef first reported the cyber attack and loss of data.

NASA didn’t say how many employees were impacted by this data breach, but said in a Dec. 18 memo from Bob Gibbs, the assistant administrator and chief human capital officer, that the attack affected those who worked at NASA for a 12-year period.

“Those NASA civil service employees who were on-boarded, separated from the agency, and/or transferred between centers, from July 2006 to October 2018, may have been affected,” Gibbs writes. “Once identified, NASA will provide specific follow-up information to those employees, past and present, whose PII was affected, to include offering identity protection services and related resources, as appropriate.”

Systemic cyber challenges?

This data breach is the most recent example of NASA’s continued cybersecurity challenges.

NASA’s inspector general found in May that its security operations center has “fallen short of its original intent to serve as NASA’s cybersecurity nerve center. Due in part to the agency’s failure to develop an effective IT governance structure, the lack of necessary authorities, and frequent turnover in [Office of the Chief Information Officer] leadership, these shortcomings have detrimentally affected SOC operations, limiting its ability to coordinate the agency’s IT security oversight and develop new capabilities to address emerging cyber threats. In sum, the SOC lacks the key structural building blocks necessary to effectively meet its IT security responsibilities.”

In the fiscal 2017 report on the Federal Information Security Management Act (FISMA)—the 2018 report isn’t out yet—the IG found NASA’s cyber posture is considered immature, a level two of the cyber framework, and configuration management continues to be a problem.

“For example, during this year’s review the compliance rate with NASA security baselines averaged 79 percent for Windows devices. However, for Windows servers — considered a higher risk because they provide services to other computer devices over a network — the compliance rate for implementation of secure configuration settings dropped to 49 percent,” the report states.

The Office of Management and Budget’s most recent cyber scorecard under the President’s Management Agenda shows NASA struggling with hardware and software asset management. The space agency is doing well with authorization management, meaning critical systems have an authority to operate, and mobile device management.

And finally, the latest Federal IT Acquisition Reform Act (FITARA) scorecard said NASA earned an “F” grade under the FISMA section for meeting only two of the four cross-agency priority goals. Overall, NASA received a B+ under FITARA.

All of these struggles continued after NASA put its main end-user network and systems at risk because of unpatched systems in 2016. At one point, NASA CIO Renee Wynn took the unusual step of not signing system authorizations because of the lack of basic cyber hygiene on the systems.

“NASA takes cybersecurity very seriously and is committed to devoting the necessary resources to ensure the security of agency information and IT systems,” the spokeswoman said. “The agency is continuing its efforts to secure all servers, and is reviewing its processes and procedures to ensure the latest security practices are followed throughout the agency.”
