Executive Order on Improving the Nation's Cybersecurity

NPPD's goal was to advance the Department's national security mission by reducing and eliminating threats to U.S. critical physical and cyber infrastructure. Cybersecurity Notices of Exemption, Certifications of Compliance, and Notices of Cybersecurity Events should be filed electronically via the DFS Web Portal as instructed. You will first be prompted to create an account and log in to the DFS Web Portal, then directed to the filing interface.

Those requirements shall support a capability of the Secretary of Homeland Security, acting through the Director of CISA, to engage in cyber hunt, detection, and response activities. Agencies with cybersecurity vulnerability or incident response procedures that deviate from the playbook may use such procedures only after consulting with the Director of OMB and the APNSA and demonstrating that these procedures meet or exceed the standards proposed in the playbook. Within 1 year of the date of this order, the Secretary of Commerce, in consultation with the heads of other agencies as the Secretary of Commerce deems appropriate, shall provide to the President, through the APNSA, a report that reviews the progress made under this section and outlines additional steps needed to secure the software supply chain. Following any updates to the FAR made by the FAR Council after the public comment period described in subsection of this section, agencies shall update their agency-specific cybersecurity requirements to remove any requirements that are duplicative of such FAR updates. Within 90 days of the date of this order, the Secretary of Defense acting through the Director of the NSA, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence shall jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies. Agencies are already under mandate from a May 2021 executive order to adhere to the framework, though a forthcoming policy order could give additional guidance and force to that requirement.

Within 30 days of the date of this order, the Secretary of Commerce acting through the Director of NIST shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria in subsection of this section. The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices. CISA concurred with this recommendation and in September 2021 provided information on adjustments it has planned or under way for its performance management system. These include how the performance management system was updated to include newly created divisions and mission support offices as a result of the transformation and how the three "pillars" of the organizational transformation are reflected in the performance management process. In addition, CISA described recent actions regarding the reassessment of its performance management system, specifically regarding a robust approach to educating the supervisory cadre on how to address poor performance and how it incentivizes and rewards top performers. The agency added that its human capital office is currently revising its existing performance management instruction and plans to complete this by March 31, 2022.

See the chart below for a list of the sections of Part 500 with which a Covered Entity must still comply. This Resource Center is designed to help Covered Entities understand how to comply with the Cybersecurity Regulation. Among other things, it provides links to industry guidance, answers frequently asked questions, and explains how and when to submit cybersecurity-related filings to DFS, including the requisite Certifications of Compliance and notifications of Cybersecurity Events. Submit to the Florida Digital Service, within 1 week after the remediation of a cybersecurity incident or ransomware incident, an after-action report that summarizes the incident, the incident's resolution, and any insights gained as a result of the incident.

Data shall be retained in a manner consistent with all applicable privacy laws and regulations. Such recommendations shall also be considered by the FAR Council when promulgating rules pursuant to section 2 of this order. The criteria shall reflect a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone. The Director of NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation. Log4j is broadly used in a variety of consumer and enterprise services, websites, and applications—as well as medical devices and supporting systems—to log security and performance information.

Covered Entities must assess the risks each Third Party Service Provider poses to their data and systems and effectively address those risks. The Department has provided a two-year transitional period to address these risks and expects Covered Entities to have completed a thorough due diligence process on all Third Party Service Providers by March 1, 2019. Reporting Cybersecurity Events to the Department is not only an important obligation of all Covered Entities, but also enables the Department to more rapidly identify techniques used by attackers so that DFS can alert industry, respond quickly to new threats, and continue to effectively protect consumers and the financial services industry.

Tasks such as these appear to be critical to CISA's transformation initiative and accordingly its ability to effectively and efficiently carry out its cyber protection mission. In addition, the agency had not established an updated overall deadline for completing its transformation initiative. Until it establishes updated milestones and an overall deadline for its efforts, and expeditiously carries out these plans, CISA will be hindered in meeting the goals of its organizational transformation initiative.

All but one of the exemptions are limited in scope and require compliance with some sections of the Cybersecurity Regulation. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for each category of exempted entities. If a Covered Entity ceases to qualify for a previously claimed exemption, the Covered Entity should, as soon as reasonably possible, notify the Department through the DFS Portal by terminating its previously filed exemption. Submit to the department annually by July 31, the state agency’s strategic and operational cybersecurity plans developed pursuant to rules and guidelines established by the department, through the Florida Digital Service. Submitting after-action reports following a cybersecurity incident or ransomware incident. Such guidelines and processes for submitting after-action reports must be developed and published by December 1, 2022.
