News Alerts and Breach Report for Week of June 27, 2022

American Data Privacy and Protection Act Moves Forward

Last week, on June 23, the U.S. House Committee on Energy and Commerce began marking up the ADPPA. The bill’s sponsors call the markup process the next “major” step toward passing the bill and encourage public input—when the time comes.

White House Signs Three Cybersecurity Bills

The Biden Administration signed three bills focused on cybersecurity into law last week. The bipartisan pieces of legislation focus on “protecting federal information technology supply chains by fostering coordination between the Cybersecurity and Infrastructure Security Agency (CISA) and state and local governments,” according to The Cyberwire. The State and Local Government Cybersecurity Act will require CISA to provide tools and training to state and local governments, while the Federal Rotational Cyber Workforce Program Act “creates a civilian personnel rotation program for cybersecurity professionals at federal agencies.” Finally, the Supply Chain Security Training Act requires the “General Services Administration (GSA), in coordination with the Department of Homeland Security (DHS), Department of Defense (DOD) and the Office of Management and Budget (OMB), to create a supply chain security training program for federal officials with supply chain risk management responsibilities.” The Act also requires the OMB to develop training programs for federal agencies.

Government Accountability Office Orders Insurance Audit

The Government Accountability Office (GAO) last week urged the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Department of the Treasury’s (Treasury) Federal Insurance Office (FIO) to assess whether a federal insurance plan is needed to hedge against catastrophic cyberattacks on critical infrastructure. The order is pursuant to the Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) of 2019, which requires GAO to study cyberattack risks to infrastructure, assess whether states’ cyber liability coverage is adequate for terrorism, whether such risks can be assessed by the private market, and whether the risk-share program established under TRIPRA is adequate.

DOD Memo Identifies Penalties for Noncompliance

The Department of Defense issued a memo on June 16 that, according to JD Supra, directs “Contracting Officers to enforce penalties on DoD contractors that fail to comply with DFARS Clauses 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) on contracts not subject to either DFARS 252.204-7020 (DoD Assessment Requirements) or, by implication, DFARS 252.204-7021 (CMMC), which is not currently in effect.” Compliance means, at minimum, implementing NIST SP 800-171, or having a plan of action and associated milestones for doing so. This framework covers contractors that operate covered information systems that are part of an Information Technology service or system run on behalf of the government.

BREACH REPORT:

* * * * * * *

