Following up on the President's July 28, 2021 National Security Memorandum on improving cybersecurity for critical infrastructure control systems, the Department of Homeland Security (DHS) announced this week the results of a review of existing resources and practices conducted by DHS's Cybersecurity and Infrastructure Security Agency (CISA) together with the National Institute of Standards and Technology (NIST). That review led CISA and NIST to identify nine categories of cybersecurity practices and to use those categories as the basis of a set of preliminary cybersecurity performance goals.
The following are the nine categories and related high-level goals listed by DHS. Each will sound familiar to anyone who has spent years implementing ITAR, DFARS, and NIST SP 800-171 controls and best practices:
- Risk Management and Cybersecurity Governance
- Architecture and Design
- Configuration and Change Management
- Physical Security
- System and Data Integrity, Availability, and Confidentiality
- Continuous Monitoring and Vulnerability Management
- Training and Awareness
- Incident Response and Recovery
- Supply Chain Risk Management
In its written announcement, DHS provided a brief explanation of the goal, rationale, and baseline objectives for each category.
Anyone involved in trade compliance or federal contracting, or supporting those who are, should become very familiar with what DHS has announced, because these preliminary goals will no doubt form the basis of the requirements that follow.