
A review of the current administration's cybersecurity priorities

ARTICLE | May 30, 2024

Authored by RSM US LLP


President Joe Biden assumed office in January 2021 amid an unquestionably challenging environment for cyberthreats. A month earlier, a cybersecurity researcher from Google subsidiary Mandiant discovered an exploited vulnerability in network management software developed by SolarWinds. Over the next several weeks, a series of high-profile ransomware attacks breached a range of companies, including natural gas provider Colonial Pipeline, meatpacker JBS Foods and IT software maker Kaseya. Meanwhile, the world was confronting the scale of the intrusion, as the blame fell on Russian threat actors. The events colored the new administration's priorities and programs of work, which the U.S. Chamber of Commerce has organized into three categories.

Priority 1: Raising baseline cybersecurity requirements for critical infrastructure

From the first security directives issued by the Transportation Security Administration, to the “More Than a Password” information campaign developed by CISA (Cybersecurity & Infrastructure Security Agency), to open letters to the business community, the administration's first cybersecurity priority was to use voluntary measures and regulations to raise the baseline requirements for protecting critical infrastructure.

Why this matters

The Biden administration expects organizations of all sizes to increase their cybersecurity and risk management investments.

Applicability

The administration has taken a sector-by-sector approach to review each of the 16 infrastructure sectors designated vital to the United States under the USA Patriot Act, the Homeland Security Act of 2002, and Presidential Policy Directive 21—all measures enacted to bolster security for the country’s physical and digital infrastructure.

What does good look like?

Governments are raising the minimum expectation through standards-based compliance. The U.S. Chamber recommends that organizations use the Cybersecurity Framework developed by NIST (National Institute of Standards and Technology) to guide risk management and conform with ISO/IEC 2700X, developed jointly by the International Organization for Standardization and the International Electrotechnical Commission, as well as NIST’s SP 800-53 and SP 800-171 standards.

Priority 2: Securing the software supply chain and driving security by design

Second only to legitimate credentialed access, supply chain threats and attacks are among organizations’ top cybersecurity risks.

Administration action: The Biden administration published the definitive policy directive for software supply chain security, Executive Order 14028, Improving the Nation’s Cybersecurity, in May 2021.

Why it matters

EO 14028 sets forth roughly 60 action items related to supply chain security, including these minimum elements: a software bill of materials, guidelines for software supply chains and updates to regulations for contractors.

Applicability

Acting through the Federal Acquisition Regulatory (FAR) Council, the Biden administration will require new software security and incident reporting by nearly all federal contractors.

Priority 3: Enhancing the government's visibility of cybersecurity incidents

The United States, the European Union and other governments around the world have promoted initiatives to close the visibility gap between government agencies and cyberattack victims. The U.S. Chamber has also promoted global principles to guide policymakers who are considering the establishment of business incident reporting requirements.

Why does disclosure matter?

The first of two theories contends that public disclosure of material cyber incidents will prompt prioritization and longer-term investment by organizations at the executive level. The second theory holds that government agencies are blind to the heightened threat environment, and that only enhanced visibility will ensure that they:

  • Better understand national risk.
  • Prioritize resources for the most at-risk entities.
  • Tailor improved mitigation for victims.

Cost versus cyber risk reduction?

CISA recently estimated that implementing its CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act) rules will cost CISA and the industry $2.6 billion over 11 years of implementation. Will the tidal wave of incident reports actually result in risk reduction? Despite policymakers’ best intentions, probably not—at least in the near term. However, there may be incremental reductions in cyber incidents and breaches on a yearly basis.

For more information, contact Vince Voci (vvoci@uschamber.com), vice president for cyber policy and operations at the U.S. Chamber of Commerce.


Source: RSM US LLP.
Reprinted with permission from RSM US LLP.
© 2024 RSM US LLP. All rights reserved. https://rsmus.com/insights/services/risk-fraud-cybersecurity/a-review-of-the-current-administrations-cybersecurity-priorities.html
