Among the rising cybersecurity risks of 2022, ransomware attacks continue to be one of the most harmful to federal departments and vendors. Ransomware incidents have increased this year by 13%, a more significant increase than in the previous five years combined, according to Verizon’s annual Data Breach Investigations Report (DBIR).
Even though many cyber attackers use a double extortion strategy to demand twice as much money from their victims, the cost of ransomware is not the US government’s top worry. Ransomware is increasingly being used against Western companies by foreign adversaries, including China, North Korea, and Russia; occasionally, they even cooperate.
Governmental Programs and New Security Challenges
Ransomware is a risk that should concern both public and private sector organizations. It threatens the financial stability of companies, and it endangers national security by compromising critical infrastructure and exposing sensitive data to nation-state actors. Thus, the need for CMMC consulting in Virginia Beach has gone up.
Thankfully, 2022 has also seen numerous efforts spanning departments and offices within the US government to help reduce the prevalence of ransomware and keep businesses secure for years to come. Federal employees will have to comply with some of these new security requirements if they want to continue operating legally.
1. New Cyber Reporting Requirements
Organizations are ethically obligated to notify their customers following a cyber event or data breach, but sadly, this doesn’t always happen promptly. However, public safety is at risk when a ransomware attack targets crucial infrastructure, making quick disclosure even more critical.
The “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (CIRCIA), which was voted into law in March, mandates that critical infrastructure businesses disclose any significant cybersecurity events within 72 hours and any ransom payouts within 24 hours.
Although the exact scope of covered organizations is still unknown, it is likely to encompass industries like:
- Critical Manufacturing
- Energy
- Financial Services
- The Defense Industrial Base (DIB)
The new cyber reporting regulations will eventually aid law enforcement organizations in gathering information on attack trends, monitoring the activities of advanced persistent threat (APT) groups, and quickly responding to cyber emergencies.
The Consolidated Appropriations Act of 2022 is the official source for CIRCIA; for the benefit of readers, the PDF linked above only includes the Act’s sections that apply to CIRCIA.
2. CMMC 2.0 and Updated CMMC Timeline
The Department of Defense (DoD) is now collaborating with federal officials on an implementation schedule for CMMC 2.0, which might result in its deployment on DoD contracts by May 2023.
By forcing government contractors to go through a third-party review for cybersecurity adherence before they are eligible for the majority of Defense contracts, CMMC 2.0 aims to secure controlled unclassified information (CUI). The DoD will allow self-assessment for “Level 1” contracts that are less sensitive; for “Level 3” contracts that are more sensitive, firms will need a more formal government review.
CMMC consultant professionals will guarantee that the most vulnerable CUI is only shared with vendors who are prepared to safeguard it from a range of threats, such as ransomware, by executing information security controls corresponding to the vulnerability of each contract. This will not only promote better security all through the DIB.
3. NIST’s Cybersecurity Framework (CSF) Updates
Since it was initially released in 2014, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a collection of guidelines, has directed cybersecurity initiatives in both the public and private sectors. The CSF is currently being updated. NIST requested opinions in February of this year for a planned change to the CSF, which sparked a flood of responses from professionals in the field.
To align the CSF with another NIST Special Publication (SP), 800-30, “Guide for Conducting Risk Assessments,” DoD officials have revealed that they desire greater risk-management recommendations in the framework’s upcoming revision. Companies now using the CSF would benefit from a better awareness of risk and the risk variables that result in data breaches, cybercrime, and other threats if the two NIST resources were aligned.
Whether or not NIST follows this suggestion, an update to the CSF could not have arrived at a better time: cyber strategies have evolved quickly since the last update was published in 2018, and enterprises want direction. The majority of people who responded to the agency’s request for comments claimed to believe the CSF is a “viable method for organizations seeking to recognize, evaluate, acknowledge, and maintain cybersecurity risk”; however, it can only continue to be useful for as long as it is kept current with the most critical risk sources.