CISA and NIST have been busy, so let’s cover that as we look at moves by the federal government.
I’ve previously discussed how the U.S. National Institute of Standards and Technology (NIST) is facing a backlog of vulnerability analysis in the National Vulnerability Database (NVD) due to a lack of interagency support. NIST has fallen behind in adding essential enrichment information (CVSS scores, CPE product identifiers, and weakness classifications) to new CVE entries; the institute analyzed only 199 of the 3,370 CVEs it received last month. What’s new is that NIST is working to establish a public-private consortium to improve the NVD, is prioritizing analysis of the most significant vulnerabilities, and is reassigning staff to deal with the backlog.
The Cybersecurity and Infrastructure Security Agency (CISA) has directed federal agencies to investigate whether Russian hackers stole their account details. The hackers gained access to sensitive agency information by compromising Microsoft’s corporate email accounts, and CISA has deemed the stolen emails a “grave” risk to the federal government. Affected agencies have been instructed to take immediate remediation action, reset any credentials exposed in the stolen correspondence, and perform a cybersecurity impact analysis.
According to a report from the U.S. Cyber Safety Review Board, the 2023 Microsoft cloud email breach that impacted multiple federal agencies was preventable, and the board attributes it to Microsoft’s inadequate security culture. The report highlights a cascade of errors by Microsoft, including failure to detect the compromise and inaccurate public statements about it. The board recommends major changes and that Microsoft restore security as a top corporate priority. The report is also noted as causing significant damage to Microsoft’s reputation with the U.S. government.

CISA has also made its “Malware Next-Gen” analysis system publicly available, allowing any organization or individual to submit malware samples for analysis. The system, designed to handle the growing workload of cyber-threat analysis, offers advanced analysis capabilities, and CISA encourages registration and submission of suspicious files. However, only CISA analysts and vetted individuals can access the resulting analysis reports.
The Pentagon has officially established the Office of the Assistant Secretary of Defense for Cyber Policy, giving cybersecurity the focus and attention Congress intended. Ashley Manning will lead the office until a Senate-confirmed leader is appointed; President Joe Biden has nominated Michael Sulmeyer for the position.
Why do we care?
NIST is a linchpin in the U.S. approach to technology, so its funding and ability to execute matter.
I continue to wonder about reputational damage. Sure, the stories say the damage is there. I suspect the change will come through increased standards and requirements rather than an exodus from Microsoft. That’s good news for the rest of us: the power of the purse.