On November 3rd, the Department of Homeland Security issued BOD 22-01 to all Federal agencies. This is a mandate to resolve many of the Critical Vulnerabilities we are seeing exploited across software and hardware systems. What is interesting about this is that there are timelines established, and this indicates an increased desire for the government to look at compliance as a key component of security issues.
What does this mean? Well some key takeaways I'm seeing from this are...
Compliance is coming
Clearly with a desire to get the federal space fully covered from these vulnerabilities, the next step to securing the United States' Cybersecurity Infrastructure is to improve compliance among the various private sector spaces that work frequently with Federal Government. Some of these groups are likely covered by the BOD 22-01 now, but there is a high likelihood we will see an increase of compliance requirements created and established... and along with that some likely penalties created for those who don't fulfill them.
Cybersecurity IS a growing concern for the DHS
This isn't news with the formation of the Cybersecurity and Infrastructure Security Agency in November of 2018, the DHS is taking seriously the growing credible threats from foreign elements within the United States' cyber infrastructure. There is a growing demand for more direction, and BOD 22-01 is a directive... so that would indicate there will be more to come.
This will likely become more commonplace as threats increase
With the high threat that Cyber attacks represent to the United States, I suspect that these kinds of mandates and directives will become more and more commonplace as time goes on. This isn't the first, but it is a strong course of action with a mandated deadline for many vulnerabilities that INCLUDES non-internet facing systems. We will likely see more of these directives in the future.
What can small businesses do if they are concerned by these threats?
Much like you would go to a mechanic if your car has a problem, or a Dentist if your teeth hurt... if you're concerned about Cybersecurity threats you should go to a company that specializes in these kinds of services. There are resources available through CISA HERE if you want to look through those, but the best sources should be those members of your community who have the knowledge and knowhow to be able to help your business defend from those threats.