cyber threats Archives | FedScoop
https://fedscoop.com/tag/cyber-threats/

FedScoop delivers up-to-the-minute breaking government tech news and is the government IT community's platform for education and collaboration through news, events, radio and TV. FedScoop engages top leaders from the White House, federal agencies, academia and the tech industry both online and in person to discuss ways technology can improve government, and to exchange best practices and identify how to achieve common goals.

Energy Department has cyber threats to infrastructure in mind with $70 million funding offer
https://fedscoop.com/energy-department-cybersecurity-infrastructure-funding/
Fri, 05 Jan 2024 21:22:24 +0000

The DOE’s Office of Cybersecurity, Energy Security and Emergency Response is seeking proposals for technology that strengthens the resilience of infrastructure from a variety of risks, including cybersecurity, part of an emphasis on taking care of “the operational technology side of the house.”

The Department of Energy is offering $70 million in funds toward research and development for technology that would protect delivery infrastructure against cyber-related threats and other physical hazards, part of what a senior agency official said is the prioritization of “the operational technology side of the house.”

The All-Hazards Energy Resilience funding opportunity will be managed by the DOE’s Office of Cybersecurity, Energy Security and Emergency Response, and a senior CESER official said in an interview with FedScoop that the agency is specifically interested in OT-related proposals that explore how one might produce a zero-trust architecture in an electrical or oil and natural gas environment.

“I think the cybersecurity community has come leaps and bounds in the last decade and a half,” the CESER official said. The OT side of the network will become “even more complex as we move to distributed energy kind of resource footprint. And those architectures modernize those capabilities to do cybersecurity and defend from those persistent threats [that] are a little bit more nascent in that kind of energy sector OT field.”

With awards of up to $5 million in funds, the DOE said it’s looking for universities, tribal nations, companies and others to provide solutions for technology meant to protect critical energy infrastructure from all threats, such as malicious cyber attacks and bad actors. 

The DOE’s release acknowledges that the “growing digital landscapes” put existing energy systems at risk for attacks. For example, two department entities were victims of a cyberattack that resulted from a vulnerability in MOVEit file transfer software.

“There are real risks to infrastructure; a lot of research in the world heretofore has been to prevent entry and detect it once it’s there,” the CESER senior official said. “Things are going to happen and when they do, you have to be able to operate your electrical or oil or natural gas infrastructure in a degraded mode, even potentially through that compromise.”

The official said that the research awards are “threat-informed” but could not comment on any specific infrastructure targeted by bad actors.

“The entry vectors into the sector are many,” the official said. “There are IT pathways where you’re coming in the IT front door, traversing the network and getting into the OT network. There are other kinds of pathways to enter the infrastructure, all of which are being considered in this funding opportunity announcement, but also in the broader portfolio of research we run in our office.”

FDA cybersecurity agreement on medical devices needs updating, watchdog finds
https://fedscoop.com/fda-cisa-medical-devices-cybersecurity-agreement-updated-gao/
Tue, 26 Dec 2023 22:56:41 +0000

GAO report says FDA's pact with CISA on cybersecurity protocols for medical devices is five years old and needs to be updated.

Medical devices like heart monitors, which are under the purview of the Food and Drug Administration, have cybersecurity vulnerabilities that aren’t frequently exploited but nevertheless pose risks to hospital networks and patients, according to a recent watchdog report.

The Government Accountability Office highlighted that the FDA’s medical device cybersecurity formal agreement is five years old and needs to be updated with the help of the Cybersecurity and Infrastructure Security Agency, a move that would improve agency coordination and clarify responsibilities.  

“According to the Department of Health and Human Services (HHS), available data on cybersecurity incidents in hospitals do not show that medical device vulnerabilities have been common exploits,” the GAO report stated. 

“Nevertheless, HHS maintains that such devices are a source of cybersecurity concern warranting significant attention and can introduce threats to hospital cybersecurity.”

The GAO report found that the FDA’s authority over medical device cybersecurity has increased in recent years. This is attributable to December 2022 legislation that mandated that medical device manufacturers submit to the FDA their plans to identify and address cybersecurity vulnerabilities for any new medical device introduced to consumers starting in March 2023.

The GAO report also noted that FDA officials are currently implementing new cybersecurity authorities from past legislation and have not yet identified the need for any additional authority. 

According to FDA guidance, if medical device manufacturers do not fix cyber vulnerabilities, the agency can find that the manufacturers have violated federal law and can be penalized through enforcement actions.

The GAO report recommended that the FDA and CISA update their medical device cyber agreement to reflect organizational and procedural changes that have occurred. Both agencies agreed with the recommendations.

New rule would set governmentwide cyber standards for contracts involving federal information systems
https://fedscoop.com/proposed-cybersecurity-rule-would-amend-federal-acquisition-regulation/
Tue, 03 Oct 2023 19:02:09 +0000

“By standardizing a set of minimum cybersecurity standards to be applied consistently to FISs, the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” the new rule states.

The Biden administration is proposing a new standardized set of cybersecurity procurement requirements across the federal government for contractors that work with unclassified federal information systems.

This proposed rule would amend the Federal Acquisition Regulation (FAR) to include minimum requirements for cybersecurity contracts that involve federal information systems instead of leaving it up to agencies to set those requirements, according to a Tuesday notice in the Federal Register.

The contract requirements will differ for cloud-based and on-prem systems, as outlined in the notice. Once the new requirements take effect, agencies would need to update their own requirements to remove any rules that are duplicative, but they could still require any additional rules that go beyond the baseline updates provided in the new FAR language.

Currently, the cybersecurity requirements for such contracts are based on agency-specific policies, which introduces risks including inconsistent security requirements across contracts, additional costs and restricted competition. 

“By standardizing a set of minimum cybersecurity standards to be applied consistently to [federal information systems], the proposed rule would ensure that such systems are better positioned in advance to protect from cyber threats,” the notice states. 

This change is a direct measure called for in the Biden administration’s landmark 2021 cybersecurity executive order. That required the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to review agency-specific cybersecurity requirements from across the government and then to “recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements” that would be proposed publicly for comment.

The notice Tuesday calls for the government to improve its efforts to identify, deter and respond to cyber threats while also ensuring that products are built and operated securely for a safer cyberspace. 

“In the end, the trust the United States places in its digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences it will incur if that trust is misplaced,” the notice states. 

It also highlights the recent explosive growth of malicious cybersecurity activity, adding that the threats the nation faces are costly and predicting that, with threats continuing to grow, that activity could cost $1 trillion over the next decade.

In 2018, the Council of Economic Advisers found that malicious cybersecurity activity cost the national economy somewhere between $57 billion and $109 billion. The administration in the notice also acknowledged that the cost of a single cyber incident to an individual company “can be crippling.”

“It also is essential that the Government—and its contractors—take a coordinated approach to complying with applicable security and privacy requirements, which are closely related, though they come from independent and separate disciplines,” the notice states.

Comments on the proposed rule will be accepted through Dec. 4.

The administration on Tuesday also issued a separate proposed rule to revise the FAR to increase information-sharing on cyber threats and incidents with technology providers.
