What has happened?
The order affects all national information systems in both the public and private sectors and is intended to ensure the security and privacy of American citizens. It covers both systems that process data (information technology, IT) and systems that run vital machinery (operational technology, OT), a scope comparable to “Kritische Infrastrukturen” (KRITIS) in Germany.
The background to the regulation is the realization that incremental improvements do not reach the desired goal at the desired speed. The federal government therefore intends to use its considerable market power through nationwide procurement and investment: all U.S. federal information systems are required to meet or exceed the cybersecurity standards and requirements set in the Executive Order.
But not only that – private sector companies are encouraged to follow the U.S. federal government’s lead and also take steps to increase and align cybersecurity investments.
What content is being discussed?
Core aims of the regulation are:
- Facilitate threat information sharing between government and the private sector and remove barriers to it;
- Establish stricter cybersecurity standards and modernize existing ones;
- Place the software supply chain under special scrutiny with regard to security (e.g. a Software Bill of Materials, SBOM);
- Establish a Cybersecurity Safety Review Board;
- Prepare for responding to cyber incidents (incident response and remediation): develop attack scenarios and responses to them (standard playbooks, i.e. instructions for action);
- Improve the detectability of cybersecurity incidents;
- Improve the capabilities to investigate and remediate cybersecurity incidents.
What does it mean?
Initially, the above objectives relate “only” to the procurement of IT systems and infrastructure by the United States government. We assume that this will also impact suppliers that a) do not supply directly to the government and b) do not have their core business in the U.S.
- Suppliers that do not supply directly to the United States government can also expect to be confronted with the new requirements through private-law contracts (“Why should we settle for less?”).
- Security is not a purely national challenge, but an international one. If the requirements result in a new “state of the art,” then this state of the art must also be taken into account outside the scope of the regulation.
- Medical technology is not the only sector affected, but it is certainly affected: the structure of medical care in the U.S. and the hospitals operated by the armed forces (for both active duty and veterans) result in a large procurement volume.
- Existing requirements are gaining in scope, in particular “MDS2” (ANSI/NEMA HN 1-2019: American National Standard – Manufacturer Disclosure Statement for Medical Device Security), as well as the already existing 80001 series of standards, IEC 81001-5-1 and IEC TR 60601-4-5, to name just a few in the medical technology sector.
How does the VDE help you?
Regardless of the current news situation, the topic of “security” will continue to occupy us in the future.
And even if – as shown above – you may not be directly affected by the order at the moment, the regulation shows that security is increasingly becoming a focus of decision-makers.
Security cannot be “tested into” a product at the end of development. This applies not only to operational safety, but also to information security.
We at VDE support you in this task from the very beginning, starting with planning and ending with implementation.
We will be happy to answer your questions and look forward to your comments!