Cyber Security

CISA Announces New Binding Operational Directive to Manage Federal Civilian Agency Threats


Takeaway: The latest directive from CISA will enhance federal agencies’ ability to identify vulnerabilities in their networks to prevent and respond to cybersecurity incidents. On October 3, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) announced Binding Operational Directive (BOD) 23-01 entitled Improving Asset Visibility and Vulnerability Detection on Federal Networks.[1] The aim of BOD 23-01 is “to make measurable progress toward enhancing visibility into agency assets and associated vulnerabilities.”[2] A binding operational directive is a compulsory direction to the executive branch, departments and agencies for purposes of safeguarding federal information and information systems.[3] BOD 23-01 applies to any agencies operating as a Federal Civilian Executive Branch (FCEB) agency such as the Department of Justice, the Department of Education, and the Department of Health and Human Services.[4] The directive also applies to any entity acting on behalf of a FCEB agency that “collects, processes, stores, transmits, disseminates, or otherwise maintains agency information.”[5] BOD 23-01 focuses on (1) asset discovery, or identifying what IP-assets reside on an agency’s networks and detecting their associated IP addresses and (2) vulnerability enumeration, or detecting and reporting vulnerabilities on those assets such as outdated software or missing updates. The directive lists mandatory actions and reporting requirements that FCEB agencies must implement by April 3, 2023. For example, each FCEB agency must perform automated asset discovery every 7 days. FCEB agencies have discretion in determining the method and technology to complete this task, but BOD 23-01 requires that the discovery must cover the entire IPv4 space at minimum. Additionally, each agency must initiate vulnerability enumerations every 14 days. All FCEB agencies must initiate the collection and reporting of performance data within 6 months of the publication of BOD 23-01 in order to allow CISA to automate oversight and monitoring. Collectively, these actions enhance an agency’s ability to automatically detect vulnerabilities and prevent exploitation of any weaknesses in their networks. Read More

Trans-Atlantic Data Privacy Framework: New Data-Sharing Vehicle Is Promising


On March 15, the United States and the European Commission (EU) entered into negotiations to create the Trans-Atlantic Data Privacy Framework (Framework). This effort is the third of its kind showcasing the legal complexity involved in creating a mechanism that fosters secure data flows between the United States and European Union, and provides redress for EU individuals who are targeted by U.S. government surveillance activities. The Framework promises a vehicle through which companies can share data in ways they couldn’t before thereby expanding global business. If the Framework operates as promised and intended, a data flow-reliant market worth $7.1 trillion could be supported and encouraged. Procedural Background Under the General Data Protection Regulation (GDPR), personal data is prohibited from being transferred from the European Economic Area (EEA) to countries outside the EEA. The European Commission has the authority to determine what countries have an adequate level of privacy protection. This analysis takes into consideration whether the country being evaluated has data controllers or processors that compensate for the lack of data protection by way of appropriate procedural safeguards. Between the United States and the EU, there have been two previous data-sharing mechanisms designed to provide a relatively easy “self-certification” method for U.S. companies to satisfy the safeguard requirement, each of which has been invalidated by the Court of Justice of the European Union (CJEU). In October 2015, the CJEU determined that the first mechanism, the Safe Harbor Privacy Principles (Safe Harbor), was invalid in Schrems v. Data Protection Commissioner, Case C362/14, Schrems v. Data Protection Commissioner, 2015 EU:C:2015:650 (Oct. 6, 2015) [hereinafter Schrems I]. In Schrems I, the CJEU found that the Safe Harbor failed to adequately protect the privacy of EU citizens because of the U.S. government’s ability to access personal data for national security purposes. In response to this determination, the United States and EU developed the new EU-U.S. Read More

News & Events

Related News

24 Pietragallo Lawyers named in 2024 Pennsylvania Super Lawyers and Rising Stars
May 17, 2024
Pietragallo is pleased to announce that 24 lawyers have been named to the 2024 Pennsylvania Super Lawyers and Rising Stars list. Read More
Transformative Pro Bono Experiences in The Philadelphia Lawyer
May 16, 2024
An excerpt written by partner Douglas Rosenblum about his personal experience with pro bono work. Pro bono representations have been critical to my development, both personally and professionally. Read More
View More News & Events