CISA Releases New Sector Specific Goals for IT and Product Design

Source: US Department of Homeland Security

Guidance helps all organizations strengthen security in software development life cycle

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released new voluntary cybersecurity performance goals for the information technology (IT) and product design sector. The IT Sector Specific Goals (SSGs) are aligned to Secure by Design principles and will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security. CISA worked extensively with the IT Sector Coordinating Council (IT SCC) to develop these goals. Through the IT SCC, subject matter experts, associations, and other key partners provided critical, beneficial input and supported the development process.

While specific to the IT sector, the goals provide software and product developers in all critical infrastructure sectors with minimum foundational practices upon which they should focus their efforts. Recommended actions include:

  • Logically separate all software development environments from each other using controls such as network segmentation and access controls.
  • Regularly log, monitor, and review trust relationships used for authorization and access across software development environments.
  • Require multi-factor authentication (MFA), ideally phishing-resistant MFA, to access all software development environments.
  • Establish and enforce security requirements for software products used across software development environments.
  • Do not store sensitive data or credentials in source code. Instead, store sensitive data and credentials in an encrypted manner, such as using a secret manager.
  • Establish a software supply chain risk management program.
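As an added example (not code from CISA, the IT SCC, or the goals themselves), the following Python check shows the credential-handling goal above in practice: a small scanner that flags hard-coded secrets in source text, beside the pattern the goal recommends instead, in which the secret is read at runtime from an environment variable that a secret manager or CI secret store populates. The three detection rules, the placeholder filter, the sample source lines and the DB_PASSWORD variable name are all constructed for this illustration; a maintained secret scanner with a far larger ruleset is what a development environment should actually run.

```python
"""Flag hard-coded credentials in source text, and show the alternative.

Added illustration, not CISA's or the IT SCC's code. RULES is a small
constructed subset of what a real secret scanner checks; the sample
source below is also constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    excerpt: str


# Constructed detection rules (assumption: these three cover the demo).
RULES = {
    # AWS access key IDs have a fixed "AKIA" prefix and 16 more characters.
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private-key headers committed to a repo.
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # A credential-looking name assigned a quoted literal of 8+ characters.
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*"
        r"['\"]([^'\"]{8,})['\"]"),
}

# Obvious placeholders are not leaks; suppress them to keep the signal clean.
PLACEHOLDER = re.compile(r"(?i)^(changeme|example|placeholder|<.*>|\$\{.*\}|x{3,})$")


def scan_source(text: str) -> List[Finding]:
    """Return one Finding per (line, rule) hit, in file order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            match = pattern.search(line)
            if match is None:
                continue
            if rule == "assigned_secret" and PLACEHOLDER.match(match.group(2)):
                continue
            findings.append(Finding(line_no, rule, line.strip()[:60]))
    return findings


def load_db_password(env: Optional[Dict[str, str]] = None) -> str:
    """Hardened pattern: the secret is injected at runtime, never in source.

    DB_PASSWORD is an assumed variable name; a secret manager, CI secret
    store or orchestrator would populate it. A missing value is a hard
    error so the service cannot silently start with an empty or default
    credential.
    """
    source = os.environ if env is None else env
    value = source.get("DB_PASSWORD")
    if not value:
        raise RuntimeError("DB_PASSWORD not provided; refusing to use a default")
    return value


# Constructed sample: the 'before' that violates the goal.
VULNERABLE_SAMPLE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2hunter2"
api_key = "<your-api-key-here>"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
"""

# Constructed sample: the 'after' that reads the secret at runtime.
HARDENED_SAMPLE = """\
import os
db_password = os.environ["DB_PASSWORD"]  # populated by the secret manager
"""


if __name__ == "__main__":
    for f in scan_source(VULNERABLE_SAMPLE):
        print(f"line {f.line_no}: {f.rule}: {f.excerpt}")
    print("hardened sample findings:", scan_source(HARDENED_SAMPLE))
```

Run as a pre-commit hook or CI step, a check like this catches the literal before it reaches the repository; the placeholder filter matters because a rule that flags every `api_key = "<...>"` in documentation trains developers to ignore it.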

“The IT SSGs help critical infrastructure sectors significantly strengthen cybersecurity in the design and development of software and hardware. We encourage organizations to review and implement the goals, which will benefit and protect the supply chain, including consumers,” said CISA Director Jen Easterly. “The industry collaboration was critical to shaping goals with the highest impact and guiding organizations to prioritize their efforts. We applaud organizations that are choosing to take ownership of the security outcomes of their customers.”

CISA encourages product developers to adopt these SSGs to significantly improve the cybersecurity posture of software products, including those designed for the critical infrastructure services our nation relies upon. For more information, visit Cybersecurity Performance Goals on CISA.gov.

###

About CISA 

As the nation’s cyber defense agency and national coordinator for critical infrastructure security, the Cybersecurity and Infrastructure Security Agency leads the national effort to understand, manage, and reduce risk to the digital and physical infrastructure Americans rely on every hour of every day.

Visit CISA.gov for more information and follow us on X, Facebook, LinkedIn, and Instagram.

CISA Update on Treasury Breach

Source: US Department of Homeland Security

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today issued the following update on last week’s cybersecurity incident at the U.S. Department of the Treasury:

CISA is working closely with the Treasury Department and BeyondTrust to understand and mitigate the impacts of the recent cybersecurity incident.

At this time, there is no indication that any other federal agencies have been impacted by this incident. CISA continues to monitor the situation and coordinate with relevant federal authorities to ensure a comprehensive response.

The security of federal systems and the data they protect is of critical importance to our national security. We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate.


DHS Strengthens H-1B Program, Allowing U.S. Employers to More Quickly Fill Critical Jobs

Source: US Department of Homeland Security

Rule will provide greater benefits and flexibilities for U.S. employers and specialty occupation workers, helping to meet U.S. labor needs

WASHINGTON – The Department of Homeland Security (DHS) announced a final rule that will significantly enhance U.S. companies’ ability to fill job vacancies in critical fields, strengthening our economy. The new rule modernizes the H-1B program by streamlining the approvals process, increasing its flexibility to better allow employers to retain talented workers, and improving the integrity and oversight of the program. The rule builds on previous efforts by the Administration to ensure the labor needs of American businesses are met, while reducing undue burdens on employers and adhering to all U.S. worker protections under the law.

“American businesses rely on the H-1B visa program for the recruitment of highly-skilled talent, benefitting communities across the country,” said Secretary of Homeland Security Alejandro N. Mayorkas. “These improvements to the program provide employers with greater flexibility to hire global talent, boost our economic competitiveness, and allow highly skilled workers to continue to advance American innovation.”

“The H-1B program was created by Congress in 1990, and there’s no question it needed to be modernized to support our nation’s growing economy,” said USCIS Director Ur M. Jaddou. “The changes made in today’s final rule will ensure that U.S. employers can hire the highly skilled workers they need to grow and innovate while enhancing the integrity of the program.”

The H-1B nonimmigrant visa program allows U.S. employers to temporarily employ foreign workers in specialty occupations, defined by statute as occupations that require highly specialized knowledge and a bachelor’s or higher degree in the specific specialty, or its equivalent. The final rule aims to provide greater flexibility for employers and workers by modernizing the definition and criteria for specialty occupation positions, as well as for nonprofit and governmental research organizations that are exempt from the annual statutory limit on H-1B visas. These changes will help U.S. employers hire the employees they need to meet their business needs and remain competitive in the global marketplace. The rule also extends certain flexibilities for students on an F-1 visa seeking to change their status to H-1B, to avoid disruptions in lawful status and employment authorization for those F-1 students. To improve program efficiency, the final rule will allow USCIS to more quickly process applications for most individuals who had previously been approved for an H-1B visa. It will also allow H-1B beneficiaries with a controlling interest in the petitioning organization to be eligible for H-1B status, subject to reasonable conditions.

Finally, the rule strengthens program integrity by codifying USCIS’ authority to conduct inspections and impose penalties for failure to comply; requiring that the employer establish that it has a bona fide position in a specialty occupation available for the worker as of the requested start date; clarifying that the Labor Condition Application must support and properly correspond with the H-1B petition; and requiring that the petitioner have a legal presence in the United States and be subject to legal process in U.S. courts.

In order to implement this rule, a new edition of Form I-129, Petition for a Nonimmigrant Worker will be required for all petitions beginning Jan. 17, 2025, which is the rule’s effective date. Because there cannot be a grace period for accepting prior form editions, USCIS will soon publish a preview version of the new Form I-129 edition on uscis.gov.

Today’s rule builds on a previous final rule, announced in January 2024, which has already dramatically improved the H-1B registration and selection process.

DHS Helps Companies Fill More Jobs, Strengthens Worker Protections in the H-2 Programs with Final Rule

Source: US Department of Homeland Security

Final Rule strengthens worker protections and program integrity, increases flexibility for workers, and improves program efficiency

WASHINGTON – The Department of Homeland Security (DHS) announced a final rule that will allow U.S. companies that need seasonal workers to more quickly and efficiently fill those jobs. The rule will modernize and improve the H-2 nonimmigrant visa programs, which allow qualified U.S. employers who are unable to hire qualified U.S. workers to petition for foreign nationals to fill temporary or seasonal agricultural and nonagricultural jobs. The final rule significantly strengthens worker protections by, among other things, imposing new consequences on companies that charge prohibited fees or violate our labor laws, and provides greater flexibility for H-2A and H-2B workers.

“The H-2 programs strengthen our nation’s economy by supporting the seasonal labor needs of employers that rely on temporary workers,” said Secretary of Homeland Security Alejandro N. Mayorkas. “By modernizing and improving this program, we increase protections for our nation’s workers, help maintain economic growth, and better meet the labor demands of American businesses.”

“Our H-2 programs are very important to the U.S. economy. Many employers across the country need additional labor on a temporary or seasonal basis, whether it’s on our farms or in other industries,” said USCIS Director Ur M. Jaddou. “This final rule makes us more efficient in helping U.S. employers fill their temporary or seasonal positions, while also making sure we’re protecting both U.S. workers and the noncitizen workers who help fuel our economy.”

The rule’s provisions span three areas:

Improving Program Efficiency

This final rule removes the requirement that USCIS may generally only approve petitions for H-2 nonimmigrant status for nationals of countries designated as eligible to participate in the H-2 programs, eliminating the need for DHS to compile and publish annual lists of designated countries.

It also simplifies the rules regarding the effect of a departure from the United States on the 3-year maximum period of stay for workers participating in the H-2 programs, by eliminating the “interrupted” stay provisions and instead providing a uniform period of absence from the United States (at least 60 days) to reset the 3-year clock.

Strengthening Worker Protections and Increasing Program Integrity

This final rule revises and clarifies provisions regarding prohibited fees by strengthening the existing bar on charging certain fees to H-2A and H-2B workers, including by imposing new consequences for companies that charge these fees and denying their H-2 petitions in certain circumstances.

The final rule also institutes certain mandatory and discretionary grounds for denying an H-2A or H-2B petition filed by a petitioner who, among other things, has been found to have committed certain labor or other legal violations or misused the H-2 programs.

Under the rule, H-2A and H-2B workers will now have whistleblower protections comparable to the protections that are currently offered to H-1B workers.

The final rule clarifies requirements for petitioners and employers to consent to, and fully comply with, USCIS compliance reviews and inspections. It also clarifies USCIS’ authority to deny or revoke the approval of a petition if USCIS is unable to verify information related to the petition, including where such inability is due to lack of cooperation from a petitioner or an employer during a site visit or other compliance review.

Enhancing Worker Flexibility

The final rule harmonizes and adds new grace periods. Specifically, it:

  • Adds a new grace period for up to 60 days following a cessation of employment, during which an H-2 worker may seek new qualifying employment or prepare for departure from the United States without violating their H-2 status or accruing unlawful presence.
  • Extends the existing 30-day grace period following certain revocations to a period of up to 60 days and expands the provision to cover all revocations of H-2 petition approvals.
  • Affirms that H-2A and H-2B workers are considered to be maintaining their H-2 status for a period of up to 10 days before the petition’s validity period and up to 30 days following the expiration of that period.

The final rule allows for “portability,” meaning that eligible H-2 nonimmigrants can immediately begin to work with a new employer as soon as the employer properly files an extension of stay petition, rather than requiring them to wait until the petition is approved.

The final rule clarifies that H-2 workers will not be considered to have failed to maintain their H-2 status and will not be denied H-2 classification on the sole basis of having taken certain steps toward becoming lawful permanent residents of the United States.

In order to implement this rule, a new edition of Form I-129, Petition for a Nonimmigrant Worker will be required for all petitions beginning Jan. 17, 2025, which is the rule’s effective date.

DHS, FBI, FAA & DoD Joint Statement on Ongoing Response to Reported Drone Sightings

Source: US Department of Homeland Security

There are more than one million drones lawfully registered with the FAA in the United States and there are thousands of commercial, hobbyist and law enforcement drones lawfully in the sky on any given day. With the technology landscape evolving, we expect that number to increase over time.

The FBI has received tips of more than 5,000 reported drone sightings in the last few weeks, with approximately 100 leads generated, and the federal government is supporting state and local officials in investigating these reports. Consistent with each of our unique missions and authorities, we are quickly working to prioritize and follow these leads. We have sent advanced detection technology to the region, and we have sent trained visual observers.

Having closely examined the technical data and tips from concerned citizens, we assess that the sightings to date include a combination of lawful commercial drones, hobbyist drones, and law enforcement drones, as well as manned fixed-wing aircraft, helicopters, and stars mistakenly reported as drones. We have not identified anything anomalous and do not assess the activity to date to present a national security or public safety risk over the civilian airspace in New Jersey or other states in the northeast.

That said, we recognize the concern among many communities. We continue to support state and local authorities with advanced detection technology and support of law enforcement. We urge Congress to enact counter-UAS legislation when it reconvenes that would extend and expand existing counter-drone authorities to identify and mitigate any threat that may emerge.

Additionally, there have been a limited number of visual sightings of drones over military facilities in New Jersey and elsewhere, including within restricted air space. Such sightings near or over DoD installations are not new. DoD takes unauthorized access over its airspace seriously and coordinates closely with federal, state, and local law enforcement authorities, as appropriate. Local commanders are actively engaged to ensure there are appropriate detection and mitigation measures in place.

DHS Statement on Safety and Enforcement During the Franklin Fire in Malibu Canyon, CA

Source: US Department of Homeland Security

During emergency events, the Department of Homeland Security (DHS) works with its federal, state, local, and non-governmental partners to support the needs of the people in the areas that may be impacted.

In such circumstances, U.S. Immigration and Customs Enforcement (ICE) and U.S. Customs and Border Protection (CBP) remind the public that sites that provide emergency response and relief are considered protected areas. To the fullest extent possible, ICE and CBP do not conduct immigration enforcement activities at protected areas such as along evacuation routes, sites used for sheltering or the distribution of emergency supplies, food or water, or registration sites for disaster-related assistance or the reunification of families and loved ones.

At the request of FEMA or local and state authorities, ICE and CBP may help conduct search and rescue, air traffic de-confliction and public safety missions. ICE and CBP provide emergency assistance to individuals regardless of their immigration status. DHS officials do not and will not pose as individuals providing emergency-related information as part of any enforcement activities.

DHS is committed to ensuring that every individual who seeks shelter, aid, or other assistance as a result of a natural disaster or emergency event is able to do so regardless of their immigration status.

DHS carries out its mission without discrimination on the basis of race, religion, gender, sexual orientation or gender identity, ethnicity, disability or political associations, and in compliance with law and policy.

For information about filing a complaint with the DHS Office for Civil Rights and Civil Liberties about these matters, please visit our Make a Civil Rights Complaint page.

CISA Directs Federal Agencies to Secure Cloud Environments

Source: US Department of Homeland Security

Actions direct agencies to deploy specific security configurations to reduce cyber risk

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) today issued Binding Operational Directive (BOD) 25-01, Implementing Secure Practices for Cloud Services to safeguard federal information and information systems. This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud environments to CISA’s Secure Cloud Business Applications (SCuBA) secure configuration baselines.

Recent cybersecurity incidents highlight the significant risks posed by misconfigurations and weak security controls, which attackers can use to gain unauthorized access, exfiltrate data, or disrupt services. As part of CISA’s and the broader U.S. government’s effort to move the federal civilian enterprise to a more defensible posture, this Directive will further reduce the attack surface of federal government networks.

“Malicious threat actors are increasingly targeting cloud environments and evolving their tactics to gain initial cloud access. The actions required by agencies in this Directive are an important step in reducing risk to the federal civilian enterprise,” said CISA Director Jen Easterly. “While this Directive only applies to federal civilian agencies, the threat to cloud environments extends to every sector. We urge all organizations to adopt this guidance. When it comes to reducing cyber risk and ensuring resilience, we all have a role to play.”

As federal civilian agencies implement this mandate, CISA will monitor and support agency adherence and provide additional resources as required. CISA is committed to using its cybersecurity authorities to gain greater visibility and drive timely risk reduction across federal civilian agencies.

The new Directive can be found at Binding Operational Directive (BOD) 25-01. To learn more about CISA Directives, visit the Cybersecurity Directives webpage.


CISA and ONCD Publish Guide to Strengthen Cybersecurity of Grant-Funded Infrastructure Projects

Source: US Department of Homeland Security

Provides federal grant programs with tools and resources to support grant recipients with incorporating cybersecurity into their projects

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the National Cyber Director (ONCD) published a guide today with tools and resources to enable grant-making agencies to incorporate cybersecurity into their grant programs and to enable grant recipients to build cyber resilience into their grant-funded infrastructure projects. This guide is for federal grant program managers; critical infrastructure owners and operators; organizations such as state, local, tribal, and territorial governments that subaward grant program funds; and grant program recipients.

Given the importance of securing the Nation’s critical infrastructure, the Government has made a historic investment through the passage of the Infrastructure Investment and Jobs Act (IIJA), Inflation Reduction Act (IRA), and Creating Helpful Incentives to Produce Semiconductors (CHIPS) and Science Act. The United States has a unique opportunity and national security imperative to build cyber resilience into this next generation of American infrastructure.

This guide, Playbook for Strengthening Cybersecurity in Federal Grant Programs for Critical Infrastructure, helps all grant-making agencies to incorporate cybersecurity requirements into their respective grant programs. It provides tools and resources the grant program can direct applicants towards to support their ability to meet the requirements. Specifically, this guidance contains:

  • Recommended actions to incorporate cybersecurity into grant programs throughout the grant management lifecycle.
  • Model language for grant program managers and sub-awarding organizations to incorporate into Notices of Funding Opportunity (NOFOs) and Terms & Conditions.
  • Templates for recipients to leverage when developing a Cyber Risk Assessment and Project Cybersecurity Plan.
  • Comprehensive list of cybersecurity resources available to support grant recipient project execution.

“We are excited to provide this guidance to grant-making organizations, along with our teammates at the Office of the National Cyber Director,” said Jen Easterly, CISA Director. “As organizations seek to take advantage of historic infrastructure grants, it’s critical to ensure the security and resilience of this next generation of American infrastructure in every community across our nation.”

“ONCD, along with our partners at CISA, continues to advocate for cybersecurity to be incorporated into the foundation and design of the Nation’s critical infrastructure,” said Harry Coker Jr., White House National Cyber Director. “As we make investments in rebuilding and updating our infrastructure through funding such as made available from the Investing in America agenda, we have the opportunity and obligation to build in cybersecurity by design. We need infrastructure projects to be shovel ready and cyber ready. That’s why we’re proud that the guidance released today will serve as a helpful resource to help our partners and recipients build cybersecurity into infrastructure projects from the beginning.”

CISA and ONCD developed this playbook to be a minimal burden on the federal grant awarding process. The recommended guidance and actions are flexible for the recipient while providing a mechanism to support inclusion of baseline cybersecurity best practices.

Federal grant program managers administering grants, the state governments or others sub-awarding grant program funds, and critical infrastructure owners and operators applying for federal grants are encouraged to review and incorporate this guidance.

The playbook can be found here on CISA.gov.


2024 Year in Review Highlights CISA’s Achievements in Reducing Risk and Building Resilience in Cybersecurity and Critical Infrastructure Security

Source: US Department of Homeland Security

A year of growth and transition as America’s Cyber Defense Agency and National Coordinator for Critical Infrastructure Security and Resilience 

WASHINGTON – Today, the Cybersecurity and Infrastructure Security Agency (CISA) released its 2024 Year in Review, which reflects accomplishments across the agency’s broad cybersecurity, infrastructure security and emergency communications missions.  

“I’m proud of what we’ve accomplished this year,” said CISA Director Jen Easterly. “The risk environment continues to change, and CISA continues to grow and rise to the occasion. It’s been a great honor to lead CISA the past three and a half years. I’d like to thank our incredible staff as well as our government, private sector, and international partners for helping us build resilience, reduce risk, and make our country more secure.”  

Throughout the year, CISA focused on leading the national effort to reduce risk to the cyber and physical infrastructure Americans rely on every day and working collaboratively to win and maintain the trust of the agency’s many partners across industry, state and local officials, and the election stakeholder community.   

Just a few of CISA’s efforts over the year include:  

  • Protecting Election Infrastructure against Security Risks. This year, thanks to the tireless efforts of the nation’s state and local election officials, our elections were secure and resilient. Since election infrastructure was designated a critical infrastructure subsector in 2017, CISA has worked extensively with election officials, election technology and service providers, and federal partners across the nation to offer threat briefings and voluntary risk mitigation guidance that supports the election infrastructure community’s efforts to manage risks to its systems and infrastructure. This continued work across all levels of government has strengthened election security and resilience and the election community’s ability to deliver safe, secure, free, and fair elections for the American people and a peaceful transfer of power.
  • Mitigating Nation-State Threats. Advanced Persistent Threat (APT) actors—particularly those backed by the governments of China, Russia, North Korea, and Iran—are well-resourced and engage in sophisticated malicious cyber activity that is targeted and aimed at prolonged network and system intrusion. Over the past year, CISA continued to focus on detecting, preventing and mitigating these threats; advanced scalable vulnerability reduction for government and critical infrastructure; and increased awareness, preparedness, and resilience focused on threats and tactics. 
  • Raising Awareness of Secure by Design Principles. This year, CISA made meaningful progress to ensure safer and more secure technology products for everyone. This included updating foundational guidance and expanding international partnership on this issue. In May, CISA announced that leading technology companies committed to our Secure by Design Pledge, prioritizing security in their products from the outset. This initiative marks a significant milestone as companies take public responsibility for their customers’ security, and aim to prevent exploitable defects in the design process. To date, more than 250 companies have signed on to the pledge, including some of the largest tech giants in the world. 
  • Working to Harness AI’s Potential, Manage its Risks. In our role as the nation’s cyber defense agency and the National Coordinator for security and resilience for critical infrastructure, CISA is managing the opportunities and risks that AI introduces at the nexus of cybersecurity and critical infrastructure. Since releasing CISA’s Roadmap for AI in late 2023, we have hit several major milestones, including completing our first set of annual AI risk assessments for critical infrastructure sectors in January.  In August, CISA established the role of Chief AI Officer, institutionalizing our efforts to use AI for cybersecurity and help ensure critical infrastructure partners design, develop, and adopt AI in ways that are safe and secure.  CISA joined interagency partners to serve as a founding member of the Testing Risks of AI for National Security (TRAINS) taskforce, focused on testing advanced AI models across national security domains.   

 The 2024 Year in Review is in an easy-to-use, interactive web-based format that invites readers to learn about the agency’s work over the past year and dive deeper into each topic through links and videos.   

Read the full report at 2024 Year in Review | CISA  


CISA Publishes Draft National Cyber Incident Response Plan for Public Comment

Source: US Department of Homeland Security

Provides updated framework that addresses significant changes in policy and cyber operations

WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) published the draft National Cyber Incident Response Plan (NCIRP) Update today for public comment in the Federal Register. Developed through the Joint Cyber Defense Collaborative (JCDC) and in close coordination with the Office of the National Cyber Director (ONCD), this update addresses significant changes in policy and cyber operations since the NCIRP was released in 2016.

The NCIRP is the nation’s strategic framework for coordinated response to cyber incidents along four lines of effort: Asset Response, Threat Response, Intelligence Support, and Affected Entity Response. It includes coordination mechanisms, key decision points, and priority activities across the cyber incident response lifecycle. The NCIRP also identifies structures that response stakeholders should leverage to coordinate cyber incidents requiring cross-sector, public-private, or federal coordination; however, it is not meant to be a step-by-step instruction manual.

CISA collaborated extensively with government and industry partners to provide an agile, actionable updated framework that ensures coherent coordination to match the pace of our adversaries.  Key updates in this draft include:

  • A defined path for non-federal stakeholders to participate in coordination of cyber incident response;
  • Improved usability by streamlining content and aligning to an operational lifecycle;
  • Relevant legal and policy changes impacting agency roles and responsibilities; and
  • A predictable cycle for future updates of the NCIRP.

“Today’s increasingly complex threat environment demands that we have a seamless, agile, and effective incident response framework,” said CISA Director Jen Easterly. “This draft NCIRP Update leverages the lessons learned over the past several years to achieve a deeper unity of effort between the government and the private sector. We encourage public comment and feedback to help us ensure its maximum effectiveness.” 

The draft is at National Cyber Incident Response Plan Update and public comments can be posted on the Federal Register, CISA-2024-0037.

For more information, read our blog and visit National Cyber Incident Response Plan webpage.
