COMPLIANCE

Simple Solutions for New Regulatory Challenges


This has created a security gap as most organizations lack in-house expertise in these critical areas, and their existing cybersecurity tools don’t meet the detailed regulatory requirements for their industry.

Eclypsium is purpose-built to solve these problems, providing organizations with a simple, highly automated platform for ensuring the security of their technology supply chains and the integrity of their devices and underlying firmware.


NIST Guidance on Supply Chain Security and Firmware Integrity

Many industry cybersecurity regulatory standards adopt supply chain security and firmware integrity guidance from NIST, such as the FBI Criminal Justice Information System (CJIS) requirements and Centers for Medicaid and Medicare Services Acceptable Risk Safeguards (ARS).

  • High-level Security Goals: Executive Order 14028, Improving the Nation’s Cybersecurity
  • Technical Controls to Implement Those Goals: NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations
  • Detailed Guidance on Key Topics, Supply Chain: NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices
  • Detailed Guidance on Key Topics, Integrity: NIST SP 1800-34, Validating the Integrity of Computing Devices
  • Detailed Guidance on Key Topics, Firmware: NIST SP 800-193, Platform Firmware Resiliency Guidelines

High-Level Direction

At the highest level, Executive Order 14028, Improving the Nation’s Cybersecurity, defined a variety of security priorities and gave NIST and other agencies mandates to deliver on those priorities. The Executive Order put a focus on the importance of supply chain security, firmware, and device integrity. You can read more on this topic here (PDF).

Security Controls to Execute the Vision

At the technical level, NIST SP 800-53 defines the actual security controls that should be used to protect systems and assets. While EO 14028 provides the direction, SP 800-53 defines how to do it. SP 800-53 is an incredibly influential document and is the parent document on which many industry-specific regulations are based. Once again, supply chain, integrity, and firmware are key points in the latest revision of SP 800-53. These topics are addressed across many controls and control families, with notable examples including SI-7 Software, Firmware, and Information Integrity and an entirely new control family (SR) dedicated to Supply Chain Risk Management. Learn more in our blog post.

Detailed Technical Guidance

Security practice is more than just a set of technical controls, so in addition to SP 800-53, NIST also produced detailed guidance on key topics. Not surprisingly, supply chain, integrity, and firmware all received their own special publications. These special publications are listed below along with more information on how organizations can use Eclypsium to implement each of them.

Industry and Agency Regulations

Federal agencies and regulatory bodies have used these sources to craft detailed policies and requirements that are tuned to their unique needs and risk profiles. Often, regulations begin at a federal agency and then spread to state and local governments as well as the private sector. This is because several regulations focus on the protection of federal data that is shared with non-federal organizations. For example, CJIS regulations define how the FBI’s data must be protected when used by outside agencies. Here are a few key examples:

Defense Industrial Base

NIST SP 800-171 sets detailed requirements for how non-federal organizations must protect Controlled Unclassified Information (CUI). The Defense Industrial Base (DIB) includes all organizations that contract with the DoD as well as manufacturers that supply products and services to federal agencies. So broadly speaking, SP 800-171 applies to the extended DoD supply chain.

SP 800-171 largely follows the controls defined in SP 800-53 described earlier. As such, supply chain security, system integrity, and firmware are all heavily represented. This includes specific requirements in the areas of Access Control, Configuration Management, Incident Response, Maintenance, Risk Assessment, Security Assessment, System and Communication Protection, and System and Information Integrity.

Eclypsium provides an automated and vendor-agnostic approach to meeting these many requirements. The platform provides scanning and assessment of assets and components to proactively validate their integrity, find and remediate vulnerabilities, and detect and respond to implants and threats.

  • Read our white paper to learn more about how Eclypsium can help address NIST SP 800-171 requirements.

Law Enforcement

The FBI’s Criminal Justice Information Services division (CJIS) shares critical data such as fingerprints and criminal histories with a wide range of state and local law enforcement agencies. The CJIS Security Policy defines auditable cybersecurity requirements for how those agencies must protect the FBI’s information.

The CJIS Security Policy relies heavily on security controls defined in NIST’s SP 800-53. As such, device and firmware integrity have become hard requirements for the latest round of CJIS audits.

Eclypsium provides a simple way for law enforcement agencies to meet these new firmware and integrity requirements without the need for specialized skills or time-consuming analysis. Scans can quickly verify the integrity of critical code and assets and provide guidance to remediate any problems that are found.

  • Read our blog for more information on how Eclypsium can help address CJIS Security Policy Requirements.
  • Read our case study to learn more about how Eclypsium helped Florida Law Enforcement agencies achieve CJIS compliance.
  • Download a sample PDF report of an Eclypsium CJIS Security Policy Assessment.

Healthcare and Insurance

CMS Acceptable Risk Safeguards (ARS) define how Medicare and Medicaid data must be protected both within the CMS and also when shared with outside organizations such as healthcare and insurance providers.

The technical requirements are based on NIST’s SP 800-53 security controls and other federal regulations such as FedRAMP. The CMS ARS puts a strong focus on firmware and supply chain security. This includes requirements tied to SI-07 – Software, Firmware, and Information Integrity as well as SR – Supply Chain Risk Management.

Once again, Eclypsium provides the key to easily address these new requirements. Automated scans can verify the integrity of all critical code and components within a wide range of asset types. These scans can also validate the authenticity of newly acquired assets and verify that they meet all specifications defined by vendor software bills of materials (SBOMs). Read here for more information on how Eclypsium can help address CMS Security Policy Requirements.

  • Read our blog for more information on how Eclypsium can help address CMS ARS Requirements.

Financial Services

As the most heavily regulated industry in the private sector, financial services organizations are unsurprisingly facing increased pressure to improve firmware and supply chain security. Often these changes are the result of updates to the security frameworks that are already in use. For example, NIST’s Cybersecurity Framework (CSF) is one of the most heavily used security frameworks in financial services. The CSF in turn directly references SP 800-53 and its focus on firmware and supply chain security described above.

Additionally, industry-specific best practices such as the FFIEC IT Examination Handbook have been updated with an increased focus on supply chain and firmware security. Section II.C.14 is dedicated to safeguarding against risks and attacks in the technology supply chain including:

  • Only making purchases through reputable sellers who demonstrate an ability to control their own supply chains.
  • Purchasing hardware and software through third parties to shield the institution’s identity.
  • Reviewing hardware for anomalies.
  • Using automated software testing and code reviews for software.
  • Regularly reviewing the reliability of software and hardware items purchased through activity monitoring and evaluations by user groups.

Likewise, the document calls out the need to closely monitor firmware and low-level code, particularly in the context of vulnerability and configuration management.

Naturally, financial services firms can be subject to a wide range of additional regulatory standards (e.g., PCI DSS, GLBA, DORA), and audits can vary based on the individual standard and auditor preferences. Eclypsium can provide a consistent way to both secure and document assets at their most fundamental levels.

  • Read our case study to learn more about how First Financial achieved FFIEC compliance by securing their firmware.

IT Equipment Manufacturing

The U.S. Office of Management and Budget (OMB) has established enhanced requirements to ensure technology providers are following NIST’s Secure Software Development Framework (SSDF) guidelines. This supply chain security attestation requires technology vendors to be accountable for the security of their whole product—even open source and third-party components that they did not build themselves. The burden falls on the “producer of the end product,” meaning the vendor or manufacturer that packages the components together, not the upstream suppliers or the downstream resellers.

And like other industry requirements, the government makes clear that these requirements extend to firmware by specifically defining ‘software’ as “…firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.”

Eclypsium vastly simplifies the security attestation process by providing verification and assurance for the software, firmware, and hardware components within IT infrastructure.

  • Read our blog for more information on how Eclypsium can help address attestation requirements established by EO 14028 and associated SSDF practices and tasks.

Utilities

Bulk Electric System

The North American Electric Reliability Corporation (NERC) has developed a set of security standards known as Critical Infrastructure Protection or CIP. The CIP defines a detailed baseline of security requirements that apply to all North American utilities that are part of the Bulk Electric System (BES).

The CIP consists of a family of cybersecurity standards focused on key security topics such as asset identification, system security, incident response, and supply chain security. The CIP standards are closely related to NIST’s Cybersecurity Framework (CSF), and NERC has published a detailed mapping (XLS) between CIP standards and the controls defined by NIST’s CSF and SP 800-53. Organizations that do not meet these standards are subject to fines levied by the U.S. Federal Energy Regulatory Commission (FERC).

Additionally, the North American Transmission Forum (NATF) developed CIP-010-3 R1 Part 1.6, specifically targeting “Software Integrity & Authenticity”. The requirement notably defines the issue in the context of supply chain risk management, requiring organizations to develop “security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations”. Specifically, Part 1.6 requires organizations to:

  • Verify software authenticity to ensure that the software being installed in the BES Cyber System is from a legitimate source.
  • Verify software integrity to ensure that the software being installed in the BES Cyber System has not been modified from its original obtained source.

Eclypsium provides an automated method to verify software authenticity and integrity as defined by CIP-010-3 R1 Part 1.6. The platform maintains an up-to-date library of valid industry firmware and software and performs cryptographic checks to ensure that the firmware has not been altered or tampered with. The platform can provide ongoing monitoring to identify any unexpected changes after the code or asset has been deployed. Eclypsium likewise can automatically identify vulnerabilities in critical code including code that is not properly signed by the vendor.
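The two checks that CIP-010-3 R1 Part 1.6 asks for, authenticity (the software comes from a legitimate source) and integrity (it has not been modified since it was obtained), are separable, and a practitioner needs both: a correct hash proves nothing if the list of hashes itself came from an attacker. The following Python is an added illustration written for this page; it is not Eclypsium’s product code or any NERC or NATF tooling. It assumes a vendor-published manifest of component hashes that the vendor signs, and it uses an HMAC-SHA256 tag with a constructed shared key as a stand-in for the vendor’s public-key signature (a real deployment would verify an X.509 or PGP signature instead). The firmware images, component name and vendor key are all constructed sample values.

```python
"""Verifying firmware authenticity and integrity before installation.

Illustrative code for this page, not a vendor's or regulator's implementation.
Authenticity: the manifest listing approved images carries a valid vendor tag.
Integrity:    the candidate image hashes to the value in that signed manifest.
"""
import hashlib
import hmac
import json

# Constructed sample: shared key standing in for the vendor's signing key.
VENDOR_SIGNING_KEY = b"example-vendor-key-not-real"

# Constructed sample images (real firmware is a multi-megabyte binary).
FIRMWARE_GOOD = b"RTU-FW v2.1.0 " + bytes(range(64))
FIRMWARE_TAMPERED = FIRMWARE_GOOD[:-1] + b"\xff"   # single byte modified


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Vendor side: tag the canonical JSON form so field order cannot matter."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_firmware(image: bytes, component: str, manifest: dict,
                    signature: str, key: bytes) -> tuple:
    """Operator side: return (ok, reason) for a candidate image.

    Order matters: the manifest is authenticated first, so a forged manifest
    with a "matching" hash for a tampered image is rejected before any hash
    comparison is trusted.
    """
    # 1. Authenticity: manifest must carry a valid vendor tag.
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, signature):
        return False, "manifest signature invalid: untrusted source"
    # 2. The component being flashed must be listed in the signed manifest.
    entry = manifest.get("components", {}).get(component)
    if entry is None:
        return False, f"component {component!r} not in signed manifest"
    # 3. Integrity: image hash must equal the published hash.
    actual = sha256_hex(image)
    if not hmac.compare_digest(actual, entry["sha256"]):
        return False, (f"hash mismatch: image modified "
                       f"(expected {entry['sha256'][:12]}..., got {actual[:12]}...)")
    return True, f"{component} {entry['version']} verified"


def build_vendor_manifest() -> tuple:
    """Constructed vendor manifest for the sample image, plus its tag."""
    manifest = {
        "vendor": "ExampleVendor",
        "components": {
            "rtu-main": {"version": "2.1.0", "sha256": sha256_hex(FIRMWARE_GOOD)},
        },
    }
    return manifest, sign_manifest(manifest, VENDOR_SIGNING_KEY)


def forged_manifest(manifest: dict, component: str, image: bytes) -> dict:
    """Model a manifest rewritten to 'approve' a modified image (no valid tag)."""
    forged = json.loads(json.dumps(manifest))          # deep copy
    forged["components"][component]["sha256"] = sha256_hex(image)
    return forged


if __name__ == "__main__":
    manifest, sig = build_vendor_manifest()
    print("good     ", verify_firmware(FIRMWARE_GOOD, "rtu-main", manifest, sig, VENDOR_SIGNING_KEY))
    print("tampered ", verify_firmware(FIRMWARE_TAMPERED, "rtu-main", manifest, sig, VENDOR_SIGNING_KEY))
    forged = forged_manifest(manifest, "rtu-main", FIRMWARE_TAMPERED)
    print("forged   ", verify_firmware(FIRMWARE_TAMPERED, "rtu-main", forged, sig, VENDOR_SIGNING_KEY))
```

The same pattern is what ongoing integrity monitoring reduces to after deployment: re-hash the installed image on a schedule and compare against the signed baseline, treating any mismatch as an incident rather than a warning. `hmac.compare_digest` is used for both comparisons so that a hash or tag check cannot be probed byte by byte through timing.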

Water Systems

In May of 2024, the U.S. Environmental Protection Agency (EPA) announced it was stepping up enforcement of the cybersecurity requirements spelled out in the Safe Drinking Water Act (SDWA) and the America’s Water Infrastructure Act (AWIA). These laws require community water services to perform regular Risk and Resilience Assessments (RRAs) of their infrastructure and develop appropriate response plans.

AWIA Section 2013 states that any water system serving more than 3,300 people must perform an initial Risk and Resilience Assessment, which “must include ‘electronic, computer, or other automated systems (including the security of such systems),’ otherwise known as cybersecurity.” Next, organizations must develop a written Emergency Response Plan (ERP) that addresses both the physical security and cybersecurity of systems and defines a clear strategy for mitigating risks, detecting threats, and responding to incidents.

To provide further guidance, the EPA has published the Water Cybersecurity Assessment Tool and Risk Mitigation Template (XLSX). This document also includes cross-references with NIST standards and the NIST Cybersecurity Framework (CSF) meant to help water and wastewater utilities with AWIA §2013 compliance.

Eclypsium can directly help water systems meet and document their EPA requirements with simple, automated scans. This includes addressing the following key requirements:

  • Firmware integrity monitoring of IT and OT systems
  • Vulnerability detection and mitigation of IT, OT, and IoT assets including assessment of integrated code and firmware.
  • Device security including maintaining inventory of physical assets and their components and configurations.
  • Supply chain security measures to assess the cybersecurity of prospective vendors and services before procurement.

Retail

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that accepts, stores, or processes cardholder data. Version 4.0 of the standard spells out a variety of security controls that apply to customer data as well as the systems and components that handle customer data.

Requirement 5 of PCI DSS focuses on protection from malware, and specifically notes that this includes any “software or firmware designed to infiltrate or damage a computer system without the owner’s knowledge or consent…” Firmware threats such as rootkits/bootkits, implants, and backdoors certainly apply and provide attackers with stealthy ways to steal or alter cardholder data or to disrupt or damage the availability of payment services.

Requirement 2 likewise requires organizations to maintain secure configurations and to address vulnerabilities in “all system components.” The supplemental document, Best Practices for Maintaining PCI DSS Compliance, calls out the need to track the “percentage of all software (including firmware) identified in the inventory that is regularly evaluated for vulnerabilities and associated risk using a consistent risk ranking (e.g., CVSS) based on vendor and industry notification.” The standard also calls out the need to audit assets for default configurations that could put assets at risk. This can include a wide range of low-level configurations, such as a device running firmware without proper write protections enabled, or using an out-of-date UEFI dbx (forbidden signature database) file that could allow attackers to compromise the boot process of the system.

Eclypsium’s platform gives organizations a way to apply these principles consistently across a wide range of devices that handle cardholder data. This could include devices within retail environments, the networking components both in store or in datacenters, as well as the servers and application infrastructure that process and store cardholder data. With automated scans, security teams can verify the integrity and posture of their assets and components far below the level of the operating system.

Other Regulated Industries

NIST publications such as SP 800-53 and the Cybersecurity Framework are used by organizations of all sizes and industries as a way to ensure a comprehensive approach to security. Likewise, many industry-specific regulations are heavily modeled on or reference these core NIST documents.

This means that heavily regulated industries will increasingly need to include supply chain security, asset integrity, and firmware security as part of their security practices. Eclypsium provides the simplest, most comprehensive way to address these emerging needs with a bare minimum of new effort.