Distilling this week’s 19,642 alerts into the 10 alerts that you care about
Mary Kopczynski, CEO of RegAlytics, breaks down this week’s hot regulatory topics, exclusively for Exiger.
- Regulator of the Week: CISA
- Topic of the Week: CHIPS
- CRS: Semiconductors and AI
- Commerce, NIST, CHIPS: Final Rule
- Partnership for Atlantic Cooperation
- U.S.-Pacific Partnership
- Other Interesting Alerts
My congratulations to the Exiger teams who launched 1Exiger, where they’ve brought the power of all their AI supply chain capability into one incredible user-friendly experience. And, in there, is a handy RegAlytics feed ready for your viewing.
Regulator of the Week: CISA
The (non) regulator of the week is CISA, the U.S. Cybersecurity and Infrastructure Security Agency, the division of Homeland Security that coordinates the U.S. response to cyber threats. Three big alerts. Well, two big ones and one fun one. Because for me, new government action is fun.
CISA: Hardware Bill of Materials Framework
Number one, CISA released the new Hardware Bill of Materials Framework (HBOM) for supply chain risk management, which it developed as part of the public-private ICT Supply Chain Risk Management Task Force. What is an HBOM? Similar to an SBOM, a software bill of materials, a hardware bill of materials is kind of like a list of ingredients – but in this case it is the ingredients that go into your hardware.
Decades ago, when it came to security products for the government, typically a company produced every single part, so it knew exactly what risks were in its products. Today, however, most products are built with hardware from third parties and vendors from all over the world, delivered via global supply chains, so it is becoming an emerging risk practice to maintain a Hardware Bill of Materials alongside your Software Bill of Materials. The framework CISA put together with the Task Force provides a consistent naming methodology for the attributes of components, a format for identifying and providing information about the different types of components, and guidance on what hardware information is appropriate depending on the purpose for which the hardware will be used.
CISA Releases Hardware Bill of Materials Framework (HBOM) for Supply Chain Risk Management (SCRM)
CISA: Memory Safety
Additionally this week, CISA put out an URGENT alert on the need for Memory Safety in software products. For over half a century, software engineers have known about “memory safety vulnerabilities,” and in fact Microsoft reported that, year after year, approximately 70% of the vulnerabilities continue to be memory safety issues. Google likewise reported that 70% of its serious security bugs are memory safety problems. This is a problem, and CISA suggests leveraging the three core principles of its “secure by design” whitepaper to reduce memory unsafety: 1. take ownership of customer security outcomes; 2. embrace radical transparency; and 3. lead security transformations from the top of the organization. So CTOs, I hope you have this on your radar.
The Urgent Need for Memory Safety in Software Products
CISA: Super Bowl Safety
And finally, there’s the fun one. CISA along with the NFL, Allegiant Stadium, and Super Bowl LVIII partners held a tabletop exercise this week to explore, assess, and enhance cybersecurity response ahead of the Super Bowl. Sports events, after all, are high-profile and have been known to be high-value targets for nefarious cyber actors.
CISA, NFL, and Local Partners Conduct Cybersecurity Exercise in Preparation for Super Bowl LVIII
Topic of the Week: CHIPS
The Topic of the Week is CHIPS. No, not the crunchy, delightful, salty snack of your dreams. I’m of course talking about the Creating Helpful Incentives to Produce Semiconductors (CHIPS, get it?) and Science Act, enacted by Congress last summer, which provides roughly $280 billion in new funding for the manufacturing of semiconductors in the United States.
FL, MA: CHIPS Funding
For example, in what is now a weekly development, two more states this week, Florida and Massachusetts, announced CHIPS funding. $50M in Florida: $25M to the Florida Job Growth Program and $25M to workforce development programs in semiconductors. Close to $20M in Massachusetts, which will be spent on establishing the Northeast Microelectronics Coalition Hub, which has the express purpose of advancing the microelectronic needs of the Department of Defense, and the state of Massachusetts itself will match that with its own $40M.
That’s a lot of money, and a lot needs to be done to ensure there is no abuse of funds. That’s one of Exiger’s specialties – supplier due diligence.
CRS: Semiconductors and AI
Then we get to this week’s Congressional Research Service bulletin on Semiconductors and Artificial Intelligence. The CRS is one of the main sources of information that Congress uses to provide context to Senators and House Members on upcoming bills. I use CRS bulletins to get a sense of what’s top of mind in Congress. And wow. It’s rare that I say this, but I feel like this tiny two-page document is a must-read for all Americans and pretty much all human beings to understand what is happening in the race for artificial intelligence power and how semiconductors are a critical component of that power.
Semiconductors and Artificial Intelligence
Commerce, NIST, CHIPS: Final Rule
Finally, the big CHIPS alert of the week comes from a joint federal alert from NIST, the National Institute of Standards and Technology, the CHIPS Program Office and the Department of Commerce, which finalized the rule implementing the national security guardrails for CHIPS. The rule elaborates on two core rules about CHIPS: no foreign manufacturing, and no joint technology or research with foreign entities of concern. And that applies for 10 years AFTER the company receives the funding. Final rule. So they addressed the industry’s concerns, answered questions, clarified different definitions and confirmed there will be notification requirements for recipients, who have to tell the government in advance if they are going to do something covered by the rule, and there will be clawbacks in the event that the funds are not used correctly.
Partnership for Atlantic Cooperation
What else do you need to know this week? Well, with the UN meetings going on in NYC, there was lots of collaboration all over the world. The U.S. was particularly focused on ocean safety, with its participation in the Partnership for Atlantic Cooperation, which was signed by 32 countries with the purpose of protecting this very important global resource.
U.S.-Pacific Partnership
And it didn’t stop there. The White House formally reaffirmed the U.S.-Pacific Partnership, including a formal acknowledgement of the sovereignty of the Cook Islands and the Island of Niue, which are traditionally a part of New Zealand with their own governing structures, but now the US is going to treat them independently and set up direct diplomatic relations.
And that’s it this week for Exiger’s Regulatory Roundup. Join me every week no matter where I am for your dose of regulatory news.