Jurisdiction
United States
Region
North America
Requirement
Required *Coming Soon
Policy
Cybersecurity in the Marine Transportation System
Applies to
U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations
Provision
Sec. 101.650(e)(3)(ii)
Description

(3) Routine system maintenance. Each owner or operator or a designated CySO of a vessel, facility, or OCS facility must ensure the following measures for routine system maintenance are in place and documented in Section 6 of the Cybersecurity Plan: 

(i) Ensure patching or implementation of documented compensating controls for all KEVs in critical IT or OT systems, without delay; 

(ii) Maintain a method to receive and act on publicly submitted vulnerabilities; 

(iii) Maintain a method to share threat and vulnerability information with external stakeholders; 

(iv) Ensure there are no exploitable channels directly exposed to internet-accessible systems; 

(v) Ensure no OT is connected to the publicly accessible internet unless explicitly required for operation, and verify that, for any remotely accessible OT system, there is a documented justification; and 

(vi) Conduct vulnerability scans as specified in the Cybersecurity Plan.

Date
TBD
Organization
U.S. Coast Guard
View source
Jurisdiction
United States
Region
North America
Requirement
Required *Coming Soon
Policy
Federal Information Security Modernization Act (FISMA) 2023
Applies to
Federal agencies, excluding "national security systems"
Provision
Sec. 12(f)
Description
The head of each federal agency must develop and make publicly available a vulnerability disclosure policy for their agency - clearly defining a scope and directions for how to submit informaiton. The head of each agency should coordinate with the Director of CISA in creating the policy. Agencies should not puruse legal action against submitters that made a "good faith effort" to idenitify a vulnerability and report it. The legislation does not apply to national security systems. 
Date
TBD
Organization
Congress / CISA
View source
Jurisdiction
European Union
Region
Europe
Requirement
Required *Coming Soon
Policy
NIS 2 Directive (Directive (EU) 2022/2555)
Applies to
Important and essential entities (as defined, similar to critical infrastructure)
Provision
Article 21.2(e)
Description

2. The measures referred to in paragraph 1 shall be based on an all-hazards approach that aims to protect network and information systems and the physical environment of those systems from incidents, and shall include at least the following: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, such as backup management and disaster recovery, and crisis management; (d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers; (e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;

Date
October 17, 2024
Organization
European Parliament / Commission / Council
View source
Jurisdiction
European Union
Region
Europe
Requirement
Required *Coming Soon
Policy
NIS 2 Directive (Directive (EU) 2022/2555)
Applies to
EU Member States (and their designated CSIRT) and ENISA
Provision
Article 12(1)
Description

Requires Member States to designate a Computer Security Incident Response Teams (CSIRTs) as the coordinator for CVD. That CSIRT will act as a trusted intermediary between natural/legal persons reporting a vulnerability and the manufacturer of the ICT product or service. ENISA must also develop a European vulnerability database. This provision was adopted on October 17, 2024, and Member States are in the process of implementing these requirements. Full operational status is expected to be established progressively throughout 2025.

Date
October 17, 2024 (ongoing implementation)
Organization
European Parliament / Commission / Council
View source