December 2024 Issue
To see the latest CISA Cybersecurity Alerts and Advisories visit Cybersecurity Alerts & Advisories | CISA
Report a Cyber Incident
CISA provides secure means for constituents and partners to report incidents, phishing attempts, malware, and vulnerabilities.
Report a Cybersecurity Incident: Report anomalous cyber activity and/or cyber incidents 24/7 to SayCISA@cisa.dhs.gov or 1-844-Say-CISA.
Report incidents as defined by NIST Special Publication 800-61 Rev 2, to include
- Attempts to gain unauthorized access to a system or its data,
- Unwanted disruption or denial of service, or
- Abuse or misuse of a system or data in violation of policy.
Federal incident notification guidelines, including definitions and reporting timeframes, can be found here.
To report anomalous cyber activity and/or cyber incidents 24/7, email SayCISA@cisa.dhs.gov or call 1-844-Say-CISA or 844-729-2472
The CISA Community Bulletin is a monthly publication that shares cybersecurity webinars and workshops, new publications and best practices. In this month's edition:
Announcements
- Give Yourself the Gift of Security
- CISA Awards REMCDP Cooperative Agreement
Partnerships
- Election Infrastructure Incident Response Communications Guide
- CISA and FBI Release Joint Guide on Product Security Bad Practices
Information Exchange
- CISA Delivers a Critical Infrastructure Risk Framework Presentation in Sendai, Japan
Education and Training and Workshops
- Quarterly ChemLock Trainings
- Upcoming Interagency Security Committee Risk Management Process & Facility Security Committee Trainings
A public service announcement on behalf of DHS Know2Protect Campaign on How to Report Online Child Sexual Exploitation and Abuse (CSEA)
Online child sexual exploitation and abuse (CSEA) is a serious crime that is never the victim’s fault. Stopping exploitation usually requires a victim to come forward to someone they trust — a parent, teacher, caregiver, law enforcement official or another trusted adult. This requires a lot of vulnerability from the victim. It is important to help them gather information to report the crime, choose an option with which they are comfortable and support them through this process.
To submit a report, you can do so through one of the following ways:
- Contact your local, state, or tribal law enforcement officials directly. Call 911 in an emergency.
- Call the Know2Protect Tipline at 833-591-KNOW (5669). All information received via the Tipline will be reviewed by appropriate personnel and referred to Homeland Security Investigations field offices for potential investigation.
- Submit a report with the National Center for Missing and Exploited Children.
Give Yourself the Gift of Security
Cyber criminals utilize the prime time of the holiday season to collect personal and financial information to compromise data, insert malicious software, steal identities, and take money. Be alert for online shopping scams, which historically spike this time of the year. Remain especially cautious of fraudulent sites posing as reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions.
There are four easy actions you can take to protect yourself online not just during the holidays but all year round:
Additionally, when shopping online this season, remember to:
- Shop from Trusted Websites: Before providing personal or financial information, verify that you're using a reputable, established vendor. Look for URLs that start with "https://" and have a padlock symbol, indicating a secure connection.
- Be Cautious of Deals: If a deal seems too good to be true, it may be a scam. When possible, use a credit card or digital payment method rather than a debit card, as these often have better fraud protections.
CISA Awards REMCDP Cooperative Agreement
CISA recently awarded $1 million to the Hawaii County Civil Defense Agency for the Rural Emergency Medical Communications Demonstration Project (REMCDP). REMCDP is a competitive grant for CISA to work with communities to examine rural emergency medical communications barriers and identify solutions that enhance existing infrastructure. Hawaii Island does not have a formalized emergency response and communication plan for medical support in its rural communities, which renders these areas vulnerable during natural or man-made hazards. To address these gaps, the REMCDP recipient will partner with community medical facilities, state partners, and non-profit organizations to create the SPROUT UP initiative (Strategize, Plan, Rehearse concepts, Organize, Utilize community resources, Train and conduct exercises of Unified Partnerships) to develop and increase community resilience for Hawaii Island. The Hawaii County Civil Defense Agency aims to create 15 resilience hubs in rural communities, educate more than 10,000 people about the SPROUT UP initiative, conduct 12 community outreach events, train 200 healthcare workers on emergency communications protocols, and provide drills during its two-year period of performance. This grant will fund a medical emergency communications and response network, as well as serve as a repeatable model for other rural communities. For more information, visit the REMCDP webpage.
Election Infrastructure Incident Response Communications Guide
CISA and the Election Assistance Commission (EAC) released an Election Infrastructure Incident Response Communications Guide which includes the core components of an incident response playbook and outlines the key steps election offices can take to communicate effectively during an incident. The guide also includes customizable templates with instructions and considerations for effective communication, maintaining transparency, and ensuring accurate and timely updates during an election incident.
CISA and FBI Release Joint Guide on Product Security Bad Practices
On Oct. 16, 2024, CISA and the FBI released a joint guide on Product Security Bad Practices. This voluntary guidance provides an overview of product security bad practices that are deemed exceptionally risky, particularly for software manufacturers who produce software used in service of critical infrastructure or national critical functions (NCFs), and provides recommendations for software manufacturers to mitigate these risks.
The bad practices are divided into three categories:
- Product properties, which describe the observable, security-related qualities of a software product.
- Security features, which describe the security functionalities that a product supports.
- Organizational processes and policies, which describe the actions taken by a software manufacturer to ensure strong transparency in its approach to security.
This list is focused and does not include every possible inadvisable cybersecurity practice. CISA is seeking public comment to inform the development of these Product Security Bad Practices, which enumerate exceptionally risky software development activities. Visit the Federal Register to submit comment by Dec. 16, 2024.
This guidance is part of CISA’s global Secure by Design initiative that implements the White House’s National Cybersecurity Strategy by shifting the cybersecurity burden away from end users to technology manufacturers who are most able to bear it.
CISA Delivers a Critical Infrastructure Risk Framework Presentation in Sendai, Japan
CISA presented a paper on the “Implementation of a Holistic Risk Framework for Critical Infrastructure” at the October 2024 Probabilistic Safety Assessment and Management (PSAM) conference in Sendai, Japan, with nearly 1,000 professionals from academia, industry, and government nuclear safety and risk management communities in attendance. This is the second paper CISA has released to the global risk research community that details how CISA leverages National Critical Functions (NCF) as an analytic lens to view critical infrastructure risk. CISA’s presentation generated robust dialogue on how the NCF framing enhances widespread understanding of how critical infrastructure services can be degraded due to disruption, underscoring the framework’s value to policymakers and the critical infrastructure risk management community.
CISA Education and Training
CISA offers a variety of free courses and scheduled training events. For a complete list, visit the links below:
Quarterly ChemLock Trainings
CISA’s ChemLock program provides the ChemLock training courses every quarter on a first-come, first-served basis.
ChemLock: Introduction to Chemical Security
This course provides an introduction to identifying, assessing, evaluating, and mitigating chemical security risks. This easy-to-understand overview identifies key components and best practices of chemical security awareness and planning to help kickstart chemical security discussions at your facility.
This course runs 1-2 hours in length and is appropriate for all personnel regardless of their level of involvement with dangerous chemicals.
ChemLock: Secure Your Chemicals Security Planning
This course walks through how to create a tailored, scalable security plan that meets the business model and unique circumstances of a facility. Participants will learn the key elements of a chemical security plan and benefit from examples, lessons learned, and best practices.
This course runs 2-3 hours in length and is designed to help leadership, facility security personnel, and other applicable personnel understand, develop, and implement a facility security plan.
For more information or to request a specific training for your facility, please visit the ChemLock Training webpage.
Upcoming Interagency Security Committee Risk Management Process & Facility Security Committee Trainings
The Interagency Security Committee (ISC) invites you to participate in its award-winning Risk Management Process (RMP) and Facility Security Committee (FSC) Training. This training provides an understanding of the ISC, the ISC Risk Management Process Standard (RMP Standard), and the roles and responsibilities of a Facility Security Committee (FSC). The course fulfills the necessary training requirements for FSC membership and is valuable for executives, managers, and personnel involved in making facility funding, leasing, security, or other risk management decisions. Participants will receive continuing education units through the International Association for Continuing Education and Training upon completion of the course. The ISC offers the training at no cost to participants.
The schedule for upcoming in-person and virtual trainings is below.
In-Person Trainings:
- December 3, 2024 – Arlington, VA at 9:00 a.m. ET
- January 9, 2025 – Grand Rapids, MI at 8:30 a.m. ET
Virtual, Instructor-Led Trainings:
- December 10-11, 2024 – 9 a.m. – 12 p.m. PT
- January 28-29, 2025 – 9 a.m. – 12 p.m. ET
- February 4-5, 2025 – 9 a.m. – 12 p.m. CT
- March 4-5, 2025 – 9 a.m. – 12 p.m. MT
- April 8-9, 2025 – 9 a.m. – 12 p.m. PT
- May 13-14, 2025 – 9 a.m. – 12 p.m. MT
- June 24-25, 2025 – 9 a.m. – 12 p.m. CT
- July 15-16, 2025 – 9 a.m. – 12 p.m. ET
- September 9-10, 2025 – 9 a.m. – 12 p.m. CT
For the full list of future trainings visit the ISC training webpage.
To access past editions of this CISA Community Bulletin newsletter, please visit the CISA Community Bulletin archive.