Anonymous Author
Anything is positive. The requirement to report within a certain date is great, but that wouldn't help any of the departments or companies that don't know that they've been breached. So it's not going so far as to say that if you do know about a breach then you have an obligation to report. In California, we already have regulations requiring us to report if any of the consumers’ PII has been stolen, but it's not doing that much to help proactively identify a breach.
1 upvotes
Anonymous Author
The primary thing that I liked about this executive order was that it's using the purchasing power of the US to effect some change. That's probably an over-simplification, but there's certainly a lot of that: Political moves that might move the needle a little bit, but broadly might not do a whole lot. There's a decent amount in the order on effecting change in supply chain security, which is pretty solid. I'm a big believer in NIST and their guidelines, and if people followed those guidelines even directionally it would make a big difference. I was actually pleased to see that it was more NIST-focused to define things in the software supply chain.
0 upvotes