New policies in the US, UK, and EU address expectations on network operators including incident reporting, patching, updates, software bill of materials (SBOM), cybersecurity bill of materials (CBOM), and zero trust architectures (ZTA). This research explores the assumptions, resourcing, and realities of having the designation of “Critical Infrastructure” and the changes in government relationships network operators can expect over the next few years. While this research focuses on the United States, much of this is relevant to other regions, particularly those within the EU or the UK. To address the operational and reporting requirements related to technical and supply-chain threats, network operators must automate several activities including threat identification, protection, detection, incident response and recovery. With ransomware and penetration threats increasing, the regulatory environment is shifting.
This work focuses on how to best prioritize efforts.