How does the new national cybersecurity executive order affect organizations like yours?
In an ambitious leap towards improving the national cybersecurity posture, President Joe Biden issued an Executive Order on Improving the Nation’s Cybersecurity on May 12, 2021. The EO outlines a coherent plan for heightening efforts and increasing resources to combat an increasingly determined threat targeting the public sector, the private sector, and the security and privacy of the American people.
With recent high-profile cyber incidents such as the Colonial Pipeline attack, the SolarWinds hack, the JBS ransomware, and the exploitation of Microsoft Exchange zero-day vulnerabilities, it’s a gross understatement to say cyber threats are ever-present.
The overarching goal of the new executive order is to modernize national cybersecurity defenses, bring uniformity to cybersecurity standards across all agencies of the federal government, and use the government’s buying power to help the private sector address cybersecurity threats and vulnerabilities. The executive order will also directly affect government contractors and their cybersecurity requirements.
Here’s a quick look at the general areas addressed in President Biden’s order.
Enhancing Threat Information Sharing
Different government departments, organizations, service providers, and agencies tasked with incident investigations often fail to share information about emerging cyber threats, risks, and ongoing incidents. Whether it’s due to strict adherence to contractual terms or general reticence, the barriers between government and the private sector make it difficult to effectively identify, deter, detect, and respond to the actions and the actors.
Crafting a standard format for sharing intelligence and reporting breaches and requiring IT providers to remove contractual barriers that limit threat information sharing could help improve the national cybersecurity posture and responsiveness. Cybercriminals always trade exploits and share vulnerabilities, so it makes sense for organizations to work with the government to defeat them. Organizations must recognize when they need to report cyber incidents to agencies responsible for investigating and remediating cyber incidents, understand what data should be shared, and find ways to ensure swift and comprehensive reporting.
Creating a Zero-Trust Architecture
The executive order concedes that the federal government still falls short in a number of key areas, including movement to the cloud and data encryption. Previous strategies assumed that everything inside the network is trustworthy and focused on protecting networks from intrusion. The government is now required to modernize its approach to cybersecurity and move to a model that assumes all internal and external network activity is a potential threat. Modernizing national cybersecurity can be achieved by taking steps to:
- accelerate the move to secure cloud services
- adopt security best practices
- streamline access to cybersecurity data
- advance toward zero-trust architecture
- invest in personnel and technology to match the modernization goals
Multi-factor authentication and encryption should be adopted to mitigate risks to sensitive data and systems. In addition, there are directives to develop a federal cloud-security strategy to protect data in the cloud.
Enhancing Security for the Software Supply Chain
As the SolarWinds breach showed, organizations tend to assume a level of security from major service providers that is not always warranted. Private companies and government departments are not equipped to detect or prevent attacks in the software supply chain. To improve the security of software products sold or licensed to the government, the order seeks to establish baseline security standards for software development. Developers will be required to make security data publicly available and provide visibility into their products.
The guidelines that improve software supply chain security will include:
- Standards and procedures for secure software development environments
- Automated tools to ensure the integrity of source code supply chains
- Processes to continuously check for known and potential vulnerabilities
- Software Bill of Materials provided to a purchaser
- Vulnerability disclosure program
An “Energy Star”-style labeling program will be created so that purchasers can quickly determine whether software bought by the government and its contractors was developed securely.
Standardizing Response to Vulnerabilities and Incidents
Having a clear plan for responding to cybersecurity threats and incidents is crucial to minimizing any damaging impact. The plan should include timelines and responsibilities for identifying, reporting, investigating, and mitigating incidents. A cybersecurity playbook will be developed to ensure centralized and coordinated cataloging when responding to vulnerabilities and incidents.
The playbook will:
- incorporate appropriate NIST standards
- define key terms and create a common vocabulary across all agencies
- articulate progress and completion methods
This will ensure agencies are prepared to take uniform steps toward incident identification, mitigation, and response.
Improving Detection, Investigative, and Remediation Capabilities
The executive order also addresses the varying ability of government agencies to detect, investigate, and remediate malicious cyber activity on their networks. Intelligence sharing and the use of an endpoint detection and response (EDR) system will strengthen our collective defense by supporting the proactive detection of cybersecurity threats and incidents. When combined with strong data analytics, EDR is one of the strongest elements of a layered defense.
To aid the investigation and remediation of any issues, government agencies and their IT service providers will be required to collect and maintain data, including network and system logs for both on-premises and third-party-hosted systems and connections.
They’ll also be required to provide the data upon request to the FBI and the Director of CISA, consistent with applicable law. Policies for log retention and management will be provided to ensure centralized access for the highest-level security operations center. Also, the logs are to be protected cryptographically to ensure integrity once collected and verified.
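One way to meet the requirement that collected logs be protected cryptographically for integrity is a keyed hash chain over the records, so that editing, deleting or reordering any record after collection is detectable. The example below is added here and is not part of the executive order or of SCA's materials; the log events, field names and key value are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample log records; not taken from any real system.
SAMPLE_EVENTS = [
    {"ts": "2021-05-12T10:00:00Z", "host": "web01", "msg": "sshd: Accepted publickey for deploy"},
    {"ts": "2021-05-12T10:00:07Z", "host": "web01", "msg": "sudo: deploy : COMMAND=/bin/systemctl restart app"},
    {"ts": "2021-05-12T10:01:30Z", "host": "web01", "msg": "sshd: Failed password for root"},
]

GENESIS = b"\x00" * 32  # fixed starting value for the first link in the chain


def chain_logs(events, key):
    """Attach to each record an HMAC-SHA256 over (previous tag || canonical record).
    Because each tag depends on the one before it, a change to any record
    invalidates that record's tag and every tag after it."""
    prev = GENESIS
    out = []
    for ev in events:
        body = json.dumps(ev, sort_keys=True).encode()  # canonical encoding
        tag = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        out.append({"event": ev, "tag": tag})
        prev = bytes.fromhex(tag)
    return out


def verify_chain(chained, key):
    """Recompute the chain; return (True, None) or (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        body = json.dumps(rec["event"], sort_keys=True).encode()
        expected = hmac.new(key, prev + body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        prev = bytes.fromhex(rec["tag"])
    return True, None


def demo():
    key = b"constructed-soc-archive-key"  # in practice, held in an HSM or KMS, not with the logs
    chained = chain_logs(SAMPLE_EVENTS, key)
    # Tampering after collection: the failed-login line is rewritten to look benign
    tampered = [dict(r, event=dict(r["event"])) for r in chained]
    tampered[2]["event"]["msg"] = "sshd: Accepted publickey for root"
    # Deletion after collection: the sudo record is removed
    truncated = chained[:1] + chained[2:]
    return verify_chain(tampered, key), verify_chain(truncated, key)
```

Verification only works if the key is kept away from whoever can write to the log store, which is why the order's centralized, separately controlled collection matters.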
The EO identifies many changes intended to improve national cybersecurity and the detection, prevention, investigation, and remediation of incidents that pose a risk to our security and privacy. Having the government upgrade more uniformly to 21st-century practices gives agencies a real opportunity to defend against modern and sophisticated threats.
We anticipate a cascading impact from this EO: first on federal contractors, and then a downstream effect rippling through the broader private sector as the guidelines and standards drafted under the order become industry best practices.
Get a Head Start on Compliance with SCA
Security Compliance Associates is uniquely positioned to help both government entities and the commercial sector prepare to meet the forthcoming guidelines of the Cybersecurity Executive Order 2021. We can assess your current cybersecurity controls and determine areas of improvement. Contact us today at 727-571-1141 to protect your organization from cyber threats and get an early start on compliance.