The Executive Order (EO) on improving the nation's cybersecurity supports public and private efforts to identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated malicious cyber campaigns. Recent cyber espionage campaigns have shaped some of the specific measures in the EO.
Two things are clear from the EO.
- It calls for making federal government systems stronger and safer to prevent them from being targeted. It encourages the use of software with security built in, and it uses the purchasing power of the federal government to try and make that a requirement.
- It sets a goal of more effective federal government responses, requires IT providers to report cyber incidents, and removes contractual barriers that keep them from sharing information with government entities. The EO also standardizes the playbook that different agencies use to work together in response to cyberattacks.
The EO issued on improving cybersecurity efforts is a first step taken for the sake of national security and public welfare and to deal with nation-state supply chain attacks.
This need was raised by Sean Joyce, PwC's Global & US Cybersecurity, Privacy & Forensics leader, when he indicated that the United States needs a more organized approach to cyberthreats. The lag in updating laws and regulations, the absence of clear corporate responsibility guidelines, and the failure to adjust to a digital world create a number of issues in a boundary-free world.
Already, the government and industry have lagged in updating laws, regulations, and corporate responsibilities, and in adjusting to a digital, boundary-free world.
Who is affected?
- Federal agencies are expected to update their hardware, software, and technology to improve security, and to adopt best security practices.
- Federal contractors, including commercial off-the-shelf (COTS) software providers, will have cybersecurity standards integrated into their contract terms and will be obligated to share more information on cyber incidents.
- The private sector can also expect changes, particularly a focus on software supply chain security and on transparency through proposed consumer security labeling on software and internet of things (IoT) devices. This means that software and IoT device companies should expect new security requirements and assessment standards.
The Biden administration EO outlines a number of cybersecurity objectives that the government must meet on a short timeline. We can therefore expect a cascading effect: first to federal contractors, and then, once new standards have been set and practices adopted, to other industries.
Federal contractors
The most directly affected by the EO are the providers of IT services to the federal government.
The directives for federal contractors are to increase information sharing for better detection, investigation and remediation.
Enhance information sharing
According to the EO, IT service providers will have to share breach information that could impact government networks. Furthermore, any contractual barriers must be removed. This will enable better defenses for the federal departments and ensure the overall nation’s cybersecurity is improved.
Implications
What the EO mandates is cyber incident reporting. In the past, only defense contractors had breach reporting requirements (the DFARS 252.204-7012 clause), but with the EO the requirement will extend to all Federal Acquisition Regulation (FAR) contracts.
What this means for contractors is that they will have to organize their data governance frameworks so that sensitive data such as controlled unclassified information (CUI) is classified, managed, and protected.
Additionally, contractors will have to collect information about threats, vulnerabilities, and incidents and share it with CISA, the FBI, and other agencies and boards for investigation.
Federal government networks
The EO highlights the importance of detecting cyber incidents on federal government networks and aims to improve this ability by enabling the development of a government-wide endpoint detection and response (EDR) system and by improving information sharing within the federal government.
Implications
The additional information helps agencies proactively identify threats and have everything necessary to investigate and respond to any incident that takes place.
Actively searching endpoints through proactive threat hunting reduces cyber risk because it can spot threats, including sophisticated ones, that would otherwise go unnoticed. This is possible because endpoints are searched with advanced tools, technology, and people.
Federal departments and agencies
The EO calls for the improvement of investigative and remediation capabilities of federal departments and agencies through event log requirements.
Implication
All network and system log information involving federal information systems, including on-premises systems and connections hosted by third parties such as cloud providers, must be collected and maintained by IT service providers so that it can be given to the government when needed to address a cyber incident.
Federal government systems
To make these systems stronger and safer, government cybersecurity will be modernized through wider adoption of security best practices. This includes using a zero-trust security model, moving to secure cloud services, and consistently applying security tools such as multifactor authentication and encryption.
Implications
Because of the software supply chain attacks of this past year, there is a strong desire to adopt a zero-trust architecture. The EO encourages business leaders to consider it a leading practice. It is also important to remember that zero trust is only one layer of a defense strategy.
You can expect NIST requirements (NIST 800-53 (FedRAMP), NIST 800-171 (CMMC)) to be updated with zero-trust security requirements and additional focus on CUI.
Another important aspect is cloud security and having a thoroughly thought-out plan and approach to cloud adoption. The EO makes it clear that there is a need to develop a cloud-service governance framework, a federal cloud security strategy, and cloud-security technical reference architecture documentation.
Furthermore, cloud service provider (CSP) contractors can anticipate an expansion of the US government market for solutions that support zero-trust principles.
Software supply chain
In the executive order, President Biden has sought to improve cybersecurity in software by establishing baseline security standards for its development. This includes requiring developers to keep track of their software's security data and release it publicly. The EO establishes a methodical process, in partnership with the private sector and using federal procurement as an incentive, for developing new and innovative approaches to producing safe software. It creates a program for an "Energy Star" type of label for software products, giving the federal government and the public information about whether or not the product was developed securely.
Implications
This section of the EO will require the most adjustment from IT providers. Recognizing that software was unable to resist attack when recent cyber espionage campaigns hit the US, the EO ensures that the way commercial software is developed will change. The intent is to have commercial software built in a way that ensures malicious actors cannot tamper with it and that it is trustworthy to use. Software that requires elevated system privileges or direct access to networking and computing resources is one of the areas of focus. Furthermore, software providers will have to share feedback on software supply chain security. The EO calls on the NIST director to solicit input within 45 days from the private sector, academia, and others, as well as the federal government, in order to produce new standards, tools, and best practices.
The plan is to set up standards, procedures, and criteria for the software development lifecycle so that software is built with security at the forefront. Providers of commercial off-the-shelf (COTS) and non-COTS software will need to meet all requirements, undergo audits, and prove compliance in the following areas:
- separate build and development environments
- mapping and monitoring dependencies and interactions between systems ("trust relationships")
- conducting and remediating vulnerability scans prior to release
- voluntarily disclosing vulnerabilities
- a Software Bill of Materials (SBOM), which includes enumerating and maintaining an inventory of the open-source and commercial libraries and components used by the software
The EO directs the pilot of a consumer labeling program founded on criteria for IoT cybersecurity and secure software development practices. The process and requirements for this will be defined over the coming months by the Federal Trade Commission (FTC).
Some questions remain, such as limits on access to cutting-edge software or how innovation is affected by the EO. Time will tell.
Better collaboration between government agencies and the private sector
The creation of a Cybersecurity Safety Review Board
To improve collaboration between government agencies and the private sector, the EO establishes a Cybersecurity Safety Review Board co-chaired by government and private sector leads. The board may meet following a significant cyber incident to take an in-depth look at what happened and make tangible recommendations to improve cybersecurity overall.
Implication
The objective is for the Cybersecurity Safety Review Board to work the way the National Transportation Safety Board's (NTSB's) investigations do when major transportation accidents and incidents occur, with the participation of the private sector. The exact details of all that this will entail have yet to be decided.
A standardized incident response playbook
Create a standard playbook for response to cyber incidents
The EO demands the creation of a playbook, a set of rules and procedures, together with a set of definitions for cyber incident response by federal departments and agencies. This playbook and list of definitions will ensure that federal agencies meet the necessary requirements to uniformly identify, address, and mitigate threats. The playbook also provides the private sector with a template for its own incident response efforts.
Implication
A set playbook used across government agencies will speed up responses to and investigations of cyber incidents. It lets agencies analyze vulnerabilities and incidents more comprehensively across agency boundaries, removing what used to hinder and slow down the incident response process. A standardized incident response process will also lead to centralized cataloging of cyber incidents, which in turn makes it possible to track each agency's progress with incident response and its overall success in responding to threats.