Insights from President Biden’s Executive Order on Cybersecurity
May 12th, 2021, was a historic day in the national cybersecurity landscape. On this day, President Biden issued a comprehensive 32-page regulation titled the Executive Order on Improving the Nation’s Cybersecurity.
Prompted by a chain of disastrous cyber incidents, the Executive Order acknowledges that the country should expect even more complex threats with progressively greater impacts. It comes just months after attacks on the country’s key infrastructure that led to shortages and panic buying.
Attacks on SolarWinds, the Colonial Pipeline, several healthcare providers, and other critical sectors have been quite disruptive. What’s more, they’ve highlighted the principal vulnerabilities in software supply chains, and these are what the EO seeks to address.
Though the requirements defined in the order technically apply only to United States Federal agencies, departments, and their technology suppliers, the directives are also likely to be adopted by broader categories of suppliers and buyers across critical infrastructure. In essence, the order will serve as the “north star” for cybersecurity expectations.
Key Directives in President Biden’s Executive Order
Here are the critical cybersecurity objectives on which President Biden’s recent Executive Order is focused:
Zero Obstructions to Sharing Threat Information
The OMB Director will consult with relevant agencies to evaluate and recommend updates to the DFARS and Federal Acquisition Regulation contract requirements and terms for doing business with data processing system providers.
This process aims to eliminate contractual barriers to the effective sharing of incident and threat information with the bodies charged with investigating and remediating incidents. It also defines the reporting procedure that federal contractors must follow.
A Modern Federal Government Cybersecurity Structure
The Federal Government must deploy an advanced approach to cybersecurity. This encompasses the following activities:
- Adopting cybersecurity best practices
- Migration to Zero Trust architecture
- A faster movement to cloud services
- Centralizing and streamlining cybersecurity data access to facilitate analytics for risk identification and management
- Investing in the right talent and technology to meet the modernization objectives
Notably, the EO requires federal agencies to leverage security controls that mitigate risk to systems and sensitive data, including encryption and multi-factor authentication.
A More Secure Software Supply Chain
The EO stresses that the software used by federal government agencies must be secured, because it underpins the agencies’ ability to deliver their critical functions. It requires the NIST Director to solicit input from stakeholders such as government agencies, academia, and the private sector to create practical guidelines that enhance software security.
The guidance includes procedures, standards, and criteria for secure software development. It also calls for processes or automated tools that maintain trusted source code supply chains and protect code integrity, and that check software for known and potential vulnerabilities and remediate them before new versions, updates, and products are released.
Furthermore, the guidelines involve:
- Providing a Software Bill of Materials for each product
- Operating a vulnerability disclosure program
- Attesting to conformity with the relevant secure software development practices
Creation of a Cyber Safety Review Board
This board will follow a model similar to the National Transportation Safety Board. The Secretary of Homeland Security will establish it with decision-makers from both the private sector and government agencies. Its goal is to review and assess significant cyberattacks and the government’s response to them, and then issue recommendations for improvement.
Creating a Standardized Cyber Threat Response Playbook for the Federal Government
CISA (the Cybersecurity and Infrastructure Security Agency) will coordinate with agencies such as the Department of Defense to create a playbook that implements a standardized response procedure. The aim is a coordinated, centralized set of operating procedures and catalogs for responding to cybersecurity incidents and threats. The private sector will also benefit significantly from the playbook as a template for appropriate cyber threat response.
Improved Detection of Cyber Incidents and Vulnerabilities Within Federal Government Networks
The EO requires the Federal Government to deploy the resources needed for greater visibility into threats on the relevant bodies’ networks. In practice, this means deploying an endpoint detection and response (EDR) solution that supports proactive incident detection. EDR is a key element of layered defense, especially when combined with robust data analytics.
Improved Investigative and Remediation Competencies
Federal Government agencies and their IT partners are tasked with collecting and retaining data such as system and network logs, which are essential for investigation and remediation. Additionally, the agencies and their outsourced IT vendors must share this information with the FBI and CISA to the extent required by and consistent with applicable law.
The OMB Director must also consult with the Secretaries of Homeland Security and Commerce to develop policies that establish logging, log management, and log retention requirements. This ensures visibility and centralized access for each agency’s highest-level security activities.
National Security Systems
The Secretary of Defense must adopt requirements for National Security Systems that are equivalent to or exceed the standardized cybersecurity requirements defined in the EO. This must happen within sixty days of the day the EO was issued.
What Does the Executive Order Mean for Organizations?
The Executive Order’s requirements call for cybersecurity transparency, and companies must now review their third-party contracts. In addition, because improved software supply chain security is a primary element of the EO, organizations have to verify whether the vendors they partner with are adequately protected.
This will likely increase scrutiny of partner risk assessments, drive the closing of supply chain security gaps, and require the right remediation policies. Organizations will also need contract terms that allow transparent sharing of cyber breach and threat information. Furthermore, comprehensive vendor assessments will evaluate the adoption of FedRAMP guidelines.
Notably, the Biden administration has pledged to ensure that all government systems meet or exceed the established cybersecurity thresholds and standards. Companies that supply software products to government agencies must therefore prepare for far more stringent scrutiny of their security to ensure they meet every requirement.
One of the critical areas to watch is vendor risk management. Entities must re-evaluate their vendor contracts and their approaches to cybersecurity to align with the new requirements and remain eligible for government contracts.
Working with an experienced cybersecurity and compliance consultant is a great way to ensure your organization complies with the law, and that’s where Intelice Solutions comes in. Reach out for more details on how our services can help maintain compliance and eligibility.