What You Need to Know on the Executive Order to Improve the Nation’s Cybersecurity
On May 12, 2021, President Biden signed an Executive Order (EO) to improve the nation’s cybersecurity against increasing and sophisticated cyberattacks and more effectively protect essential government networks. This new Executive Order was broken into nine key sections (with deadlines) for Federal Agencies to implement changes and report back results. The lengthy order details what actions are required and from which Agencies and teams, but from a cyber perspective, here are the key takeaways from these sections:
Section 1: Setting Policy to Collaborate with Private Sector Support
The Order requires that the Federal government make bold and immediate changes to ensure any private sector products are built and operate securely with cybersecurity top of mind for a trusted digital infrastructure.
It required that the private sector adapt to a continuously changing threat environment to ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. The order specifically outlined the scope of system protection and security, regardless of cloud-hosting, on-prem or hybrid, to be a top priority and essential to national and economic security for a trusted digital infrastructure.
Section 2: Sharing Threat Information to Enable Defense
The administration clearly felt that contractual barriers existed and created inefficiencies for sharing key info that could be used to mitigate attacks and improve security. In this section, the order mandated that necessary steps be taken to accelerate incident deterrence, prevention, and response efforts. In fact, it required the Agencies/teams it outlined to review contract requirements and language for contracting with IT and OT service providers and to recommend updates to such requirements within 60 days of the order.
Section 3: Modernization of Federal Cybersecurity
The cyber threat environment is dynamic and sophisticated. As such, the Order detailed steps to modernize the Federal government's approach to cybersecurity by adopting security best practices and advancing towards Zero Trust Architecture. This section of the order also covered the need to accelerate movement towards secure cloud services and solutions that centralize and streamline access to cybersecurity data.
Here the administration planned to lean heavily on CISA to modernize its programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture and work to develop security principles governing Cloud Service Providers (CSPs).
Section 4: Security in the Software Supply Chain
The administration voiced frustration with the development of commercial software, citing that it lacked “transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.” The order even coined the term “critical software” as software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources). This was noted as a grave concern, with outlined expectations of steps required from Federal agencies to rapidly improve the security and integrity of the software supply chain and even develop new standards, tools, and best practices for compliance. This section was the lengthiest and the most technical in its requirements, and it also required that a report be created within 1 year to address progress in securing the software supply chain.
Section 5: The Establishment of a Cyber Safety Review Board
One of the most significant outcomes of the Order is the establishment of the Cyber Safety Review Board (Board), comprised of both Federal officials and representatives from private-sector entities. Activities include the review and assessment of cyber incidents, threat activity, vulnerabilities, mitigation activities, and agency responses. The Board is expected to provide recommendations to improve cybersecurity and incident response practices upon completion of its review.
Section 6: A Standard Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Currently, one of the big inconsistencies in the public sector involves variability in how each Agency addresses cybersecurity. The Order outlined that this in turn hindered the ability of Agencies to comprehensively address security issues, and it outlined the need for a more standardized response process. The order alluded to steps that would ensure coordinated and centralized cataloging of incidents and tracking of Agencies’ progress. This section again tasked CISA with reviewing and updating the playbook annually and ensuring a common understanding of cyber incidents and the cybersecurity status of an agency.
Section 7: Improving Vulnerability Detection and Incident Response – Early
According to this section of the Order, the Federal government is ready to assign additional resources to maximize early detection of vulnerabilities and incidents on Federal networks. This “identify early” approach hopes to increase visibility into and detection of cybersecurity vulnerabilities and threats to agencies, involving everything from Endpoint Detection and Response (EDR) to providing recommended procedures related to the security of mission-critical systems. This section was key, as this approach may result in the issuance of additional Orders and Directives as Agencies review and establish security procedures.
Section 8: Improving Remediation Capabilities and Cyber Investigations
One of the primary ways cyber incidents are detected and prevented is by using information from network and system logs. The administration noted that it will be essential for Agencies and their IT service providers to collect and maintain this invaluable information, and that it would be collecting recommendations for logging events and retaining other relevant data for an agency’s systems and networks. The output of these recommendations will be used to formulate new policies for agencies to establish requirements for logging, log retention, and log management, for the purpose of centralized access and visibility for security operations centers at each Agency. By including this in the Order, the Administration is designing requirements that permit agencies to share log information when appropriate.
Section 9: Adoption of National Security Systems
This section of the Order dictated that National Security Systems requirements be established which are equivalent to or exceed the cybersecurity requirements already outlined, while providing exceptions for unique mission needs. These requirements will be codified in a future National Security Memorandum (NSM) but would be exempt until its formal adoption.
The Bottom Line
Clearly, cybersecurity is top of mind for the Administration as they have set an agenda for both public and private sectors to collaborate and work together for a more secure country. As a company that has long provided many agencies security solutions to improve their cyber posture, I commend the order for forcing industry collaboration and no longer allowing security to be an afterthought.
Please share your thoughts on the order in the comments below.
About Sure Secure Solutions
A leader in providing innovative IT solutions to the federal government and private sector, Sure Secure is a woman-owned small business specializing in cloud services, web development, cybersecurity, and data analytics. A services provider to an array of federal clients including NASA, USDA, CBP, FEMA and the U.S. Army, Sure Secure Solutions has been recognized as the Small Business Prime Contractor several times and received the Outstanding Performance Award by the NASA Chief Engineer. Sure Secure Solutions is also the Small Business Prime Contractor of the Year 2016 for SBA Region 3.