The Biden Administration has issued an executive order regarding cybersecurity. This order is part of a series of executive actions that indicate the dire need for improved security. The order seeks to “identify, deter, protect against, detect, and respond to” the various cyberattacks that are reaching both the public and private sectors.
Comprising more than 8,000 words, the order itself begins by stating a fact that all cyber professionals already know: cybersecurity requires far more than government action and calls for a partnership with the private sector to ensure maximum protection. The order requires all federal systems to meet or exceed the requirements outlined in the EO.
Here are the “high-level” bullet points of the EO. The actions outlined seek to:
- Reform contracts with software providers to ensure greater transparency.
- Implement cybersecurity best practices, including zero-trust and multi-factor authentication.
- Review and create standards for the software supply chain as provided to the Federal Government.
- Establish a Cyber Safety Review Board.
- Tighten the government’s response plan (“playbook”) for cyber incidents.
- Implement an Endpoint Detection and Response initiative to improve detection of vulnerabilities and incidents.
- Develop an internal process for logging events and investigating and remediating incidents.
- Implement National Security Systems requirements where they currently are not being used.
THE NUTS AND BOLTS
The order calls for reform of all contracts with information technology and operational technology service providers that contract with the federal government, in order to remove all contractual barriers that prevent those organizations from sharing threat and incident information on Federal Information Systems. These organizations will be required to collaborate with federal cybersecurity agencies upon observing a cyber threat or incident of any kind.
The order also requires the federal government to implement security best practices. In the order, this includes:
- Advance toward zero-trust architecture utilizing NIST protocol
- Secure cloud services
- Centralize and streamline cybersecurity data to drive analytics
- Invest in technology and personnel to meet these goals
CISA is leading the charge to ensure that federal organizations adopt multifactor authentication and data encryption over the next six months.
Additionally, the director of NIST will be working with the government, academia and the private sector to determine the best way to offer new standards for the software development supply chain for use by the federal government. The deadline on this process is still years away for software developers, but the plan for the guidance is to include standards and procedures regarding implementation of secure environments with multi-factor and risk-based authentication, documented dependencies, data encryption, automation and other steps to improve both transparency and security.
The executive order establishes a Cyber Safety Review Board, composed of government officials and private sector members, who will convene following a significant cyber incident. The board can be called upon by the president or by the secretary of Homeland Security whenever they find it necessary.
The remainder of the order focuses on the government’s internal plan for mitigating and responding to cyber attacks, as well as protecting against future ones. For example, the director of CISA, along with other federal officials, is charged with re-tooling the federal government’s standardized response to a cybersecurity incident or threat, which the EO calls its “Playbook.” This playbook will require all NIST standards to be followed and is meant to describe progress and completion of all phases of incident response.
The order also mandates that agencies deploy an EDR initiative as dictated by the director of CISA. This will also require agencies to develop logging and reporting protocols to ensure the government’s ability to investigate and remediate the issues. In the final main section of the order, the secretary of Defense is expected to adopt these requirements at a minimum within the National Security Systems.
THE TAKEAWAY AND REACTIONS
The next few months are going to be busy for CISA, but the Department of Homeland Security has offered its full-throated support for the executive order. Secretary Alejandro N. Mayorkas issued a statement yesterday, citing the recent incidents as a reminder of how important a strong cyber infrastructure is.
“Recent cybersecurity incidents impacting SolarWinds, Microsoft, and Colonial Pipeline are a stark reminder that malicious cyber activity can significantly disrupt Americans’ daily lives and threaten our national security. Addressing these risks to our way of life is a shared responsibility that depends upon close collaboration between the public and private sectors.”
Acting Director Brandon Wales of CISA also issued a statement:
“As the nation’s lead agency for protecting the federal civilian government and critical infrastructure against cybersecurity threats, CISA serves a central role in implementing this executive order. This executive order will bolster our efforts to secure the federal government’s networks, including by enabling greater visibility into cybersecurity threats, advancing incident response capabilities, and driving improvements in security practices for key information technology used by federal agencies. And because the federal government must lead by example, the executive order will catalyze progress in adopting leading security practices like zero-trust architectures and secure cloud environments.”
In addition, the Chairman of the House Committee on Homeland Security, Rep. Bennie G. Thompson (D-MS), and the Chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection & Innovation, Rep. Yvette D. Clarke (D-NY), released a joint statement, also offering their support for the order. Calling upon the same incidents cited by Mayorkas, the representatives stated that they were pleased with CISA’s access to the resources it needs to be successful.
“Cybersecurity is a national security issue, and we commend the Administration for prioritizing it that way. From the SolarWinds supply chain attack that gave Russian actors access to Federal networks to the Colonial Pipeline ransomware attack that temporarily shut down 5,500 miles of gas pipeline, cyber attacks jeopardize our national and economic security. If nothing else, the cyber incidents that have occurred over the past six months have demonstrated that bold action is required to defend our networks today and in the future. The Executive Order signed by the President today is just that.”