On May 12, 2021, President Biden issued an executive order (EO) on improving the federal government’s approach to cybersecurity. Why should IT professionals care about this document? For one thing, the initiatives outlined in this EO will have impacts to the way federal agencies use IT to accomplish their missions. Inevitably, these new guidelines will become the new standard for all IT organizations.
This is the goal of the EO:
The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.
Let’s go through the main points of the executive order.
1. Removing Barriers to Sharing Threat Information
This initiative is aimed at making sure contractors, service providers, and federal agencies are able to share information about cyber security threats. Right now, it is hard to share the threat information between agencies, and the fact that each agency may contract with any vendor only complicates the issue. However, this is not that different from what happens in the commercial world.
This will have very high level oversight. The Director of the OMB (Office of Management and Budget OMB), the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence will lead the charge. They will review the federal contract requirements contained in FAR (Federal Acquisition Regulation) and the Defense Federal Acquisition Regulation Supplement. Then they’ll recommend updates to the contract requirements for IT and OT service providers so that they can share data more easily between agencies.
If you support a government agency, expect to see this impact the work you do.
2. Modernizing the federal government’s cybersecurity policies
This initiative will help the Federal Government modernize its approach to cybersecurity. An aggressive plan will be created to move agencies to Zero Trust Architecture, cloud services, and centralized access to data. This centralized access will provide analytics across all agencies that identify cybersecurity risks.
The executive order says that there will be investments in technology and personnel to achieve this goal. This is good news for vendors and job seekers!
3. Enhancing software supply chain protection
The overall goal of this initiative is to rapidly improve the security and integrity of the software supply chain. The priority will be addressing critical software. The government recognizes a “pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended”. This is an obvious reaction to the Solar Winds cyber attack.
Something to look for will be the federal definition of “critical software”. Around July 11 we should see the government’s guidance outlining security measures for critical software. Expect recommendations of applying practices of least privilege, network segmentation, and proper configuration. And early next year we’ll also see an IoT cybersecurity criteria for a consumer labeling program.
It will be interesting to see what else comes from this, as the executive order also mentions being able to verify and trust open source software. What kinds of unintended consequences should we be prepared to face?
4. Establish a Cyber Safety Review Board
The Secretary of Homeland Security and the Attorney General will establish the Cyber Safety Review Board. This board will review and assess significant cyber incidents. This is good from an operational standpoint. It will provide the mechanism for the entire Federal government to react when the IT infrastructure is under attack.
5. Improve Detection of Cybersecurity Vulnerabilities and Incidents
The goal is to create standardized incident response processes to ensure more coordinated and centralized cataloging of incidents. A playbook will be developed for planning and conducting cybersecurity vulnerability and incident response activities. This should be standard process, and it is good to see an executive order laying the groundwork to make it so. Additionally, at an endpoint detection and response (EDR) initiative will be created to do active cyber hunting, containment and remediation, and incident response.
6. Improve the Federal Government’s investigative and Remediation capabilities
This portion of the executive order is all about logging. The order talks about logging from on-premises systems or third parties such as CSPs. The purpose of having a unified logging directive is to gather the data needed to investigate and remediate cyber security incidents. However, since the Federal guidance is to move to cloud platforms will there be a danger of governmental overreach because all log information is available to one system? This unintended consequence will be one to watch.
7. National Security Systems
We should see a National Security Memorandum by the middle of July that details the requirements for National Security Systems.
It is nice to see the Federal Government making cybersecurity a top priority. The executive order really tried to cover everything, from detailed requirements that cover how to ensure the software supply chain is safe to logging, and everything in between. This is important, because the threat actors against our government aren’t script kiddies, they are other nations. Ultimately, we need a unified federal approach to protect our critical systems and information. However, we will have to watch closely for unintended consequences that are bound to happen from consolidating so much data.
So if you work for the Federal Government, a vendor, an MSP, CSP, or any type of service provider you should be familiar with this document. There’s a lot to do!