Whenever the federal government acts on cybersecurity, agencies should take note. Below is a brief summary of the latest executive order (EO) intended to improve national cybersecurity.
Why was the EO written?
With the FireEye Sunburst attack, the SolarWinds compromise, the Colonial Pipeline and JBS Foods ransomware events and the past breaches of several federal agencies, cyberattacks are here and not abating.
The EO issued by President Joe Biden on May 12, 2021, is an effort to:
- Improve the nation’s ability to identify risks and vulnerabilities to its computer systems and those of its private sector partners
- Prevent compromises from occurring to those systems
- Detect exploits as they are occurring, respond to those exploits efficiently and effectively recover from them
The EO is effectively rewriting how the federal government approaches security. With a mandate to improve nearly every aspect of cybersecurity – from incident response and risk management to vendor management – the new EO improves the confidentiality, integrity and availability of our data.
One notable requirement of the EO is to promote threat information sharing with contractors, private sector partners and service providers. Many existing contracts forbid or restrict the sharing of threats and incidents. Federal contractors will now be required to handle data responsibly, share relevant data with specified agencies and collaborate on investigations. Knowing that third-party vendor security is often the vector for a data breach, this is an important step in improving government security.
Modernizing Governmental Cybersecurity
With the ever-changing threat landscape and the constantly increasing sophistication and abilities of malicious actors, the EO requires modernizing federal cybersecurity by improving visibility into threats and ensuring the protection of privacy and civil liberties. Outdated software and technologies need to be upgraded. Along with adopting cybersecurity best practices, the EO requires moving to secure cloud services and improving and centralizing access to data that drives the identification, analysis and management of cybersecurity risks. Notably, it provides funding for the resources needed to achieve these goals.
Zero Trust Architecture, Multi-Factor Authentication and Data Encryption
The EO requires implementing Zero Trust Architecture (ZTA). According to the National Institute of Standards and Technology (NIST), ZTA assumes that no implicit trust is granted to users or assets, regardless of location. In other words, the network is no longer the focus of security. Since so many assets, services, accounts, workflows and other resources are located outside of the network, security is squarely focused on inherently insecure resources such as endpoints.
Multi-factor authentication (MFA) can also significantly improve cybersecurity. In addition to something you know (a password), authentication factors include something you have (a fob or app) and something you are (a biometric). Adding a second factor makes brute-force password guessing a lesser threat.
Finally, by encrypting data both at rest and in transit, the EO ensures the end-to-end protection of data throughout its life cycle. This will provide a greater degree of privacy, confidentiality and integrity.
Secure Software Development and IoT Testing
In response to the lack of transparency about commercial software development and controls, the EO provides requirements for the implementation of mechanisms to ensure that software products operate securely and with integrity. This will include requirements for risk assessments, secure coding controls and a Software Bill of Materials (SBOM) so agencies have transparency into a system’s development. Next, the EO mandates the removal of all software products that do not meet these requirements. The EO additionally requires Internet of Things (IoT) devices and software to include a consumer labelling program indicating the levels of security testing a product has undergone.
National Cyber Safety Review Board and Improved Incident Response
The development of a Cyber Safety Review Board will create what appears to be a national cybersecurity incident response team (IRT). This team will be made up of various federal agencies and private sector partners. The intention is to overhaul and standardize vulnerability and incident response procedures, improve coordination and centralize a catalog of incidents and tracking of agency responses.
The EO also directs the federal government to improve identification and detection of cybersecurity vulnerabilities. An endpoint detection and response (EDR) initiative will be designed to help with detection, active threat hunting, containment, remediation and incident response. It is intended to include assurances that mission-critical systems are not disrupted; procedures for notifying vulnerable systems’ owners; and the approved techniques for testing these systems for vulnerabilities.
Investigation and Remediation
In addition to the improved intelligence sharing, the EO adds investigation techniques and procedures for remediating discovered risks and vulnerabilities. It specifically addresses event logging and mandates the development of policies and procedures for the types of logs to be maintained, how long they must be retained and how they must be encrypted.
Protection of National Security Systems
NIST defines national security systems as those systems that are specifically used for national security, such as military command and control systems, weapons systems and military intelligence. The EO requires national security systems to adopt controls that are as good as or better than the requirements set forth in the EO.
With the safety and security of every American on the line, the federal government can no longer allow its adversaries to run roughshod through our computer systems, both public and private. Traditionally, the general approach to defending our nation’s systems has been a reactive one, usually countered with an escalation by our adversaries. The new EO may bring about a sea change resulting in a more proactive approach to our cyberdefense capabilities.
Meredith Trimble is a former municipal official and Town Council Acting Chair, who focused on strategic planning, annual budgeting and bonded infrastructure projects. Her government experience also includes posts in both federal and state-level executive branch agencies; Associate Editor of the Federal Election Commission’s FEC Record; and Director of Education for the CT Office of State Ethics. In her current role as a Content Manager, Editorial with Tyler Technologies, Inc., she writes content to help empower those who serve the public. Her current focus is to help facilitate data-enabled organizations and create connections between governments and those they serve.