What’s in President Biden’s Executive Order on Improving the Nation’s Cybersecurity?
On May 12, 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (the Order). The Order emphasized the current cyberattack landscape targeting the public and private sectors and the need to heighten efforts and increase resources to defend against this threat environment. The Order follows recent high-profile cyber incidents, such as the Colonial Pipeline ransomware attack, the SolarWinds compromise, and the exploitation of Microsoft Exchange zero-day vulnerabilities. Echoing the National Institute of Standards and Technology (NIST) Cybersecurity Framework’s Five Functions, the Order called for the federal government to improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors. Specifically, the Order states that all Federal Information Systems should meet or exceed certain requirements for cybersecurity. Parts of the Order will also directly affect federal contractors and their supply chains. The following are the general areas addressed in the Order.
Removing Barriers to Sharing Threat Information – The Director of the Office of Management and Budget (OMB), in consultation with other agencies, will review and recommend updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for contracting with providers of systems that process data (referenced as Information Technology or “IT” in the Order) and systems that run vital machinery (referenced as Operational Technology or “OT” in the Order). The purpose of this process is to remove contractual barriers that limit the sharing of threat or incident information with the agencies responsible for investigating and remediating cyber incidents. It will also outline required reporting of cyber incidents by federal contractors.
Modernizing Federal Government Cybersecurity – The federal government will be required to modernize its approach to cybersecurity, which includes taking steps to: adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service, Infrastructure as a Service, and Platform as a Service; centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals. In particular, the Order directs federal agencies to adopt certain security controls known to mitigate risks to sensitive data and systems, including multi-factor authentication (MFA) and encryption.
Enhancing Software Supply Chain Security – Highlighting that the security of software used by the federal government is vital to the federal government’s ability to perform its critical functions, the Director of NIST will solicit input from the federal government, private sector, academia, and others to generate guidelines that enhance the security of the software supply chain. This guidance will include standards, procedures, or criteria for secure software development environments, emphasizing the importance of security controls such as segmentation, MFA, encryption, and endpoint detection and response (EDR) tools. It will also include automated tools, or comparable processes, to maintain trusted source code supply chains and ensure the integrity of the code. Similarly, it will include the deployment of automated tools, or comparable processes, that continuously check for known and potential vulnerabilities and remediate them prior to the release of new products, new versions, and updates. It will also involve: providing a purchaser with a Software Bill of Materials (SBOM) for each product, either directly or by publishing it on a public website; participating in a vulnerability disclosure program that includes a reporting and disclosure process; and attesting to conformity with secure software development practices.
Establishing a Cyber Safety Review Board – Modeled after the National Transportation Safety Board, a Cyber Safety Review Board established by the Secretary of Homeland Security and co-chaired by government and private sector leads will be tasked with convening to assess and review significant cyber incidents, evaluate the federal government’s response, and provide recommendations for improving the response to cybersecurity incidents.
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents – A cybersecurity playbook will be developed by the Cybersecurity and Infrastructure Security Agency (CISA) in coordination with other agencies, such as the Department of Defense, to implement standardized response processes and ensure centralized, coordinated cataloging and operating procedures when responding to cybersecurity threats and incidents. The playbook will also provide the private sector with a template for its own cybersecurity response efforts.
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks – The federal government will employ resources to increase its visibility into cybersecurity vulnerabilities and threats to agency networks. This includes the deployment of an EDR initiative to support proactive detection of cybersecurity incidents. EDR is one of the strongest elements of a layered defense when it is used effectively, with heuristic (behavior-based) detection backed by strong data analytics.
Improving the Federal Government’s Investigative and Remediation Capabilities – Agencies and their IT service providers will be required to collect and maintain data relevant to investigation and remediation, such as network and system logs from Federal Information Systems. Further, agencies and their IT service providers will be required to provide that data to CISA and the Federal Bureau of Investigation, as necessary and consistent with applicable law. The Director of OMB, in consultation with the Secretary of Commerce and the Secretary of Homeland Security, will formulate policies for agencies that establish requirements for logging, log retention, and log management, ensuring centralized access and visibility for the highest-level security operations center of each agency.
National Security Systems – Within 60 days of the date of the Order, the Secretary of Defense will be required to adopt the equivalent of the standardized cybersecurity requirements set forth within the Order for National Security Systems.
The Executive Order applies to the federal government and its agencies, as well as affected federal contractors. While the immediate impact in the private sector will be on government contractors and their supply chains, the downstream effects will likely reach the broader private sector as the cybersecurity standards set forth in the Order become industry best practices. Certain initiatives, such as the increased adoption of zero-trust security and an accelerated movement to secure cloud services, will become more prominent components of network architecture as organizations follow the example of the federal government and its agencies.