Last week, President Biden signed an executive order on improving the cybersecurity posture of the United States. Faced with the constant threat of breaches and ransomware attacks, the nation’s highest office has decided to put into law a cybersecurity compliance initiative.
This is not the first time that our nation’s highest office has addressed this issue. Previously, President Obama signed into law the Cybersecurity Act of 2015. This opened the door for the sharing of cybersecurity threat information between the Federal Government and private entities. However, participation in this program was voluntary.
The difference now is that we are moving from voluntary participation to a requirement. And this order spells out some very specific measures to address the need for improvements in our infrastructure.
Along with the expectation of information sharing, and an established standard, this Order brings to the forefront leading practices that many of us in the cybersecurity profession have been sharing with our clients for some time.
Here is how this executive order breaks down:
Section 1 covers the policy itself. It recognizes the existence of cyber threats against both the private and public sectors. It also acknowledges that incremental improvements are not enough. And it is a call for the private sector and the Federal Government to partner together. The first effective step of any compliance program is the policy, and the Order starts here.
Section 2 outlines the plan to remove the barriers that prevent the sharing of threat information. This is the section that will require the largest paradigm shift for American business. Having access to information that others do not have gives an organization an advantage over its competition. However, keeping that information to oneself is proving to be detrimental. The order calls for identifying and lifting any contractual limitations that stand in the way of sharing threat information.
Section 3 states that the Federal Government must modernize its cybersecurity and adopt leading practices. These include a zero-trust architecture, cloud security, multi-factor authentication, and encryption of data (both at rest and in transit). Many of these changes are to be made within 180 days.
Section 4 addresses concerns in software security. It calls for new standards to strengthen the software supply chain, requiring developers to identify criteria for evaluating their secure development practices. Standards for more secure software will require more testing before release, but they can minimize the number of vulnerabilities in production code that malicious actors have exploited to compromise systems. The expectation is that preliminary guidance will be provided within 180 days, and additional guidelines within 360 days.
Section 5 establishes a cybersecurity safety review board that is co-chaired by government and private sector leaders. This board will determine membership eligibility requirements for the private sector’s representatives. This board will also establish thresholds for the types of events that will be evaluated. It is modeled after the National Transportation Safety Board, which investigates airplane crashes and other transportation incidents.
Section 6 looks to establish a standardized playbook for responding to cybersecurity threats. Within 120 days, the Secretary of Homeland Security and several government agencies will develop a standard set of operational procedures (a playbook) to be used when planning and conducting a cybersecurity vulnerability and incident response activity. This playbook will:
- Incorporate all National Institute of Standards and Technology (NIST) standards;
- Be used by Federal Civilian Executive Branch (FCEB) agencies; and
- Articulate progress and completion through all phases of incident response, while allowing for flexibility to respond to a variety of incidents.
The section calls out NIST as the guiding standard. While there are many frameworks out there, including ISO/IEC 27001, the Center for Internet Security (CIS) Controls, and others, all of these have been mapped in one way or another back to the NIST 800-53 framework. Even the Cybersecurity Maturity Model Certification (CMMC) and the Health Insurance Portability and Accountability Act (HIPAA) are based on the NIST framework.
The playbook outlined here is expected to be reviewed periodically and include key terms to provide a consistent understanding of definitions.
Section 7 outlines improving the detection of vulnerabilities and incidents on Federal Government networks. This promotes a managed detection and response (MDR) initiative to support proactive identification of threats, including developing and maintaining a memorandum of agreement (MOA) with the Cybersecurity and Infrastructure Security Agency (CISA) for the Continuous Diagnostics and Mitigation (CDM) program. It will also recommend how to conduct threat-hunting activities on FCEB networks without prior authorization from agencies, while ensuring that mission-critical systems are not disrupted, and it will include procedures for notifying system owners of vulnerable government systems and the range of techniques that could be used for testing.
Section 8 provides the initiative to improve the Federal Government’s investigative and remediation capabilities. It will provide recommendations for requirements for logging and monitoring events and other relevant data within an agency’s systems and networks. This will include the types of logs to maintain, the time period to retain these logs, and how to protect the logs from unauthorized exposure and tampering.
Section 9 calls for the adoption of minimum standards within 60 days. It indicates that the Federal Government shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements may provide for exceptions in circumstances necessitated by unique mission needs. Such requirements shall be codified in a National Security Memorandum (NSM).
Section 10 provides definitions for a common understanding of terms as they relate to this order.
Finally, Section 11 gives the National Cyber Director (NCD), and the related Office established within the Executive Office of the President, the authority to carry out these duties.
The Order itself provides a timeline of expectations. It will be interesting to see how these timeframes play out. Regardless, there is now the expectation of cooperation and collaboration between the private and public sectors to better our national infrastructure.