Deconstructing the Executive Order on Improving the Nation's Cybersecurity
On May 12, 2021 President Biden signed the Executive Order (EO) on Improving the Nation’s Cybersecurity to establish additional cybersecurity policies and requirements to address sophisticated malicious cyber campaigns that threaten both the public and private sectors. Several recent catalysts are responsible for this outcome, specifically the SolarWinds and Colonial Pipeline hacks.
Zero Friction's team has digested this EO and provides the key observations here for our readers.
The EO is organized into nine key sections, summarized as follows:
Section 1 establishes the policy scope, which includes systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)), as well as the expectation for leadership teams across agencies that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.
Section 2 addresses the actions to be taken to remove and reduce the barriers to sharing threat information by standardizing contract language and requirements via the FAR Council. Section 2 also proposes that the standard contract language be incorporated across all agencies, streamlining and reducing the need for agency-specific language. Specifically, the changes apply to the following:
How service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation.
How service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted.
How service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems.
How service providers share cyber threat and incident information with agencies and, where possible, in industry-recognized formats for incident response and remediation.
Section 2 also mandates a cybersecurity reporting model in which the reporting requirements vary with the severity of the incident, with the most severe incidents to be reported no later than 3 days from initial detection.
Section 3 should stimulate cybersecurity spending across agencies as it outlines the expectation for agencies to:
adopt security best practices;
advance toward Zero Trust Architecture;
accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS);
centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks;
invest in both technology and personnel to match these modernization goals.
A key takeaway is the shift from static, network-based perimeters to a focus on users, assets, and resources per the Zero Trust Architecture model. Furthermore, agency heads are expected to develop and implement Zero Trust Architecture for their agency, requiring a plan and activity schedule, including any migration required toward that goal. Other significant security requirements in this section reiterate prior mandates, to be implemented within six months:
Use of multi-factor authentication (MFA)
Use of encryption at rest
Use of encryption in transit
Another key takeaway is the push toward more secure, cloud-based solutions, particularly those that leverage FedRAMP. Specifically, FedRAMP is to be modernized through:
automation of FedRAMP lifecycle
allowing relevant frameworks, mapped to the FedRAMP authorization process, to be utilized for the relevant portion of the authorization process as appropriate.
Section 4 focuses on changes through NIST-driven guidance and standards to enhance software supply chain security. Specifically, the EO requires NIST to:
establish new guidelines for critical software that can be used to evaluate software security.
include criteria to evaluate the security practices of the developers and suppliers themselves.
identify innovative tools or methods to demonstrate conformance with secure practices.
A key takeaway for this section is the mandated use of a secure development environment and related security practices, including:
separate build environments
auditing of trust relationships
use of MFA and conditional access
coverage extending to software dependencies, libraries, and development tools
use of encryption
use of automated source code management solutions
use of automated static and dynamic code analysis tools
use of monitoring and alerting systems
Suppliers are required to maintain software updates, publish a software bill of materials (SBOM), participate in a vulnerability disclosure program, and provide both artifacts and attestation of their compliance with the secure development requirements, including any use of open-source code libraries or solutions.
The EO also mandates a labeling program for IoT to reflect the levels of testing and assessment that a product has undergone, and tasks NIST with defining a baseline set of secure practices for IoT.
Section 5 establishes a Cyber Safety Review Board to review and assess significant cyber incidents affecting agency Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses. The Board members will include both Federal and private sector representatives, and the Board is to be convened by DHS following a significant cyber incident, presumably one on the scale of SolarWinds or Colonial Pipeline.
Section 6 tasks CISA with standardizing the response to cyber vulnerabilities and incidents into a common playbook to be utilized across agencies. The key takeaway is that the Board will serve to centralize and coordinate the response to significant cyber events, probably a lesson learned from the Federal agencies' response to the SolarWinds incident.
Section 7 intends to bolster agencies' capability for early detection of cybersecurity vulnerabilities and incidents. Our take is that this section will drive an increase in automation and more significant investment in the Continuous Diagnostics and Mitigation (CDM) Program to fortify the cybersecurity of government networks and systems.
Section 8 focuses on the Federal Government’s investigative and remediation capabilities. Specifically, it mandates requirements for:
establishing event logging and retaining other relevant data within an agency’s systems and networks.
the types of logs to be maintained.
the time periods to retain the logs and other relevant data.
the time periods for agencies to enable the recommended logging and security requirements.
how to protect logs, with periodic verification of their integrity throughout their retention.
Lastly, Section 9 broadly addresses National Security Systems for the DoD by setting their security baselines to be no less than what is defined in the EO, without providing any specifics.