Cybersecurity Executive Order Key Points
August 09, 2021 by
Whenever the federal government acts on cybersecurity, public agencies should take note. Below is a brief foray into the latest executive order intented to improve the nation’s cybersecurity.
Why was the executive order written?
Consider the recent string of supply chain compromises on the United States. We are under attack. Just look at the headlines: FireEye Sunburst attack, SolarWinds compromise, the Colonial Pipeline and JBS Foods ransomware events, and the multiple federal agencies that have been breached. The president called the Russian-linked attack on the Colonial Pipeline an act of cyberterrorism. Our adversaries have made it clear they operate outside international law and do so with impunity.
The Executive Order (EO) 14028 issued by the president on May 12, 2021, is an effort to:
- Improve the nation’s ability to identify risks and vulnerabilities to its computer systems and those of its private sector partners
- Prevent compromises from occurring to those systems
- Detect exploits as they are occurring, respond to those exploits efficiently, and effectively recover from them
The EO is effectively re-writing how government approaches security. With a mandate to improve nearly every aspect of cybersecurity, from incident response to risk management and vendor management, EO 14028 improves the confidentiality, integrity, and availability (CIA) of our data.
One notable requirement of the EO is to promote threat information-sharing with contractors and private sector partners and service providers. Many existing contracts forbid or restrict the sharing of threats and incidents. Federal contractors will now be required to handle data responsibly, share relevant data with specified agencies, and collaborate on investigations. Knowing third-party vendor security is often the vector for a data breach, this is an important step in improving government security.
Modernizing Governmental Cybersecurity
With the ever-changing threat landscape and ever-increasing sophistication and abilities of malicious actors, the EO requires modernizing federal cybersecurity by improving visibility into threats and ensuring the protection of privacy and civil liberties. Outdated software and technologies need to be upgraded. Along with adopting cybersecurity best practices, the EO requires moving to secure cloud services; improving and centralizing access to data that drives the identification, analysis, and management of cybersecurity risks; and provides funding for the resources needed to achieve these goals.
Zero Trust Architecture, Multi-Factor Authentication, and Data Encryption
The EO requires implementing Zero Trust Architecture (ZTA). According to NIST, ZTA assumes no implicit trust is granted to users or assets, regardless of location. In other words, the network is no longer the focus of security. Since so many assets, services, accounts, workflows, and other resources are located outside the network, security is squarely focused on those inherently insecure resources, including endpoints.
Multi-factor authentication (MFA) can significantly improve cybersecurity. In addition to something you know (password), authenticators are something you have (a fob, or app), and something you are (biometric). By adding the second factor, brute force password hacking becomes a lesser threat.
Finally, by encrypting data both at rest and in transit, the EO ensures the end-to-end protection of data throughout its life cycle. This will provide a greater degree of privacy, confidentiality, and integrity.
Secure Software Development and IoT Testing
In response to the lack of transparency of commercial software development and controls, the EO provides requirements for the implementation of mechanisms to ensure software products operate securely and with integrity. This will include requirements for risk assessments, secure coding controls, and a Software Bill of Materials (SBOM) so agencies have transparency into a system’s development. In addition, the EO mandates the removal of all software products not meeting these requirements. The EO also requires Internet of Things (IoT) devices and software to include a consumer labelling program indicating levels of security testing a product has undergone.
National Cyber Safety Review Board and Improved Incident Response
The development of a Cyber Safety Review Board will create what appears at first blush to be a National Cybersecurity Incident Response Team (IRT). This team will be made up of various federal agencies and departments, in addition to private sector partners. The intention is to overhaul and standardize vulnerability and incident response procedures, improve coordination, and centralize a catalog of incidents and tracking of agency responses.
It also directs the federal government to improve identification and detection of cybersecurity vulnerabilities. An Endpoint Detection and Response (EDR) initiative will be designed to help with detection, active threat hunting, containment and remediation, and incident response. It is intended to include assurances that mission-critical systems are not disrupted; procedures for notification of vulnerable system’s owners; and the techniques allowed to be used during vulnerability testing of systems.
Investigation and Remediation
In addition to the improved intelligence-sharing, the EO adds investigation techniques and procedures for remediating discovered risks and vulnerabilities. It specifically addresses event logging and mandates the development of policies and procedures for the types of logs to be maintained, duration of retention, and encryption.
Protection of National Security Systems
NIST defines National Security Systems as those systems specifically used for National Security, such as military command and control systems, weapons systems, military intelligence, etc. The EO requires National Security Systems to adopt controls that are as good as or better than the requirements set forth in the EO.
With the safety and security of every American on the line, the federal government can no longer allow its adversaries to run roughshod through our computer systems, both public and private. Traditionally, the general approach to defending our nation’s systems has been a reactive one, usually countered with an escalation by our adversaries. It is hopeful EO 14028 may bring about a sea change and a more proactive approach to our cyberdefense capabilities.