On May 12th, the Biden Administration issued a much-anticipated “Improving the Nation’s Cybersecurity” Executive Order (EO), setting certain standards and requirements to prevent cyberattacks for government agencies, federal contractors, and others.
The EO was in the works prior to the recent cyberattack on the Colonial Pipeline that slowed and snarled the flow of gas on the East Coast for days. Reportedly, it was a ransomware incident. Ransomware attacks are not new, but they are becoming more prevalent as well as more severe. Most of the time, people don't really see the large sums paid to hackers by victim organizations needing access to their encrypted data or wanting to stop a disclosure of sensitive information. But most do see the crippling of vital infrastructure caused by compromised computer systems without which basic services cease to flow.
Some attacks that have affected entities considered to be critical infrastructure have been well-publicized. The SolarWinds breach in 2020, named Sunburst, was a massive compromise of government agencies, including the Department of Energy. In February 2021, ABC News reported that weak cybersecurity controls allowed hackers to access a Florida wastewater treatment plant’s computer system.
As the EO states:
"The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors. The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned. But cybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced."
Generally, the EO will affect the federal government and its agencies. However, some requirements will reach certain federal contractors and influence entities in the private sector.
Among other requirements, the EO directs the following:
- Remove contractual barriers in contracts between the federal government and its information technology (IT) and operational technology (OT) service providers. The goal is to increase information sharing about threats, incidents, and risks in order to accelerate incident deterrence, prevention, and response efforts and to enable more effective defense of government systems and information. As part of this effort, the EO requires a review of the Federal Acquisition Regulation (FAR) concerning contracts with such providers and recommendations for contract language designed to achieve these goals. Recommendations will include, for example, the time periods within which contractors must report cyber incidents based on severity, with reporting on the most severe cyber incidents not to exceed three days after initial detection. The changes also will seek to standardize common cybersecurity contractual requirements across agencies.
- Modernize the approach to cybersecurity. Some of the technical controls called for in the EO include the following:
  - adopting security best practices
  - advancing to Zero Trust Architecture
  - moving to secure cloud services, including Software as a Service (SaaS)
  - centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks
  - adopting multi-factor authentication
  - adopting encryption for data at rest and in transit (to the maximum extent consistent with federal records laws and other applicable laws)
- Improve software supply chain security. Driven by the SolarWinds incident (hackers used a routine software update to slip in malicious code that enabled the cyberattack), the EO points to the lack of transparency in software development and asks, among other things, whether adequate controls exist to prevent tampering by malicious actors. The EO calls for guidance to be developed that will strengthen this supply chain. This will include potential new standards, procedures, and criteria, such as securing development environments and attesting to conformity with secure software development practices. The EO also requires recommendations for contract language that would require suppliers of software available for purchase by agencies to comply with, and attest to complying with, the guidance developed. Efforts also will be made to reach the private sector. For instance, pilot programs will be initiated by the Secretary of Commerce, acting through the Director of the National Institute of Standards and Technology (NIST), to educate the public on the security capabilities of internet-of-things (IoT) devices and on software development practices, and to consider ways to encourage manufacturers and developers to participate in these programs.
- Establish a Cyber Safety Review Board. Among the new Board’s duties are reviewing and assessing certain significant cyber incidents affecting Federal Civilian Executive Branch Information Systems or non-federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.
- Standardize incident response. The EO calls for a standardized federal government response to cybersecurity vulnerabilities and incidents, to ensure more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.
- Improve detection. The EO seeks to improve detection of cybersecurity vulnerabilities and incidents on federal government networks.
- Improve investigative and remediation capabilities. Recognizing it is essential that agencies and their IT service providers collect and maintain network and system logs on federal information systems in order to address a cyber incident, the EO seeks recommendations on the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. These recommendations also will be considered by the FAR Council when promulgating rules for removing barriers to sharing threat information.
The U.S. government is expected to ramp up efforts to strengthen its cybersecurity, and states likely will continue to legislate and regulate in this area. All businesses, especially federal contractors, can expect pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance.
While the EO is directed towards Federal agencies as well as government contractors, it would be a good practice for all businesses to model their cybersecurity processes, policies, and protocols on these new standards. While it's not a mandate (yet), it's only a matter of time until these become more than just recommendations and rather the standards we should all be held to.
What do you think? Is the EO enough? Should the federal government put into law minimum cybersecurity requirements for all U.S.-based businesses? Let us know your thoughts in the Comments box below, or shoot me an email if you’d like to chat about this in more detail.