The Executive Order on Improving the Nation’s Cybersecurity takes aim at improving information sharing and supply chain security and at tackling cyberthreats.
President Biden recently issued an executive order on improving the nation’s cybersecurity. It “is the first of many ambitious steps the administration is taking to modernize national cyber defenses,” according to a White House fact sheet. You can read the full order on whitehouse.gov.
The cybersecurity executive order comes at a time when the country is facing increasingly sophisticated cyberthreats, and the need for coordination between the public and private sector is critical to maintaining an effective cybersecurity posture. While the measures put forth in the order are primarily applicable to the Federal Civilian Executive Branch (FCEB), the administration hopes the improvements in federal network security will serve as an example for shifts in cybersecurity policy across many sectors.
The following provisions will have the most direct impact on IT service providers who contract with the federal government. Transparency might be the theme for these provisions as the government seeks more information about the commercial platforms they rely on to function and keep their data safe.
Information sharing plays a key role in developing an adequate response to cyber incidents and anticipating future threats. However, private sector companies are often reluctant to notify the government that they’ve been a victim of a cyberattack or data breach. There are numerous reasons for this approach, including fear of liability, contract requirements and simply concern over bad publicity.
The executive order seeks to improve the level of information sharing and timeliness of breach notifications for government contractors providing IT services by modifying existing federal acquisition requirements. These changes will require government IT service providers to share relevant threat information with impacted agency customers and collaborate with law enforcement investigations. This policy shift will certainly help the remediation process for cyber incidents where government data is at risk. While this requirement won’t impact non-contractor private sector entities, it may lead to more established information sharing norms and future legislation that would encourage cooperation with government investigators, such as liability protection.
Additional provisions in the cybersecurity executive order that contractors should take note of concern software supply chain security. The government relies heavily on software platforms from the private sector, but it often does not have insight into how secure those software platforms are. And in many cases, the software providers themselves may not have a complete understanding of their own ecosystem.
To mitigate this, the order calls for the National Institute of Standards and Technology (NIST) to lead development of new software supply chain security standards. This guidance will lay out best practices for secure software development, deployment and upgrades. Commercial software providers will need to publish a “Software Bill of Materials,” participate in a vulnerability disclosure program and attest to their product’s security.
Many commercial entities follow existing NIST guidance on privacy and security even though they aren’t doing business with the government. The new software supply chain security guidance developed under the executive order may take on a similar role for the private sector — an industry standard that companies and consumers look to when evaluating potential vendors.
The following requirements for federal agencies focus on threat detection, response and mitigation. The government’s lead civilian cybersecurity agency, the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS), is responsible for securing federal networks. But much like the disconnect between the public and private sectors, there are a lot of barriers between federal agencies themselves, making it difficult for CISA to get a complete picture of network activity and respond to threats accordingly. Biden’s executive order takes steps to unify and synchronize the federal government’s approach to cybersecurity.
Under the order, the government will create a standard cyber response playbook. FCEB agencies will collaborate with DHS to develop a standardized protocol for responding to cyber incidents. All agencies will have to meet a certain level of maturity and preparedness in the event of an attack, an improvement from the current posture, where federal agencies vary in their ability to detect and respond to threats and to collaborate with DHS. This is another provision that serves to “lead by example,” whereby private sector organizations could adopt the federal government’s response playbook or model their own on it.
In conjunction with a standardized playbook, the cybersecurity executive order will enhance government-wide detection capabilities and information sharing. All agencies will implement endpoint detection and response technology, so everyone is on equal footing when it comes to detecting network intrusions. Further, the order will require all federal agencies to log network activity in order to support incident response and remediation. Lack of adequate logging capabilities at certain agencies impedes network monitoring for active threats and remediation following an incident.
This executive order paves the way for meaningful change in the government’s approach to cybersecurity and, hopefully, sets the private sector up to adopt some of the same practices. As the rollout of the EO continues, the government will be able to leverage its vast IT budget and purchasing power to ensure contractors are meeting cybersecurity standards. The country’s physical safety and security are now inextricably linked to cybersecurity, and the threat must be addressed as such.