The executive order, Improving the Nation’s Cybersecurity, seeks to improve the federal government’s cybersecurity across agencies. One year on, how are these efforts playing out?
One year ago, President Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity.” Issued in the wake of major cyber breaches, the order aims to enhance federal cybersecurity posture government-wide and to close the gap between agencies with sophisticated cybersecurity through a variety of measures. These include:
Perhaps most notably, the executive order pushes federal agencies to transition to a zero-trust architecture before fiscal year 2025. This transition to zero trust will underpin the government’s efforts to strengthen cybersecurity. Because there is no one size fits all approach to zero trust, multiple agencies are leading the way with guidance and resources for agencies to utilize during their transition. The Office of Management and Budget (OMB) published their Zero Trust Strategy, which offers agencies a zero trust roadmap, and the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model is another complementary zero trust reference guide. For the Department of Defense, there is the Zero Trust Reference Architecture prepared by the Defense Information Systems Agency and the National Security Agency.
While not intended as a quick fix, the order did lay out aggressive timelines for federal agencies to begin complying with various requirements. So how is the government doing when it comes to implementing the cybersecurity executive order one year later? Let’s take a look.
According to a recent survey of 160 federal cybersecurity leaders on the impact of the cyber security executive order, 78% thought the steps outlined in the order were necessary to protect the United States, and 99% thought agencies were progressing against the executive order’s goals. The survey, conducted by Meritalk and underwritten by AWS, CrowdStrike and Zscaler, found that while agency decision-makers support the order’s goals, 67% said the three-year implementation timeline was unrealistic, and just 14% said they had the funding necessary to fully execute all the order’s requirements.
Strong agency leadership is a difference maker when it comes to implementation progress. Respondents who rated their agency’s implementation progress as excellent are “significantly more likely to have their CIO lead zero trust efforts,” according to the survey.
Another survey on federal zero trust efforts from GDIT found that 76% of respondents said their agency “has a formal strategy in place to implement their zero trust approach.” That survey also found that the top three perceived benefits of zero trust are data usability, data breach risk reduction, and reducing the cyberattack surface.
Resource constraints have and will continue to be a challenge for cybersecurity executive order implementation. Agency budgets are just beginning to adjust for and anticipate its requirements, so CIOs, CISOs and other cybersecurity leaders will have to work diligently to ensure timelines are met while still dedicating adequate resources to their daily missions. According to the Meritalk survey respondents, negative impacts of the executive order included “time consuming proof of compliance requirements,” “taken IT staff from other projects” and “created competition between agencies for trained staff or other resources.” Challenges to zero trust adoption highlighted in the GDIT survey included replacing legacy infrastructure, identifying the technologies needed and a lack of IT staff expertise.
Going beyond the sentiment around the cybersecurity executive order, let’s take a look at some of the other milestones reached over the past year.
The order required the Department of Homeland Security to recommend changes to the Federal Acquisition Regulation (FAR) Council regarding new language that would require contractors to report cyber incidents. The FAR Council is considering the DHS recommendations and developing a proposed rule to amend federal contracting requirements. DHS was also tasked with developing language governing cybersecurity requirements for contractors handling Controlled Unclassified Information (CUI).
While the order can only direct the federal government to make cybersecurity improvements, the private sector, especially those who sell to the government, will see an impact. Changes in contracting requirements will act as a forcing function for contractors and their supply chains to enhance their own cybersecurity in order to keep doing business with the government.
The National Institute of Standards and Technology (NIST), along with OMB and CISA, is one of the key organizations responsible for guiding agencies as they transition to a zero trust architecture and implement the cybersecurity executive order.
Just recently, on May 6, 2022, NIST published “Planning for a Zero Trust Architecture: A Planning Guide for Federal Administrators.” The white paper is intended to “help enterprise administrators, system operators and IT security officers understand how the various roles and tasks in the NIST Risk Management Framework (RMF) can be used when moving to a zero trust architecture.”
The cybersecurity executive order also directed NIST to address challenges posed by software cybersecurity.
NIST was tasked with developing a labeling program to inform consumers about the security capabilities of the software they’re purchasing, akin to Nutrition Facts on food products. In February, NIST published its “Recommended Criteria for Cybersecurity Labeling of Consumer Software.” According to NIST, the document addresses: “1) the role of a scheme owner in a labeling program, 2) baseline technical criteria that can inform a label, 3) labeling presentation criteria and 4) conformity assessment criteria.”
Staying in the software security arena, the cybersecurity executive order required NIST to identify practices to enhance the security of the software supply chain. To that end, NIST published “Software Supply Chain Security Guidance” to help federal procurement officials ask the right questions of software vendors regarding their secure development practices.
Over the past year the government has made progress towards the ultimate goal of “Improving the Nation’s Cybersecurity.” There is no doubt that there are many challenges ahead, some known and others yet to be stumbled upon. Cybersecurity is a journey, not a destination, and improvements will always need to be made even after every executive order requirement is checked off. As we’ve hopefully learned by now, our adversaries will keep doing their part to ensure we exist in a “dynamic threat environment” for the foreseeable future.