On May 12, President Joe Biden issued an executive order aimed at defending the U.S. against “persistent and increasingly sophisticated malicious cyber campaigns.” The order requires IT and OT service providers working with the federal government to collect and store data, information and reporting relevant to cybersecurity issues affecting their systems and share that information with U.S. government agencies, including the U.S. Cybersecurity and Information Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
One of the Order’s goals is to modernize federal government cybersecurity by unifying intelligence among the various agencies through information sharing. The Order also directs the federal government to adopt best practices including a Zero Trust Architecture and greater use of secure cloud services (SaaS, PaaS, IaaS). In fact, the migration to cloud technology must adopt Zero Trust architecture, unless it’s impractical. As part of that:
- CISA must develop a federal cloud security strategy and guidance for agencies so the agencies can move closer to Zero Trust architecture.
- The Secretary of Homeland Security must develop and issue security technical reference architecture documentation that recommends approaches for cloud migration and data protection for data collection and reporting.
- CISA must develop and issue a cloud service governance framework that identifies a range of services and protections available to agencies based on incident severity and data and processing activities associated with those services and protections.
- Unclassified data will be reviewed for sensitivity so it can be processed and stored accordingly.
- Agencies are required to adopt MFA and encryption for data at rest and in motion to the maximum extent consistent with federal and other applicable laws.
- FedRAMP, associated training and communications must be updated.
- Guidelines must be developed to evaluate software security, including the security practices of the developers and suppliers of the software.
- Software supply chain security must be updated.
- Agencies must be able to demonstrate compliance.
What this means for CISOs
Vendors selling to the U.S. government will be required to meet the yet-to-be-determined requirements. While they’ve been outlined in considerable detail, specific approaches, metrics, etc. have not yet been specified. However, the government is moving at a “government agile” pace, which means draft guidelines or specifications are generally due in 60 to 90 days (though the timelines can differ), with implementation planned shortly thereafter.
The areas covered in the order should be in the purview of enterprises generally. For example, the software supply chain guidance must address:
- Using administratively separate software build environments;
- Auditing trust relationships;
- Establishing multi-factor, risk-based authentication and conditional access across the enterprise;
- Documenting and minimizing application dependencies;
- Employing data encryption;
- Monitoring operations and alerts and responding to attempted and actual cyber incidents;
- Providing artifacts that demonstrate conformance (when requested by the purchaser);
- Employing automated tools, or comparable processes, to maintain trusted source code integrity and check for known and potential vulnerabilities;
- Providing artifacts of the execution of the tools and processes and publicly disclosing a summary of the risks assessed and mitigated (when requested by the purchaser);
- Maintaining accurate and up-to-date data about the origin of software code or components and controls and internal and third-party software components, tools and services present in software development processes and performing audits and enforcement of these controls on a recurring basis;
- Providing a purchaser with a software bill of materials for each product or publishing that information on the vendor’s website;
- Participating in a vulnerability disclosure program that includes a reporting and disclosure process;
- Attesting to conformity with secure software development practices; and
- Ensuring and attending to the integrity and provenance of open-source software used in any portion of a product.
The National Security Agency (NSA) will be publishing minimum vendor standards for testing software source code which will include identifying recommended types of manual or automated testing (e.g., code review tools, static and dynamic analysis, software composition tools and penetration testing). Meanwhile, the Secretary of Commerce will be working with the National Institute of Science and Technology (NIST) and other agencies to define security incentives for IoT vendors.
In addition, the Secretary of Homeland Security and the Attorney General will establish the Cyber Safety Review Board, which will be composed of federal officials and representatives from private sector companies. The Review Board will review and assess cyber incidents, including threat activity, vulnerabilities, mitigation activities and agency responses, and provide recommendations.
White House hard stance on cyber attacks
President Biden used the SolarWinds incident as the launch point for the executive order. The recent Colonial Pipeline attack was yet another indication that America must be better prepared for cyber warfare, cyber terrorism and other cyberattacks.
The good news is that the entities in charge of protecting America from threats will have to work together in new ways to effect the changes, since such agencies can no longer afford to operate in a stove-piped manner. The bad news is the sheer amount of red tape it will take to turn the Order into something that proves effective.