What the U.S. Government Sees as the MSP’s Cybersecurity Role

As a government contractor, your responsibilities for cybersecurity and incident response are expanding by Executive Order.

Cybersecurity Role

In May 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity. The order states that the federal government must improve its ability to identify cyber threats and better protect against attacks and respond to them. It also acknowledges that a key to enhancing security is a public-private partnership and strengthening a service provider’s cybersecurity role. The order states: “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace.”

The order also stresses that the government is ready to make investments now. In the order, President Biden writes, “Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments to defend the vital institutions that underpin the American way of life.”

Planned Change and Investment

One of the first actions mentioned is removing barriers to sharing threat information. The order points out that the government contracts with numerous IT service providers that have insights into threats and incident information, including cloud service providers. However, some contracts limit sharing of that information with agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Recommendations for changing contract language include redefining elements of service providers’ cybersecurity roles to include:

  • Collecting and preserving data related to cybersecurity events
  • Sharing data with relevant government agencies and any other entity that the Director of the Office of Management and Budget (OMB) directs
  • Collaborating with federal agencies in their investigations and response to cybersecurity incidents

The federal government is also mandated to hit milestones for modernizing its cybersecurity. Goals include moving to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and analytics for identifying and analyzing cybersecurity risks.

Additionally, agencies are ordered to move to Zero Trust Architecture, which the National Institute of Standards and Technology (NIST) defines as “cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Zero Trust assumes that no user, device or system is trusted by default, so authentication and authorization are required before each session rather than once at the network edge.

The order to modernize cybersecurity also applies to Federal Civilian Executive Branch (FCEB) information systems and IT systems operated on behalf of an agency by third-party contractors. In addition, FCEB agencies are directed to report on their progress in adopting multifactor authentication (MFA) and data encryption – and provide reports every 60 days until they fully adopt those technologies.

The Executive Order also mandates modernizing FedRAMP, including improving communications with cloud service providers, automation for assessment, authorization, monitoring and compliance, and digitizing documentation that vendors must complete. FedRAMP modernization will also include mapping compliance frameworks into the authorization process.

Mandates for the Software Supply Chain

Recent cyberattacks, such as the SolarWinds hack, have brought the issue of supply chain attacks to the forefront. The executive order points out that commercial software may lack adequate controls to prevent an attack and government agencies have limited visibility into the software’s vulnerabilities.

The federal government is currently working on guidelines for enhancing the software supply chain’s security, such as:

  • Using separate build environments
  • Auditing trust relationships
  • Using MFA and encryption
  • Minimizing dependencies on enterprise products
  • Using automated tools to maintain trusted source code supply chains
  • Participating in a vulnerability disclosure program

The order also requires providing a Software Bill of Materials (SBOM) directly or publishing it on a public website. The National Telecommunications and Information Administration (NTIA) collected public comments to consider when determining the minimum components of an SBOM, such as dependency relationships, components and versions, and cryptographic hash functions of the components. NTIA published a series in 2021 that documented its work to date, noting that the “government and industry are taking up the cause.”

CISA.gov currently has various resources and invites stakeholders to receive updates or participate in education sessions on SBOM topics.
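To make the SBOM elements named above concrete (component and version, a cryptographic hash of each component, and dependency relationships), here is an added Python example that is not part of the original article or of any NTIA or CISA tooling; the component names, artifact bytes and the `example-minimal-sbom` format label are constructed for the example. It shows both sides: a producer emitting the minimal record, and a consumer checking that what was delivered matches the SBOM and that every declared dependency is itself listed.

```python
import hashlib

# Constructed sample delivery: these byte strings stand in for real packages.
ARTIFACTS = {
    "libparse": b"libparse 2.3.1 build",
    "netclient": b"netclient 1.0.4 build",
    "app": b"app 5.2.0 build",
}
VERSIONS = {"libparse": "2.3.1", "netclient": "1.0.4", "app": "5.2.0"}
DEPENDS_ON = {"app": ["libparse", "netclient"]}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_sbom(artifacts, versions, depends_on) -> dict:
    """Producer side: one record per component carrying the three element
    groups the order calls for: name plus version, hash, and dependencies."""
    components = []
    for name, data in artifacts.items():
        components.append({
            "name": name,
            "version": versions[name],
            "hash": {"alg": "sha256", "value": sha256_hex(data)},
            "dependsOn": list(depends_on.get(name, [])),
        })
    return {"format": "example-minimal-sbom", "components": components}

def validate_sbom(sbom: dict, artifacts: dict) -> list:
    """Consumer side: return findings; an empty list means the SBOM matches
    what was actually delivered and its dependency graph is closed."""
    findings = []
    listed = {c["name"] for c in sbom["components"]}
    for c in sbom["components"]:
        if not c.get("version"):
            findings.append(f"{c['name']}: missing version")
        if c["name"] not in artifacts:
            findings.append(f"{c['name']}: listed but not delivered")
        elif c["hash"]["value"] != sha256_hex(artifacts[c["name"]]):
            findings.append(f"{c['name']}: hash mismatch (artifact altered or SBOM stale)")
        for dep in c["dependsOn"]:
            if dep not in listed:
                findings.append(f"{c['name']}: depends on {dep!r}, which is not in the SBOM")
    for name in artifacts:
        if name not in listed:
            findings.append(f"{name}: delivered but not listed in the SBOM")
    return findings
```

A real SBOM would use a standard format such as SPDX or CycloneDX; the structure here is deliberately reduced to the minimum elements the passage names.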

Assume a Larger Government Cybersecurity Role

Service and solutions providers have an opportunity to help agencies meet the new requirements in the order – and to provide systems and services necessary to modernize agencies’ cybersecurity approach. In addition, solutions and services providers who work with the federal government – or are considering expanding their businesses into the government vertical – may also create an edge by aligning with the plans outlined in the order.

Read Executive Order 14028 for more information, implementation timelines, and agencies responsible for governance and review.