In May 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity. The order states that the federal government must improve its ability to identify cyber threats and better protect against attacks and respond to them. It also acknowledges that a key to enhancing security is a public-private partnership and strengthening a service provider’s cybersecurity role. The order states: “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace.”
The order also stresses that the government is ready to make investments now. In the order, President Biden writes, “Incremental improvements will not give us the security we need; instead the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
Planned Change and Investment
One of the first actions mentioned in the order is removing barriers to sharing threat information. The order points out that the government contracts with numerous IT service providers, including cloud service providers, that have insights into threats and incident information. However, some contracts limit sharing that information with agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). Recommendations for changing contract language include redefining elements of service providers’ cybersecurity roles to include:
- Collecting and preserving data related to cybersecurity events
- Sharing data with relevant government agencies and any other entity that the Director of the Office of Management and Budget (OMB) directs
- Collaborating with federal agencies in their investigations and response to cybersecurity incidents
The federal government is also under a mandate to hit milestones for modernizing its cybersecurity. Goals include moving to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS), and analytics for identifying and analyzing cybersecurity risks.
Additionally, agencies are ordered to move to Zero Trust Architecture, which the National Institute of Standards and Technology (NIST) defines as “cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Zero Trust assumes that no user, device, or system is trusted by default, and that authentication and authorization are required before each session rather than once at the network perimeter.
The order to modernize cybersecurity also applies to Federal Civilian Executive Branch (FCEB) information systems and to IT systems operated on behalf of an agency by third-party contractors. In addition, FCEB agencies are directed to report on their progress in adopting multifactor authentication (MFA) and data encryption, and to provide reports every 60 days until they have fully adopted those technologies.
The Executive Order also mandates modernizing FedRAMP, including improving communications with cloud service providers, automation for assessment, authorization, monitoring and compliance, and digitizing documentation that vendors must complete. FedRAMP modernization will also include mapping compliance frameworks into the authorization process.
Mandates for the Software Supply Chain
Recent cyberattacks, such as the SolarWinds hack, have brought the issue of supply chain attacks to the forefront. The executive order points out that commercial software may lack adequate controls to prevent an attack and government agencies have limited visibility into the vulnerabilities that may exist in the software they use.
The federal government is currently working on guidelines for enhancing the software supply chain’s security, such as:
- Using separate build environments
- Auditing trust relationships
- Using MFA and encryption
- Minimizing dependencies on enterprise products
- Using automated tools to maintain trusted source code supply chains
- Participating in a vulnerability disclosure program
The order also requires providing a Software Bill of Materials (SBOM), either directly or by publishing it on a public website. The National Telecommunications and Information Administration (NTIA) collected public comments to take into consideration when determining the minimum components of an SBOM, such as dependency relationships, component names and versions, and cryptographic hashes of the components. NTIA is also working on recommendations for how often SBOMs should be generated and how they should be delivered, including who should have permission to access them.
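To make the SBOM elements above concrete, here is an added example (not code from the article, NTIA, or any SBOM standard such as SPDX or CycloneDX) that assembles a minimal SBOM from a constructed set of components and then checks it the way a receiving agency would: every listed hash must match the artifact actually delivered, and every declared dependency must itself appear in the SBOM. The field names, the `sbom_version` label, and the component names, versions, and artifact bytes are all hypothetical values chosen for the example.

```python
import hashlib
from dataclasses import dataclass, field, asdict

# Constructed sample artifacts. In a real delivery these would be the files
# that ship with the product; the bytes here are invented for the example.
ARTIFACTS = {
    "example-app": b"constructed application binary bytes",
    "libparse": b"constructed parser library bytes",
    "libcrypto-shim": b"constructed crypto shim bytes",
}


@dataclass
class Component:
    supplier: str                      # who produced the component
    name: str
    version: str
    sha256: str                        # cryptographic hash of the shipped artifact
    depends_on: list = field(default_factory=list)  # names of direct dependencies


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sbom(product: str, components: list) -> dict:
    """Assemble a minimal SBOM: a product label plus one record per component."""
    return {
        "sbom_version": "example-minimal-1",   # hypothetical format label
        "product": product,
        "components": [asdict(c) for c in components],
    }


def example_sbom() -> dict:
    """Build the SBOM for the constructed product; hashes are computed, not typed in."""
    comps = [
        Component("Example Vendor", "example-app", "2.1.0",
                  sha256_hex(ARTIFACTS["example-app"]), ["libparse"]),
        Component("Parser Project", "libparse", "0.9.4",
                  sha256_hex(ARTIFACTS["libparse"]), ["libcrypto-shim"]),
        Component("Shim Maintainers", "libcrypto-shim", "1.0.2",
                  sha256_hex(ARTIFACTS["libcrypto-shim"])),
    ]
    return build_sbom("example-app", comps)


def verify_sbom(sbom: dict, artifacts: dict) -> list:
    """Return a list of problems; an empty list means the SBOM matches the delivery.

    Checks: each component has a delivered artifact whose SHA-256 equals the
    recorded hash, and each declared dependency is itself listed in the SBOM.
    """
    problems = []
    listed = {c["name"] for c in sbom["components"]}
    for c in sbom["components"]:
        data = artifacts.get(c["name"])
        if data is None:
            problems.append(f"{c['name']}: no delivered artifact to hash")
        elif sha256_hex(data) != c["sha256"]:
            problems.append(f"{c['name']}: hash mismatch")
        for dep in c["depends_on"]:
            if dep not in listed:
                problems.append(f"{c['name']}: dependency {dep} not listed")
    return problems


def transitive_deps(sbom: dict, name: str) -> set:
    """Follow dependency relationships to find everything a component pulls in."""
    graph = {c["name"]: c["depends_on"] for c in sbom["components"]}
    seen, stack = set(), list(graph.get(name, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen


if __name__ == "__main__":
    sbom = example_sbom()
    print("problems:", verify_sbom(sbom, ARTIFACTS))
    print("example-app pulls in:", sorted(transitive_deps(sbom, "example-app")))
```

The hash check is what gives the SBOM its value for supply-chain defense: if a delivered library is swapped after the SBOM was produced, `verify_sbom` reports a mismatch for that component, and `transitive_deps` lets an agency answer "does any product we run contain this component?" once a vulnerability in it is disclosed.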
Assume a Larger Government Cybersecurity Role
Service and solutions providers have an opportunity to help agencies meet the new requirements in the order, and to provide the systems and services necessary to modernize agencies’ cybersecurity approach. In addition, solutions and services providers who work with the federal government, or are considering expanding their businesses into the government vertical, may gain an edge by aligning with the plans outlined in the order.
Read Executive Order 14028 for more information, implementation timelines, and agencies responsible for governance and review.