On May 12, 2021, President Joe Biden released an Executive Order on Improving the Nation’s Cybersecurity. In this post, we’ll examine what the order means for public sector cybersecurity teams.
President Biden’s May 12 executive order is split into 10 sections and is also summarized in a fact sheet. Below, we look at each section to understand both the purpose and the output.
The first section of the order spells out the “persistent and increasingly sophisticated and malicious cyber campaigns” facing both the public and private sector, and urges the federal government to:
The policy section states that incremental improvement isn’t enough. Instead, the government must make bold changes and significant investments in cybersecurity on-premise, in the cloud, and in hybrid environments — along with IoT and OT infrastructure. The section names the “prevention, detection, assessment, and remediation of cyber incidents a top priority and essential to national and economic security”.
This section of the order sets up the requirements and actions throughout the rest of the document. The federal government sees a move to the cloud, faster incident response, and shared intelligence among agencies as a top priority that won’t be solved without drastic changes.
The second section deals with current contract terms restricting federal agencies from sharing threat and incident information between agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the rest of the intelligence community.
Since federal agencies work with vendors to identify threats on agency networks and buy threat intelligence feeds, they are contractually unable to share these indicators with other agencies. Section 2 outlines a process to amend contract language to allow sharing of information, and the associated budget changes necessary to update licensing.
This section outlines cybersecurity best practices for the federal government to modernize its approach to cybersecurity, including:
Cloud Security for the Federal Government
Within 60 days, the order requires the head of each agency to update plans to prioritize resources for the adoption and use of secure cloud. The Secretary of Homeland Security will develop and issue a cloud service governance framework based on incident severity, identifying relevant data and processing activities.
Within 90 days, The Director of the OMB will provide guidance to agencies on the federal cloud security strategy. The Secretary of Homeland Security, acting through the Director of CISA, will develop and issue a technical reference architecture documentation recommending approaches to cloud migration and data protection.
The accelerated focus on federal government secure cloud adoption will include changes to FedRAMP, compliance mapping, and the establishment of a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology.
Zero Trust and the Federal Government
By July 11, 2021, each agency must develop a plan to implement Zero Trust and provide a report to the OMB and the Assistant to the President and National Security Advisor to budget for Zero Trust implementation.
By August 10, 2021, The Director of the OMB will provide guidance to agencies on federal Zero Trust architecture.
Multi-factor Authentication and the Federal Government
By November 8, 2021, agencies must adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws. Heads of FCEB Agencies will provide reports to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA on their respective agency’s progress in adopting multi-factor authentication and encryption of data at rest and in transit.
Agencies must provide reports every 60 days until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption. Those agencies unable to fully adopt multi-factor authentication and data encryption within 180 days must provide a written rationale to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA.
Incident Response and the Federal Government
By August 10, 2021, The Secretary of Homeland Security, acting through the Director of CISA, will establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, to ensure effective information sharing among agencies and between agencies and CSPs.
Data Classification and the Federal Government
By August 10, 2021, the heads of FCEB Agencies, in consultation with the Secretary of Homeland Security acting through the Director of CISA, will evaluate the types and sensitivity of unclassified agency data, and provide to the Secretary of Homeland Security, through the Director of CISA, and to the Director of OMB, a report based on such evaluation. The evaluation will prioritize identifying the most sensitive data under the greatest threat, and appropriate processing and storage.
This section identifies a lack of transparency in the development of commercial software used by the federal government in critical functions. It then establishes required actions to improve the security and integrity of the software supply change, and prioritizes addressing “critical software”.
The Solarwinds hack put a spotlight on the fact that federal cybersecurity is predicated on a distributed risk involving commercial software developers. This section looks to solicit input from the public and private sectors, academia, and others to understand what standards, tools, and best practices can better evaluate software security.
By June 26, 2021, the Secretary of Commerce, acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, the Secretary of Homeland Security acting through the Director of CISA, the Director of OMB, and the Director of National Intelligence, shall publish a definition of the term “critical software”, reflecting the level of privilege or access required to function, integration, dependencies, performance, and potential from harm if compromised.
By July 11, 2021:
By November 8, 2021, the Director of NIST will publish preliminary guidelines for enhancing software supply chain security.
By May 8, 2022, the Director of NIST will publish additional guidelines that include procedures for periodic review and updating of the guidelines.
By May 12, 2022, software suppliers will be required to comply with secure software development requirements in order to sell to federal agencies, and agencies are directed to remove software not meeting these amended requirements.
This section states that the Secretary of Homeland Security, in consultation with the Attorney General, will create a new Cyber Safety Review Board to assess incidents, mitigation activities, and responses. The Board will include representatives of the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI, as well as representatives from private-sector cybersecurity or software suppliers, as determined by the Secretary of Homeland Security.
Much like the NTSB, this board seeks to understand why significant incidents happened, what mitigation efforts were in place, what failed, and what can be learned and applied going forward.
Incident response procedures vary widely from agency to agency, and section 6 of the order seeks to standardize processes to identify, remediate, and recover from incidents. This section establishes a standard incident response playbook that:
Incorporates NIST standards
Can be used by FCEB agencies
Simply put, establishing a standard playbook that spans all federal agencies will result in operational efficiency and decreased time to remediation.
This section dictates that all federal agencies must deploy an endpoint detection and response initiative to maximize the early detection of vulnerabilities and incidents.
Those agencies that do not yet have an endpoint detection and response solution and initiative in place will be required to do so.
This section outlines the need to collect and maintain data to investigate and remediate threats and incidents. It specifies network and system logs on federal information systems, including both on-premise and third-party hosted systems, and seeks to establish standards for data retention and centralized access of asset data.
When we talk to federal government agencies at Axonius, we often hear how difficult it is to get a full picture of the entire environment to ensure that all assets are effectively covered by security controls and tools. Given this order’s focus on streamlined collaboration across agencies, improving the ability to collect, query, and act on asset data is an urgent priority.
This section is a catchall that dictates:
“The Secretary of Defense acting through the National Manager, in coordination with the Director of National Intelligence and the CNSS, and in consultation with the APNSA, shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements may provide for exceptions in circumstances necessitated by unique mission needs.”
Section 9 applies increased cybersecurity requirements to those systems deemed critical to national security.
Axonius works with many federal agencies to help them understand the full scope of assets in their environments so they can know any time a device, cloud instance, or user deviates from policy expectations. We recently announced that Axonius secured a contract to support DHS CDM for Group F federal agencies, and just yesterday we published that the Axonius Cybersecurity Asset Management Platform is now available on DLT Solutions GSA Schedule.
Axonius enables federal agencies to accurately and quickly track their assets, achieve a unified view of their environments, and efficiently meet emerging security compliance requirements. Per the sections in the order above, Axonius helps federal agencies:
41 Madison Avenue, 37th Floor
New York, NY 10010