On May 12, 2021, President Joe Biden released an Executive Order on Improving the Nation’s Cybersecurity. In this post, we’ll examine what the order means for public sector cybersecurity teams.
Key Takeaways from the Executive Order on Improving the Nation’s Cybersecurity
- Establishment of the Cyber Safety Review Board, modeled after the National Traffic Safety Board to review and assess significant cyber incidents
- Removal of barriers to threat intel sharing between government and the private sector
- A focus on modernizing federal government security posture, including secure cloud services and zero-trust architecture
- Secure software development standards to improve supply chain security, modeled after the “energy star” label
- Incident response standardization, including standard playbooks and improved detection and remediation capabilities
What Does the Executive Order on Improving the Nation’s Cybersecurity Mean?
President Biden’s May 12 executive order is split into 10 sections and is also summarized in a fact sheet. Below, we look at each section to understand both the purpose and the output.
Section 1: Policy
The first section of the order spells out the “persistent and increasingly sophisticated and malicious cyber campaigns” facing both the public and private sector, and urges the federal government to:
- Identify, deter, detect, and respond to malicious cyber actors
- Apply lessons learned in major breaches to prevent them from recurring
- Partner with the private sector to ensure their products are secure
What Does the Policy Section Mean?
The policy section states that incremental improvement isn’t enough. Instead, the government must make bold changes and significant investments in cybersecurity on-premise, in the cloud, and in hybrid environments — along with IoT and OT infrastructure. The section names the “prevention, detection, assessment, and remediation of cyber incidents a top priority and essential to national and economic security”.
This section of the order sets up the requirements and actions throughout the rest of the document. The federal government sees a move to the cloud, faster incident response, and shared intelligence among agencies as a top priority that won’t be solved without drastic changes.
Section 2: Removing Barriers to Sharing Threat Information
The second section deals with current contract terms restricting federal agencies from sharing threat and incident information between agencies, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the rest of the intelligence community.
What Does the Threat Information Sharing Section Mean?
Because federal agencies work with vendors to identify threats on agency networks and buy threat intelligence feeds, they are often contractually unable to share these indicators with other agencies. Section 2 outlines a process to amend contract language to allow sharing of information, along with the budget changes necessary to update licensing.
Section 3: Modernizing Federal Government Cybersecurity
This section outlines cybersecurity best practices for the federal government to modernize its approach to cybersecurity, including:
- Advancement toward Zero Trust architecture
- Accelerated secure cloud, SaaS, IaaS, and PaaS adoption
- Centralized and streamlined access to cybersecurity data for managing cybersecurity risks
- Investment in both technology and personnel to meet these goals
- Increased incident response collaboration
- Adoption of multi-factor authentication, encryption, and data classification
What Does the Section on Modernizing Federal Cybersecurity Mean?
Cloud Security for the Federal Government
Within 60 days, the order requires the head of each agency to update plans to prioritize resources for the adoption and use of secure cloud. The Secretary of Homeland Security will develop and issue a cloud service governance framework based on incident severity, identifying relevant data and processing activities.
Within 90 days, the Director of the OMB will provide guidance to agencies on the federal cloud security strategy. The Secretary of Homeland Security, acting through the Director of CISA, will develop and issue technical reference architecture documentation recommending approaches to cloud migration and data protection.
The accelerated focus on federal government secure cloud adoption will include changes to FedRAMP, compliance mapping, and the establishment of a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology.
Zero Trust and the Federal Government
By July 11, 2021, each agency must develop a plan to implement Zero Trust and provide a report to the OMB and the Assistant to the President and National Security Advisor to budget for Zero Trust implementation.
By August 10, 2021, the Director of the OMB will provide guidance to agencies on federal Zero Trust architecture.
Multi-factor Authentication and the Federal Government
By November 8, 2021, agencies must adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws. Heads of FCEB Agencies will provide reports to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA on their respective agency’s progress in adopting multi-factor authentication and encryption of data at rest and in transit.
Agencies must provide reports every 60 days until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption. Those agencies unable to fully adopt multi-factor authentication and data encryption within 180 days must provide a written rationale to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA.
Incident Response and the Federal Government
By August 10, 2021, the Secretary of Homeland Security, acting through the Director of CISA, will establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, to ensure effective information sharing among agencies and between agencies and CSPs.
Data Classification and the Federal Government
By August 10, 2021, the heads of FCEB Agencies, in consultation with the Secretary of Homeland Security acting through the Director of CISA, will evaluate the types and sensitivity of unclassified agency data, and provide to the Secretary of Homeland Security, through the Director of CISA, and to the Director of OMB, a report based on such evaluation. The evaluation will prioritize identifying the most sensitive data under the greatest threat, and appropriate processing and storage.
Section 4: Enhancing Software Supply Chain Security
This section identifies a lack of transparency in the development of commercial software used by the federal government in critical functions. It then establishes required actions to improve the security and integrity of the software supply chain, and prioritizes addressing “critical software”.
What Does the Section on Enhancing Software Supply Chain Mean?
The SolarWinds hack put a spotlight on the fact that federal cybersecurity is predicated on a distributed risk involving commercial software developers. This section looks to solicit input from the public and private sectors, academia, and others to understand what standards, tools, and best practices can better evaluate software security.
By June 26, 2021, the Secretary of Commerce, acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, the Secretary of Homeland Security acting through the Director of CISA, the Director of OMB, and the Director of National Intelligence, shall publish a definition of the term “critical software”, reflecting the level of privilege or access required to function, integration, dependencies, performance, and potential for harm if compromised.
By July 11, 2021:
- The Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, will publish minimum elements for a Software Bill of Materials (SBOM).
- The Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Homeland Security, acting through the Director of CISA and with the Director of OMB, will publish guidance outlining security measures for critical software including applying practices of least privilege, network segmentation, and proper configuration.
By November 8, 2021, the Director of NIST will publish preliminary guidelines for enhancing software supply chain security.
By May 8, 2022, the Director of NIST will publish additional guidelines that include procedures for periodic review and updating of the guidelines.
By May 12, 2022, software suppliers will be required to comply with secure software development requirements in order to sell to federal agencies, and agencies are directed to remove software not meeting these amended requirements.
Section 5: Establishing a Cyber Safety Review Board
This section states that the Secretary of Homeland Security, in consultation with the Attorney General, will create a new Cyber Safety Review Board to assess incidents, mitigation activities, and responses. The Board will include representatives of the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI, as well as representatives from private-sector cybersecurity or software suppliers, as determined by the Secretary of Homeland Security.
What Does the Section on Establishing a Cyber Safety Review Board Mean?
Much like the NTSB, this board seeks to understand why significant incidents happened, what mitigation efforts were in place, what failed, and what can be learned and applied going forward.
Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Incident response procedures vary widely from agency to agency, and section 6 of the order seeks to standardize processes to identify, remediate, and recover from incidents. This section establishes a standard incident response playbook that:
- Incorporates NIST standards
- Can be used by FCEB agencies
- Articulates progress and completion through all phases of incident response
What Does the Section on Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents Mean?
Simply put, establishing a standard playbook that spans all federal agencies will result in operational efficiency and decreased time to remediation.
Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
This section dictates that all federal agencies must deploy an endpoint detection and response initiative to maximize the early detection of vulnerabilities and incidents.
What Does the Section on Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks Mean?
Those agencies that do not yet have an endpoint detection and response solution and initiative in place will be required to do so.
Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities
This section outlines the need to collect and maintain data to investigate and remediate threats and incidents. It specifies network and system logs on federal information systems, including both on-premise and third-party hosted systems, and seeks to establish standards for data retention and centralized access of asset data.
What Does the Section on Improving the Federal Government’s Investigative and Remediation Capabilities Mean?
When we talk to federal government agencies at Axonius, we often hear how difficult it is to get a full picture of the entire environment to ensure that all assets are effectively covered by security controls and tools. Given this order’s focus on streamlined collaboration across agencies, improving the ability to collect, query, and act on asset data is an urgent priority.
Section 9: National Security Systems
This section is a catchall that dictates:
“The Secretary of Defense acting through the National Manager, in coordination with the Director of National Intelligence and the CNSS, and in consultation with the APNSA, shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements may provide for exceptions in circumstances necessitated by unique mission needs.”
What Does the Section on National Security Systems Mean?
Section 9 applies increased cybersecurity requirements to those systems deemed critical to national security.
How Can Axonius Help with the Requirements in the Executive Order on Improving the Nation’s Cybersecurity?
Axonius works with many federal agencies to help them understand the full scope of assets in their environments so they can know any time a device, cloud instance, or user deviates from policy expectations. We recently announced that Axonius secured a contract to support DHS CDM for Group F federal agencies, and just yesterday we announced that the Axonius Cybersecurity Asset Management Platform is now available on the DLT Solutions GSA Schedule.
Axonius enables federal agencies to accurately and quickly track their assets, achieve a unified view of their environments, and efficiently meet emerging security compliance requirements. Per the sections in the order above, Axonius helps federal agencies:
- Understand all devices and cloud assets and their relationship to both security policy expectations, as well as configuration details
- Unify multiple cloud infrastructure providers and compare each to benchmarks like the CIS Benchmarks for cloud asset compliance
- Measure use of multi-factor authentication, user privileges, and the association between users, devices, and the security solutions related to them
- Accelerate incident response investigations by providing comprehensive, contextual information to inform investigations
- Identify all software installed on agency-issued devices to understand vulnerabilities, address unsanctioned software, and track patching
- Share asset information across agencies by collecting and correlating user, device, and cloud data