With cyber-attacks moving from small-scale assaults on private businesses to sweeping strikes on national infrastructure, the Federal Government is shifting resources and implementing new rules and regulations to address the growing challenge. On May 12, President Biden signed an executive order entitled Improving the Nation’s Cybersecurity, in which the administration outlined nearly a dozen ways in which federal agencies should modernize and improve their security procedures.
The 34-page executive order comes after a series of high-stakes, high-profile attacks. In December, Reuters first reported that a multi-month campaign by Russian hackers had infiltrated thousands of networks through a vulnerability in SolarWinds network-management software. More recently, the hacking group known as DarkSide hit the Colonial Pipeline with a ransomware attack that shut down fuel supply to parts of the United States, the largest of its kind to date.
While the executive order is not designed to specifically address infrastructure protection, an initiative that is expected to be picked up soon by Congress, it does offer a comprehensive set of changes for Federal Civilian Executive Branch (FCEB) agencies. These changes will impact almost any software company that works with the Federal Government and, in turn, the private sector at large. Let’s take a closer look at how the executive order is structured, the changes that the directive will implement, and how it may impact private-sector businesses in the near future.
Section 1: Policy Changes
The executive order indicates that the “Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.” Specifically, it directs federal agencies to examine past incidents and any future incidents to improve security, partnering with the private sector to do so.
This will involve bold strategic investments to ensure all information systems in the Federal Government meet or exceed a series of additional standards outlined in the rest of the order. This applies to both information systems (IT) processing data as well as operational technology (OT) which run critical infrastructure. We’re likely to see an increase in cybersecurity investments by the federal government and a growing partnership with key private sector companies qualified to provide such services to the government.
Section 2: Removing Barriers to Sharing Threat Information
The executive order identifies contractual barriers limiting how much information can be shared between IT and OT service providers and the Federal Government. It provides guidance on how to remove those barriers and share more incident information with relevant parties. New language in these contracts will help service providers collect and preserve data, information, and reports related to cybersecurity and share that information with other relevant agencies when deemed appropriate.
The order provides a timeline of 120 days for Homeland Security and Office of Management and Budget (OMB) to implement systems to make this sharing possible. By standardizing this process across all agencies, something that is not in place now, the executive order aims to streamline and improve compliance for both vendors and federal agencies.
Section 3: Modernizing Cybersecurity in Government
Beyond reporting, the executive order lays out the means by which the Federal Government should modernize cybersecurity efforts. This includes making strategic investments in technology and personnel to shore up cybersecurity by:
- Adopting security best practices
- Advancing toward Zero Trust Architecture
- Accelerating movement to secure cloud services including SaaS, IaaS, and PaaS solutions
The executive order directs the heads of each agency to prepare a plan and report to the OMB director how they aim to meet these new requirements. A big part of this will be coordinating to develop ways to prevent, detect, assess, and remediate incidents using cloud technology, with migration to cloud technologies leveraging Zero Trust Architecture. Additionally, agencies have been directed to adopt multi-factor authentication and encryption for all agency data.
Changes to the Federal Risk and Authorization Management Program (FedRAMP) program will establish new security principles governing Cloud Service Providers (CSPs) and an overall Federal cloud security strategy to guide agencies. These updates aim to provide specific recommendations for migration to the cloud and data protection within individual agencies. Additional changes to FedRAMP designed to modernize the program include:
- Training Programs – New training programs will be implemented to ensure agency staff are prepared to manage security-related requests and ensure access to appropriate materials.
- Communication – Communication with cloud service providers will be improved across every stage, including status updates, next steps, and questions for points of contact.
- Automation – Automation will be implemented for a number of key steps, including: assessment, authorization, continuous monitoring, and compliance.
- Digitizing Documentation – Documentation is set to be digitized for vendors.
- Compliance Frameworks – Relevant frameworks will be adopted, mapped to the FedRAMP process, and implemented where appropriate.
Section 4: Enhancing Software Supply Chain Security
The executive order outlines how the federal government must improve security and integrity in the software supply chain, specifically with critical software. The Director of the National Institute of Standards and Technology (NIST) will consult with the heads of agencies as needed to prepare and issue guidance on the best practices for enhancing security in the supply chain. This guidance will include standards, procedures, and criteria that will help to:
- Use separate build environments when appropriate.
- Establish multi-factor, risk-based authentication, as well as the necessary conditional access.
- Employ encryption for all data in Federal Information Systems.
- Monitor alerts, operations, and actions to respond to incidents effectively.
Section 5: Establishing a Cyber Safety Review Board
A new Cyber Safety Review Board will be established by the Secretary of Homeland Security with the Attorney General to review and assess threat activity, mitigation activities, any perceived vulnerabilities, and agencies’ responses to these things over time. When a significant cybersecurity incident occurs, the Board will be tasked with evaluating what happened and why it happened.
The Board will be made up of experts from agencies including the Department of Defense, the Department of Justice, Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA). Additionally, private-sector security experts may be brought in at the direction of Homeland Security to coordinate with the Board and provide insights into specific threats or software vulnerabilities. By coordinating the response to an incident, the Federal Government will have greater insight into why successful breaches occur, how they were resolved, and how to limit similar attacks in the future. Most importantly, that information will be available for all agencies.
Section 6: Responding to Cybersecurity Vulnerabilities and Incidents
A major part of the executive order is standardizing how vulnerabilities and incidents are addressed. Currently, these processes vary dramatically across all agencies. It’s difficult to analyze issues that affect more than one agency effectively. The new playbook will be designed for planning and conducting response activities for Federal Information Systems. It will incorporate relevant NIST standards, be used by all FCEB agencies, and lay out the entirety of the incident response process in detail.
The playbook will also be tasked with defining key terms and using them consistently across all IT and OT operations in the Federal Government. This not only puts all agencies on an equal level but ensures the language used to describe systems, threats to those systems, and the response process are consistent, both in the government and for third-party vendors.
Section 7: Improving Detection
The executive order outlines the means by which detection will be improved to catch incidents and vulnerabilities early on federal networks. Agencies are directed to implement Endpoint Detection and Response (EDR) to ensure proactive detection efforts, active threat hunting, quick remediation and incident response.
CISA will provide guidance on threat-hunting activities on agency networks. This will include recommendations for ensuring critical systems are protected from disruption, an outline of notifications to system owners, and how testing will be conducted.
Section 8: Investigation and Remediation
The order specifically highlights the importance of saving and protecting log data on all federal agency networks to be used in investigating incidents and remediating successful attacks. It emphasizes the importance of keeping this data for both agencies and IT service providers and providing it to CISA and the FBI when necessary.
The Attorney General will provide specific recommendations to OMB on how to log events and retain data from agency systems, which logs to keep, how long to maintain them, and the timeframe for enabling other security measures. Recommendations are also given for how to protect log data, including cryptographic means to protect collected data and regular reviews of that data to ensure integrity.
Section 9: National Security Systems
The executive order outlines the responsibilities of the Department of Defense and Intelligence agencies to adopt National Security Systems (NSS) requirements. Due to the unique and often sensitive nature of NSS, there are likely to be key exceptions from what is outlined in the rest of the executive order, so FCEB agencies and NSS are being treated separately. However, the requirements for NSS will be equivalent to or greater than the recommendations in the executive order that may not otherwise apply to NSS. They are also asked to codify the requirements in a National Security Memorandum (NSM).
Section 10: Definitions
Several definitions relevant to the order are provided, including:
- Federal Civilian Executive Branch Agencies (FCEB Agencies) – These are all agencies except for the Department of Defense and Intelligence Agencies.
- Federal Civilian Executive Branch Information Systems (FCEB Information Systems) – This applies to all information systems in FCEB agencies, excluding NSS.
- Federal Information Systems (FIS) – This refers to any and all information systems operated by an agency or behalf of an agency by a third party contractor or vendor.
What Comes Next
The scope of this executive order is unique, addressing almost every aspect of both FCEB and NSS agency information systems. It’s clear that the Federal Government plans to rapidly overhaul its approach to security because of the disruption, national security risk, and potential harm caused by massive security breaches. We should expect more regulations, rulings from the administration, and potentially new legislation addressing the issue. For private sector companies, whether you work with the government or not, these changes are likely to touch most efforts sooner than later.