Improving the Nation’s Cybersecurity
The White House recently published a Cybersecurity Executive Order, highlighting the critical steps that provide a roadmap to address the persistent and increasingly sophisticated threats to “American people’s security and privacy”.
A simplified Fact Sheet was also published summarizing the order to help:
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector
- Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
- Improve Software Supply Chain Security
- Establish a Cybersecurity Safety Review Board
- Create a Standard Playbook for Responding to Cyber Incidents
- Improve Detection of Cybersecurity Incidents on Federal Government Networks
- Improve Investigative and Remediation Capabilities
Who will be affected?
- Federal executive agencies (U.S. Department of Agriculture, U.S. Department of Commerce, U.S. Department of Defense, U.S. Department of Education, U.S. Department of Energy, U.S. Department of Health and Human Services, U.S. Department of Homeland Security, U.S. Department of Housing and Urban Development, etc.) will be expected to modernize their technology infrastructure and security practices.
- Federal contractors, companies working with the federal government, and agencies, including but not limited to software vendors and providers, will be expected to include their cybersecurity standards in new contracts. These organizations will also be required to share more information on cyber incidents regarding attacks on themselves or federal entities.
- The private sector will likely see an increased focus on hardware and software supply chain security. This focus will include new requirements built around providing transparency, for the government as well as consumers, into the security of software, services, and physical equipment, including historically unregulated devices such as the Internet of Things (IoT).
What does all this mean?
The changes will be wide-reaching and affect organizations that would not have typically expected to be impacted by such requirements. The supply chain attacks that have been prevalent throughout 2021 have caused organizations to consider the implications a potential attack would have for their entire supply chain. Many organizations have started to require their partners and vendors to have a security program in place that will “meet or exceed the standards and requirements for cybersecurity” outlined by the Executive Order. This means that requirements such as having a formal security program in place, with a heavy emphasis on measuring and improving the security posture, have become standard in contracts and agreements across the industry. It is also anticipated that compliance requirements, such as those around ensuring supply chain contract updates and compliance with those updates, will most likely fall on your organization to verify and update as needed.
There will also be new requirements for some organizations to implement new processes and toolsets to be compliant with the Executive Order. This may be due to direct relationships with federal organizations, or it may be required by partners, vendors, or contractors that work with federal agencies.
The following is a high-level summary of the Executive Order requirements:
- Development and adoption of an organization-wide Security policy
- The need for updated contract language designed to ensure Confidentiality, Integrity, and Availability of data and systems. Language covering detection, prevention, and reporting of security events will be required.
- Open collaboration and communication between service providers and the federal government
- Development of a security roadmap outlining the steps and milestones required to adopt a Zero Trust Architecture.
- Cybersecurity training for all staff and contractors associated with your organization.
- Developing a Cybersecurity Incident Response Plan and/or security incident playbooks for specific incident types
- The deployment of new Administrative and Technical controls to help protect the organization’s Network, Information Technology, Operational Technology, and Internet of Things (IoT) devices.
This may include but is not limited to:
- A security assessment or audit (security review of systems including vulnerability reporting, configuration review, etc.)
- Multifactor Authentication
- Encrypting data at rest and in motion
- Detection of security vulnerabilities and incidents
- Deployment of Endpoint Detection and Response capabilities that include containment, remediation, and incident response