2021 cybersecurity executive order: Everything you need to know
President Joe Biden’s administration recently released an executive order on improving the nation’s cybersecurity in the wake of increasingly bold and widely impactful cyberattacks focused on public and private sector targets. The order recognizes the impact on the American people’s security, privacy and business and the role that the federal government plays in setting an example for comprehensive security standards and facilitating its implementation across the rest of the country’s industries.
The executive order also recognizes that reshaping and implementing new cybersecurity standards is not something the federal government can do overnight or on its own. It will need the input and participation of the private sector to protect the country more effectively from malicious cyberattacks. However, the cybersecurity executive order provides initial goals, timelines and, in some cases, the necessary funding to get this momentous task started.
So what exactly does the new cybersecurity executive order include, and what could it mean for other organizations? The federal government must lead by example.
Cybersecurity executive order: What you need to know
Understandably, the new cybersecurity executive order covers a lot of ground and lays out a wide range of expectations for the federal government, but it generally covers six main themes.
Removing barriers to sharing threat information
Section two of the cybersecurity executive order seeks to increase the sharing of threat intelligence information across the federal government and from the IT service providers that facilitate many of their systems.
The executive order tasks the National Security Agency (NSA), the Department of Defense (DoD), the Department of Homeland Security (DHS), the Director of National Intelligence (DNI) and the attorney general with developing new procedures and guidelines for the sharing of cyber incident reports between IT service providers and federal departments.
Modernizing federal government cybersecurity
The most notable feature of Section three of the executive order is emphasizing a “zero-trust architecture” for the federal government’s use of cloud services. As part of this, the order mandates the “deployment of multi-factor authentication and encryption” as well as additional security controls recommended by the National Institute of Standards and Technology (NIST) within the Department of Commerce.
This new stance follows recommendations and guidance from the National Security Agency on what a zero-trust security architecture means for the federal government in practice, namely, “a coordinated system management strategy that assumes breaches are inevitable or have already occurred.” With this new perspective on security, federal agencies will now work to apply the principle of “never trust, always verify” to users and accounts, helping to further secure data and prevent lateral network movement.
In addition, within six months of the order, federal departments “shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with federal records laws and other applicable laws.”
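To make the “never trust, always verify” principle concrete, here is an added illustration (not code from the executive order, the NSA or any agency) that evaluates the same access requests under a network-location model and under a per-request zero-trust check. The internal address range, token lifetime, user names and resources are all constructed values; the point is that the zero-trust decision ignores where a request comes from and instead verifies MFA, token freshness, device posture and per-resource entitlement every time, which is what blocks the lateral-movement case described above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed values: the "internal" range the perimeter model trusts, and how
# long an access token stays acceptable before it must be re-verified.
INTERNAL_NET = ip_network("10.0.0.0/8")
TOKEN_MAX_AGE = timedelta(minutes=15)


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    resource: str
    mfa_verified: bool            # the session completed a second factor
    token_issued: datetime        # when the access token was minted
    device_compliant: bool        # endpoint passed its posture check
    entitlements: frozenset       # resources this user is authorized for


def perimeter_allows(req):
    """Network-location model: anything inside the perimeter is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_allows(req, now):
    """Never trust, always verify: every request is evaluated on identity,
    token freshness, device posture and per-resource entitlement, regardless
    of where it comes from. Returns (allowed, reason)."""
    if not req.mfa_verified:
        return False, "mfa_required"
    if now - req.token_issued > TOKEN_MAX_AGE:
        return False, "token_expired"
    if not req.device_compliant:
        return False, "device_noncompliant"
    if req.resource not in req.entitlements:
        return False, "not_entitled"        # least privilege, per resource
    return True, "verified"


def evaluate(now=None):
    """Run both models over constructed requests.
    Returns {label: (perimeter_decision, (zero_trust_decision, reason))}."""
    now = now or datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(minutes=5)
    stale = now - timedelta(hours=3)
    samples = {
        # Staff member working remotely with MFA and a compliant laptop.
        "remote_verified": Request("alice", "203.0.113.10", "payroll-db",
                                   True, fresh, True, frozenset({"payroll-db"})),
        # Internal address, but the session never completed MFA: the shape a
        # replayed or stolen credential takes, which the perimeter model waves through.
        "internal_no_mfa": Request("bob", "10.20.30.40", "payroll-db",
                                   False, fresh, True, frozenset({"payroll-db"})),
        # Verified internal user reaching a system they are not entitled to
        # (lateral movement); only the per-resource check catches it.
        "internal_lateral": Request("carol", "10.20.30.41", "hr-files",
                                    True, fresh, True, frozenset({"wiki"})),
        # Long-lived token on a device that has drifted out of compliance.
        "stale_token": Request("dave", "10.20.30.42", "wiki",
                               True, stale, False, frozenset({"wiki"})),
    }
    return {label: (perimeter_allows(r), zero_trust_allows(r, now))
            for label, r in samples.items()}


if __name__ == "__main__":
    for label, (perimeter, (zt, reason)) in evaluate().items():
        print(f"{label:18} perimeter={perimeter!s:5} zero_trust={zt!s:5} ({reason})")
```

Note that the checks are ordered so the cheapest, most decisive failure is reported first; in a real deployment each of these signals (MFA state, token age, device posture) would come from an identity provider or endpoint agent rather than from fields on the request.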
Enhancing software supply chain security
Recognizing the prevalence of the vulnerability that led to the SolarWinds data breach, Section four of the executive order seeks to improve the federal government’s awareness about how the software it uses is made and what comprises it.
In particular, the executive order will require developers to provide greater visibility into their software and to share related security data with the public. The cybersecurity executive order will also create a pilot program, modeled on the Energy Star program, that provides a label the government and the public can use to quickly determine the security controls that went into the design of a piece of software.
Finally, the Department of Commerce will create a list of minimum elements that software suppliers must provide within a Software Bill of Materials (SBOM). This will, according to Forrester, “help organizations manage risk by letting them quickly determine what vulnerable software components are in their products.”
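The following is an added example of how an organization consumes an SBOM for the purpose Forrester describes: matching the components listed in a bill of materials against known advisories and tracing each affected component back to the product that ships it. It is not the Department of Commerce’s format or any published SBOM standard; the JSON document, its field names (supplier, component name, version, identifier, dependency relationships, author, timestamp) and the advisory identifiers are all constructed for this illustration.

```python
import json

# Constructed SBOM, modeled on the sort of minimum elements the order calls
# for: supplier, component name, version, a unique identifier, dependency
# relationships, author and timestamp. Not a real product or real format.
SBOM_JSON = """
{
  "author": "Example Corp product security (constructed)",
  "timestamp": "2021-06-01T00:00:00Z",
  "components": [
    {"id": "pkg:example/app@3.0.0",    "supplier": "Example Corp", "name": "app",    "version": "3.0.0"},
    {"id": "pkg:example/libbar@2.4.1", "supplier": "Bar Project",  "name": "libbar", "version": "2.4.1"},
    {"id": "pkg:example/libfoo@1.1.0", "supplier": "Foo Project",  "name": "libfoo", "version": "1.1.0"},
    {"id": "pkg:example/libbaz@0.9.0", "supplier": "Baz Project",  "name": "libbaz", "version": "0.9.0"}
  ],
  "dependencies": [
    {"ref": "pkg:example/app@3.0.0",    "dependsOn": ["pkg:example/libbar@2.4.1", "pkg:example/libbaz@0.9.0"]},
    {"ref": "pkg:example/libbar@2.4.1", "dependsOn": ["pkg:example/libfoo@1.1.0"]}
  ]
}
"""

# Constructed advisories: a component is affected when its version is below
# the first fixed version. Identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "libfoo", "fixed_in": "1.2.0"},
    {"id": "ADV-EXAMPLE-0002", "component": "libbaz", "fixed_in": "0.9.0"},
]


def parse_version(v):
    """Turn '1.2.0' into (1, 2, 0) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


def load_sbom(text):
    """Parse the SBOM and build forward and reverse dependency maps."""
    doc = json.loads(text)
    components = {c["id"]: c for c in doc["components"]}
    depends_on = {cid: [] for cid in components}
    dependents = {cid: [] for cid in components}
    for edge in doc.get("dependencies", []):
        for dep in edge["dependsOn"]:
            depends_on[edge["ref"]].append(dep)
            dependents[dep].append(edge["ref"])
    return {"components": components, "depends_on": depends_on, "dependents": dependents}


def vulnerable_components(sbom, advisories):
    """Return [(component_id, advisory_id)] for every affected component."""
    hits = []
    for cid, comp in sbom["components"].items():
        for adv in advisories:
            if (comp["name"] == adv["component"]
                    and parse_version(comp["version"]) < parse_version(adv["fixed_in"])):
                hits.append((cid, adv["id"]))
    return hits


def paths_to(sbom, target):
    """All root-to-target dependency chains, so a transitive dependency can be
    traced back to the top-level product that ships it."""
    paths = []

    def walk(node, chain):
        parents = sbom["dependents"][node]
        if not parents:                      # reached a top-level product
            paths.append(list(reversed(chain)))
        for parent in parents:
            walk(parent, chain + [parent])

    walk(target, [target])
    return paths


def report(text=SBOM_JSON, advisories=ADVISORIES):
    """Map each finding to the product chain that ships the affected component."""
    sbom = load_sbom(text)
    findings = []
    for cid, adv_id in vulnerable_components(sbom, advisories):
        for path in paths_to(sbom, cid):
            findings.append({"advisory": adv_id, "component": cid, "via": path})
    return findings


if __name__ == "__main__":
    for f in report():
        print(f["advisory"], "->", " -> ".join(f["via"]))
```

Running it reports that the product ships the affected libfoo only transitively, through libbar, which is exactly the visibility an SBOM is meant to give: without the dependency relationships, an operator searching their own inventory for libfoo would not find it. The libbaz component is not flagged because it already sits at the fixed version.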
Establishing a cyber safety review board
The executive order also outlines the creation of a Cyber Safety Review Board that will be co-chaired by government and private sector leaders. The review board will have the authority to convene following a cyber incident to document what happened and make concrete recommendations for improving overall cybersecurity.
Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
Section six of the cybersecurity executive order outlines the need for “a standardized playbook and set of definitions for cyber incident response by federal departments and agencies.”
This incident response playbook will help ensure that all federal departments meet a certain readiness threshold and are prepared to take the necessary, coordinated steps to identify and mitigate a cybersecurity threat. The EO also outlines the need for a “government-wide endpoint detection and response (EDR) system” that will help to improve information sharing and detect malicious activity. The executive order states the hope that the playbook and the EDR system will serve as a template for the private sector to follow.
Improving the federal government’s investigative and remediation capabilities
Additionally, sections seven and eight of the executive order create requirements for cybersecurity event log data and its retention, improving an individual organization’s ability to detect and mitigate intrusions faster.
In particular, DHS, the attorney general and the Office of Management and Budget (OMB) will develop these recommendations, which will include:
- The types of logs to be captured and stored
- How long to retain the records and related data
- Expectations for implementation
- Standards on how to protect the event logs using encryption
- Requirements to protect privacy in line with applicable privacy laws
The federal government must lead by example
This phrase, “the federal government must lead by example,” written in the introduction of the policy, is perhaps the underpinning of this cybersecurity executive order.
Each level of every federal government department needs to strengthen its cybersecurity standards, adopt multi-factor authentication and data encryption, develop a deeper understanding of secure software development and improve the use of incident detection tools.
While the efforts will focus first on “critical software” used by the federal government, the same measures will also be required for all software used. Expectations like these will, the executive order hopes, inspire a larger conversation about the need for secure software across the public and private sectors, as well as increased coordination.
Similarly, the development and implementation of a standardized incident response plan for how the federal government responds to cyber incidents and enhanced logging and incident detection capabilities should also further drive the use of these best practices across all industries.
Looking ahead to the cybersecurity executive order
While the cybersecurity executive order is focused on the federal government in its wording and authority, it will likely have far-reaching downstream impacts on other industries.
In addition to the contractors, suppliers and developers that work directly for the federal government, the broader private sector will likely see the benefit of implementing these best practices in their operations.
Although tools such as multi-factor authentication and secure cloud services are more widely known, increased use of incident response plans, incident detection tools, logging and the adoption of zero-trust is likely to follow.
Sources
CISA predicts cyber EO will drive progress on zero trust, Federal Computer Weekly
Executive Order on Improving the Nation’s Cybersecurity, The White House
Statement from CISA Acting Director Wales on Executive Order to Improve the Nation’s Cybersecurity and Protect Federal Networks, Cybersecurity and Infrastructure Security Agency (CISA)