The Presidential Executive Order released on May 12, 2021, calls for bold changes in the US Federal Government’s response to criminal and nation-state cyber-attacks. Its targets are both highly prescriptive and aggressive. The sense of urgency is highly positive, sending a global signal that more governmental action is required to meet cybersecurity’s current and future challenges.
Its ambitious timeline, while signaling importance, raises some concerns. A lack of the required resources may provide a defensible excuse for a lack of accomplishment. The provisions for organizational accountability for missed milestones are vague. If missed milestones carry no consequence, there is a risk that the EO will look more like political posturing than serious policy.
Joint Executive and Legislative action on funding and messaging could address these concerns, but this has not occurred to date. Target dates have already passed without ramifications. Like all too many Federal initiatives, the EO may slide from promising policy to political liability.
That would be unfortunate. The Executive Order is an excellent document and a clarion call for needed action in an urgent situation. It establishes a template for reaction, applicable to both private companies and government entities. The threats it addresses are real and rising, as demonstrated by the recent SolarWinds, Colonial Pipeline, and JBS attacks. If some goals in the EO timeline were unrealistically optimistic, rapid change remains imperative.
Now is the time for action, and past approaches are no longer sufficient.
The Executive Order provides many highly directive orders to government agencies. The following list outlines the contents of the Executive Order, the beginning of a template for any organization to consider in advancing their security posture.
- The US Federal Government and the private sector must respond boldly to adapt to the growing and continuously changing cyber threat.
- The US Government will need to partner with industry to meet the challenge. The government alone cannot protect the nation but needs to begin with its direct accountabilities to secure its computer systems.
- Cybersecurity initiatives must aggressively pursue improving the cybersecurity capability posture not only of IT systems but all the machinery and systems that ensure our safety and the continuity of businesses and the economy (Operational Technology (OT)).
- Contracts must now incorporate cybersecurity expectations of performance for cybersecurity protections, information sharing, and reporting. Performance requirements will change, and expectations will continue to expand as organizations incorporate new lessons learned.
- Expectations for threat intelligence sharing within the government and with private entities will continue to grow, and so will some of the protections for such intelligence sharing. Many private businesses will likely challenge in court the expectations for cyber intelligence sharing and reporting requirements; at a minimum, voluntary sharing will continue along current patterns. Cyber threat intelligence sharing will become a national priority, since preventing and responding to attacks is essential.
- The US Federal Government and the US Department of Defense will immediately investigate adopting a Zero Trust Architecture and approach to cybersecurity.
- The migration to cloud-based services and a federal cloud-security strategy based on Zero Trust principles and architecture will be strategic.
- US FedRAMP cybersecurity standards will continue to evolve to meet new architectural and process requirements.
- Government agencies will strengthen incident response coordination to protect Federal Civilian Executive Branch (FCEB) cloud environments.
- Zero Trust assessments will be a short-term and strategic priority to focus on the areas and capabilities most urgently in need of cybersecurity risk remediation.
- Organizations must establish new reporting frameworks and collection methods to measure progress against objectives, increasing visibility and accountability.
- The initial prioritized capabilities will be multi-factor authentication and the encryption of data in transit and at rest.
- Software supply chain security will be considered vital to the US Federal Government's ability to perform critical functions. New guidelines will be published to evaluate software security, including criteria for assessing developers' and suppliers' security practices, and to identify innovative tools or methods for demonstrating conformance with requirements.
- Software supply chain security will now mandate maintaining accurate and up-to-date data on:
  - the provenance (origin) of software code or components,
  - controls on internal and third-party software components,
  - the tools and services present in software development processes, the performance of audits, and the enforcement of established policies.
- System acquisitions will now require a Software Bill of Materials (SBOM).
- New standards and guidelines will be published recommending minimum standards for vendors testing software source code for cybersecurity controls and risk management.
- New standards/guidelines are to be released to identify required IoT cybersecurity criteria on consumer labeling.
- A standardized Federal Government Playbook for responding to cybersecurity vulnerabilities and incidents will be developed and rolled out.
- Systems and applications will be migrated to a Continuous Diagnostics and Mitigation program and will no longer rely on system security based upon periodic reviews and testing.
- The Federal Government will establish new requirements for logging events and standards for defining and retaining relevant data.
ZERO TRUST ARCHITECTURE CONCEPT WITHIN THE EXECUTIVE ORDER
The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring, granular risk-based access controls, and system security automation in a coordinated manner throughout the infrastructure, focusing on protecting data in real time within a dynamic threat environment.
This definition is helpful but does not address the specific capabilities necessary to achieve the desired outcome. These capabilities are the key to an effective program and architectural instantiation.
When moving to a Zero Trust Architecture, you must determine:
- What entities can potentially access assets?
- Which assets do they need to access?
- Which assets have the most value/highest impact if compromised?
- What level of risk are you willing to accept?
- Which capabilities are required to achieve your level of acceptable risk?
- What are the policies and architectures required to enable your desired security posture?
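The questions above, together with the assume-breach and least-privilege principles described earlier, can be turned into a concrete policy decision. The following is an added example, not code from the Executive Order or any agency: a minimal policy decision point whose inventory (entity names, asset names, impact levels, and the acceptable-risk threshold) is constructed for illustration. It denies anything outside an entity's need-to-access set, requires MFA for assets above the acceptable-risk level (the EO's first prioritized capability), and flags out-of-role requests for monitoring.

```python
"""Minimal Zero Trust policy decision point (constructed example).

Models the inventory the article says you must determine: which entities
need which assets, each asset's impact if compromised, and the acceptable
risk threshold. Every request is evaluated as if the network is already
breached: nothing is allowed by default, higher-impact assets demand MFA
(and a managed device at the top tier), and out-of-role requests are
surfaced for monitoring rather than silently dropped.
"""
from dataclasses import dataclass

# Constructed inventory; names and impact levels are assumptions for this example.
ASSET_IMPACT = {"payroll-db": 3, "hr-portal": 2, "public-site": 1}  # 3 = highest impact
NEEDED_ACCESS = {  # entity -> assets it legitimately needs (least privilege)
    "alice": {"payroll-db", "hr-portal"},
    "bob": {"public-site"},
    "ci-runner": {"public-site"},
}
ACCEPTABLE_RISK = 1  # assets at or below this impact may be reached without MFA

@dataclass
class Request:
    entity: str
    asset: str
    mfa: bool = False
    managed_device: bool = False

@dataclass
class Decision:
    allow: bool
    reason: str
    anomaly: bool = False  # worth an alert to the monitoring pipeline even when denied

def decide(req: Request) -> Decision:
    """Evaluate one access request under the zero-trust rules above."""
    if req.asset not in ASSET_IMPACT:
        return Decision(False, "unknown asset", anomaly=True)
    needed = NEEDED_ACCESS.get(req.entity, set())
    if req.asset not in needed:
        # Unknown entities and out-of-role requests are denied and flagged:
        # under assume-breach they may be a compromised account moving laterally.
        return Decision(False, "asset not in entity's need-to-access set", anomaly=True)
    impact = ASSET_IMPACT[req.asset]
    if impact <= ACCEPTABLE_RISK:
        return Decision(True, "low-impact asset within acceptable risk")
    if not req.mfa:
        return Decision(False, "MFA required for impact above acceptable risk")
    if impact == max(ASSET_IMPACT.values()) and not req.managed_device:
        return Decision(False, "highest-impact asset requires a managed device")
    return Decision(True, "risk-based controls satisfied")

def evaluate(requests):
    """Return (allowed requests, requests to alert on) for a batch."""
    decisions = [(r, decide(r)) for r in requests]
    return [r for r, d in decisions if d.allow], [r for r, d in decisions if d.anomaly]
```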
The President’s Executive Order on improving the nation’s cybersecurity provides an excellent cybersecurity strategy blueprint. Government entities and private enterprises should immediately develop plans to incorporate its directives into their existing policies, tools, training, and timelines. Because the threats persist while becoming increasingly sophisticated, the response needs to be equally dynamic and innovative. Additional guidelines promised by the EO should be continuously evaluated and considered for adoption.
As the EO says, “incremental improvements will not give us the security we need.” It is time for bold action.