The Cybersecurity Executive Order (EO) was issued on May 12th, 2021. The EO applies primarily to federal agencies and federal systems; however, it also applies to government contractors and subcontractors. All enterprises and organizations should pay attention to the initiatives, both to understand the government’s current definition of “best practices” and the potential basis for future (more far-reaching) laws. While the EO is still being tweaked during implementation, the main provisions will stay the same; for a complete read of the Cybersecurity EO, see Executive Order on Improving the Nation’s Cybersecurity | The White House
The government ecosystem aims to become “cyber-safe.” Cybersecurity personnel, technology, and spending will also increase to support these initiatives. Cybersecurity has become an integral part of all day-to-day activities. In addition, even though the EO is focused on federal agencies and those doing business with the government, it includes stronger collaboration between the private and public sectors.
There are six provisions in the EO which may affect any office. Read on to see what they are.
1. Removing Barriers to Sharing Threat Information
Based on this provision, IT service providers will be able to share information with the government, and they are also required to share certain breach information. This is also intended to strengthen the public sector and private sector partnership to hopefully identify and resolve incidents and breaches quicker.
What’s the takeaway for the enterprise? As we are all aware, fast response and resolution time are critical when dealing with threats, whether they are internal or external. Any information and assistance from a federal level should help enterprises.
2. Modernizing Federal Government Cybersecurity
This is intended to ensure that secure cloud solutions are used and moving towards a zero-trust architecture model. This also includes multi-factor authentication (MFA) and encryption. In terms of modernizing the landscape, the federal landscape has been allocated $3 billion for IT modernization which included $1 billion for the Technology Modernization fund.
What’s the takeaway for the enterprise? Many private sector firms are already using this approach and tools like MFA and encryption to address the cyber-attack risks. All organizations should enact these baseline steps to improve their security posture.
3. Enhancing Supply Chain Security
This ensures that software used by the government is secure and ensures that developers provide more visibility into the software. There is also a pilot program which creates an “energy star” type of label that allows the government to determine if the software was developed securely.
What’s the takeaway for the enterprise? This has the potential to help companies make more-informed decisions on software choices. However, federal contractors should also keep tabs on the pilot program, as government contracts could require only using “approved” software. This could also impact a firm with an existing contract to use software that does not obtain the approved status.
4. Improving Detection of Cybersecurity Vulnerabilities and Incidents
This focuses on creating a cyber playbook to ensure that all federal agencies can coordinate response efforts with the private sector. Government-wide Endpoint Detection and Response (EDR) should be implemented to detect malicious cyber activity.
What’s the takeaway for the enterprise? Endpoint monitoring solutions are becoming common in the private sector, and all organizations should implement EDR. The coordination between the private sector and the federal agencies should help by expanding and coordinating resources.
5. Improve Investigative and Remediation Capabilities
This aims at event logging requirements for federal agencies to ensure better detection, mitigation, and determining an incident’s impact after the fact.
What’s the takeaway for the enterprise? Organizations should compare and perhaps realign their logging procedures and protocols, revising to improve detection and investigation activities.
6. Establish a Cyber Safety Review Board
Using lessons learned, this intends to facilitate concrete recommendations after an incident. According to Cybersecurity &Infrastructure Security Agency (CISA), this has been modeled after the National Transportation and Safety board.
What’s the takeaway for the enterprise? The Cyber review board intends to work in conjunction with the private sector, which should help all groups benefit from lessons learned.
In addition to the measures above, the EO also emphasizes the move to the cloud in any format: infrastructure as a Service (IaaS), platform as a service (PaaS), and software as a service (SaaS). It addresses the prevention and early detection of possible security incidents within the cloud and covers security and encryption for data in transit and at rest. Provisions such as identity and access management using MFA apply to cloud networks.
The Cybersecurity Executive Order has allocated $865 million to CISA alone to improve cybersecurity. About $400 million will be designated for “the implementation of multi-factor authentication, endpoint detection and response, improved logging, and securing cloud systems.” Approximately $50 million will be designated to multi state agencies, $25 million to MFA and $100 million to cybersecurity education and awareness.
J.R. and Anca are writing on behalf of the SCTC, a premier professional organization for independent consultants. Our consultant members are leaders in the industry, able to provide best of breed professional services in a wide array of technologies. Every consultant member commits annually to a strict Code of Ethics, ensuring they work for the client benefit only and do not receive financial compensation from vendors and service providers.