In recent days, it has become apparent that our nation is under silent attack. Whether it be a fuel pipeline, a food processor, a ferry in New England, or a city transit system, it is clear that the United States’ adversaries are stepping up their efforts to exploit weaknesses in our IT infrastructure for nefarious purposes. It is for this reason that President Biden’s issuance of an Executive Order on Improving the Nation’s Cybersecurity takes on special importance.
That order, issued last month, takes some important steps in leveraging federal requirements to assure that “Federal Information Systems … meet or exceed the standards and requirements for cybersecurity” that the order sets forth. Among other things, the Executive Order addresses:
- The removal of contract barriers to facilitate information sharing regarding “threats, incidents, and risks” to deter, prevent, and respond to threats and otherwise defend Federal systems.
- Requirements for IT and communications contractors to report a “cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service.”
- The modernization of the government’s cybersecurity approach, including adoption of a Zero Trust Architecture (a security model that grants no implicit trust to any user, device, or network location) and the acceleration of “movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
- Prioritization of resources for the “adoption and use of cloud technology.” In this regard, DHS, through CISA and in consultation with GSA, “acting through the [FedRAMP]…, shall develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts.”
- For data in transit and at rest, the adoption of multi-factor authentication and encryption.
- For critical software, the identification of practices to enhance the software supply chain and secure development environments, including “auditing trust relationships” and “employing automated tools” to monitor source code supply chains and to identify other vulnerabilities.
- “Maintaining accurate and up-to-date data, provenance … of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis… .”
- The provision of “a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website.” The SBOM, among other things, contains the record of “supply chain relationships of various components used in building software,” e.g., open source code.
- The establishment of a Cyber Safety Review Board to “review and assess, with respect to significant cyber incidents … affecting FCEB [Federal Civilian Executive Branch] Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.”
- The development of standard operations procedures “to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems.”
- The use of an Endpoint Detection and Response initiative “to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.”
The foregoing list is by no means exhaustive of the order’s requirements, regulatory implementation provisions, or ambitious implementation timeframes. For all stakeholders, however, it signals that significant changes are on the (short) horizon, including the potential for the removal of technology, like software, from government systems. It also provides a sense of the breadth and critical importance of the issues covered, as well as the urgent need to address them. In so doing, it represents an opportunity for our community to assist government as it works to implement the solutions implicated here. Make no mistake, the President’s Executive Order signaled needed leadership in this area to address the significant vulnerabilities in our systems. For the order to be brought to fruition, however, it will require concerted efforts by all stakeholders, those working with these matters day-to-day along with those setting policy. It is an opportunity for all of us to be part of the solution that helps safeguard our nation from those who have demonstrated an unending intent to do our nation harm.
The Coalition remains ready to do its part. Members should keep an eye out for upcoming sessions discussing these matters.