Cyber sprint 2021 is off and running. But unlike the 2015 version, the Biden administration is hosting the entire track meet ranging from the 100-meter dash to the marathon.
Thus, agencies have a series of new deadlines to shore up their networks and data, ranging from creating a plan in 60 days to move to a zero trust architecture, to encrypting data at rest and data in transit within the next six months.
President Joe Biden mandated dozens of new steps to address long-standing cybersecurity challenges in a new executive order signed Wednesday.
“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” Biden wrote in the order. “The federal government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
This is the ninth cybersecurity-related executive order since 2009. Through these orders and along with the Comprehensive National Cybersecurity Initiative (CNCI) issued in 2008, the White House continues trying different approaches to achieve the same goal — securing federal systems.
“These changes are long overdue and will significantly improve cybersecurity across the board,” Jim Lewis, a senior vice president and director of strategic technologies program at the Center for Strategic and International Studies (CSIS), said in a statement. “The EO goes right to the heart of the problem — the mix of poor cyber hygiene and buggy code. Using the government buying power FAR [Federal Acquisition Regulation] to create incentives for better hygiene and code will make life harder for hackers.”
Power of procurement
Biden’s EO boils down public and private sector efforts across a handful of areas.
“We picked five specific things that we said will make life significantly harder for a hacker to hack,” said a senior administration official in a call with reporters. “If they do hack, it’s far harder for them to use the data because the data is encrypted. We said, ‘We’re going to roll those out across the federal government in a tight timeframe as you see in the EO — encryption rolled out in six months. If not, a waiver [is] required that has to be approved by the National Security Council. And what we’re trying to do there is show companies, state, and local: Focus on these five things. They’re usually impactful and, much as we get them done, you can get them done. And follow our lead and move out there.”
The executive order is using the power of federal procurement as well as its ability to bring public and private sector expertise together to try to stem the tide of cyber attacks.
“We zeroed in on the way software is built as a key way to ensure supply chain attacks are harder. We wanted to do so in a way that clearly set the groundwork by including what needed to be in the standard in the EO, but also created a process to bring in the private sector to refine that,” the official said. “We’ve pushed the authority as far as we could and said, ‘Anybody doing business with the U.S. government will have to share incidents so that we can use that information to protect Americans more broadly.’ The third thing I would note is the federal government needs to be a leader in this space.”
Among the ways the White House wants agencies to lead is by requiring contractors to meet new requirements for software development.
The National Institute of Standards of Technology will develop and publish preliminary guidelines to secure software development in six months, and then in a year it will publish additional guidelines including procedures for periodic review process to update the regulations.
“We worked hard to find the best way to set aggressive and achievable efforts within what could be achieved in an executive order; and really to pilot all of these different efforts that have been discussed for a while; and to use the power of federal procurement to say, ‘If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development,’” the official said. “Because that not only benefits the government, we’re all using the same software. We’re all using Outlook email. We’re all using Cisco and Juniper routers. So, essentially, by setting those secure software standards, we’re benefiting everybody broadly.”
Turning up requirements for cloud security
Another way the White House wants agencies to lead is through cloud security. The order lays out a series of deadlines for the Office of Management and Budget, the General Services Administration, the Federal Risk Authorization and Management Program (FedRAMP) and the Cybersecurity and Infrastructure Security Agency (CISA) to meet.
These include developing security principles governing cloud service providers (CSPs) for incorporation into agency modernization efforts. The agencies also will develop a federal cloud-security strategy and provide guidance to ensure that risks to agencies from using cloud-based services are broadly understood and effectively addressed, and help agencies move closer to a zero trust architecture.
CISA also will lead the effort to develop a cloud-security technical reference architecture that illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting.
Related to the cloud security requirements, agencies also will have to deploy end point detection and response (EDR) tools to move from reactive to more proactive cyber defenses.
Within 30 days, CISA will provide OMB options for implementing EDR through a shared services approach. Then within 90 days, OMB and CISA “shall issue requirements for civilian agencies to adopt federal governmentwide EDR approaches. Those requirements shall support a capability … of CISA to engage in cyber hunt, detection and response activities.”
The White House also is setting up new processes to share information about cyber incidents with the public and private sectors.
For example, vendors must promptly report any cyber incidents to agencies when they are discovered involving a software product or service provided to the agency customer or involving a support system for a software product or service.
Cyber review board to start with SolarWinds
The EO also creates a cybersecurity safety review board, which will be led by government and private sector experts, and which will convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.
The administration official said the board’s first efforts will focus on the SolarWinds attack. The group will offer recommendations for how to solidify the board’s work so that for every major incident, it has an approach to review it and share lessons learned.
Reaction from lawmakers and industry has been positive.
Rep. Jim Langevin (D-R.I.) said in a statement the EO tries to address the root cause of many cyber breaches — insecure software.
“By using the purchasing power of the government to demand more of software vendors, we will help improve the security of the entire ecosystem. I am particularly excited to see an emphasis on software transparency. The National Telecommunications and Information Administration (NTIA) has made significant progress in proving the viability of a ‘software bill of materials,’ or ‘ingredient list’ for software,” he wrote. “Putting foundational concepts like SBoM and vulnerability disclosure policies into federal procurement standards will lift everyone’s security, from power companies to small businesses.”
Rick Tracy, chief security officer for Telos Corp., said the push to adopt more secure cloud services, adopt multi-factor authentication and the increased use of zero trust architectures will be important changes.
“These are solid steps to improve federal cybersecurity, as is the order’s objective of establishing a government-wide endpoint detection and response system,” he said. “The order’s requirement that IT providers must now share breach information which could impact government networks is long overdue, as this information is too vital to protecting federal systems for such sharing to be voluntary.”