In light of recent significant attacks targeting the U.S. government, the Biden administration issued an Executive Order (EO) on cybersecurity on May 8, 2021.
Overall, the EO starts to fill in some critical gaps in US government cybersecurity capabilities. The EO is designed primarily to protect Federal infrastructure, but will also have significant impact on private sector service providers (e.g. software providers) who will now be required to meet new security requirements in order to do business with the U.S. government.
What are the most significant issues in the Executive Order?
- The EO focuses on software supply chain security -- including the cybersecurity practices of the developers and suppliers themselves. The software supply chain represents a critical vulnerability for all organizations, including Federal agencies. Recent events impacting SolarWinds, Microsoft Exchange Servers, and Pulse Secure highlight the risks that organizations face. Malicious actors frequently exploit the security programs of IT and software providers in order to gain access to their customers.
The EO creates new requirements for agencies to implement robust software supply chain security programs. Under the EO, Federal agencies will now be required to adopt new standards and tools to ensure the security of their software supply chains, including criteria to monitor and evaluate the security practices of the developers and suppliers themselves. These initiatives will benefit not only the U.S. government agencies that implement the programs but also any commercial organization that relies on the same providers.
- The U.S. government is adopting a number of commercial best practices for third-party risk management that should lead to reduced risk within the Federal ecosystem. It’s critical for third-party vendors and service providers to share information with their customers about any incidents that may impact customer data. Many commercial organizations require in contracts that their service providers disclose these incidents in a timely fashion. Under the EO, the U.S. government is now requiring notification as well — in line with commercial best practices. One key difference is that the U.S. government requirement is for reporting of any incident affecting a commercial service provider, not just an incident that affects U.S. government data.
- The government is hoping to change commercial cybersecurity efforts through contract and incentive programs. In addition to the new software contractual requirements, the EO describes the creation of a labeling/rating program that would promote strong software security. This labeling/rating program would reflect all elements of software testing and assessment and could be useful to commercial organizations that are seeking to do business with software providers who follow best practices and are strong cybersecurity performers.
- The EO acknowledges that despite years of investment, the U.S. government still lacks visibility into vulnerabilities in its own infrastructure. The U.S. government has been repeatedly victimized by recent incidents in which malicious actors successfully exploited vulnerabilities within its environment. How can the U.S. government improve its identification of these critical vulnerabilities and remediate them? The EO seeks to maximize the early detection of cybersecurity vulnerabilities and incidents on Federal networks by broadening visibility into, and detection of, vulnerabilities and threats to agency networks, in order to bolster the Federal Government’s cybersecurity efforts. This will likely take the form of new spending and new programmatic efforts to improve agencies' vulnerability management programs.
In the weeks and months ahead, the U.S. government will be extremely active in developing plans and programs to comply with these new requirements. Executives and security professionals alike should examine their programs and these new Federal requirements to consider how their programs could benefit from similar approaches.