“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example.”
So states the Executive Order (EO) on Improving The Nation’s Cybersecurity! Noble by intent, and certainly appropriate, it has not been my professional experience to find the Federal Government, as expressed by the behavior of any representative agencies I’ve encountered, to be in a position of leadership of thought or action with regard to cyber security. Perhaps this EO is intended to address that experience, and provide some necessary resources to the public and private sectors as they address cyber security threats and vulnerabilities across America. The landscape is changing rapidly, as is the importance of this initiative. The critical infrastructure of the United States is managed by a blend of public and private enterprise. The Colonial Pipeline incident is a clear example of the private side of that blend. American businesses, and in particular those participating in the provision, delivery, and support of our critical infrastructure processes and resources, must pay attention to this EO. More importantly, all of us must view it as a baseline representing the minimum of what needs to be done, now, today, even yesterday, not an endpoint objective for sometime tomorrow.
The EO is built around a 7-point initiative of foundational cybersecurity practices. These are:
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector.
- Modernize and Implement Stronger Cybersecurity Standards in the Federal Government.
- Improve Software Supply Chain Security.
- Establish a Cybersecurity Safety Review Board.
- Create a Standard Playbook for Responding to Cyber Incidents.
- Improve Detection of Cybersecurity Incidents on Federal Government Networks.
- Improve Investigative and Remediation Capabilities.
It also relies upon the guidance of the National Institute of Standards and Technology (NIST) to establish standards for implementing a Zero Trust architecture, guidelines for enhancing software supply chain security, and minimum standards for vendors’ testing of their software source code; the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to develop a cloud security reference architecture and a cloud service governance framework; and the Director of the Office of Management & Budget (OMB) to begin modernizing the Federal Risk and Authorization Management Program (FedRAMP), to name a few important specifics.
Requirements For Cybersecurity Processes
Let’s briefly look at what each of these 7 practices entails:
Remove Barriers to Threat Information Sharing Between Government and the Private Sector: This intends to enable IT service providers to share information with the government and specifically requires them to share some breach information. By removing any contractual barriers between contractors to the Federal Government, and requiring these providers to share breach information including information about cyber threats, incidents, and risks that could impact Government networks or services, this initiative enables more effective defenses of Federal departments and improves the Nation’s cybersecurity posture and responsiveness as a whole.
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government: This objective directs the Federal government to employ secure cloud services, and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks, as well as a zero-trust architecture. (There’s a lot to unpack just in addressing zero trust implementation, which I’ll attempt in a future article.) The Director of CISA, and the Administrator of General Services acting through FedRAMP, must develop a federal cloud-security strategy and provide guidance to agencies within 90 days of the EO’s issue. It also mandates deployment of multifactor authentication and encryption within 180 days of the EO’s issue. That these measures are an initiative speaks loudly to the Federal Government’s current state of cyber security “preparedness”. There is also a series of steps to be taken within 60 days to upgrade FedRAMP’s cyber security presence.
Improve Software Supply Chain Security: The security of software used by the Federal Government is foundational to its overall cybersecurity posture. The order seeks to improve the security of software by establishing baseline security standards for software development of products sold or licensed to the Federal government. Developers will be required to provide greater visibility into their software and make security data publicly available. It’s up to the Director of NIST to offer standards including requirements to:
- Secure development environments
- Provide artifacts that demonstrate conformance to required processes
- Maintain trusted source code supply chains
- Maintain accurate and current data, provenance of software code, and controls on internal and third-party software components, tools, and services present in software development processes
- Provide a purchaser a Software Bill of Materials
It also initiates a pilot program to create an “energy star” type of labeling so that the government can quickly determine whether software it purchases was developed securely. This program is to be designed to incorporate “practices and criteria” for consumer software as well. This pilot program must be reviewed, including a report to the President, outlining recommendations for improvements to expand and assure its continuance.
Establishing A Cyber Safety Review Board: To be co-chaired by government and private sector leads, this Review Board may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. The function and operation of this new board are intended to be modeled after the National Transportation Safety Board, which is used after airplane crashes and other significant transportation incidents across the nation. Exactly what criteria make a cyber incident “significant” are to be determined. Membership includes representatives from the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI, as well as from private-sector cybersecurity or software suppliers selected by the Secretary of Homeland Security. While the board’s findings appear to be advisory only, they will likely lead to significant directives for corrective actions by all impacted firms and agencies.
Create A Standard Playbook For Responding To Cyber Incidents: The Secretary of Homeland Security, acting through the Director of CISA, is charged to create a standardized playbook and set of definitions for cyber incident response by federal departments and agencies. The playbook is to be developed to:
- Incorporate all appropriate NIST standards
- Articulate progress and completion methods through all phases of an incident
- Be updated annually
- Define key terms and use them consistently, including any statutory definitions of those terms, to the extent practicable, creating a common vocabulary across agencies using the playbook
The playbook will ensure Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. It will also provide the private sector with a template for its response efforts.
Improve Detection Of Cybersecurity Incidents On Federal Government Networks: Current capability in this regard varies widely across Federal agencies. This effort improves government agencies’ ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response (EDR) system and improved information sharing within the Federal government. The Secretary of Homeland Security, through the Director of CISA, will provide recommendations for implementing this initiative, designed to be centrally located to support host-level visibility, attribution, and response across participating government information systems. The intent is to support (and in some cases enable) the capability of the Secretary of Homeland Security and CISA to engage in cyber hunt, detection, and response activities.
Improve Investigative and Remediation Capabilities: Finally, this point creates standards for cybersecurity event logs for federal departments and agencies. These are to include recommendations on the types of logs to be maintained, the time periods for retention of logs and other relevant data, and by when agencies are to enable recommended logging and security requirements. Government agency system logs are to be protected by cryptographic methods to ensure integrity once collected, and periodically verified against hashes throughout their retention. The standards for these are to be prescribed within 90 days following the issue of the EO.
Implications for Non-Government Companies
Clearly there is a lot here to appreciate. All of these initiatives reflect practices we should, as sound cyber risk and security practitioners, be doing already in substance if not in form. Having the Federal Government upgrading more uniformly to the 21st century only helps our own efforts. If you are a firm providing software or digital services to the Feds, this EO is of particular importance and you should read the detail thoroughly. I’ve only covered the highlights, in my opinion. For those who seek input to shape and form any services missing from your own programs, the guidelines and standards being drafted through this EO will form a useful source for a framework or specification.
There is some implied emphasis upon tightening the security and monitoring of third parties. The software bill of materials, colloquially referred to as the “ingredients list” (like ones on consumer food packaging), provides some insight into open source or third-party components, including services, that may come bundled with a product offering. This information can potentially help close a monitoring and diligence hole in current practices. It certainly makes it easier to know if an incident in a third-party provider somewhere might be indirectly creating implications for your environment. And the “energy star” security rating system, while probably not perfect, will likely become a marketing feature once determined and offer some additional point of discrimination between competing service providers. At the risk of commoditizing software and services, we’d all likely buy the energy 5 star refrigerator of like features over the 3 or 4 star choice, even if the initial purchase outlay was a bit more. Supply chain security, explicit in these standards and implicit by their creation, is being pointed out as a critical component of this executive order. Many past blogs have focused upon the needs and benefits of attending to third-party risk management (TPRM), with cyber risk as a focus. Seeing the Feds do likewise only places additional emphasis upon a cyber risk best practice.
Information sharing, monitoring, enabling better and more informed forensics on incidents leading to continuous improvements are necessary and fundamental. They should have been established years ago. Late is only marginally better than never, and as a country we have a big gap to close to re-establish a protected infrastructure, let alone a protected economy.
A Federal GRC For The Future?
These standards will create a large data pile. Channeling it into useful information that can be analytical, evaluative, and predictive is not really a focal point. It is a shortcoming of the order. There should be a Federal GRC somewhere, possibly at CISA, to associate, repurpose and inform Agency decision makers and Federal policy advisors. That would add considerable value to this initiative. Perhaps as a follow-up for tomorrow. But there is a lesson here for all outside the Federal scope of this executive order. It’s not enough to just gather data, institute monitoring and other practices, and feel safe. Those systems all provide data; they alone do not inform. They do not provide context, nor do they necessarily relate data to help identify critical opportunities. It is necessary to take the next step and apply the tools to bring associated and possibly (but not always obviously) unassociated data to bear to create a truer picture of our risk profiles, our vulnerabilities and opportunities. GRC systems with their associated reporting and analytical tools are designed for just these purposes. Employing a centralized GRC service would generate value from all these task-related efforts, and provide the risk rewards these programs, and their equivalents in the private sector, seek to achieve.
This Executive Order is an opportunity for each and every business, regardless of whether it serves the Federal Government, to revisit its cyber risk practices, and begin to build and improve its processes to inform as well as perform. We are reminded that TPRM and GRC services are critical components that feed and support those efforts. Their implementation and adoption as trusted components of your risk management strategies across your specific enterprises are rapidly becoming existential, not optional. As always though, the choices, opportunities, and the outcomes they enable look positive for tomorrow.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.