On May 12, 2021, the Biden Administration signed a cybersecurity executive order that focuses on bolstering the government’s cybersecurity protocols and defenses. It also seeks to strengthen the federal government’s resilience by imposing a wide range of requirements on contractors, agencies and businesses.
Essentially, the executive order establishes additional criteria requiring agencies and businesses to update or implement stronger cybersecurity measures to protect their information systems.
The cybersecurity executive order will directly affect businesses that provide operational technology (OT), information technology (IT) services and cloud computing services including software-as-a-service (SaaS) companies.
President Biden signed the order in response to a string of significant cyberattacks targeting the U.S., including SolarWinds, the Russian cyber espionage operation that caused disastrous effects in the U.S. and affected over 100 American companies.
Remove Contractual Barriers between the Government and Private Sector
Contractual barriers prevent IT and OT companies from sharing threat information. The executive order will remove these barriers and require businesses to share breach information with the federal government. The purpose is to facilitate a more vigorous and reliable information-sharing regime.
Previously, only defense agencies and contractors were subject to breach-reporting requirements. Although the Federal Acquisition Regulation (FAR) has implemented and enforced basic safeguarding requirements, it stops short of requiring cyberattack or breach notifications.
The executive order now extends the information-sharing requirements to all IT and OT service providers to the government. Businesses must also share information on cyber threats, risks, incidents and the like with the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA).
Modernize Stronger Cybersecurity Standards in Federal Government
Another critical point of the executive order is that the federal government will make substantial efforts over the next several months to develop "best cybersecurity practices," including cloud service solutions, zero-trust architecture, multi-factor authentication and encryption.
Additionally, the government will modernize the federal government's cloud security authorization program, FedRAMP, providing agencies with state-of-the-art cybersecurity training and improved communication with businesses that provide cloud services.
Improve Software Supply Chain Security
The Department of Commerce, in collaboration with the National Institute of Standards & Technology (NIST), will develop a robust guidance program to improve software supply chain security requirements and criteria, with a focus on "critical software." The guidance will include standards, criteria and procedures for data encryption, multi-factor authentication and other security protocols.
The purpose is to ensure the eligibility of all software programs for federal procurement. NIST will remove all non-compliant software from federal contracts or purchase agreements. Businesses need to redesign legacy software to comply with the new requirements.
Therefore, companies should pay attention to Federal Trade Commission enforcement and keep the labeling regime in mind, ensuring that their software development process meets or exceeds the established requirements and reflects current practices.
Establish a Cyber Safety Review Board
The Cyber Safety Review Board will convene in the event of significant cybersecurity threats. The board will reflect a public-private partnership focused on cybersecurity, digital defense and the insights gained from the data collected.
The Secretary of Homeland Security and private sector representatives will co-lead the safety review board. The government will select representatives from private sector companies based on a specific cybersecurity incident under investigation.
Create a Standard Playbook to Respond to Threats and Incidents
The Department of Homeland Security and other agencies, including the Office of Management and Budget, will develop a "Playbook" by September 2021 to establish a standard set of operating procedures.
These procedures govern the planning and conduct of cybersecurity threat and incident response activity for Federal Civilian Executive Branch (FCEB) information systems. The Playbook will incorporate all relevant NIST standards, and the FCEB agencies will use these standards to streamline the entire process.
Improve Federal Government Networks’ Detection Capabilities
Agencies will make significant efforts to implement endpoint detection methods so that incidents are caught early. At the same time, the executive order states that FCEB agencies will create response initiatives to tackle cybersecurity threats and incidents proactively. This preventative approach, backed by aggressive tactics, will improve the government networks' detection capabilities.
This involves active cyber hunting, containment methods, remediation strategies and response to cyber incidents. In collaboration with the Department of Homeland Security, the Office of Management and Budget will define and establish these requirements.
Are You Prepared for President Biden’s Executive Order?
The cybersecurity executive order signed by President Biden focuses on improving the overall digital defense systems in the U.S. Not only does this executive order benefit the federal government, but the White House memorandum recommends that all businesses follow suit.
Because the execution of these directives will take some time, the implementing regulations will ultimately define the impact of this new executive order. How soon the executive order will take effect is another story! However, IT and OT companies need to be ready for the impact on their businesses. Contact Cyber Tech Connection to understand if and how this cyber executive order will affect your business.