Access Alert | President Biden Issues Executive Order on Cybersecurity

On 12 May 2021, President Biden issued an Executive Order (EO) on Improving the Nation’s Cybersecurity aimed at strengthening U.S. federal cyber protections. The EO, which has been in development for months, lands amid mounting public concern following a wave of recent high-profile cyberattacks. These include:

  • Last week’s ransomware attack on the Colonial Pipeline;
  • The Microsoft Exchange server intrusion uncovered in March; and
  • The SolarWinds hack that compromised nine federal agencies late last year.

Indeed, the EO follows multiple lawmaker calls for tighter federal rules and guidance to secure ICT supply chains and critical infrastructure. Just last week, both the House and Senate held hearings on the state of federal cybersecurity and increasing digital attacks.

Part of a promised “whole of government response” by the Biden Administration, the EO requests an overhaul of the federal government’s approach to cybersecurity, in addition to a re-evaluation of agency software acquisitions and existing measures to block cyber threats. Importantly, it targets federal networks rather than critical infrastructure operated by private entities, such as the Colonial Pipeline. As such, there will almost certainly be additional federal and congressional activity to close domestic infrastructure vulnerabilities. Key provisions of the EO, which outline preventive actions for both the federal government and the private sector, include:

  • Accelerating federal agency efforts to secure cloud services, including updating existing plans to prioritize resources for adoption and use of cloud technology;
  • Requiring agencies to deploy multi-factor authentication and encryption, as well as endpoint detection and response software;
  • Logging requirements for agencies to retain cyber event and other relevant data on their networks to improve federal investigations and remediation; and
  • New cyber threat incident reporting requirements for ICT service providers that hold contracts with the federal government.

The EO also authorizes a line-up of new interagency initiatives to remove barriers to sharing threat information, modernize federal cybersecurity standards, improve software supply chain security, and create a standard federal playbook for responding to cyber threats:

  • The Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA), and the government-wide Federal Risk and Authorization Management Program (FedRAMP) will develop a federal cloud-security strategy to provide guidance, including new policies restricting agency use of old, unsupported software;
  • CISA and FedRAMP will also develop principles based on Zero Trust Architecture to govern cloud service provider use in agency modernization efforts;
  • OMB, the Pentagon, the Departments of Justice and Homeland Security, and the Office of the Director of National Intelligence (ODNI) will review and update the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) and implement new standardized cybersecurity contractual requirements;
  • OMB and the General Services Administration (GSA) will modernize FedRAMP to ensure agencies are able to manage FedRAMP requests, improve communication with cloud service providers, and incorporate review automation, among others;
  • The National Institute of Standards and Technology (NIST) will develop guidance and standards to enhance software supply chain security regarding secure development environments, software bill of materials (SBOM), and participation in vulnerability disclosure programs, among others;
  • NIST will work with the National Security Agency (NSA) to develop minimum-standard guidelines for vendor testing of software source code;
  • With the Federal Trade Commission (FTC), NIST will also determine the need for a consumer software labeling program or tiered software security rating system;
  • Secretary of Homeland Security Alejandro Mayorkas will lead a new Cyber Safety Review Board, comprising federal officials and representatives from private-sector cybersecurity or software entities, to review and assess significant cyber incidents, threat activity, vulnerabilities, mitigation efforts, and agency responses;
  • Finally, Secretary Mayorkas will lead an interagency task force to develop a standard set of operational procedures to be used in planning and conducting cybersecurity vulnerability and incident response activities.

Implications

The EO represents the most significant attempt yet by the Biden Administration to close large cybersecurity gaps that have been exploited in the last year. The order includes both new requirements for agencies and higher standards for vendors. Importantly, it sets the stage for requiring federal contractors to report data breaches and meet new software security requirements. The directive also emphasizes the need for public-private cooperation in developing new cybersecurity standards and processes, as well as in mitigating and resolving future attacks.

What Companies Should Do

Cybersecurity companies, companies in designated critical infrastructure sectors, and federal ICT contractors should:

  • Engage with the federal entities identified in the EO to provide feedback on draft processes and procedures;
  • Monitor open and ongoing policy processes to update federal procurement and vendor security rules, to ensure that private-sector involvement, which is critical for rapid threat identification, response, and mitigation, is optimized;
  • Educate policymakers in Congress and the Executive branch about what your company is doing to respond to evolving cybersecurity threat actors and government guidance; and
  • Seek business development opportunities with the US government to reduce cybersecurity vulnerabilities.
