An extract from Joe Biden’s ‘Executive Order on Improving the Nation’s Cybersecurity’, published on the official website of The White House:
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors…”
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life… The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”
The Impact of Joe Biden’s Cybersecurity Executive Order
On May 12, US President Joe Biden issued an Executive Order on strengthening the nation’s cybersecurity infrastructure. This order followed a string of high-profile cyber-attacks that have taken place in the last 18 months. This includes those carried out against Twitter, Zoom, Marriott International, Magellan, Toll Group, Garmin, and, most notably, SolarWinds and Colonial Pipeline.
The Executive Order outlines the need to modernize the country’s cybersecurity defences. It opens up channels for sharing information related to cyber threats and data breaches between the government and the private sector. The order also highlights how important it is for organizations to ensure that their supply chains are secure and that their selected vendors meet certain cybersecurity requirements.
This isn’t the first time that a US president has issued an executive order on the state of cybersecurity. Including President Biden, the last five presidents have now announced a new order to protect the country from ongoing online threats. That said, this latest executive order is the most compelling so far and seems to have finally grasped the enormity of the issue.
7 Key Directives of Biden’s Cybersecurity Executive Order
The order lays out seven key directives (Sections 2-8) for strengthening the nation’s response to cyber-threats and brings compliance to centre stage. The seven directives outlined in the US Cybersecurity Executive Order are:
- Sec. 2. Removing Barriers to Sharing Threat Information. As we touched on earlier in this post, Biden’s Executive Order seeks to remove barriers and build stronger connections between the government and private sector.
- Sec. 3. Modernizing Federal Government Cybersecurity. Unlike previous iterations, Biden’s Executive Order places a strong emphasis on encryption, securing cloud services and adopting MFA.
- Sec. 4. Enhancing Software Supply Chain Security. The order establishes baseline standards in the development of software sold to the government.
- Sec. 5. Establishing a Cyber Safety Review Board. Much like the safety review boards that have been so successful in the airline industry, the order establishes a review board that will analyze major cybersecurity incidents so that lessons can be learned from each attack.
- Sec. 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents. A standard playbook will come into effect when responding to cyber incidents.
- Sec. 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks. The order looks to improve the ability to detect malicious cyber activity using a government-wide endpoint detection and response system.
- Sec. 8. Improving the Federal Government’s Investigative and Remediation Capabilities. The order requires cybersecurity event logs for federal departments and agencies.
How will the Cybersecurity Executive Order Impact Organizations Worldwide?
Although the order is for federal agencies and contractors, it affects all companies in the federal supply chain. Given the far-reaching nature of supply chains, it may be the case that your organization is part of the federal supply chain without you even realizing it. If you are a software supplier, hardware supplier or service provider, it is likely that the Executive Order impacts you in one way or another.
The order seeks to improve software supply chain security. By May 2022, further guidelines and processes are expected to be announced which are likely to become new industry standards and have global ramifications. Vendor risk management will take on a new importance. With the spotlight firmly on software supply chains, it is up to organizations to verify that they are working with secure vendors.
As well as increased scrutiny on supply chains, the responsibility will fall on organizations to ensure that vendors have the proper processes in place to ensure that threat and breach information can be shared easily. Many will need to re-visit their existing vendor contracts in order to meet new standards and protect eligibility for government agency contracts.
Further Requirements Set Out in the Executive Order
Another key element of the cybersecurity Executive Order is the requirement for vendors to provide a software bill of materials (SBOM) as part of the federal procurement process. The SBOM details all the components used in the software, including libraries, drivers, firmware, licenses, and operating systems. This measure makes it much easier for federal agencies to pinpoint whether or not they are exposed to a vulnerability in one of the listed components.
The benefit of developing and maintaining an accurate list of software components is better assurance that the software is trustworthy and reliable. Companies gain the ability to monitor their SBOMs for newly disclosed vulnerabilities, and early detection of a vulnerable component can prevent exploitation in the wild.
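The SBOM check described above, as an added example that is not part of the original article: a minimal CycloneDX-style SBOM is cross-referenced against an advisory feed to list the components whose shipped version is older than the first fixed version. Both the SBOM and the advisories are constructed inline, and the advisory IDs are placeholders rather than real CVE numbers.

```python
"""Cross-check an SBOM against an advisory feed (added example, not from the
article). The SBOM and advisory feed are constructed; IDs are placeholders."""
import json

# Constructed CycloneDX-style SBOM, reduced to the fields this check needs.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3"},
        {"type": "library", "name": "netlib", "version": "2.0.0",
         "purl": "pkg:generic/netlib@2.0.0"},
        {"type": "firmware", "name": "bootrom", "version": "0.9.1",
         "purl": "pkg:generic/bootrom@0.9.1"},
    ],
})

# Constructed advisories: affected component name and first fixed version.
# The IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "libfoo", "fixed_in": "1.2.4"},
    {"id": "ADV-EXAMPLE-0002", "name": "netlib", "fixed_in": "1.9.0"},
    {"id": "ADV-EXAMPLE-0003", "name": "bootrom", "fixed_in": "1.0.0"},
]

def parse_version(version):
    """Turn '1.2.3' into the comparable tuple (1, 2, 3)."""
    return tuple(int(part) for part in version.split("."))

def load_components(sbom_text):
    """Return {component name: version} for every component in the SBOM."""
    doc = json.loads(sbom_text)
    return {c["name"]: c["version"] for c in doc.get("components", [])}

def affected_components(sbom_text, advisories):
    """Return (name, version, advisory id) for each listed component whose
    version is older than the advisory's first fixed version."""
    installed = load_components(sbom_text)
    hits = []
    for adv in advisories:
        version = installed.get(adv["name"])
        if version and parse_version(version) < parse_version(adv["fixed_in"]):
            hits.append((adv["name"], version, adv["id"]))
    return hits

if __name__ == "__main__":
    for name, version, adv_id in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{name} {version}: affected by {adv_id}")
```

Re-running this check every time the advisory feed changes is what turns a static SBOM into the ongoing monitoring the order calls for.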
Further requirements set out in the Executive Order call for:
- Employing automated tools or processes to maintain trusted source code supply chains and ensure code integrity.
- Using automated tools and processes to check for known and unknown vulnerabilities and remediate them.
- Participating in a vulnerability disclosure program that includes a reporting and disclosure process.
- Maintaining accurate and up-to-date data on the provenance of software code and components, together with controls on the internal and third-party software components, tools, and services present in the software development process.
- Performing ongoing assessment of these processes and controls.
Safety-critical software is developed and used across industries such as healthcare, automotive, industrial control systems, avionics and aviation, to name a few. All such industries must start laying the foundations set out in the Executive Order in order to strengthen the cybersecurity posture of these heavily interconnected sectors.