President Joe Biden on Wednesday signed an executive order with sweeping requirements aimed at beefing up federal cybersecurity, which tackles overarching issues plaguing the U.S. government, from supply-chain security to outdated security models.
At the top of the executive order’s list are step-by-step measures to modernize federal government security practices, new requirements for federal contractors to report cyber incidents and mandates aimed at enhancing supply-chain security by implementing security essentials for software purchased by the government.
In a statement, the Biden administration pointed to recent cybersecurity incidents - such as the SolarWinds supply-chain hack that roiled enterprises and government agencies, and a recent ransomware attack on the Colonial Pipeline, a key portion of the fuel-delivery network in the eastern United States - as a “sobering reminder” of increasingly sophisticated malicious activity from both nation-state actors and cybercriminals.
In the wake of incidents like these, “incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” according to the executive order. “The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.”
Incident Reporting Requirements for IT Contractors
The executive order aims to improve how information about threats and incidents is shared by removing contractual “barriers.” According to the Biden administration, the federal government contracts with IT and operational technology (OT) service providers (such as cloud service providers) that have “unique insight into cyber threat and incident information on Federal Information Systems” - however, current contractual restrictions may limit the sharing of such threat data with agencies responsible for investigating cyber incidents.
The executive order strives to overcome this hurdle by mandating that officials review current contract requirements and language for these IT and OT service providers, and ultimately recommend updates ensuring that service providers collect and share cyber incident data to any agency with which they have contracted.
“Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government,” according to the executive order.
Public and private sector collaboration has long been encouraged by government officials and security industry stalwarts alike. The executive order plays into this idea by mandating the development of a cyber incident review board, which will be co-chaired by government and private sector leads and will analyze cyber incidents to make concrete recommendations for improving cybersecurity.
Software Supply-Chain Security Measures
The executive order also takes a hard look at software supply-chain security, with a new mandate that the Secretary of Commerce develop guidelines that will be used to evaluate security for software and the developers and suppliers behind the software. These guidelines may include best practices such as auditing trust relationships and providing a purchaser a Software Bill of Materials (SBOM) for each product, for instance. Once these guidelines are in place, the order also calls for the development of a pilot program that will create an “energy star” type of label for the government to quickly determine whether software has been developed securely.
The executive order also calls for the initiation of pilot programs to educate the public on the security issues around Internet-of-Things (IoT) devices and software development practices, which would create cybersecurity criteria - including better testing - for a consumer labeling program for these devices.
“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit,” according to the Biden administration. “This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.”
Modernizing Federal Government Security
Another piece of the executive order revolves around modernizing federal government security by adopting security best practices. Within 180 days, the order will require agencies to adopt multi-factor authentication and encryption “to the maximum extent consistent with Federal records laws and other applicable laws,” for instance. Part of this also includes the development of a plan to secure cloud services, with the executive order directing agencies that use cloud technology to do so in a “coordinated, deliberate way,” in order to better prevent and remediate cyber incidents.
The executive order also pushes for agencies to deploy an endpoint detection and response (EDR) initiative to “support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response,” as well as the development of a plan to implement zero trust architecture. Other requirements include the creation of a standard playbook for responding to cyber incidents, steps to improve detection of cybersecurity incidents on federal government networks, and the improvement of investigative and remediation capabilities through the enforcement of robust and consistent logging practices.
The executive order comes on the heels of various efforts by the government to grapple with widespread cybersecurity issues. This has included the creation of a new task force that has developed a broad set of recommendations to help address the ransomware epidemic; as well as slapping a sweeping set of sanctions against Russian companies for supporting what the Biden administration called “malign behavior” by the Russian government, including the SolarWinds intrusion.
Chris Vickery, director of cyber risk research with UpGuard, said that overall the executive order is a “step in the right direction.”
“I think the overall idea that people should get is that the government is starting to open their eyes a little bit when it comes to security,” he said. The order's attention to issues such as supply-chain security “raises the alarm on something that security professionals have been warning about for a long time,” he stressed.