Cybersecurity Executive Order Observations
If you are an avid follower of current events in the information security space, you will be aware of a number of recent high-profile cybersecurity events, particularly in the United States. These events dramatically impacted the operations of the federal government and critical services organizations, as well as private sector companies that use the same software and services as the targeted groups. This, coupled with events earlier this year around certain monitoring solutions, has prompted the US government to take swift and decisive action on implementing proactive controls. As evidence of this, on May 12, President Biden signed a cybersecurity Executive Order (EO) aimed at improving efforts to “identify, deter, protect against, detect, and respond to these actions and actors.”
The order aims to improve federal security practices and threat intelligence sharing among federal agencies and the private sector, enhance software supply chain security, and improve federal security incident response. The requirements of the Executive Order will initially apply to federal government agencies and to software suppliers to the federal government.
The rest of the private sector will be indirectly impacted when commonly used IT and security vendors adjust their products and services. While this influences and impacts agencies in North America, it isn’t a far stretch to anticipate that we will see similar responses at a global scale. Security is quickly becoming a number one priority worldwide.
Cybersecurity Executive Order Observations
Some of the actions are required to occur in the next 30 to 60 days, which is lightning fast by federal government standards, and somewhat unprecedented. Some will occur in a year or more. The security industry will likely be discussing the impact of this Executive Order for years.
Here are some preliminary observations:
- It is good to see bold recommendations such as the Software Bill of Materials (SBOM), which have been circulating in cybersecurity policy circles for some time, included in the order. Definitions such as “Critical Software” will be important for implementation.
- The order seeks to mandate common security practices across the federal government. This will be a boon to vendors working with multiple agencies, since common standards reduce the administrative overhead needed to engage with them. However, the standards will only be MINIMUM standards for each agency. Agencies whose existing procedures exceed the EO requirements will be allowed to continue using those processes.
- Some of the recommendations, for example encryption requirements, are already contained in various standards and regulations. The explicit inclusion of these in the EO is a good reminder, but must be followed by enforcement.
- Proper funding will be instrumental to success. Nothing in this EO specifies how agencies will fund execution of these directives, although there are requirements to measure how much this costs. Lack of funding and expecting more from overburdened federal IT and security teams may delay implementation of any oversight or operational efforts.
- There is nothing in the executive order that addresses direct action against threat actors. Fortunately, groups such as the Institute for Security and Technology Ransomware Taskforce and the Atlantic Council have suggested policy recommendations which attend to these issues.
The Executive Order and Zero Trust
This Executive Order is receiving attention because it has the potential to raise security standards not just for the federal government but also for the entire private sector. As one of the largest purchasers of IT and security services in the US, whatever the federal government wants is often incorporated into products used by the private sector and international partners.
Under the “Modernize Federal Security” section, the EO places an emphasis on cloud computing and Zero Trust (ZT) security controls. As security practitioners know, adhering to a ZT philosophy is a journey, not a destination. Each agency has 90 days to come up with a cloud and ZT architecture plan, supported by the Cybersecurity and Infrastructure Security Agency (CISA) who will create a framework and reference architecture design.
The term “Zero Trust” does not have a common definition. The EO explains Zero Trust as:
“The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
As a first step, agencies will implement encryption and multi-factor authentication (MFA) within 180 days. Most security leaders would nod in agreement that MFA and encryption are basic security requirements for any organization, and that MFA forms the base of a Zero Trust architecture. Many would also agree that their own deployment is not as comprehensive as they would like. Now is a good time for them to accelerate completion of their encryption and MFA programs.
Zero Trust doesn’t end with MFA. In order to incorporate “real-time information from multiple sources” we need a fully integrated technology and security stack, device health visibility with management, and policies to enforce access and incident response actions. Attention must be given to employees, devices, applications and microservices that have their own identities and permissions.
Before a detailed Zero Trust strategy can be created, security leaders will need to understand:
- Business Processes and Employee Roles: What digital assets should employees be accessing, from where, when and how? What may change with Zero Trust? How will this be communicated?
- Device Configurations: What technology and security standards are required for laptops, desktops, servers and mobile devices? What IT and security tools support these requirements?
- Application Authorization: What roles and permissions do applications use, not just for employees, but for APIs and other services? How will Zero Trust policies impact application behavior?
- Threat Intelligence: How will threat intelligence be incorporated into the Zero Trust policies?
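To make the four inputs above concrete, here is an added example (not code from the post or from Duo) of a default-deny access decision that combines employee role, device posture freshness, application-level authorization and a threat intelligence feed, in the spirit of the EO's “continuous verification … from multiple sources.” Every table, threshold and address in it is a constructed assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Request:
    user: str
    role: str
    asset: str
    mfa_verified: bool
    device_compliant: bool      # device meets the configured security standard
    device_last_checkin_s: int  # seconds since the last posture report
    source_ip: str
    hour_utc: int

# Constructed policy tables for the example (assumptions, not real policy).
ROLE_ASSETS = {"analyst": {"ticketing", "wiki"},
               "admin": {"ticketing", "wiki", "payroll"}}   # business process / roles
APP_REQUIRES_ROLE = {"payroll": {"admin"}}                   # application authorization
THREAT_INTEL_BLOCKLIST = {"203.0.113.7"}                     # constructed TEST-NET address
MAX_POSTURE_AGE_S = 300      # device posture older than this is no longer trusted
BUSINESS_HOURS_UTC = range(6, 21)

def evaluate(req: Request) -> tuple[str, list[str]]:
    """Default deny: access is allowed only when every signal checks out.
    Returns the decision and the list of failed checks (empty on allow)."""
    reasons: list[str] = []
    if not req.mfa_verified:                       # identity: MFA is the floor
        reasons.append("mfa_missing")
    if not req.device_compliant:                   # device configuration standard
        reasons.append("device_noncompliant")
    if req.device_last_checkin_s > MAX_POSTURE_AGE_S:   # continuous, not one-time, verification
        reasons.append("posture_stale")
    if req.asset not in ROLE_ASSETS.get(req.role, set()):   # what should this role access?
        reasons.append("asset_not_in_role")
    if req.role not in APP_REQUIRES_ROLE.get(req.asset, {req.role}):  # app-level permission
        reasons.append("app_authz_denied")
    if req.source_ip in THREAT_INTEL_BLOCKLIST:    # threat intelligence feed
        reasons.append("threat_intel_match")
    if req.asset == "payroll" and req.hour_utc not in BUSINESS_HOURS_UTC:  # "when"
        reasons.append("outside_window")
    return ("allow" if not reasons else "deny", reasons)
```

Because the decision returns every failed check rather than the first one, the same function doubles as an audit record showing which Zero Trust signal blocked a request.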
The Executive Order does not set a deadline by which initial Zero Trust strategies will be implemented, only that a plan be created. These actions take time, and require the full support of the entire organization. Implementing Zero Trust changes the way the organization works: it touches every employee and every business process.
The federal government will need to embark on a major organizational change initiative in order to achieve the goals of the Executive Order. At the same time, threats are increasing in volume and impact. We will be watching to see how CISA, NIST and other agencies define this journey for Federal agencies, and how this will impact requirements for companies in the federal supply chain.