Federal agency chief information security officers (CISOs) talked about several aspects of the Biden administration’s cybersecurity executive order (EO) during a July 15 FedInsider webinar in which they flagged steps agencies should be taking to meet the order’s requirements.
The order, among other steps, gives agencies 180 days to implement multi-factor authentication and encryption for data both at rest and in transit. In combination with role-based access policies, these measures will help enable the migration to zero trust security architectures by controlling who, what, where, when, and how data is accessed.
Steven Hernandez, CISO at the Education Department, explained that this requirement of the order is an affirmation for Federal agencies to cross the finish line with a multi-factor authentication system. The EO, according to Hernandez, highlights how implementing multi-factor authentication and encryption for data dramatically limits an adversary’s ability to do harm.
“We at the Education Department have been using tools like multi-factor authentication. But for those agencies who have not made the jump, the EO is that push that they need to cross the finish line and implement these tools,” said Hernandez.
The EO also states that incremental improvements will not provide needed security measures; instead, bold changes and significant investments in cybersecurity, such as leveraging zero-trust principles, need to happen to defend the vital institutions of the United States.
Paul Cunningham, deputy assistant secretary and CISO at the Department of Veterans Affairs, emphasized that this means Federal agencies need to understand, for example, what zero trust principles are and where the agency can implement them. But it does not mean that agencies would have to completely abandon the cybersecurity practices they have used over the last several decades, he said.
“It is asking us to reaffirm our efforts to ensure effective information sharing among agencies and between agencies and cloud service providers,” said Cunningham.
Additionally, the EO points out the growth of connected devices and the resulting increase in cybersecurity concerns, especially with internet of things (IoT) devices.
“There has been an increase in the convergence of personal and professional devices, especially during the pandemic. And this brings another risk factor into possible cyber incidents,” said Garo Nalbandian, acting CISO of the Nuclear Regulatory Commission (NRC).
The NRC has implemented several security measures to mitigate the cyber risk that IoT devices pose to its networks. The NRC has deployed a guest network that limits the access of IoT devices and isolates them from the corporate network. The agency has also added a next-generation firewall that enforces policy based on user identity, limiting access to IoT devices to authorized users and administrators. As an added measure, the NRC has employed a network access control solution to identify IoT devices and take preventive action against unauthorized users.
“And these measures that we have taken collectively help us mitigate unauthorized access to our networks and take preventative actions to secure our networks and reduce harm,” Nalbandian said.