The White House’s much-anticipated cybersecurity executive order (EO) made public late Wednesday takes an ambitious swing at forcing general improvements to cybersecurity nationwide, but issues its most authoritative directions to the Federal government to modernize IT infrastructure and security concepts and practices.
The Top Line
The heart of the marching orders to Federal agencies mostly can be summed up in two directives: move to the cloud, and move to zero trust security architectures.
Beyond that, the order also puts significant new requirements on Federal agencies to deploy endpoint detection and response technologies on their networks, adhere to a standard cyber incident response “playbook,” share cyber information with other agencies, and comply with new cybersecurity event log-keeping requirements.
For the private sector, the order uses the power of the Federal purse to put in place “baseline” security standards in software sold to the government, and also gives the private sector a seat at the policy table for weighing additional requirements. Notably, the order does not impose any particular security requirements on private-sector firms themselves.
“Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors,” the White House said. “The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”
As much as cloud and zero trust have been talked about in recent years – the first only partially adopted thus far by Federal agencies and the second still mostly in the aspiration and planning stages – the new White House order marks a strong new push for agencies to get moving on both.
The EO carries the force of law and can be expected to jump-start Federal agency activity on both fronts to a degree that builds on and surpasses previous policy directives like the Cloud First and Cloud Smart policies that have steered agencies toward more cloud adoption in recent years.
Based on the language in the EO, the Biden administration has dramatic progress in mind.
“The Federal government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid,” the order says. The EO also casts a wide net to cover both IT systems that process data, along with operational technology (OT) that runs vital infrastructure and machinery.
“It is the policy of my administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security,” President Biden states in the order. “All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”
As an overarching goal, the order says the government “must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal government’s visibility into threats, while protecting privacy and civil liberties.” Specific steps toward that goal include:
- Adopting “security best practices”;
- Advancing “toward Zero Trust”;
- Accelerating “movement to secure cloud services including Software as a Service, Infrastructure as a Service, and Platform as a Service”;
- Centralizing and streamlining “access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks”; and
- Investing in “both technology and personnel to match these modernization goals.”
How the government ultimately ends up implementing the provisions of the executive order remains very much in the myriad details of its directives.
Here are some elements of the order that matter most to Federal network operators:
Cloud Service Adoption
Federal agencies will have 60 days to “update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance,” the order states.
“As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal government to prevent, detect, assess, and remediate cyber incidents,” the order says, with migration to cloud services incorporating zero trust architecture “as practicable.”
Further, the order directs the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) to develop “cloud security principles” governing cloud service providers, and to incorporate those into Federal agency modernization plans.
The marching orders also include developing a Federal cloud security strategy within 90 days, cloud security technical reference architecture documentation with recommendations for cloud migration and data protection, and a cloud service governance framework.
Also within 60 days, Federal agencies must “develop a plan to implement Zero Trust Architecture,” the order states.
Those plans will incorporate migration steps recommended by the National Institute of Standards and Technology, and “describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.”
Multifactor Authentication and Encryption
The order states that Federal agencies have 180 days to adopt “multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
CISA will be in charge of helping agencies maximize adoption, based on identified gaps in agency implementation, and agency heads that can’t hit the 180-day deadline will have to provide a written explanation for why they can’t do it.
GSA is receiving a 60-day window to begin modernizing the FedRAMP program, which will include:
- A new training program for Federal agencies;
- Improved communications with cloud service providers “through automation and standardization of messages at each stage of authorization”;
- Increased automation throughout the FedRAMP lifecycle including assessment, authorization, continuous monitoring, and compliance;
- Digitizing documentation that vendors are required to complete; and
- Mapping other compliance frameworks onto the FedRAMP authorization process and allowing them to substitute for portions of the existing process.
Cyber Response Playbook
The order will mandate creation of a “standardized playbook” and set of definitions that Federal agencies will have to follow for cyber incident response, and ensure that agencies “meet a certain threshold and are prepared to take uniform steps to identify and mitigate” cyber threats.
“Organizations cannot wait until they are compromised to figure out how to respond to an attack,” the White House said. “Recent incidents have shown that within the government the maturity level of response plans vary widely.”
The White House said the response playbook for Federal agencies can also provide a “template” to the private sector for its incident response efforts.
Endpoint Detection and Response
The EO requires government-wide deployment of endpoint detection and response systems on Federal networks – incorporating key objectives of the existing Continuous Diagnostics and Mitigation (CDM) program run by CISA.
At the same time, it orders a “robust” level of cybersecurity information exchange between government agencies.
“Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organization exposed to adversaries,” the White House said. “The Federal government should lead in cybersecurity, and strong, Governmentwide Endpoint Detection and Response deployment coupled with robust intra-governmental information sharing are essential.”
Cyber Log Requirements
The order further creates cybersecurity event log requirements for Federal agencies that aim to generate more data to help with incident response.
“Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact,” the White House said. “Robust and consistent logging practices will solve much of this problem.”
‘First of Many’ Policy Steps
The White House called the executive order “the first of many ambitious steps” it is taking to modernize national cyber defenses.
“Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals,” the White House said in a release accompanying the order. “These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”
“This Executive Order makes a significant contribution toward modernizing cybersecurity defenses by protecting Federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur,” the White House said.
Private Sector Impact
The executive order’s security-improvement directives to the private sector are much less authoritative, as the White House noted that private sector companies “make their own determination regarding cybersecurity.”
Instead of issuing orders requiring the private sector to improve security, the White House said, “We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
Nonetheless, the language of the executive order includes the need for government-private sector partnership to improve security, stating that “cybersecurity requires more than government action.”
“In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced,” the order reads.
While avoiding direct requirements for corporate security, the order puts other far-reaching requirements on the private sector as new costs of doing business with the government.
Software Supply Chain Security
On the heels of the SolarWinds Orion and Microsoft Exchange hacks accomplished through software supply chains, the White House order will create “baseline security standards” for the development of software sold to the government. The order also will require developers “to maintain greater visibility into their software” and to make security data publicly available.
“We need to use the purchasing power of the Federal government to drive the market to build security into all software from the ground up,” the White House said.
Beyond directing the development of new standards, the order also will create a “public-private process” to develop “new and innovative approaches to secure software development,” along with a pilot program to create an “energy star” label that rates to what degree software has been developed securely.
“Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit,” the White House said. “This is a long-standing, well-known problem, but for too long we have kicked the can down the road.”
Breach Data Sharing
Beyond the marching orders for Federal agencies on cloud and zero trust, the EO takes a stab at improving cyber threat data sharing with the government by requiring “IT Service Providers” to share some cyber breach information with the Feds. It also removes contractual barriers that prevent service providers from sharing breach information.
“IT providers are often hesitant or unable to voluntarily share information about a compromise,” the White House said. “Sometimes this can be due to contractual obligations; in other cases, providers simply may be hesitant to share information about their own security breaches.”
“Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation’s cybersecurity as a whole,” the White House said.
Cyber Safety Review Board
The order also puts the private sector into the policy-making picture by establishing a Cyber Safety Review Board co-chaired by government and private sector officials, which the administration likened to the National Transportation Safety Board that analyzes airplane crashes.
The new board, the White House said, “may convene following a significant cyber incident” to analyze attacks and “make concrete recommendations for improving cybersecurity.”
“Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents,” the White House said. “When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements.”
Brandon Wales, CISA’s acting director, called the EO “an important step forward in bolstering our nation’s cybersecurity. As last week’s ransomware attack against the Colonial Pipeline and recent intrusions impacting federal agencies demonstrate, our nation faces constant cyber threats from nation states and criminal groups alike.”
“As the nation’s lead agency for protecting the Federal civilian government and critical infrastructure against cybersecurity threats, CISA serves a central role in implementing this executive order,” Wales said. “This executive order will bolster our efforts to secure the Federal government’s networks, including by enabling greater visibility into cybersecurity threats, advancing incident response capabilities, and driving improvements in security practices for key information technology used by federal agencies. And because the Federal government must lead by example, the executive order will catalyze progress in adopting leading security practices like zero-trust architectures and secure cloud environments.”
Matthew T. Cornelius, an OMB veteran and now executive director of the Alliance for Digital Innovation, offered a more mixed reaction.
“If you step back and look at the major elements of the EO – improving information sharing, enhancing software security, better vulnerability management, and centralizing visibility to address cyber risk across the government – the administration is clearly focused on the right priorities,” he said.
“Given all the elements assigned to the key sections, this looks like a ‘shock and awe’ approach regarding the acceleration of America’s cybersecurity detection and rapid response capabilities, for which the Biden team should be applauded,” Cornelius said.
“However, as you look deeper into the actual text, you realize that the EO is a classically malodorous example of ‘drafting by committee.’ There are overlapping, inconsistent, and incongruous timelines, various roles and responsibilities that don’t stand to reason, and a general lack of pruning that substitutes activities for action,” he said.
“As someone who led implementation of EO 13800 in the previous Administration, I would hope that discharging this EO doesn’t devolve into a noxious series of status reports and agency actions just to meet arbitrary deadlines,” Cornelius said. “Instead, a thoughtful, coordinated, and well-resourced execution plan will ensure that the most appropriate and effective elements of the EO are being carried out with clearly articulated goals in mind that drive outcomes, not exercises.”
The tech sector – particularly those with heavy presence in the Federal public sector security and cloud arenas – came out in force today to support the primary aims of the White House cybersecurity executive order.
Among those providing the private sector view to MeriTalk on how the order will play out at the Federal agency level are:
- Steven Kovac, Vice President of Global Government and Head of Compliance at Zscaler, who said the order moves the Federal government into the new “Cloud Secure” era;
- Matt Marsden and Aaron Smith of Tenable, who talked about the order’s focus on enterprise-wide views of government security; and
- Andrew Rubin, CEO at Illumio, who commented on the ascendency of zero trust security concepts as a result of the White House order.
Check out their full comments here.