In an effort to improve the United States’ ability to identify, deter, protect against, detect, and respond to malicious actors and attacks, the President of the U.S. has issued a new Executive Order (EO) to ensure all Federal Information Systems meet or exceed the cybersecurity standards and requirements it outlines. To accomplish this, the EO identifies the private sector as a major contributor to helping secure the Nation’s cyberspace.
As outlined in the EO, the scope of protection and security will include (1) systems that process data (information technology (IT)) and (2) those that run the vital machinery that ensures our safety (operational technology (OT)).
The President has stated, “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
Corsec has outlined high-level details associated with the order that could impact future policy, requirements, and operations within the U.S. federal government:
Section 2: Removing Barriers to Sharing Threat Information
- Develop a plan to allow further sharing of insights into cyber threat and incident information from Federal Information Systems by removing service provider contractual barriers – A review of the FAR and DFAR contractual language shall be completed within 60 days.
- Require information and communication technology (ICT) service providers to promptly report cyber incidents to the government – The government shall recommend such language for contracts with ICT service providers within 45 days. Within 90 days, procedures for sharing such reports will be agreed upon.
Section 3: Modernizing Federal Government Cybersecurity
- An overview of the steps and solutions needed to help prevent modern and sophisticated attacks on the U.S. federal government, including Zero Trust Architecture, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS) solutions – The Government shall create a plan to utilize these technologies within 60 days while creating a cloud-services governance framework. Within 90 days the Government shall create a report on the sensitivity of their data with respect to unclassified information. Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit.
Section 4: Enhancing Software Supply Chain Security
- The Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software – Within 90 Days the Government will implement best practices and other policy standards to improve the software supply chain. Such guidance will include, among other criteria, “employing encryption for data”, and “establishing multi-factor, risk-based authentication and conditional access across the enterprise”. Within 1 year the Government will produce language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to this section (this will apply to renewals of contracts as well).
Section 5: Establishing a Cyber Safety Review Board
- The Board shall review and assess, with respect to significant cyber incidents affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.
Section 6: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Align agency cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting systems – The Government shall develop a set of operational procedures (a playbook) for government-wide use within 120 days. Part of this will be to “incorporate all appropriate NIST standards”.
Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Step up efforts to improve detection of cybersecurity vulnerabilities and threats to agency networks and gain visibility into incidents through deployment of an Endpoint Detection and Response (EDR) initiative – Within 90 days the Government will issue requirements for such a system. Among other requirements, “ensure alignment between Department of Defense Information Network (DODIN) directives and FCEB Information Systems directives”.
Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities
- Agencies and their IT service providers shall improve collection of information from network and system logs on Federal Information Systems (for both on-premises systems and connections hosted by third parties, such as CSPs) and, when necessary to address a cyber incident on FCEB Information Systems. “Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention” – Within 90 Days, agencies must establish requirements for logging, log retention, and log management.
Section 9: National Security Systems
- Within 60 Days, the Government “shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements shall be codified in a National Security Memorandum (NSM).”
Contact Corsec to ask questions, discuss a project, or gain more insight on this post.