In May, President Trump issued a new Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, requiring all heads of executive agencies and departments to modernize and strengthen the cybersecurity utlizied within Federal networks and critical infrastructure.
The Department of Homeland Security’s (DHS) United States Computer Emergency Readiness Team (US-CERT) has taken strides to meet those demands, which fall into three sections: Cybersecurity of Federal Networks, Cybersecurity of Critical Infrastructure, and Cybersecurity for the Nation.
In order to meet the requirements of the new EO and the Framework for Improving Critical Infrastructure Cybersecurity, DHS announced that they have “developed a mechanism to collect these metrics via the DHS CyberScope System. DHS coordinated and provided training sessions with OMB, Federal agencies, and other stakeholders, including all CFO Act (Chief Financial Officers Act) and non-CFO Act agencies to follow suit. On the policy front, DHS, in coordination with the Department of Commerce, is working on a market transparency report examining whether existing Federal policies and practices are sufficient in promoting appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities. On the risk reduction front, Commerce and DHS are identifying and will promote actions to reduce the risks from distributed, automated attacks (i.e., botnets).”
Every Federal agency is expected to fully comply with this Order and implement it accordingly.
As agencies move to comply with this EO, companies currently conducting business directly with the FED must also follow suit. If the companies do not comply, they risk losing the ability to continue conducting business with the Federal government, so what does compliance mean?
The Order, which calls for adherence to the Framework, outlines strict policy for conformance to Special Publication 800-53 Revision 4.
This Special PUB mandates compliance to NIST security and privacy controls for Federal Information Systems and Organizations and ISO 27001 and ISO 15408 (Common Criteria)
The Order calls for the enforcement of cryptographic requirements within the Special PUB as outlined within the FIPS 140-2 validation standard.
Complying with these certifications could take 12-14 months (or longer) from start to finish. The level of effort, associated complexity, and timing requirements will largely depend upon your product’s readiness against FED security hardening requirements and your organizational readiness. If you would like to plan ahead to ensure that the Executive Order does not shut down your FED/Public sector business/revenue opportunities, contact Corsec to discuss a path forward.
Stay up to date with Corsec as we bring you all the most recent updates to the standards, certifications, and requirements. – Subscribe