President Biden’s Executive Order on Cybersecurity
On May 12, 2021, President Joseph Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity.” Although much of the order focuses on strengthening protection of the federal government’s networks, the private sector must adapt to the same continuously evolving threat environment. As a result, every company must ensure its products are built and operated securely while also partnering with the Federal Government to establish a more secure cyberspace.
The Biden-Harris administration expects the private sector to follow the federal government’s example. Highlights of the executive order include:
1: Establishing Software Supply Chain Security
Under the executive order, the Secretary of Commerce, acting through the National Institute of Standards and Technology (NIST), must publish guidance identifying practices that enhance the security of the nation’s software supply chain. The guidance must address secure software development environments, including the following practices:
• Using administratively separate build environments.
• Establishing multifactor, risk-based authentication and conditional access across the enterprise.
• Auditing trust relationships.
• Documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software.
• Employing encryption for data.
• Monitoring operations and alerts, and responding to attempted and actual cyber incidents.
The guidance must also cover generating, and providing to purchasers on request, artifacts that demonstrate conformance to those secure-environment practices; using automated tools, or comparable processes, to maintain trusted source-code supply chains and to check for known and potential vulnerabilities; remediating those vulnerabilities regularly and, at a minimum, before each product, version, or update release; and publishing summary information on the risks assessed and mitigated.
The guidance must likewise address maintaining accurate and up-to-date data, the provenance (origin) of software code and components, and controls on the internal and third-party components, tools, and services used in the software development process.
Other issues the guidance must address include:
• Recurring audits and enforcement of software development controls.
• Providing purchasers a Software Bill of Materials (SBOM) for each product, either directly or by publishing it on a public website.
• Participating in a vulnerability disclosure program that includes a reporting and disclosure process.
• Attesting to conformity with secure software development practices.
• Ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.
Additionally, the executive order directs the creation of pilot programs for consumer product labels that address security criteria for Internet of Things (IoT) devices and for secure software development practices. The criteria should reflect increasingly comprehensive levels of testing and assessment. The federal government will identify ways to incentivize developers and manufacturers to participate in the programs.
2: Sharing Threat Information
Another highlight of the executive order is removing contractual barriers to sharing: current contract terms can prevent IT service providers from sharing cyber threat and incident information about government information systems, and the order directs that those terms be changed. Within 60 days of the order’s issuance (by July 11, 2021), the Office of Management and Budget (OMB), in consultation with the other named federal agencies, must recommend the necessary contract language changes, including:
• A description of the contractors to be covered by the proposed contract language.
• Requiring service providers to collect and preserve data, information, and reporting relevant to preventing, detecting, responding to, and investigating cyber incidents on all information systems over which they have control, including systems operated on behalf of agencies, in line with agency requirements.
• Requiring service providers to share that data, information, and reporting, as it relates to cyber incidents or potential incidents, with the agency they have contracted with directly and with any other entity that the Director of OMB, in consultation with the Attorney General, the Secretary of Homeland Security, the Secretary of Defense, and the Director of National Intelligence, deems appropriate. The sharing must be consistent with applicable privacy laws, policies, and regulations.
• Requiring service providers to collaborate with Federal cybersecurity or investigative agencies in investigating and responding to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities such as monitoring networks for threats in collaboration with the agencies they support.
3: Establishing a Cyber Safety Review Board
The executive order also establishes a Cyber Safety Review Board to review and assess significant cyber incidents. The board is modeled on the National Transportation Safety Board, which investigates transportation accidents. Its membership will include both federal officials and private-sector representatives, and its primary purpose is to analyze major cyber incidents and recommend improvements to cybersecurity practices.
4: Cyber Incident Reporting
IT service providers under government contract will be required to promptly report cyber incidents involving a software product or service provided to the government to the relevant federal agencies. Reporting periods follow a graduated scale of severity: the most severe incidents must be reported within three days of initial detection.
The executive order defines an “incident” as an occurrence that:
• A: Actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
• B: Constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
Within 45 days of the order (by June 26, 2021), the Secretary of Homeland Security, acting through the Director of CISA and in consultation with the other named federal agencies, must recommend contract language to the FAR Council. The recommendations must address the nature of the cyber incidents that require reporting, the types of information to be reported, the contractors and service providers to be covered, reporting periods on a “graduated scale of severity,” and “appropriate and effective protections for privacy and civil liberties.”
Within 90 days of receiving those recommendations (by about September 24, 2021, if they arrive on the 45-day deadline), the FAR Council must publish the proposed contract language for public comment.
Our Take as Orion Networks
At Orion Networks, we believe that the Executive Order is an essential step for the Biden administration to enhance cybersecurity at the federal level, including the standardization of cybersecurity policies and requirements among agencies. In addition, it will likely strengthen collaboration and cybersecurity information sharing with government contractors. The agencies charged with rulemaking need to act quickly to meet near-term deadlines and achieve the policy directives.
For more details on how the new directives will affect your cybersecurity policies and best practices, get in touch with Orion Networks! We provide tech support and IT consulting for organizations in the Washington DC metro area. Regardless of your company’s size or industry, we can help you with IT support customized to your unique needs. We bring an innovative approach to cybersecurity and network management for small and medium-sized companies. Contact us today to schedule a consultation with our experienced IT engineers!