The Biden administration released a new executive order for cybersecurity on May 12, 2021. Although many know the overarching message of the executive order, it’s also important to know the specific details outlined in each section. As our CEO Sam King remarked, “It gets really specific about the types of security controls they want organizations to adhere to and government agencies to take into account when they’re looking to do business with software vendors in particular.”
As we go through each section, we will intersperse thoughts from Sam King and Chris Wysopal, co-founder and CTO at Veracode, as well as thoughts and statements from Forrester analysts, Allie Mellen, Jeff Pollard, Steve Turner, and Sandy Carielli, from their recently aired webinar, A Deep Dive Into The Executive Order On Cybersecurity.
The first section talks about the overarching policy in the executive order, stating:
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.”
It sets the framework for the order, calling “prevention, detection, assessment, and remediation of cyber incidents” a top priority. And if the Federal Government takes ownership of national cybersecurity, it will not only improve security in the public sector, it should also increase regulations in the private sector.
Section 2 removes the barriers to sharing threat information. In other words, IT Service Providers can no longer hide information pertaining to breaches – even due to contractual obligations. And they will have to disclose this information in a timely manner. As Turner expresses in the Forrester webinar, “this section really opens up the door for all of the further technology improvements and the way that we want to improve security holistically as we go down toward significantly modernizing the way that the federal government does cybersecurity.”
Speaking of modernizing the way that the federal government handles cybersecurity, section 3 is specifically aimed at addressing today’s sophisticated cyber threat environment. It sets the groundwork for moving the Federal Government to secure cloud services and a zero-trust architecture. As part of the zero-trust policy, vendors providing IT services to the government will have to deploy multifactor authentication and encryption in a specified time period.
Section 4 enhances software supply chain security. It sets a new precedent for the development of software sold to the government. Developers will be expected to have increased oversight of their software and they will be required to make security data public. Wysopal found “the scope of the software supply chain requirements to be the most notable aspect” of the new executive order, stating, “It’s very comprehensive – all the different aspects of delivering secure software that hasn’t been tampered with by attackers, that has had software assurance practices built into the development pipeline, and notification to the federal government if a vendor has been compromised – because there’s a likelihood that the software was the target.”
This section also proposes that software be ranked or labeled based on its security. As Carielli explains in the Forrester webinar, the software will be labeled with a ranking – like energy star of good housekeeping – proving a vendor’s security standing. Wysopal is a strong proponent of the labeling program, comparing it to programs used in the UK and Singapore on IoT devices. He sees it as a good way to incentivize vendors to secure their products. King agrees, calling the pilot program a great way to increase transparency and accountability.
Sections 5 and 6
Despite all of these new steps in place to prevent cyber incidents, it’s still possible for a breach to occur. That’s where section 5 comes into play. Section 5 establishes a review board – similar to the National Transportation Safety Board – to analyze cyber incidents and propose steps for future avoidance, which Wysopal praises as a welcome addition. There will also be a standard playbook – outlined in section 6 – that will provide response tips for cyberattacks.
Section 7 “improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government.” And section 8 improves investigation and remediation by requiring federal agencies to maintain a cybersecurity event log.
Sections 8, 9, and 10
The final three sections call for the adoption of the National Security Systems requirements laid out in the Executive Order and provide any outstanding definitions or provisions.
Although the Forrester analysts outlined some potential issues with the executive order during their webinar, like the extra budget and resources that will be needed to fund the cybersecurity requirements, they also noted the potential for the executive order to have a positive effect on the private sector. Pollard estimates that the private sector will likely follow suit in requiring IT vendors to release breach data and follow a zero-trust architecture. He also predicts the private sector will require increased security in the software development lifecycle.
Wysopal recently stated in his blog New Cybersecurity Executive Order: What You Need to Know, “The US government won’t be the last entity demanding more security transparency from software vendors. It's a sign of what’s to come for any organization creating software in any industry.”
What do you think? Will the requirements of the executive order trickle down the private sector?
Keep an eye out for our upcoming blog where Chris Wysopal, co-founder and CTO of Veracode, will give his opinions on how the executive order will impact the consumer market.
In the meantime, visit the Veracode Executive Order page for additional insight on Biden’s executive order.