A review of lessons learned is a key component of any good incident response plan. After the SolarWinds attack, the US Government considered its lessons learned, and many of its findings are summarized in the recent Executive Order on Improving the Nation’s Cybersecurity. This Executive Order (EO) is very detailed and specific and addresses some of the most obvious lessons from SolarWinds. The EO also comes on the heels of the Colonial Pipeline ransomware attack, further underscoring the need to bolster cybersecurity practices.
A Presidential Executive Order is a set of directives for the agencies and organizations that fall under the executive branch of government. With this EO, the President is using the “procurement power” of the federal government to influence change - and in this case, to address cyber security threats to “the public sector, the private sector, and ultimately the American people’s security and privacy.”
How the Cybersecurity EO Affects You
If you are doing business, or planning to do business, with the US Government, then take note - the EO is very specific, and sets timelines for government implementation of many IT security practices. Expect to continue to meet FedRAMP, StateRAMP, NIST 800-171/53 or CMMC. These standards may be updated while NIST reviews them for their current effectiveness.
If winning a contract with the federal government is not on your radar, the EO is still worth paying attention to because of the security practices it outlines, as well as changes to standards that will impact everyone. Include the security concepts described within this EO on your security roadmap because it is almost guaranteed that the various IT security frameworks will adopt and integrate these concepts. There are also items in the EO that organizations, whether doing business with the government or not, may be called upon to perform. For example, certain companies could be required to submit threat, risk, and security incidents to the Federal Government. Continuing to regularly revisit your IT risk assessment and keeping your incident response plan current is still best practice.
In general, the EO includes steps common to any incident response plan: preventing incidents, minimizing their impact, detecting and responding to intrusions, and reviewing lessons learned. Think Colonial Pipeline - many of these practices would have been very nice to have had in place!
EO Summary and Highlights
Section 1 - Introduces the EO
Section 2 - Covers concepts related to threat sharing for IT service providers
- If you do business with the US Government, expect to see contract terms updated or amended to allow for more threat information sharing.
- Outlines requirements on collection, preservation and sharing on data incidents.
- Sets the stage for future guidance on how service providers are to share threat, incident and risk data with government agencies, like CISA and the FBI.
Section 3 - Modernizing Cybersecurity within the Federal Government
- Federal agencies will be required to adopt multi-factor authentication (MFA) and encryption for data at rest and in transit within the next six months. Expect that if you provide a service to the Federal Government, you will have to implement these too.
- Highlights and puts time targets for agencies to implement more robust continuous monitoring practices, migrate to more secure cloud based solutions, and implement Zero-Trust Architecture.
- Zero-Trust works under the assumption that a breach is inevitable; to address this, it implements access controls that hinder attackers from moving laterally around the network. Adopting a zero-trust architecture may be tricky and time intensive, as there are no ‘out of the box’ solutions.
- Calls for changes to FedRAMP, notably in allowing mapping to other frameworks/certifications which may speed up the onboarding of cloud service providers.
Section 4 - Protection of “critical” software solutions (i.e. addressing supply chain risks)
- Expect new guidance from NIST on enhancing supply chain security.
- Watch to see if your solution is defined as “critical” software, and be ready to implement any changes to process or product that come from your government buyer, such as:
  - Demonstrating that you have security-focused development practices (the concept of “security by design”)
  - Demonstrating that you have strong protections for your source code, and that you are testing it regularly
  - Showing that you are able to update your legacy software, or have a plan to address any gaps
- Be prepared for a “Software Bill of Materials” (SBOM) requirement, which will come with a set of minimum security specifications for IT solution providers.
- Watch for the guidance around the new labeling of the security level of software - much like the EnergyStar labels for appliances.
Sections 5, 6, 7, and 8 - These sections include a handful of internal processes for government agencies, such as:
- A Cyber Security Review Board will be established, composed of government and private-sector advisors. It is chartered to respond to and plan for cybersecurity issues. Monitoring the activities of the Cyber Security Review Board will give a better understanding of what future conditions will be required of the private sector.
- Creation of incident playbooks, incident detection, and incident investigations.
- Updates to National Security Systems.