Executive Order 14028, Improving the Nation’s Cybersecurity, signed by Biden on May 12, 2021, mandates different agencies to enhance cybersecurity through various initiatives in the security and integrity of software and data. The order was prompted by numerous high-profile information security and ransomware attacks in 2020/21, including the SolarWinds compromise, MS Exchange server vulnerabilities, and the Pulse Connect Secure targeting public and private sectors. These attacks prompted CISA (Cybersecurity and Infrastructure Security Agency) to issue directives regarding the security framework in the country.
Biden’s executive order emphasizes the need to ease information security barriers as a core principle in national security mandating federal agencies and the public sector to work in unison with the private sector to prioritize the data security and privacy of the American people. Although the government has made incremental improvements in cybersecurity, these do not give US citizens the security needed in networks. More radical and bold changes are required to protect major institutions that govern American lives. A huge amount of investment is required by the federal government to protect and secure its computer systems. The EO 14028 represents one major policy change that helps agencies in public and private sectors standardize cybersecurity.
Who Does the Executive Order 14028 E****ffect
The executive order will impact companies that supply IT products and services to the US government. It spells out the requirements and directives mandatory for all critical software sold to the US government. Companies affected by this order need to figure out how to implement plans in order to meet the new requirements.
The executive order mandates federal agencies to lead the way in security best practices. Then, modernize their approach to tackle the exceedingly sophisticated digital threats. Federal agencies should prioritize cloud adoption, encrypt data, meet expanded logging requirements, identify sensitive data and update the protections for the data, as well as implement multi-factor authentication. Federal agencies are also required to develop and implement a Zero Trust approach. Zero Trust is a conceptual security model established on the tenets of trust where an actor within the network is not inherently trustworthy by the mere fact that they are in the network.
Goals of the Executive Order 14028
The EO includes mandates in seven separate principles and explicitly tasks that the federal government and partners in the public and private sectors must adopt to strengthen the US cybersecurity framework.
1. Improved Transparency Between the Government and the Private Sector
In the previous security framework, the contract terms were limited from sharing threat information with the executive departments and agencies responsible for investigating cyberattacks, including CISA and FBI. In most cases, IT providers won’t share threat information about their networks for privacy reasons. Other times, they cannot share the information due to contractual obligations.
The order constituting numerous measures lifts the communication barriers existing between the government and private sector. There are exemptions to contractual obligation requirements that allow providers to share information about threats and breaches. Further, IT providers can now collect, preserve, and share data in industry-recognized standards by collaborating with Federal cybersecurity and investigative agencies.
2. Enhanced Security in Supply Chain Software
All security software used by the Federal Government is vital to the government’s ability to perform critical functions. However, the development of commercial software has often lacked transparency, adequate controls, and focus on its ability to resist attacks. The lack of transparency in commercial software coupled with the increased high-profile breaches cites the vulnerability on the software supply chain. This includes the SolarWinds, which infiltrated government agencies including all the five branches of the US military, The White House, the Pentagon, National Security Agency, and the State Department. Although conventional techniques comprising phishing and keylogging remain in the industry, supply chain attacks are becoming more common. This created an urgent need to implement rigorous and predictable mechanisms that ensure products function securely as intended.
The EO has raised the security requirements for all the software sold to the federal government. Now, they demand mandating developers become more transparent about the software. Then, make all their security protocols public. It also establishes a framework to continue developing and improving the current security best practices. It also creates a standardization label that approved software developers to develop in compliance with the new security standards.
3. A Cybersecurity Safety Review Board
The EO has established a Cybersecurity Safety Board co-led by players from both the private sector and the government under section 871 of the Homeland Security Act of 2002. Members of the board will be drawn from DOD, DOJ, FBA, NSA, CISA, and those from the private sector. The board always convenes after a significant cyber incident to analyze the incident and make recommendations on future threats. As is the norm, organizations will close communication after a security incident in an attempt to isolate and understand the full impact of the event before a consensus is reached.
The board aims at removing the stigma of firms after cyber-attacks in an effort to acknowledge that cyberattacks are becoming common and bring onboard stakeholders who will create solutions rather than shameful scandals. After analyzing the cyber-attack incidents, the board tables their report about the vulnerabilities and recommendations of incident responses.
4. New Endpoint Detection and Response Systems
From the recent attacks on government networks, the deployment of baseline cybersecurity tools and processes has often been inconsistent across government agencies. To improve detection capabilities in Federal network systems, Executive Order 14028 implements a government-wide endpoint detection and response system. This gives greater visibility into detecting malicious activity by promoting efficient data sharing among all agencies. Federal agencies will implement the EDR to support the proactive detection of cybersecurity incidents within the Federal government’s infrastructure.
5. Event Logging Requirements
Prior to the implementation of the Executive order, the cybersecurity vulnerability response and procedures vary across agencies, thus hindering the standardization of lead agencies in analyzing vulnerabilities and incidents more comprehensively across agencies. Standardized response processes ensure centralized cataloging of incidents and tracking of agencies’ progress toward successful responses. Under the new rule, agencies adopt a consistent event logging procedure to enable investigators to detect and disrupt attacks. Then, identify new market trends when reviewing incidents across multiple incidents.
6. Remodel and Digitize Cybersecurity Standards in the Federal Government
For the federal government to keep pace with the dynamic and increasingly sophisticated cybersecurity environments, some decisive steps need to be undertaken to modernize the government’s approach to cybersecurity. Under the new rule, the Federal government can increase its visibility to threats while protecting privacy and civil liabilities through security best practices. In addition, the government can secure data by moving to cloud services. They must adopt services such as IaaS, PaaS, and SaaS and centralize access to cybersecurity data to drive analytics. In addition, the government works with the Department of Homeland Security and the General Services Administration to develop and issue cloud-based security standards. By investing in technology and manpower, the government will modernize its cybersecurity standards.
7. Standard Operation Procedure for Incidence Response
Organizations have always relied on internal policies and processes for incidence reports in the event of security breaches, which in most instances overlook critical elements in preventing threats, consulting post-threat analysis, and minimizing the impact. The EO now establishes a playbook to increase inter-agency collaboration and communication to improve how these agencies respond to attacks. The Playbook will incorporate NIST standards for use in all federal agencies. Agencies adopting different response procedures only apply those standards if they prove that they meet the requirements outlined in the Playbook.
By establishing standard operating procedures, there are best practices that government agencies will look to when responding to security breaches. Currently, the order does not mandate the private sector to adopt the same SOPs as the government agencies. However, it makes them available to the public for non-governmental organizations to leverage as a model for their security plans.
Implementing Executive Order 14028
The EO stresses the importance of sharing threat and security incident information between service-supporting Federal information systems and investigative agencies. Although the executive order represents a significant challenge to the government and partners in the public and private sectors, Agile IT will help agencies attain full compliance and stay ahead of the evolving cybersecurity landscape. We deliver advanced solutions and capabilities geared towards protecting networks and assets using AI, ML, and other cyber technologies. Our diverse portfolio of solutions delivers high-quality, high-technology products and services to solve the world’s toughest cyber security challenges. Contact us today to review our software solutions.