The Biden administration recently released Executive Order (EO) 14028, "Improving the Nation's Cybersecurity." The EO addresses the continuing threat of malicious cyber campaigns that have harmed the security and privacy of the American people in both the public and private sectors.
To mitigate these threats, the EO establishes minimum security standards for federal systems and federal requirements to ensure cross-agency communication. It lays out its approach across several broad sections that define agency and private-sector actions; the main ones are summarized below.
Removing Barriers to Sharing Threat Information
The Director of the Office of Management and Budget (OMB), in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, will review the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) requirements for contracting Information Technology (IT) and Operational Technology (OT) services. The administration's intention is to ensure that service providers:
- Retain and protect all cybersecurity event data.
- Share relevant information with designated agencies.
- Collaborate with federal investigations.
- Promptly report to the contracting agency when they discover a cyber incident involving a software product or service provided to that agency, or involving a support system for such a product or service. This applies to information and communications technology (ICT) service providers entering into contracts with agencies.
- Report directly to the Cybersecurity and Infrastructure Security Agency (CISA) whenever they report to a Federal Civilian Executive Branch (FCEB) agency; CISA must centrally collect and manage that information.
Modernizing Federal Government Cybersecurity
Cybersecurity threats are dynamic and increasingly sophisticated, and to keep pace the Federal Government must adapt and modernize its approach to defending against attacks. Having the visibility to see threats, while protecting privacy and civil liberties, is a necessary step toward modernization. Additionally, the Federal Government must adopt security best practices; advance toward a Zero Trust Architecture; accelerate movement to secure cloud services; centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
Enhancing Software Supply Chain Security
The EO makes improving the security and integrity of the software supply chain a priority, with particular attention to critical software. Commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is therefore a pressing need for more rigorous and predictable mechanisms for ensuring that products function securely and as intended. One particular concern is the security and integrity of "critical software", meaning software that performs functions critical to trust (for example, software that runs with elevated system privileges or has direct access to networking and computing resources). The Federal Government must act quickly to improve the security of the software supply chain, starting with critical software.
Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
The Federal Government must streamline its cybersecurity vulnerability and incident response procedures so that it can accurately identify, remediate, and recover from incidents affecting its systems. Currently, these procedures vary across agencies, which limits the government's ability to analyze vulnerabilities and incidents comprehensively.
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
To maximize early detection of cybersecurity vulnerabilities and incidents on its networks, the Federal Government shall use all appropriate resources and authorities, including increasing visibility into threats to agency networks.
The EO also directs the Secretary of Defense, acting through the National Manager, in coordination with the Director of National Intelligence and the Committee on National Security Systems (CNSS), and in consultation with the Assistant to the President for National Security Affairs (APNSA), to adopt National Security Systems (NSS) requirements that are equivalent to or exceed the cybersecurity requirements set forth in the order that are otherwise not applicable to National Security Systems.
We at Coley support our customers' contract management needs and keep them apprised of important changes in federal regulations that may affect their processes. The EO will create new opportunities for those in cybersecurity, cloud, training, and supply chain. You can identify upcoming opportunities on SAM.gov or by using our proprietary FedMap Target tracker tool.