In the aftermath of the SolarWinds and Hafnium incidents in recent months, and as panic buying sweeps multiple states in the wake of the Colonial Pipeline ransomware attack, triggering long lines and emergency declarations, this week President Biden signed an executive order aimed at improving the nation’s cybersecurity. While those in the defense supply chain have already seen cybersecurity requirements strengthened with the recent enactment of DFARS 7021 and the Cybersecurity Maturity Model Certification (CMMC), this new cybersecurity executive order expands that push to the entire federal supply chain and to those providing services critical to U.S. infrastructure.
This new executive order is going to bring about many changes to the existing Federal Acquisition Regulations (FAR) and has the potential to severely impact software companies and IT service providers.
What are the Goals of Executive Order 14028?
- Removing barriers to sharing threat information between the government and private sectors
- Implementing stronger, more modernized federal cybersecurity standards
- Improving supply chain security
- Establishing a cybersecurity safety review board
- Creating a standard response playbook for cybersecurity incidents
- Improving detection capabilities in federal networks
- Improving detection and investigation capabilities
Remove Barriers to Threat Information Sharing Between Government and the Private Sector
Current contract terms limit the sharing of threat information with the executive departments and agencies responsible for investigating cyber attacks, such as CISA, the FBI and the broader intelligence community. The cybersecurity executive order calls for a review of the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), with updates that ensure:
- Service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response and investigation
- Service providers SHARE the information collected with relevant agencies
- Service providers collaborate with Federal cybersecurity and investigative agencies
- Information is shared in industry-recognized formats
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
In order to keep pace with (or, arguably, catch up to) the current threat environment, federal cybersecurity should adopt industry best practices, including Zero Trust Architecture, and accelerate the move toward secure SaaS, IaaS, and PaaS solutions. Each agency has 60 days to:
- Update agency plans to prioritize the adoption and use of cloud technology based on OMB guidance
- Develop a plan to implement Zero Trust Architecture in line with NIST Zero Trust Guidance along with a schedule for implementation
Within 180 days, each agency must adopt:
- Multifactor Authentication
- Encryption of data at rest and in transit
Additionally, related improvements to FedRAMP will include:
- Establishing a training plan for meeting FedRAMP requirements, including on-demand videos
- Implementing improved communications
- Automation and standardization of communications
- Digitizing documentation and forms
- Mapping relevant frameworks onto FedRAMP requirements and allowing those frameworks to be used in place of the corresponding portions of the authorization process
Enhancing Software Supply Chain Security
Citing the lack of transparency in commercial software, a lack of focus on security and tamper-proofing within commercial software, and the impacts that have already been observed as a result, the executive order lays out some pretty strong new controls for companies providing software products to the government. Part of the process of enhancing the security of software used by the government includes creating a definition of “critical software” that accounts for the level of access the software needs in order to function and the risk of harm if it is compromised.
NIST Guidelines On the Software Supply Chain
NIST will create new guidelines or adapt existing standards for the software supply chain with feedback from Federal, private sector, and academic experts. Within 1 year, the FAR will be amended to remove software that does not meet these guidelines, removing the ability for non-compliant companies to continue selling to the federal government.
These guidelines will cover best practices including:
- Secure software development environments, including:
  - Using administratively separate build environments
  - Auditing trust relationships
  - Establishing multi-factor, risk-based authentication and conditional access
- Documenting and minimizing dependencies on enterprise products that are part of the environments used to develop software
- Encrypting data
- Monitoring operations and alerts and responding to attempted and actual cyber incidents
- Generating and providing artifacts that demonstrate conformance
- Employing automated tools, or comparable processes, to:
  - Maintain trusted source code supply chains
  - Ensure code integrity
  - Check for and remediate known and potential vulnerabilities
- Providing artifacts of the execution of those tools and processes, including a summary description of the risks assessed and mitigated
- Maintaining accurate and up-to-date data, origin information on software code or components, and controls on internal and third-party software components, tools, and services present in software development processes
- Providing a purchaser a Software Bill of Materials (SBOM) for each product
- Participating in a vulnerability disclosure program, including a reporting and disclosure process
- Attesting to conformity with secure software development practices
- Ensuring the integrity and origin of any open source software used within software products
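As an added example (not part of the original post, and not code from the executive order or NIST), the following Python script ties together three of the items above: it checks each vendored component's digest and recorded origin before accepting it, and emits a minimal SBOM-style record that a build can use to refuse unverified components. The component names, contents, digests, origin URLs and the record layout are all constructed placeholders, not any standard SBOM format.

```python
"""Constructed example: verify component integrity and origin, then emit a minimal SBOM record."""
import hashlib
import json

# Constructed sample: bytes of each vendored component exactly as the build would consume them.
COMPONENTS = {
    "libfoo-1.2.3.tar.gz": b"libfoo contents (constructed)",
    "bar-utils-0.9.0.whl": b"bar-utils contents (constructed)",
}

# Constructed vetting manifest: digest, origin and license recorded when each component was reviewed.
MANIFEST = {
    "libfoo-1.2.3.tar.gz": {
        "sha256": hashlib.sha256(b"libfoo contents (constructed)").hexdigest(),
        "origin": "https://example.invalid/libfoo",  # placeholder, not a real project URL
        "license": "MIT",
    },
    "bar-utils-0.9.0.whl": {
        "sha256": "0" * 64,  # deliberately wrong digest: simulates a swapped or tampered artifact
        "origin": "https://example.invalid/bar-utils",
        "license": "Apache-2.0",
    },
}

def verify_component(data, expected):
    """Return (ok, actual_digest); ok is False on digest mismatch or missing origin info."""
    actual = hashlib.sha256(data).hexdigest()
    ok = actual == expected.get("sha256") and bool(expected.get("origin"))
    return ok, actual

def build_sbom(components, manifest):
    """Produce a minimal SBOM-style record (constructed layout, not a standard SBOM format).
    Components failing verification are marked 'rejected' so a build can refuse to ship them."""
    entries = []
    for name, data in components.items():
        expected = manifest.get(name, {})  # unlisted component -> no digest/origin -> rejected
        ok, digest = verify_component(data, expected)
        entries.append({
            "name": name,
            "sha256": digest,
            "origin": expected.get("origin"),
            "license": expected.get("license"),
            "status": "verified" if ok else "rejected",
        })
    return {"components": entries,
            "all_verified": all(e["status"] == "verified" for e in entries)}

if __name__ == "__main__":
    print(json.dumps(build_sbom(COMPONENTS, MANIFEST), indent=2))
```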
Consumer Labelling Program
Within 9 months, NIST will also research and provide guidance on a consumer labelling program to inform consumers of the security of IoT devices and software products. This labelling program will be focused on ease of use for consumers, and may include multiple tiers to let consumers know the baseline security and testing assessments the product has undergone. The official talking points compare this to the Energy Star efficiency ratings system.
Establishing a Cyber Safety Review Board
Using methods identical to those of the National Transportation Safety Board, the Cyber Safety Review Board will convene following any significant cyber incident to determine and report on threat activity, vulnerabilities, mitigation activities, and agency responses. The board will then advise the Secretary of Homeland Security on recommended improvements to cybersecurity and incident response practices. The board will include members from the DOD, DOJ, CISA, FBI and NSA, along with representatives from relevant private sector cybersecurity or software suppliers.
Creating a Standard Response Playbook for Cybersecurity Incidents
The standard response playbook aims to increase inter-agency collaboration and communication, improve the ability of agencies to analyze vulnerabilities and incidents, ensure more coordinated cataloging of incidents, and track agencies' progress toward successful responses. The playbook will incorporate appropriate NIST standards and will be required for use by all federal agencies. Agencies with different response procedures will only be able to use those procedures after demonstrating that they meet or exceed those in the Standard Response Playbook.
Improving Detection Capabilities in Federal Networks
This section of the Executive Order implements a government-wide endpoint detection and response system and improved information sharing between agencies, including procedures for immediate information sharing between the Departments of Defense and Homeland Security. This is aimed at improving the ability to detect malicious cyber activity across federal networks. Additionally, the Director of CISA is tasked with determining how existing rules allowing CISA to threat hunt on federal networks without prior approval are being implemented.
Improving Detection and Investigation Capabilities
Log information is critical in event response. New rules require that agencies and their software service providers maintain such data and provide it upon request to the Secretary of Homeland Security through CISA and the FBI. Additionally, these logs should be shareable between agencies when needed to respond to a cybersecurity incident.
The Secretary of Homeland Security has two weeks to provide recommendations on the requirements for logging events and retaining data in an agency’s systems or networks. This guidance must include:
- Types of logs
- Retention periods
- Protection of logs
The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period. Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.