President Biden signed an executive order Wednesday outlining actions to strengthen cybersecurity, including requiring baseline security standards for software purchased by the government and requiring compromised companies that contract with the federal government to report breaches, for the benefit of others in government or industry who may be potentially vulnerable.
A senior administration official told reporters on a call shortly before the White House announced the order that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) would lead the effort to define the details of the reporting requirements. Reporting deadlines would follow a sliding time scale based on the severity of the incident, with the most severe cyber incidents needing to be reported within three days. Within 60 days, the Office of Management and Budget, Defense Department, Justice Department, Office of the Director of National Intelligence, and DHS will review and recommend updates to IT and OT contract requirements.
“Companies need to share information about the incident: the vulnerability, what occurred,” the official said. “We’re really focused on information that’s important to be used to get out information to better help other entities defend themselves.”
The order, which has been in the works since the second week of the Biden administration, says the contract update recommendations would ensure “service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies’ requirements,” share incident data “relevant to any agency with which they have contracted” with that agency, work with federal investigators, and “share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.”
Within 120 days, DHS and OMB should “take appropriate steps to ensure to the greatest extent possible that service providers share data with agencies, CISA, and the FBI as may be necessary for the Federal Government to respond to cyber threats, incidents, and risks.”
“It’s hard to learn from each incident and ensure that, broadly, government and companies have information to protect themselves,” the official said. “So we’ve pushed the authority as far as we could and said, ‘Anybody doing business with the U.S. government will have to share incidents so that we can use that information to protect Americans more broadly.’”
As far as improving its own security posture, the executive order says the federal government “must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.” The head of each agency has 60 days to submit its plan to move toward these goals, and agencies are required to progress in cloud technology “in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents.”
DHS and GSA, through FedRAMP, will “develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts.” Within 90 days, a federal cloud security strategy will be developed and guidance delivered to agencies. Within 60 days, DHS is expected to deliver a cloud-service governance framework that “shall identify a range of services and protections available to agencies based on incident severity.” Agencies have six months to “adopt multi-factor authentication and encryption for data at rest and in transit,” or provide “written rationale” why they can’t.
GSA will also have to “begin modernizing FedRAMP” with a new training program for agencies, improving standardized communication, incorporating automation throughout the lifecycle, digitizing and streamlining vendor documentation, and instituting relevant compliance frameworks.
To improve software supply chain security, the order directs the National Institute of Standards and Technology to develop guidelines including “criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.” The preliminary guidelines are due in six months. A definition of the term “critical software” will be agreed upon by NIST, NSA, DHS, OMB, and ODNI within 45 days, and within the month after that DHS “shall identify and make available to agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software” with security guidelines coming within 60 days after that.
Guidelines will also be issued by NIST within 60 days for recommended “minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).” NIST will also spearhead initiatives to educate the public on the security capabilities of Internet-of-Things (IoT) devices.
“We’re working to bring visibility to the security of software, akin to the way New York brought visibility to cleanliness in New York City restaurants by requiring restaurants to post simple ratings like A, B, C, or D regarding the cleanliness in their windows,” the senior administration official said. “Visibility matters.”
Homeland Security Secretary Alejandro Mayorkas will be responsible for establishing a new Cyber Safety Review Board — with members from the Defense Department, Justice Department, CISA, NSA, FBI, and the private sector (and depending on the incident, OMB) — to review and assess incidents affecting government systems and the private sector, analyzing threat activity, vulnerabilities, mitigation activities, and agency responses. At a minimum, the board would be convened after a cyber incident serious enough to trigger the establishment of a Cyber Unified Coordination Group.
“Recent cybersecurity incidents impacting SolarWinds, Microsoft, and Colonial Pipeline are a stark reminder that malicious cyber activity can significantly disrupt Americans’ daily lives and threaten our national security,” Mayorkas said in a statement late Wednesday on the executive order. “Addressing these risks to our way of life is a shared responsibility that depends upon close collaboration between the public and private sectors.”
In addition to establishment of the cyber review board, he said, the executive order “will empower DHS and our interagency partners to modernize federal cybersecurity, expand information-sharing, and dramatically improve our ability to prevent, detect, assess, and remediate cyber incidents. We look forward to taking immediate steps to implement this Executive Order to help federal government agencies improve their security posture by modernizing programs and systems, developing a standard playbook for incident response.”
The order states that DHS “shall develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems,” with guidance to agencies distributed later by OMB. The playbook will include “a requirement that the Director of CISA review and validate FCEB Agencies’ incident response and remediation results upon an agency’s completion of its incident response.”
To increase “visibility into and detection of cybersecurity vulnerabilities and threats to agency networks,” the executive order calls for an Endpoint Detection and Response (EDR) initiative “to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.” The order also includes provisions to improve agency collection and maintenance of data on cyber incidents “for both investigation and remediation purposes.”
CISA Acting Director Brandon Wales called the order “an important step forward in bolstering our nation’s cybersecurity” and stressed that his agency “serves a central role in implementing this executive order.”
“This executive order will bolster our efforts to secure the federal government’s networks, including by enabling greater visibility into cybersecurity threats, advancing incident response capabilities, and driving improvements in security practices for key information technology used by federal agencies. And because the federal government must lead by example, the executive order will catalyze progress in adopting leading security practices like zero-trust architectures and secure cloud environments,” Wales said.
“The cybersecurity landscape is constantly changing, and this executive order reflects the need for a sustained commitment and urgent progress,” he added. “We are now moving forward with this same commitment and urgency to implement the president’s executive order to defend against the threats of today and secure against the risks of tomorrow.”
The senior administration official told reporters that those drafting the order looked at recent cyber incidents but asked more broadly, “What are the foundational reasons why incidents occur?”
“So, as we looked, for example, at SolarWinds, you know, we saw the way the SVR compromised SolarWinds in the way they built software. And we said, fundamentally, building software, like building a building, must be done with standards on networks that are segregated, where users have to use multi-factor authentication to log in,” the official said.
Rolling out agency standards in a tight timeframe is critical as “the federal government needs to be a leader in this space,” the official said.
“We worked hard to find the best way to set aggressive and achievable efforts within what could be achieved in an executive order, and really to pilot all of these different efforts that have been discussed for a while, and to use the power of federal procurement to say, ‘If you’re doing business with us, we need you to practice really good — really good — cybersecurity. And, most importantly, we really need you to focus on secure software development.’ Right?”