Seven steps every organization must take to comply with Biden’s cybersecurity order

In May 2021, President Biden issued an executive order (EO) on cybersecurity for the United States. It strengthens the federal government's cybersecurity capabilities and encourages the public and private sectors to develop their defenses.

This blog post is the first in a series intended to dive deeper into this EO and explore what lies ahead. We will cut through the confusion and provide a practical understanding of what this EO means and how you can bring it to life in your organization.

To begin, let’s explore why this order was needed, whom it impacts, and how it works.

Why we need this executive order

You may be tempted to view this order as a direct response to the recent cybersecurity incidents impacting the US government. Still, it drives initiatives that we have needed for a long time.

Against a backdrop of crippling cybersecurity incidents that cause substantial damage, many organizations continue to underinvest in their cybersecurity and take action only after an incident or when forced to by regulations.

That's where this new EO comes in, seeking to increase investment in proactive cybersecurity and create a more cyber resilient government and economy. It outlines an ambitious set of initiatives designed to drive substantive cybersecurity improvements quickly.

Who this executive order impacts

There are four groups that this EO directly or indirectly impacts: federal government agencies, state and local governments, private entities that sell to the government, and the private sector as a whole. Technically, federal agencies are the only groups directly impacted by the EO, but it still has implications for most organizations.

State and local governments must assume that these initiatives will eventually trickle down to all levels of government, so they should take the EO seriously and implement its initiatives.

The federal government is also using its massive purchasing power to influence cybersecurity standards for the private sector, establishing new requirements for any company selling products and services to the federal government.

Finally, the government intends to establish new standards for effective, efficient, trustable cybersecurity. These standards will likely find their way into future regulations and become broadly accepted best practices in the private sector.

The bottom line? This EO impacts everyone. No organization can afford to ignore it simply because they are not explicitly mentioned.

How it works: An overview and section-by-section summary

At its core, the EO focuses on improving US government cybersecurity across four strategic angles:

  • Centralizing the federal government's cybersecurity activities and creating shared standards
  • Creating a collaborative approach by collecting and sharing data and best practices
  • Proactively improving the cybersecurity of government systems and networks
  • Reducing the impact of incidents with a faster, more agile, effective and intelligent response

The EO outlines seven cybersecurity initiatives, each with a broad picture of its objectives, recommendations and practical action steps. Let's explore how they might impact organizations.

Remove barriers to sharing threat information

  • What it means

Agencies must collect, store and share a wide range of cybersecurity incident data with the central government cybersecurity agency.

  • What you need to do

This section changes the existing top-down policy, removing the stigma of breaches and incentivizing agencies to share incident information. From an actionable perspective, it means that agencies will need robust cybersecurity data collection, storage and reporting capabilities.

As a whole, this EO paints a clear picture of what the federal government considers modern, effective, and efficient cybersecurity and a clear set of actions that agencies must take.

Modernizing federal government cybersecurity

  • What it means

Agencies must modernize their digital infrastructure from end-to-end and incorporate new standards such as cloud services, MFA, encryption, Zero Trust and risk profiling.

  • What you need to do

This section mandates an acceleration of the infrastructure, systems and process transformations already underway at most agencies, emphasizing emerging best practices like Zero Trust.

Enhancing software supply chain security

  • What it means

Third-party software suppliers to the federal government must improve their transparency and comply with a new range of internal security standards.

  • What you need to do

While this section primarily relates to software makers that supply the government, it's safe to assume this call for increased transparency, accountability and stricter internal standards will quickly trickle down to any organization that does business with federal agencies.

Establishing a cyber safety review board

  • What it means

This section creates a central government body to monitor threats, analyze incidents, and guide agencies to adapt their security to the dynamic threat landscape.

  • What you need to do

This mandate primarily applies to those involved in the creation of this board. However, all agencies must share data with this body, then rapidly consume and implement its recommendations.

Standardizing the federal government's playbook for responding to vulnerabilities and incidents

  • What it means

Agencies must adopt standardized language and playbooks for cybersecurity incidents to ensure a uniform response to similar incidents across the federal government.

  • What you need to do

Agencies must themselves adopt the standards set by the central cybersecurity body. At the same time, outside organizations must prepare for new language and response patterns to become formal or informal security requirements across industries.

Improving detection of cybersecurity vulnerabilities and incidents

  • What it means

Agencies must develop and deploy comprehensive endpoint detection and response (EDR) security and vulnerability management systems.

  • What you need to do

Agencies must evaluate and fill the gaps in their endpoint and network visibility, detection, threat hunting, containment and incident response capabilities.

Improving the federal government's investigative and remediation capabilities

  • What it means

Agencies must improve their incident data to improve their ability to detect, investigate and mitigate security incidents.

  • What you need to do

Agencies must specifically focus on how they collect, store and make log information available.

Next steps: overcoming barriers to adoption

As a whole, this EO paints a clear picture of what the federal government considers modern, effective, and efficient cybersecurity, and a clear set of actions that agencies must take. However, there are two major barriers to bringing this EO to life:

Budgetary: The recommendations and initiatives set forth are sweeping, and many will require substantial funding to implement.

Operational: While some changes will occur centrally, the remaining requirements require agencies and organizations to evolve and expand their existing cybersecurity capabilities significantly.

In the subsequent blogs in this series, we will outline a practical approach to overcoming these barriers.

If you are looking for help bringing this EO to life in your agency or organization, reach out to Atos today to schedule a free cybersecurity consultation.

By Sachin Varghese, Head - Digital Security Sales NA

Posted on: August 10, 2021

Share this blog article


About Sachin Varghese
Head - Digital Security Sales NA
Sachin leads the Atos digital security sales organization for North America with a commitment to deliver exceptional value and returns for Atos clients. Sachin has more than 20 years of experience in sales, marketing, and business leadership roles. He works closely with CISOs and security leaders to build resilient cybersecurity frameworks and deliver bespoke solutions to secure an organization’s digital journey. Sachin works out of the Atos office in Reston, Virginia.