Seven steps every organization must take to comply with Biden’s cybersecurity order
In May 2021, President Biden issued an executive order (EO) on cybersecurity for the United States, EO 14028, "Improving the Nation's Cybersecurity." It strengthens the federal government's cybersecurity capabilities and pushes both the public and private sectors to improve their defenses.
This blog post is the first in a series intended to dive deeper into this EO and explore what lies ahead. We will cut through the confusion and provide a practical understanding of what this EO means and how you can bring it to life in your organization.
To begin, let’s explore why this order was needed, whom it impacts, and how it works.
Why we need this executive order
It is tempting to read this order as a direct response to the recent cybersecurity incidents that affected the US government. In reality, it drives initiatives that have been needed for a long time.
Against a backdrop of crippling cybersecurity incidents that cause substantial damage, many organizations continue to underinvest in their cybersecurity and take action only after an incident or when forced to by regulations.
That's where this new EO comes in, seeking to increase investment in proactive cybersecurity and create a more cyber resilient government and economy. It outlines an ambitious set of initiatives designed to drive substantive cybersecurity improvements quickly.
Who this executive order impacts
There are four groups that this EO directly or indirectly impacts: federal government agencies, state and local governments, private entities that sell to the government, and the private sector as a whole. Strictly speaking, federal agencies are the only group the EO binds directly; the other three feel its effects through procurement requirements and the standards it sets, so it has implications for most organizations.
State and local governments should assume that these initiatives will eventually trickle down to all levels of government, so they should take the EO seriously and begin implementing its initiatives.
The federal government is also using its massive purchasing power to influence cybersecurity standards for the private sector, establishing new requirements for any company selling products and services to the federal government.
Finally, the government intends to establish new standards for effective, efficient, trustworthy cybersecurity. These standards will likely find their way into future regulations and become broadly accepted best practices in the private sector.
The bottom line? This EO impacts everyone. No organization can afford to ignore it simply because they are not explicitly mentioned.
How it works: An overview and section-by-section summary
At its core, the EO focuses on improving US government cybersecurity across four strategic angles:
- Centralizing the federal government's cybersecurity activities and creating shared standards
- Creating a collaborative approach by collecting and sharing data and best practices
- Proactively improving the cybersecurity of government systems and networks
- Reducing the impact of incidents with a faster, more agile, effective and intelligent response
The EO outlines seven cybersecurity initiatives (its Sections 2 through 8), each with a broad picture of its objectives, recommendations and practical action steps. Let's explore how they might impact organizations.
Remove barriers to sharing threat information
- What it means
Agencies and the IT and OT service providers they contract with must collect, preserve and share a wide range of cybersecurity incident and threat data, both with the affected agency and with the central government cybersecurity agency (CISA) and the FBI. The section specifically targets contract terms that currently prevent providers from sharing this information.
- What you need to do
This section changes the existing top-down policy, removing the stigma of breaches and incentivizing agencies to share incident information. From an actionable perspective, it means that agencies will need robust cybersecurity data collection, storage and reporting capabilities, and that contracts with service providers will need clauses that require sharing rather than prohibit it.
Modernizing federal government cybersecurity
- What it means
Agencies must modernize their digital infrastructure from end to end and adopt controls and architectures such as secure cloud services, multi-factor authentication (MFA), encryption of data at rest and in transit, Zero Trust architecture and risk-based classification of the data they hold.
- What you need to do
This section mandates an acceleration of the infrastructure, systems and process transformations already underway at most agencies, emphasizing emerging best practices like Zero Trust.
Enhancing software supply chain security
- What it means
Third-party software suppliers to the federal government must improve their transparency and comply with a new set of secure software development standards. The EO directs NIST to define these practices and calls for suppliers to provide a software bill of materials (SBOM) and to attest to their conformance with the practices.
- What you need to do
While this section primarily relates to software makers that supply the government, it's safe to assume this call for increased transparency, accountability and stricter internal standards will quickly trickle down to any organization that does business with federal agencies.
Establishing a cyber safety review board
- What it means
This section creates a central government body, the Cyber Safety Review Board, to review and assess significant cyber incidents and to publish findings and recommendations that help agencies adapt their security to the dynamic threat landscape.
- What you need to do
This mandate primarily applies to those involved in the creation of this board. However, all agencies must be prepared to share incident data with this body and then rapidly consume and implement its recommendations.
Standardizing the federal government's playbook for responding to vulnerabilities and incidents
- What it means
Agencies must adopt standardized language and playbooks for cybersecurity incidents to ensure a uniform response to similar incidents across the federal government.
- What you need to do
Agencies must adopt the standardized playbook developed by the central cybersecurity body. At the same time, outside organizations should prepare for this common language and these response patterns to become formal or informal security requirements across industries.
Improving detection of cybersecurity vulnerabilities and incidents
- What it means
Agencies must deploy endpoint detection and response (EDR) across their networks, support government-wide threat hunting, and maintain vulnerability management capabilities that keep pace with the threat landscape.
- What you need to do
Agencies must evaluate and fill the gaps in their endpoint and network visibility, detection, threat hunting, containment and incident response capabilities.
Improving the federal government's investigative and remediation capabilities
- What it means
Agencies must improve the logging on their systems and networks, covering what is collected, how long it is retained and how its integrity is protected, so that they can detect, investigate and remediate security incidents.
- What you need to do
Agencies must focus specifically on how they collect, retain and protect log information, and on how they make it available to investigators and to the central cybersecurity agency when an incident occurs.
Next steps: overcoming barriers to adoption
As a whole, this EO paints a clear picture of what the federal government considers modern, effective, and efficient cybersecurity, and a clear set of actions that agencies must take. However, there are two major barriers to bringing this EO to life:
Budgetary: The recommendations and initiatives set forth are sweeping, and many will require substantial funding to implement.
Operational: While some changes will occur centrally, the remaining requirements demand that agencies and organizations significantly evolve and expand their existing cybersecurity capabilities.
In the subsequent blogs in this series, we will outline a practical approach to overcoming these barriers.
If you are looking for help bringing this EO to life in your agency or organization, reach out to Atos today to schedule a free cybersecurity consultation.