Executive Order On Improving the Nation’s Cybersecurity, Examined
This column first appeared in Security Boulevard.
The long-expected Executive Order On Improving the Nation’s Cybersecurity was published Wednesday, May 12, 2021.
My initial reaction is positive. It calls for using multifactor authentication and encryption within Federal agencies, things that, after all, became established best practices 20 years ago.
The EO is focused on improving cybersecurity for Federal agencies and, in doing so, hopes that the benefits will spread to the rest of the nation.
There are eight major sections to the EO.
Section 1. Policy
The preamble to the Policy section has this truly beautiful line that could have been penned by Amanda Gorman.
“In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
It goes on to call for “bold changes and significant investment.” Who could object to that?
I have written many times over the last 20 years that the Federal government should lead by example; it should have the best cybersecurity. I was elated to see these words in the President’s voice:
“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”
In 8,200 words, the EO does not mention risk management even once. That is a good sign that policy makers have moved beyond the Rumsfeld-era thinking that seems to have infected NIST. The writers instead refer to modern concepts of zero-trust and endpoint detection and response (EDR).
Section 2. Removing Barriers to Sharing Threat Information
The EO recognizes that Federal contracts for IT and OT products and services need to be updated, and gives OMB 60 days to review the Federal Acquisition Regulation (FAR) and identify language that needs to be updated to require contractors to report cyber incident data to CISA (the Cybersecurity and Infrastructure Security Agency).
These requirements are indeed going to be disruptive to providers of IT services, which are not very good at collecting and reporting such data. Some may opt out of selling to the government altogether.
On the Pentagon side:
“(iii) Within 90 days of the date of this order, the Secretary of Defense acting through the Director of the NSA, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence shall jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies.”
I can see outlining procedures in 90 days. I can’t see these departments actually sharing information promptly and appropriately in anything less than 900 days.
Section 3. Modernizing Federal Government Cybersecurity
This is, indeed, modern thinking:
“The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).”
Yet:
“As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents.”
“Coordinated and deliberate” is not how cloud implementations work. Early adopters jump on new architectures and innovate quickly. The most frequent term I hear is “guardrails” applied to these implementations to ensure they do not stray too far. It would be better if the EO called for establishing guardrails.
And here is a truly remarkable statement:
“Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit …”
Breathtaking. Six months to encrypt data at rest and in motion? And do it in a coordinated and deliberate way? I applaud the sentiment, and I am happy for all the struggling vendors in the data encryption and MFA space. If the agencies start today on an accelerated program, they may have started to evaluate solutions in six months.
Section 4. Enhancing Software Supply Chain Security
Call this the SolarWinds response section. There is a 30-day window (nine days remaining!) to reach out to agencies and the private sector to evaluate standards for secure software development. This one is easy. It’s called BSIMM, and it is right here.
This section is carefully thought out, and it has teeth:
“Following the issuance of any final rule amending the FAR as described in subsection (o) of this section, agencies shall, as appropriate and consistent with applicable law, remove software products that do not meet the requirements of the amended FAR from all indefinite delivery indefinite quantity contracts.”
The message is clear: either software complies with the new requirements, or it is removed.
Sadly, there are tens of thousands of software packages being used within the Federal government. Even doing an inventory is going to be an insurmountable task, let alone deciding if any of them meet the requirements of this EO.
Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
This section calls for standardizing vulnerability and incident response procedures. All good, as long as the best procedures, not the least common denominator, become the standard.
The Secretary of Homeland Security has 120 days to create a playbook for vulnerability management and incident response:
The playbook shall:
i) incorporate all appropriate NIST standards;
ii) be used by FCEB Agencies; and
iii) articulate progress and completion through all phases of an incident response, while allowing flexibility so it may be used in support of various response activities.
FCEB = Federal Civilian Executive Branch, that part of the government that is subject to Executive Orders.
Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Section 7 is the EDR section.
“FCEB Agencies shall deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.”
Hard not to applaud that.
Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities
Section 8 is the logging section of the EO. It calls for logging everything and retaining and verifying records. It gives the Secretary of Homeland Security only 14 days to come up with requirements.
Section 9. National Security Systems
This section requires the Secretary of Defense to adopt “similar National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements” in the Executive Order.
Section 10. Definitions
Section 10 provides definitions of all the terms used in the EO, and yes, it provides a description of zero trust, which I feel needs to be quoted in full:
“… the term ‘Zero Trust Architecture’ means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.”
Section 11 serves to reserve the right of the National Security Director, a still unfilled role, to modify the EO.
What’s Missing?
No additional spending, although this EO will require massive investment to put in place. Of course, the executive branch cannot authorize new spending; it can only move things around. Perhaps any funding for the border wall that was misappropriated can be redirected to making the government more secure?
Thankfully, the Cybersecurity EO does not create any new roles. No czar to make it all work. I think that, when you look at all the roles and all the sub-agencies that have been created over the years, the White House perhaps feels it finally has the people and designated roles in place to execute a plan to bring the Federal government up to speed, and into a position to lead by example.