Cyber Security from the Desk of the President
President Biden signed an Executive Order in May 2021 directing federal agencies to take several proactive steps to help the nation defend against cyber security attacks. The Order is drafted with very specific implementation steps, which is a departure from prior orders. Prior executive orders were often purposefully vague, leaving the exact cyber security implementation steps to the agencies. President Biden’s order includes specific requirements for multifactor authentication, Zero Trust Architecture, and encryption, among other requirements.
The Order begins with a policy statement that sets the overall theme and tone for the remainder of the Order. This strong policy states that “prevention, detection, assessment, and remediation of cyber incidents is top priority and essential to the national and economic security.” The Order then details specifics for implementing this policy.
First, the Order requires contractors and sub-contractors (“contractors”) of the government to share threat and attack information with government agencies. Currently, many contracts limit what data these contractors share with the government. The requirement to share direct threat information with agencies will provide a great deal of intelligence for crafting a national strategy to address identified vulnerabilities and threats. This information sharing will be required through forthcoming specifics that will require actions, such as the collection and preservation of threat and attack data according to agency requirements. Contractors will then be required to share the threat and attack data collected in an industry standard format with named agencies that will address the issues. Finally, contractors are also required to collaborate and cooperate in any ensuing investigation into such threat and attack data.
Next, the Order requires agencies to advance toward a Zero Trust Architecture (“ZTA”) and requires ZTA when using specific platforms known as Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS). ZTA is a holistic approach to the security of a platform requiring verification of connections to and access of the platform. This will extend to cloud services used by the government and contractors. The implementation of ZTA will also require multifactor authentication (MFA) and encryption of data at rest and in transit. Each agency will be required to provide progress reporting as it implements these requirements.
The Order also implements a software supply chain security framework in response to the SolarWinds hack. As you’ll recall, the SolarWinds hack emanated from a vulnerability in a government software provider. The Order requires NIST to develop “standards, tools, and best practices” to protect the software supply chain. Some of the specific requirements mentioned are separate build environments for software used by government agencies, auditing trust relationships, and employing automated tools to maintain a trusted relationship in source code supply chains.
The Order then rounds out with both retrospective and prospective government reviews to address cyber security. From a retrospective approach, the Order establishes a Cyber Safety Review Board (CSRB). The CSRB will review all significant attacks on government agencies, as well as attacks on significant non-Federal systems, which includes threat activity, vulnerabilities, and agency responses. The CSRB will become a government-wide review board to ensure all attacks and threats are known and shared throughout the government and all agencies learn from the after-action reports.
From a forward-looking approach, the Order requires the government to employ all necessary resources to maximize the detection of vulnerabilities and threats to its agencies. Notably, the Order directs the Cybersecurity and Infrastructure Security Agency to provide recommendations within 30 days of the Order’s date for options to implement an Endpoint Detection and Response (“EDR”) capability on all agency networks.
This Executive Order had been in the works for months, but it is a very direct response to the most recent attacks against the United States government and against significant national infrastructure, i.e. Colonial Pipeline and JBS. These attacks demonstrated the vulnerability of critical areas of the United States’ economy to cyber-attack, a sobering demonstration of the need to harden our infrastructure against such attacks. The implementation of the Order at the agency level is a new approach that will determine whether the Order can or will reduce the number of cyber-attacks. Ultimately, the proof will be in the eating of the pudding.
Executive Order 14208 of May 12, 2021 (https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity) (the “Order”).