On May 12, 2021, President Biden issued an Executive Order for improving the cybersecurity of the federal government networks. Following the growing number of malicious attacks on US entities, the executive order calls for a significant modernization of federal and private cybersecurity measures. One example is implementing zero trust architecture across all government agencies and the public sector. Read these FAQs to get clarity on all the requirements of the EO, and how they affect both the public and the private sector.
What is the Purpose of the Cybersecurity Executive Order?
The purpose of the order is to drive modernization of US federal cybersecurity defense. It calls for significant changes to be made so that the government can identify vulnerabilities, mitigate risks and respond to cyber attack incidents. In addition to implementing tools and systems, the EO places value on sharing information, cross-agency and entity collaboration and investigation of past incidents. These are all geared towards mitigating risks and enabling future improvement.
Why Was the Cybersecurity Executive Order Issued?
A growing number of malicious attacks on public and private US entities, including the notorious SolarWinds, Microsoft Exchange and Colonial Pipeline incidents, led to an understanding of the need to protect and secure computer systems better. As a result, the EO was issued; it calls for immediate action and planning across all government agencies and the private sector.
Who is the Cybersecurity Executive Order For?
Due to the nature of the cyberattacks on US entities, the order is targeted at both the public and the private sectors. While the public sector is committed to abiding by it, the private sector is very much encouraged to do so, so that it can adapt to the continuously changing threat environment.
What Does the Cybersecurity Executive Order Call For?
1. Removing barriers to sharing threat information
Before the EO, IT and OT service providers were wary of sharing threat and breach information. This was due to contract obligations or other reasons. The EO calls for revising contracts and implementing policies to ensure service providers collect data, share information and collaborate with agencies. This is necessary to enable prevention of attacks and effective defense of sensitive information.
2. Implementing stronger zero trust cybersecurity standards in the federal government
The EO calls specifically for the adoption of zero trust architecture as part of the cloud technology migration, as well as deploying MFA, encryption and data collection methods. The transformation to zero trust architecture is necessary to ensure the security of cloud services, including SaaS, IaaS and PaaS, while enabling the agility and scalability the cloud provides.
3. Improving software supply chain security
Establishing baseline security standards for the development of software that is sold to the government, while requiring developer visibility and making security data available. This section will be powered by federal procurement and its ability to incentivize the market to build security into all software.
4. Establishing a cybersecurity safety review board
Founding a safety review board that will analyze cybersecurity incidents after they happen, to make concrete recommendations for improving cybersecurity. The board will be co-chaired by the government and the private sector. Its goal is to learn lessons from the past to improve the future.
5. Creating a standard playbook to respond to cybersecurity incidents
Standardizing the response process used to identify, remediate and recover from vulnerabilities and incidents. Today, procedures vary among agencies. A consolidated playbook will ensure coordination, tracking and more progress when mitigating risks.
6. Improving the detection of cybersecurity incidents on federal government networks
Dedicating resources and enabling a government-wide endpoint detection and response system for maximizing early detection of vulnerabilities and threats. This includes systems and tools, as well as information sharing.
7. Improving investigation and remediation capabilities
Requiring that logs and data from networks and systems be maintained, along with the ability to provide them upon request. This is important for detecting intrusions, mitigating intrusions in progress and post-incident investigation.
When Will the EO Become Obligatory?
The sections of the EO set general guidelines and recommendations, and require agencies to develop specific procedures and schedules. The EO sets a deadline for each of them. For example, within 60 days of the issue of the order, every agency head is supposed to develop a plan to implement Zero Trust Architecture, based on the steps the National Institute of Standards and Technology (NIST) has outlined. They are required to describe which steps have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them.
How Does the Cybersecurity Executive Order Define “Zero Trust”?
The EO defines the term “Zero Trust Architecture” as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
This means that a Zero Trust Architecture grants users complete access, but only to the bare minimum they need to perform their jobs. As a result, if a device is compromised, zero trust can ensure that the damage is contained.
The EO continues, “The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.
Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.”
The Cybersecurity Executive Order and Cyolo
Cyolo is the leading zero trust architecture provider. Cyolo continuously authenticates devices to determine access and ensures the principle of least privilege is implemented. As a result, Cyolo’s zero trust provides users with access to do their jobs while containing and mitigating external and internal threats.
Cyolo provides MFA, advanced user management features, real-time logging and recording capabilities, and an easy-to-use UI. It takes minutes to implement and is compatible with any network topology and identity infrastructure. In addition, Cyolo does not have access to the organizational data. Not only does this mean Cyolo is the only true zero trust architecture supplier, it also improves performance for a better user experience. Request a demo to learn more: cyolo.io/demo-request.