The cybersecurity Executive Order: An overview of provisions and what public and private-sector organizations should do next
The sophistication and magnitude of cyberattacks are accelerating at unprecedented rates. In response to several recent high-profile cyber events, including the SolarWinds, Microsoft Exchange, and Colonial Pipeline attacks, President Biden signed Executive Order 14028, Improving the Nation’s Cybersecurity, on May 12, 2021. Recognizing that the U.S. “faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy,” the Order expands upon and makes explicit the role of the federal government in investigating cybersecurity incidents by establishing a Cyber Safety Review Board (modeled after the National Transportation Safety Board) to investigate major cyber incidents, among other provisions.
What does CohnReznick think?
Coming on the heels of the high-profile SolarWinds and Colonial Pipeline cyberattacks, the Order is a solid step in the right direction toward strengthening U.S. digital infrastructure. The Order lays out the framework needed for the public and private sectors to work together on the common goal of securing U.S. networks and thwarting growing cyber threats aimed at undermining business operations and public safety. The more noteworthy provisions of the Order include:
- Establishing a Cyber Safety Review Board, co-chaired by government and private-sector leads who will work together on investigation, analysis, and remediation recommendations after significant cyber incidents.
- Removing barriers to sharing threat intelligence and breach information between the government and the private sector by starting the process of modifying the FAR and DFARS rules.
- Further securing federal government operations by mandating stronger cybersecurity standards for cloud services, Zero Trust Architecture, and use of multifactor authentication and encryption.
- Improving software supply chain security standards for software sold to the government, which the recent events have shown to be critical.
- Creating a standardized playbook for federal agencies to respond to vulnerabilities and incidents.
An overview of the Executive Order
Building on lessons learned from past cyber incidents, the Order is broken down into nine main sections:
- Removing barriers to sharing threat information
- Modernizing federal government cybersecurity
- Enhancing software supply chain security
- Establishing a Cyber Safety Review Board
- Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
- Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
- Improving the federal government’s investigative and remediation capabilities
- National Security Systems
- General provisions
Read on for highlights from each section, and see the full Order for details.
Section 2: Removing barriers to sharing threat information
The Order aims to facilitate information-sharing by removing any inhibitive contractual obligations and requiring providers to share breach information. This requires the federal government to review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for contracting with information technology (IT) and operational technology (OT) service providers and recommend updates to the FAR Council and other appropriate agencies. Among other provisions, the Order states that the recommended updates “shall be designed to ensure that” federal government service providers “share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.”
Section 3: Modernizing federal government cybersecurity
The Order requires federal government entities to develop a plan to increase the use of secure cloud services, implement a Zero Trust Architecture, and mandate deployment of multifactor authentication, among other improvements. According to the Order, these Zero Trust Architecture plans should:
- Incorporate the migration steps outlined in National Institute of Standards and Technology (NIST) standards and guidance, and describe any that have already been completed
- Identify and include a schedule for implementing activities that will have “the most immediate security impact”
This section of the Order also requires the Cybersecurity and Infrastructure Security Agency (CISA) to “modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture,” and charges a number of officials with developing “security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts.”
Section 4: Enhancing software supply chain security
The Order calls on the federal government to identify existing or develop new standards, tools, and best practices for complying with a number of specified standards, procedures, or criteria that “enhance the security of the software supply chain,” related to secure software development requirements, automated tools for checking for and remediating vulnerabilities, disclosing vulnerabilities, and more. “The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices,” the Order states, and should be developed with input from not only the federal government but also the private sector, academia, and “other appropriate actors.”
Section 5: Establishing a Cyber Safety Review Board
The Order requires the creation of a Cyber Safety Review Board to review and assess “significant cyber incidents … affecting Federal Civilian Executive Branch (FCEB) Information Systems or non-federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.”
Section 6: Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
Variability exists among federal agency approaches to cybersecurity. The Order calls for the development of “a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems,” noting that standardized processes “ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.” It specifies that this playbook should incorporate all appropriate NIST standards, and “provide a shared lexicon among agencies using the playbook” by defining key terms and using them consistently with any statutory definitions.
Section 7: Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
The Order requires the federal government to use “all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.” For example, FCEB agencies are to deploy an Endpoint Detection and Response (EDR) initiative “to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response.”
Section 8: Improving the federal government's investigative and remediation capabilities
The Order requires robust audit logging and record-keeping of information from network and system logs on Federal Information Systems – “for both on-premises systems and connections hosted by third parties, such as CSPs” – noting that such information is “invaluable” for investigation and remediation. “It is essential that agencies and their IT service providers collect and maintain such data and, when necessary to address a cyber incident on FCEB Information Systems, provide them upon request to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law,” the Order states.
Section 9: National Security Systems
The federal government is required to adopt National Security Systems requirements “that are equivalent to or exceed the cybersecurity requirements” laid out in the Order that don’t otherwise apply to those systems. These requirements, which can provide for exceptions “in circumstances necessitated by unique mission needs,” will be adopted in a National Security Memorandum (NSM).
While a number of these provisions are currently most relevant and actionable for federal agencies, it is likely that sooner or later their impact will be felt in the private sector as well. Depending on your type of organization, consider the following actions to prepare for the Order’s directives and to be better prepared for cybersecurity events.
- Private-sector and federal organizations should prepare for increased scrutiny of the information technology products they offer or deliver to customers, including the products’ inherent cyber hygiene prior to implementation and their ability to thwart cybersecurity threats.
- Private-sector and federal organizations should report cybersecurity events to CISA.
- Private-sector and federal organizations should develop plans for business continuity and communications to stakeholders and integrate them with their incident response and/or crisis management plans.
- All parties that collect, store, process, transmit, and use information from Federal Information Systems (for both on-premises systems and connections hosted by third parties, per Section 8 of the Order) should collect and maintain robust audit logs and records of such information. This includes both federal organizations and their IT vendors and service providers.
- Private-sector vendors selling to the federal government should be prepared to demonstrate to federal procurement officials that their products operate securely.
- Private-sector organizations should partner with the federal government to foster a more secure cyberspace by working with CISA to prevent, detect, and report cybersecurity events; with the FBI during cyber incident investigations; and with others as appropriate.