Biden Signs Executive Order on Improving the Nation’s Cybersecurity
President Joe Biden has signed an executive order (EO) on cybersecurity. The order establishes more stringent security requirements for government contractors, and directs government agencies to use the procurement process to encourage vendors to implement a secure software development process. It also requires government agencies to use multi-factor authentication and encryption. The EO also calls for adoption of a zero-trust security model.
Plenty of fluff in the Executive Order but three very good things: (1) Establishing the Cyber Safety Review Board, modeled after the National Transportation Safety Board; (2) 180-day deadline for moving to multi-factor authentication and encrypting data at rest; and (3) the federal government using its buying power to drive higher levels of supply chain security. While deadlines will inevitably be missed, these three things are critical and measurable bar-raisers. The “Zero Trust” mandate less so – until any organization first gets to essential security hygiene then puts strong authentication in place, it is not possible to even come close to implementing “zero trust.”
While the order is codified into regular requirements, take the time to assess your environment and start planning your implementations. Increased cloud adoption and zero trust require supporting monitoring, validation, and assessment processes to make sure that you don’t lower your security or become the victim of the next cloud data breach. Look to NIST and CISA as well as industry analysts to develop guidelines. While it will be incredibly valuable to talk to peer agencies to leverage lessons learned from similar implementations, make sure you clearly understand what type of information and systems they were protecting. Expect vendors to come calling with solutions; verify they are actually aligned with requirements prior to jumping in.
Better than not. However, if top-down executive orders were effective, our government would long since have been more secure than commerce. We may govern top-down but we implement from the bottom up. If government buying power was effective, would there still be the overwhelming market preference for open, general, flexible, and feature-rich over security?
William Hugh Murray
Read more in
Gov Infosecurity: Biden's Cybersecurity Executive Order: 4 Key Takeaways