The United States federal government has been acting to strengthen its cyber defenses. The actions taken and planned will impose new compliance obligations not only on governmental bodies, but also on the private sector technology and service providers that deal with the government, and on the businesses that support those providers. Recently, we hosted a webinar entitled To Form a More Protected Union: Preparing for the Future of Cybersecurity, in which we explored President Biden's recent Executive Order to improve national cybersecurity (EO 14028) and discussed ways that enterprises can prepare for the related changes yet to come. We summarize some highlights below.
Background
In April 2021, the Office of the Director of National Intelligence published its Annual Threat Assessment. The report outlined cyber threats from other countries, terrorist organizations and criminal enterprises, among other risks. President Biden signed EO 14028 the following month. The order tasks various government agencies with strengthening the nation's cybersecurity through initiatives related to the government's information technology supply chain. Protiviti first wrote about the coming changes soon after EO 14028 was signed and provided updated information in our webinar.
Change initiatives related to EO 14028 are grounded in the theory that the weakness of one becomes the weakness of many, and that cybersecurity improvements depend on forging partnerships between the government and the private sector. These efforts are underway with more changes yet to be defined. However, even with many related requirements yet to emerge, business leaders can begin to prepare.
Goals
While new measures refer to the federal government’s software and service providers in particular, EO 14028 will impact any business that supports these providers.
Specific regulatory requirements continue to emerge from EO 14028's stated goals, which are to:
- Facilitate threat information-sharing between service providers and the government.
- Adopt stricter security measures (such as Zero Trust Architecture, federal cloud computing strategy and investments in staff’s cybersecurity skills and training).
- Improve security of the software supply chain, including a standard software bill of materials (SBOM) to cover supply chain relationships and other details for each software component.
- Establish a new Cyber Safety Review Board (CSRB) to improve the federal government's detection and investigation capabilities. This new board, co-chaired by government and private sector representatives, will analyze significant incidents and make recommendations to prevent recurrence. The CSRB is modeled on the National Transportation Safety Board, which convenes to review airplane accidents and similar incidents.
- Create a standard playbook for improving detection of malicious activity and responding to vulnerabilities and incidents on federal networks.
- Improve investigative and remediation abilities via new event logging requirements.
Timing
EO 14028 sets aggressive timelines for the federal government’s actions – and those of the private sector. Most rule-making related to the order will be completed by the first quarter of 2022. The earliest timelines have focused on government actions to operationalize EO 14028’s requirements. Subsequent timelines will spur requirements implementation for the private sector.
Much has transpired since the order was signed in May of 2021, indicating the importance and urgency of cybersecurity to the current administration.
What organizations can do to prepare
Business leaders can give themselves a head start while they await finalization of the regulations that will affect them. Published materials already available can guide changes to internal processes and vendor relationships before the final requirements arrive. It isn't too soon to strengthen cybersecurity programs to align with emerging federal expectations. Much of EO 14028's focus is on contracting, so government providers, and the vendors that support those providers, can focus on the security of their own trading relationships.
- Review current contract compliance efforts.
- Ensure trading partners are meeting contract standards.
- Prepare for increased scrutiny of cybersecurity programs by:
  - Following the basic cybersecurity recommendations included in EO 14028
  - Conforming with regulations referenced in existing contracts
  - Confirming that trading partners are meeting expected cybersecurity requirements
  - Reviewing business continuity plans and integrating them with incident response planning
  - Reviewing incident reporting protocols
- Review regulatory actions already taken and made public, such as:
  - From the National Institute of Standards and Technology (NIST):
    - definition of "critical software"
    - minimum guidelines for testing software code
    - document on the Internet of Things (IoT) Non-Technical Supporting Capability Baseline
    - draft paper on criteria for a pilot consumer labeling program for IoT devices
  - From the Office of Management and Budget (OMB):
    - memo on agency implementation of compliance with NIST critical software guidance
    - memorandum to heads of agencies on logging, log retention and log management
    - draft of Zero Trust Cybersecurity Principles
  - From the Cybersecurity and Infrastructure Security Agency (CISA) and the National Telecommunications and Information Administration (NTIA): emerging guidance on Software Bills of Materials (SBOM)
- Monitor for additional key developments:
  - Federal Acquisition Regulation (FAR)-recommended contractual language
  - Public-private commitments, such as those following the August 2021 meeting between top administration officials and leaders of companies representing tech, financial services, energy and utilities.
EO 14028 will usher in new compliance obligations for government technology and service providers and will also mean regulatory change for the businesses that support those providers. The rapidity with which actions have emerged from EO 14028 signals the urgency and importance that the current administration places on advancing national cybersecurity. Even as we await the clarity that will come with finalizing every regulatory particular, business leaders can benefit now from following developments and using available information to begin preparations. Our recent webinar and presentation include resource links to acquaint leaders with the players and particulars behind the coming changes.
Readers may also be interested in these recent blog posts: Log4Shell Frequently Asked Questions, How Zero Trust Can Defend Against Ransomware and Preparing for Cyber Disruption – The Future State of Ransomware.
To learn more about our cybersecurity consulting solutions, contact us.