Preparing For a More Protected Union

The United States federal government has been acting to strengthen its cyber defenses. The actions taken and planned will impose new compliance obligations not only on governmental bodies, but also on private sector technology and service providers that deal with the government — and on businesses that support these providers. Recently, we hosted a webinar entitled To Form a More Protected Union: Preparing for the Future of Cybersecurity, in which we explored President Biden’s recent Executive Order (EO 14028) to improve national cybersecurity and discussed ways that enterprises can prepare for related changes yet to come. We summarize some highlights below.

Background

In April 2021, the Office of the Director of National Intelligence made its annual report on threat assessments. The report outlined cyber threats from other countries, terrorist organizations, and criminal enterprises, among other risks. President Biden signed EO 14028 the following month. EO 14028 tasks various government agencies with strengthening the nation’s cybersecurity through initiatives related to the government’s information technology supply chain. Protiviti first wrote about the coming changes soon after EO 14028 was signed, and provided updated information in our webinar.

Change initiatives related to EO 14028 are grounded in the theory that the weakness of one becomes the weakness of many, and that cybersecurity improvements depend on forging partnerships between the government and the private sector. These efforts are underway with more changes yet to be defined. However, even with many related requirements yet to emerge, business leaders can begin to prepare.

Goals

While new measures refer to the federal government’s software and service providers in particular, EO 14028 will impact any business that supports these providers.

Specific regulatory requirements continue to emerge related to EO 14028’s stated goals to:

  • Facilitate threat information-sharing between service providers and the government.
  • Adopt stricter security measures (such as Zero Trust Architecture, federal cloud computing strategy and investments in staff’s cybersecurity skills and training).
  • Improve security of the software supply chain, including a standard software bill of materials to cover supply chain relationships and other details for each software component.
  • Establish a new Cyber Safety Review Board (CSRB) to improve the federal government’s detection and investigation capabilities. This new board will be co-chaired by the government and private business to analyze events and make recommendations that will prevent recurrence. The CSRB will be like the National Transportation Safety Board, which convenes to review airplane accidents and similar incidents.
  • Create a standard playbook for improving detection of malicious activity and responding to vulnerabilities and incidents on federal networks.
  • Improve investigative and remediation abilities via new event logging requirements.

Timing

EO 14028 sets aggressive timelines for the federal government’s actions – and those of the private sector. Most rule-making related to the order will be completed by the first quarter of 2022. The earliest timelines have focused on government actions to operationalize EO 14028’s requirements. Subsequent timelines will spur requirements implementation for the private sector.

Much has transpired since the order was signed in May of 2021, indicating the importance and urgency of cybersecurity to the current administration.

What organizations can do to prepare

Business leaders can give themselves a head start as they await finalization of regulations that will impact them. Using published materials already available, they can guide internal process and vendor relationship changes as they await final requirements. It isn’t too soon to consider strengthening cybersecurity programs to align with emerging federal expectations. Much of EO 14028’s focus is on contracting, so government providers — and vendors that support these providers — can focus on the security of their own trading relationships.

EO 14028 will usher in new compliance obligations for government technology and service providers and will also mean regulatory change for the businesses that support those providers. The rapidity with which actions have emerged from EO 14028 signals the urgency and importance that the current administration places on advancing national cybersecurity. Even as we await the clarity that will come with finalizing every regulatory particular, business leaders can benefit now from following developments and using available information to begin preparations. Our recent webinar and presentation include resource links to acquaint leaders with the players and particulars behind the coming changes.

Readers may also be interested in these recent blog posts: Log4Shell Frequently Asked Questions, How Zero Trust Can Defend Against Ransomware and Preparing for Cyber Disruption – The Future State of Ransomware.

To learn more about our cybersecurity consulting solutions, contact us.

Carol Beaumier

Senior Managing Director
President - Protiviti Government Services

Perry Keating

Managing Director
Security and Privacy
