
Preparing For a More Protected Union

Perry Keating

Managing Director - Security and Privacy

Carol Beaumier

Senior Managing Director


The United States federal government has been acting to strengthen its cyber defenses. The actions taken and planned will impose new compliance obligations not only on governmental bodies, but also on private sector technology and service providers that deal with the government, and on the businesses that support these providers. Recently, we hosted a webinar entitled To Form a More Protected Union: Preparing for the Future of Cybersecurity, in which we explored President Biden’s recent Executive Order (EO 14028) to improve national cybersecurity and discussed ways that enterprises can prepare for related changes yet to come. We summarize some highlights below.

Background

In April 2021, the Office of the Director of National Intelligence made its annual report on threat assessments. The report outlined cyber threats from other countries, terrorist organizations, and criminal enterprises, among other risks. President Biden signed EO 14028 the following month. EO 14028 tasks various government agencies with strengthening the nation’s cybersecurity through initiatives related to the government’s information technology supply chain. Protiviti first wrote about coming changes soon after EO 14028 was signed, and provided updated information in our webinar.

Change initiatives related to EO 14028 are grounded in the theory that the weakness of one becomes the weakness of many, and that cybersecurity improvements depend on forging partnerships between the government and the private sector. These efforts are underway with more changes yet to be defined. However, even with many related requirements yet to emerge, business leaders can begin to prepare.

Goals

While new measures refer to the federal government’s software and service providers in particular, EO 14028 will impact any business that supports these providers.

Specific regulatory requirements continue to emerge related to EO 14028’s stated goals to:

  • Facilitate threat information-sharing between service providers and the government.
  • Adopt stricter security measures (such as Zero Trust Architecture, federal cloud computing strategy and investments in staff’s cybersecurity skills and training).
  • Improve security of the software supply chain, including a standard software bill of materials to cover supply chain relationships and other details for each software component.
  • Establish a new Cyber Safety Review Board (CSRB) to improve the federal government’s detection and investigation capabilities. This new board will be co-chaired by the government and private business to analyze events and make recommendations that will prevent recurrence. The CSRB will be like the National Transportation Safety Board, which convenes to review airplane accidents and similar incidents.
  • Create a standard playbook for improving detection of malicious activity and responding to vulnerabilities and incidents on federal networks.
  • Improve investigative and remediation abilities via new event logging requirements.

Timing

EO 14028 sets aggressive timelines for the federal government’s actions – and those of the private sector. Most rule-making related to the order will be completed by the first quarter of 2022. The earliest timelines have focused on government actions to operationalize EO 14028’s requirements. Subsequent timelines will spur requirements implementation for the private sector.

Much has transpired since the order was signed in May of 2021, indicating the importance and urgency of cybersecurity to the current administration.

What organizations can do to prepare

Business leaders can give themselves a head start as they await finalization of regulations that will impact them. Using published materials already available, they can guide internal process and vendor relationship changes as they await final requirements. It isn’t too soon to consider strengthening cybersecurity programs to align with emerging federal expectations. Much of EO 14028’s focus is on contracting, so government providers — and vendors that support these providers — can focus on the security of their own trading relationships.

EO 14028 will usher in new compliance obligations for government technology and service providers and will also mean regulatory change for the businesses that support those providers. The rapidity with which actions have emerged from EO 14028 signals the urgency and importance that the current administration places on advancing national cybersecurity. Even as we await the clarity that will come with finalizing every regulatory particular, business leaders can benefit now from following developments and using available information to begin preparations. Our recent webinar and presentation include resource links to acquaint leaders with the players and particulars behind the coming changes.

Readers may also be interested in these recent blog posts: Log4Shell Frequently Asked Questions, How Zero Trust Can Defend Against Ransomware and Preparing for Cyber Disruption – The Future State of Ransomware.

To learn more about our cybersecurity consulting solutions, contact us.
