Preparing For a More Protected Union

The United States federal government has been acting to strengthen its cyber defenses. The actions taken and planned will not only impose new compliance obligations on governmental bodies, but also on private sector technology and service providers that deal with the government — and for businesses that support these providers. Recently, we hosted a webinar entitled To Form a More Protected Union: Preparing for the Future of Cybersecurity, in which we explored President Biden’s recent Executive Order (EO 14028) to improve national cybersecurity and discussed ways that enterprises can prepare for related changes yet to come. We summarize some highlights below.

Background

In April 2021, the Office of the Director of National Intelligence made its annual report on threat assessments. The report outlined cyber threats from other countries, terrorist organizations, and criminal enterprises, among other risks. President Biden signed the following month. EO 14028 tasks various government agencies with strengthening the nation’s cybersecurity through initiatives related to the government’s t information technology supply chain. Protiviti first wrote about coming changes soon after EO14028 was signed, and provided updated information in our webinar.

Change initiatives related to EO 14028 are grounded in the theory that the weakness of one becomes the weakness of many, and that cybersecurity improvements depend on forging partnerships between the government and the private sector. These efforts are underway with more changes yet to be defined. However, even with many related requirements yet to emerge, business leaders can begin to prepare.

Goals

While new measures refer to the federal government’s software and service providers in particular, EO 14028 will impact any business that supports these providers.

Specific regulatory requirements continue to emerge related to EO 14028’s stated goals to:

  • Facilitate threat information-sharing between service providers and the government.
  • Adopt stricter security measures (such as Zero Trust Architecture, federal cloud computing strategy and investments in staff’s cybersecurity skills and training).
  • Improve security of the software supply chain, including a standard software bill of materials to cover supply chain relationships and other details for each software component.
  • Establish a new Cyber Safety Review Board (CSRB) to improve the federal government’s detection and investigation capabilities. This new board will be co-chaired by the government and private business to analyze events and make recommendations that will prevent recurrence. The CSRB will be like the National Transportation Safety Board, which convenes to review airplane accidents and similar incidents.
  • Create a standard playbook for improving detection of malicious activity and responding to vulnerabilities and incidents on federal networks.
  • Improve investigative and remediation abilities via new event logging requirements.

Timing

EO 14028 sets aggressive timelines for the federal government’s actions – and those of the private sector. Most rule-making related to the order will be completed by the first quarter of 2022. The earliest timelines have focused on government actions to operationalize EO 14028’s requirements. Subsequent timelines will spur requirements implementation for the private sector.

Much has transpired since the order was signed in May of 2021, indicating the importance and urgency of cybersecurity to the current administration.

What organizations can do to prepare

Business leaders can give themselves a head start as they await finalization of regulations that will impact them. Using published materials already available, they can guide internal process and vendor relationship changes as they await final requirements. It isn’t too soon to consider strengthening cybersecurity programs to align with emerging federal expectations. Much of EO 14028’s focus is on contracting, so government providers — and vendors that support these providers — can focus on the security of their own trading relationships.

EO 14028 will usher in new compliance obligations for government technology and service providers and will also mean regulatory change for the businesses that support those providers. The rapidity with which actions have emerged from EO 14028 signal the urgency and importance that the current administration places on advancing national cybersecurity. Even as we await the clarity that will come with finalizing every regulatory particular, business leaders can benefit now from following developments and using available information to begin preparations. Our recent webinar and presentation includes resource links to acquaint leaders with the players and particulars behind the coming changes.

Readers may also be interested in these recent blog posts: Log4Shell Frequently Asked Questions, How Zero Trust Can Defend Against Ransomware and Preparing for Cyber Disruption – The Future State of Ransomware.

To learn more about our cybersecurity consulting solutions, contact us.

Carol Beaumier

Senior Managing Director
President - Protiviti Government Services

Perry Keating

Managing Director
Security and Privacy

Subscribe to Topics

It is important for organizations to fully assess their @Microsoft Power Platform to identify potential gaps and optimize its scalability, security, and supportability across the enterprise. Learn how on February 3rd! Register: https://bit.ly/3ng7h07

#powerplatform #microsoft

A #CISO is obligated to provide #cybersecurity #risk insights in the M&A lifecycle. Read what aspects of a prospective M&A are most important and how to discern common pitfalls during the process. https://lnkd.in/eUDRF7zV

Being aware of the weaknesses in your company’s #SAP landscape is one thing, but you also need to know where to start closing the gaps. Protiviti's Niels Willeboordse and Roy Mutsaers discuss #cybersecurity and the need for a secure roadmap: http://ow.ly/ZRp650HqVUz

In response to the Apache #Log4Shell #vulnerability, #ProtivitiTech compiled a list of FAQs received from clients and strategies pursued in the market. This blog was updated to reflect the most accurate information. https://tcblog.protiviti.com/2021/12/16/log4shell-frequently-asked-questions/

How will President Biden's Executive Order (EO 14028) improve national #cybersecurity? #ProtivitiTech shares insights and ways enterprises can prepare for related changes yet to come: http://ow.ly/AqT250HnWJR

Load More...