What Does President Biden’s Cybersecurity Executive Order Mean for Your Business?
If you are an enthusiastic follower of current events in the Cybersecurity and Infosecurity space, you are well aware of the high-profile cybersecurity events that have taken place, especially in the United States. The recent events in the cybersecurity space greatly impacted federal government operations, as well as the operations of private sector companies that use the same software and services as the groups that were targeted.
As a result of the recent events, the U.S. government was prompted to take immediate and decisive actions around the implementation of proactive controls. On May 12, President Biden signed an Executive Order(EO) that is aimed at improving cybersecurity around the Nation. One of the key missions of the Executive Order is to “identify, deter, protect against, detect and respond to these actions and actors“.
We understand how tempting it may be to gloss over this new order, especially since every recent administration has taken measures similar to this one, but not always to significant effect. This Executive Order; however, deserves your attention. The latest order focuses on implementing key improvements to the networks of federal departments and agencies, many of which do not have the proper safeguards in place despite previous presidential and congressional actions.
What Will The Executive Order Aim To Address?
While it can be considered debatable whether Executive Orders actually have impacts — especially as attacks on federal networks have increased in recent years — we want to evaluate the potential impact of the Cybersecurity Executive Order. The EO is a 34-page document that has 11 sections. Three of the sections are administrative and the other sections make up the heart of the order.
The Executive Order does not aim to address the entire landscape of cybersecurity. However, it does focus on some of the most key aspects with a greater emphasis on the aspects that were central to the more recent attacks and threats. Some actions are required to take place in the next 30 to 60 days. Some key aspects that are covered by the new executive order include the following:
Removing Barriers to Sharing Threat Information
The EO states that IT service providers, OT providers, and cloud service providers have terms that may create barriers to the sharing of cyber threats or information on federal information systems. Sharing timely and practicable threat information that can lead to quick detection and response is supreme. The order states that removing the barriers are critical steps to expediting ”incident deterrence, prevention, and response.”
Within 60 days of the Executive Order, federal agencies will have to make recommendations for contract term changes. The order also requires each agency to prioritize resources for the adoption and use of a secure cloud. Each agency will also need to have a plan to implement Zero Trust Architecture and Multi-Factor Authentication, as outlined in Section 3(Modernizing Federal Government Cybersecurity) of the Executive Order
Any government contractor that provides software or services would be required to report any cyber incidents to all relevant agencies. Homeland Security, alongside other federal agencies, has been directed to recommend changes to the Federal Acquisition Regulation (FAR) including all information about the cyber incident that needs to be reported. This increased visibility and succeeding regulation could increase the focus of IT, OT, and cloud service providers as there will be a requirement to report all relevant cybersecurity events.
Enhancing Software Supply Chain Security
After the Colonial Pipeline hack that impacted nearly half the East Coast’s gasoline supply, President Biden signed the order that will place strict standards on the cybersecurity of any software that is sold to federal agencies. Government officials in the United States called out Colonial Pipeline’s poor defenses and mentioned that there was no way to monitor any outside threats. In the order, President Biden calls out various areas where agencies need to boost their application security capabilities.
By 2022, software suppliers will be required to comply with all software development requirements to successfully sell to federal agencies. Agencies are directed to remove any software that does not meet the new requirements.
Establishing a Cyber Safety Review Board
The Attorney General, along with the Secretary of Homeland Security will be responsible for creating a new Cyber Safety Review Board that will aim to assess threat activity, vulnerabilities, incidents, mitigation activities, and responses. The Cyber Safety Review Board will comprise representatives of the following:
- Department of Defense
- Department of Justice
- CISA, FBI, and NSA
- Representatives from private sector cybersecurity or software suppliers
The board will seek to understand why certain major incidents happen, what measures were in place before the incident, and what can be learned from the incident. The other key points of the Executive Order include the following:
- Creating a Standard Playbook for Responding to Cyber Incidents
- Improving Detection of Cybersecurity Incidents on Federal Government Networks
- Improving Investigative and Remediation Capabilities
What Should You Do Before Creating A New Strategy?
Before your Baton Rouge business can create a detailed strategy regarding the new requirements, everyone in your workplace will need to understand the following:
- Businesses Processes and Employee Roles: Has it been communicated to employees what their roles are and what assets can/cannot be assessed?
- Application Authorization: What roles and permissions are used for each application?
- Device Configuration: What security standards and technology standards are required for your devices?
The actions outlined in the order will take time, and the actions will require support from everyone in your business. Your employees will need to have an understanding of cybersecurity threats and what actions they need to take when one is discovered. Threats are increasing in volume and your business will need to be prepared for anything.
How Can Essential Solutions Help Your Business?
At Essential Solutions, LLC we work with many businesses in Baton Rouge to help them understand the scope of assets in their environments so they can have a better understanding of when any action or device deters from policy expectations. We can achieve a comprehensive view of your environment and ensure your business meets all current and future compliance requirements.
Want to learn more about how your business can be impacted by the latest Cybersecurity Executive Order? We would love to hear from you. Contact us at 225.336.0273 or 800.560.2910. You can also email us at service@esllc.com or schedule a call.