The Executive Order's Affect On Cybersecurity
It's become increasingly clear how substantial cyber threats to government and defense networks demand better safeguards. As a result, President Biden signed an executive order last year to bolster the federal government's cybersecurity posture.
But if the ransomware attack on the Virginia legislature in December 2021 proved anything, it was that these measures were merely a starting point stepping stone to protection against cyberattacks. Following the VA legislature attack, the White House has issued a Memorandum that aims to strengthen the cyber defense of the National Security Systems.
View the entire White House Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems
Granted, these initiatives are primarily for the federal government, but they are likely to gain traction in the private sector, especially among government contractors– and especially if the federal government is given oversight over cyber readiness in the private sector.
So, have you considered how the executive order and this new memorandum might affect your cybersecurity this year and beyond? Schedule an assessment today!
The Effects Are Currently Indirect
Is the government your customer? If yes, these changes affect your business just as much as the federal government because you must show compliance within your service offering.
On the other hand, the federal executive branch has limited capabilities to dictate what contractors in the private sector must do concerning cybersecurity. Still, the Executive Order and the New Memorandum indicate the standards of care and regulatory requirements that cybersecurity contractors in the private sector face where scrutiny is allowed.
The new standards to consider in this case include:
- Secure Software Development: According to the Executive Order, the contractor business must develop software, evaluate its security, and ensure it is protected for use. Additionally, contractors should publicize all security data. This mandate further expects contractors to resolve any vulnerabilities immediately and ensure products or services have a label authenticating the cyber software’s development is secure and under the NIST standards.
- Multi-Factor Authentication: Before accessing the National Security Systems, the contractor must implement multi-factor authentication.
- Encryption: The current encryption systems used by contractors must work for data at rest and in transit. The encryption must additionally meet the CNSA requirements.
- Secure Cloud Services: Contractors are urged to migrate their services into secure cloud spaces and implement a zero-trust architecture. This model reduces the ease of access to data among internal users. The zero-trust architecture prevents cyber attacks that occur on personal networks through unauthorized intrusions, like a phishing attack. Often, these attacks affect the entire network after the actors gain access.
- Incident Response: All cyber incidents must be reported to the National Security Systems to further collaboration among agencies and remove barriers between federal and private cyber contractors. In essence, contractors should send the report to a central authority within the state. The central authority uses the information to identify attacker tactics and inform the cybersecurity industry on efficiently identifying and responding to similar attacks.
Additionally, cybersecurity businesses and government actors will be expected to create and develop secure software only and indicate that the cybersecurity products satisfy the indicated security standards. Communication and cooperation should also be apparent before, during, and after the occurrence of a cyberattack.
You Are Bound To Transparency
What is certain is that the Executive Order and the New Memorandum will shift public expectations and regulatory requirements towards a more transparent approach. This means that federal and private cybersecurity contractors will practice transparency within their offerings.
In a word, contractors (including IT, OT, and cloud providers) that service the federal agencies and departments should collect all the cybersecurity information related to the information systems and preserve them.
If the information collected indicates that there are potential or current cyber incidents that can affect the government networks, then this information needs to be shared with government cybersecurity agencies to help detect and mitigate the incidents.
Additionally, contractors in the IT sector should report any cyber incidents involving a service or software product to the Cybersecurity and Infrastructure Security Agency (CISA) and their agency customers.
Detecting And Responding To Cyber Incidents Will Be A Standard Procedure
Previously, CISA was only responsible for working with contractors to ensure they had the right cyberinfrastructure. CISA is now responsible for creating a standard guideline detailing how contractors respond to cyber incidents following the Executive Order.
This guideline should be updated annually and be used in place of the existing agency practices. Since it is a guideline for federal and private contractors, it provides information on preparing and responding to legal and regulatory expectations if an incident occurs.
According to the Executive Order, contractor businesses can use this guideline to learn how to:
- Improve the detection of intrusions through the creation of cybersecurity event logs
- Determine the depth of historical threats or attacks
- Reduce the risks that are already present
Ultimately, The Theme Is The Same
As the Executive Order first indicated, the federal government's cybersecurity defenses are improved based on strengthening coordination and cybersecurity infrastructure benchmarks among different agencies.
Whether you are a federal or a private contractor, the purpose of the Executive Order and the New Memorandum benchmarks is to strengthen our collective defenses against cybersecurity attacks.
According to the private sector guidelines, the Executive Order and the New Memorandum might include guidelines and mandates that your contractor business already adheres to. The benchmarks in the memorandum can be used as a cheat sheet roadmap to the desired outcomes.
Looking ahead: keep an eye on the possibility that the already limited reach of the Executive Branch might be further diminished to support the New Memorandum. Need more insight? Schedule an assessment today!