The Biden Administration published a new executive order (EO) to strengthen the digital security of U.S. federal government networks.
Published on May 12 by The White House, the executive order covered much of what many media outlets reported would appear in the draft.
This included the issue of supply chain security. For example, the EO stated that the U.S. federal government will begin requiring developers to make security data about their tools publicly available. It also said that the U.S. government will begin leveraging its purchasing power to incentivize the market to develop more secure software solutions going forward.
Tim Erlin, VP of product management & strategy at Tripwire, recognizes the potential impact that this last measure could end up having on the private sector:
In many ways, the Federal Government’s most powerful tool for influencing the private sector is its own purchasing power. By including cybersecurity requirements in purchasing contracts, the Government can influence a wide swath of the private sector.
The executive order didn’t disappoint in other areas, as well. As foretold by earlier reports, the directive included a section on removing barriers that would prevent Information Technology (IT) and Operational Technology (OT) service providers from sharing information about digital attacks with executive departments such as the FBI.
It also mandated the creation of a Cybersecurity Safety Review Board. This new organization will function similarly to the Transportation Safety Review Board in that it will analyze successful digital attacks, identify the root causes of those incidents and provide recommendations to federal agencies going forward.
Some of the EO’s provisions weren’t previously reported, however. Citing the presence of out-of-date security models and unprotected information on federal networks, for instance, the executive order emphasized the importance of government entities using foundational controls such as multi-factor authentication (MFA) to strengthen their digital security.
In Erlin’s mind, such a prescription provides an overarching theme for the EO more generally.
“In many ways, the executive order lays out a back-to-basics approach,” he explained. “While technology advances, core principles like identifying and remediating vulnerabilities, collecting logs and building an incident response plan are all still required. With a nationally sized problem at hand, consistent implementation of basic controls can go a long way towards improving the situations.”
The directive also included information about creating playbooks to help federal agencies defend themselves against digital attacks, implementing cybersecurity event log requirements to help those entities determine the full scope of an attack and rolling out a government-wide Endpoint Detection and Response (EDR) deployment.
Erlin felt there was just one thing that was missing:
It’s unfortunate that this order doesn’t specifically call out the pervasive problem of misconfiguration. While the need to configure systems securely is implied with a Zero Trust architecture, a more specific recommendation around establishing secure configurations would fit well with the language around vulnerabilities and logging.
That doesn’t mean the EO won’t address misconfigurations. It might mean it just needs to take on a bit more shape and be put into practice by the U.S. government first.
Erlin is aware of this fact.
“This executive order should be read as a roadmap for dramatically improving cybersecurity across the government and, insofar as possible, within the private sector,” he conceded. “The executive order outlines a series of actions at various intervals that range from establishing a cybersecurity review board to standardizing contractual language around information sharing. Most of the immediate action stemming from this executive order come from further development of standards and recommendations. We’ll see these roll out at the intervals specified in the order itself.”
For more information about the new EO, check out this FAQs page here.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
