How to be Compliant with Biden’s Cybersecurity Executive Order

On May 12, 2021, in an ambitious step towards improving the Nation’s security, the Biden Administration has instituted an Executive Order on “Improving the Nation’s Cybersecurity”. The goal is to align cybersecurity initiatives and minimize future threats to national security by modernizing cybersecurity defenses in the United States.

The Executive Order was in the works prior to the Colonial Pipeline cyberattack, reportedly a ransomware incident that snarled the flow of gas on the east coast for days.

The ramifications of the Executive Order will mostly affect the federal government and its agencies. However, several of the requirements in the EO will affect certain federal contractors, and also will touch the private sector.

Some sections to keep in mind

• SECTION 2

The Section 2 of the EO requires IT Service Providers to liberally share data breach information with government departments and agencies tasked with investigating cyberattack incidents.

These include:

1. The Cybersecurity and Infrastructure Security Agency (CISA).
2. The Federal Bureau of Investigation (FBI).
3. Sectors of the United States Intelligence Community (IC).

The EO requires all IT service providers in the United States to remove these contractual barriers to increase, and therefore, improve the flow of specific data breach information between the private sector and the United States government.

The Information Technology (IT) will feel most of the effects of the EO, as well as the Operational Technology (OT) providers (including cloud providers) offering services to the United States government.

How to comply with section 2?

To comply section 2 of Biden’s Executive Order, service providers must ensure the availability of cyber threat intelligence with investigation entities. The design of this information workflow should be in accordance with the revised contract requirements of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation (DFAR)

• SECTION 3

The Section 3 of the EO is an initiative to modernize the federal government’s cybersecurity programs to ensure relevance as the threat landscape evolves.

The United States Federal Government will endeavor to meet the cybersecurity standards issued in this EO. As a result, the Federal Government will adopt the following initiatives as an example of best practices for the private sector:

1. Implementation of a Zero-Trust Architecture (ZTA).
2. The migration to a more secure suite of cloud services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
3. Increased visibility into the threat landscape.
4. Centralized and streamlined access to cybersecurity data
5. The use of multi-factor authentication
6. The encryption of all data.
7. Increased investments in both technology and personnel to meet these practices.

How must your Business respond?

To achieve compliance with the section 3, the private sector must mirror the higher security standards pursued by the Federal Government.

1. Prioritize resources for the rapid adoption of more secure cloud technologies.
2. Develop a Zero Trust Architecture (ZTA) implementation plan
3. Support all cloud technology.
4. Modernize cybersecurity programs to ensure full functionality with cloud-computing environments with ZTA.
5. Develop cloud security frameworks
6. Adopt multi-factor authentication and encryption.
7. Establish a collaboration framework for cybersecurity and incident response activities

Motiva can help the private sector comply with Section 3 by addressing the complete management of your cybersecurity

• SECTION 4

On the Section 4 of the EO there is an initiative to lift the security standards of supply chain software to prevent future incidents like the SolarWinds supply chain attack.

The EO will specify the standards of supply chain software adopted by the government to establish a security baseline for the private sector.

Supply chain software must now:

• Facility greater visibility to make security data publicly available
• Implement an ‘energy star’ type of rating that honestly evaluates its level of security to both the government and the general public.
• Ensure their products are shipped without vulnerabilities that can be exploited by cybercriminals.

 

It is expected the U.S. government will ramp up efforts to strengthen its cybersecurity, and we can expect states to continue to legislate and regulate in this area. All businesses, including federal contractors, likely will experience pressure to evaluate their data privacy and security threats and vulnerabilities and adopt measures to address their risk and improve compliance