Sizing up the New US Executive Order on Cybersecurity

Author: Shannon Donahue, Ph.D., CISM, CDPSE, CISSP
Date Published: 21 May 2021

For years we have seen standards, regulations and legislation arise in the aftermath of a cyber incident or shifts on the technology landscape. Company accounting scandals from Enron, Arthur Andersen and WorldCom paved the way for the US Sarbanes-Oxley Act, increases in payment card fraud prompted the evolution of individual card company standards into the creation of the Payment Card Industry Data Security Standard (PCI-DSS), and the increased use of search engines and social media platforms led the UK to expand existing privacy regulation into the General Data Protection Regulation (GDPR).

Since late last year, there have been several high-profile attacks affecting both government and the private sector. SolarWinds, Microsoft Exchange and, most recently, Colonial Pipeline have made headlines not just because of the attack types or who was attacked, but because of the downstream impact the attacks have had.

In response to these attacks in the US, the White House recently released a new Executive Order on cybersecurity. While it is not a law, and in most cases applies only to the United States Federal Government, it is a good platform to encourage change and improvement in security programs.

Right now, the executive order is broken into different areas that call for various improvements. We have identified those for you below. We know that you may have questions regarding the EO and how it impacts you. ISACA will continue to help members navigate the regulatory landscape with guidance and tools to help you understand, implement, and measure the controls and practices required to safeguard your information assets.

ISACA Summary of US Executive Order on Federal Cyber Security Signed by President Biden on 12 May 2021

This Executive Order is a response to the cyberattacks against federal computer systems and critical infrastructure. The order aims to modernize the cybersecurity defenses of federal networks, improve information-sharing between the US government and the private sector on cyber issues, and strengthen the United States’ ability to respond to incidents when they occur.

The executive order attempts to prevent another SolarWinds-type breach by setting new security requirements in order to do business with the federal government. The government’s contractors will need to alert the government if they are hacked and share information about any breach or intrusion, and agency contracts will contain standard security provisions, no matter what agency issues them.

The Administration through this order is encouraging private-sector companies to follow the federal government’s lead and take more ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.

The order has the following major components:

Remove Barriers to Threat Information Sharing Between Government and the Private Sector. IT service providers are able to share information with the government and are required to share certain breach information if they hold a federal contract.

Modernize and Implement Stronger Cybersecurity Standards in the Federal Government. The order speeds up the federal government’s move to secure cloud services and mandates that federal systems adopt zero-trust architecture, multifactor authentication and encryption.

Improve Software Supply Chain Security. The order establishes baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available – an initiative commonly referred to as “Software Bill of Materials.” It stands up a public-private process to develop new and innovative approaches to secure software development. There is also an “energy star” type of label so the government (and the public) can quickly discover whether software was developed securely.

Establish a Cybersecurity Safety Review Board. Modeled after the National Transportation Safety Board, a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, will convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.

Create a Standard Playbook for Responding to Cyber Incidents. The order asks the Department of Homeland Security and Department of Commerce to create a standardized playbook and set of definitions for cyber incident response by federal departments and agencies.

Improve Detection of Cybersecurity Incidents on Federal Government Networks. The order authorizes a government-wide endpoint detection and response system, and event log requirements for federal departments and agencies.

Editor’s note: To learn more about ISACA’s advocacy and government affairs team, visit https://www.isaca.org/why-isaca/about-us/advocacy.