The executive order outlines several steps that agencies and contractors will need to take in the next few months:
- Within 60 days, agency heads need to “update existing agency plans to prioritize resources for the adoption and use of cloud technology” and develop a plan to implement zero-trust architecture.
- Within six months, the National Institute of Standards and Technology is required to publish guidelines on software security for software sold to federal agencies. Those guidelines are required to include “criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.”
- Also within six months, agencies must adopt multi-factor authentication and encryption for data at rest and in transit, “to the maximum extent consistent with Federal records laws and other applicable laws.”
The order also creates a new Cyber Safety Review Board to review significant cyber incidents, akin to the National Transportation Safety Board's role following major transportation accidents.
Speaking at an event May 13 at George Washington University, Brandon Wales, the acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said that “There is far more focus in the current White House in terms of getting positive outcomes out of this executive order ... there is a lot more diligence in terms of follow-up.”
Wales also acknowledged that the executive order is “ambitious, but it’s ambitious because what we have seen is we don't have the time to continue to wait.”