May 13 2021

Biden’s Executive Order on Cybersecurity Highlights Zero Trust, Software Security

The expansive executive order comes in the wake of several high-profile cyberattacks and is designed to spur the government into action.

On the evening of May 12, President Joe Biden signed a much anticipated executive order on cybersecurity, a signal that federal agencies need to rapidly ramp up their IT security efforts across a wide range of concerns. 

The order comes in the wake of several headline-grabbing cyberattacks that have affected government agencies, including the so-called SolarWinds breach, which the Biden administration has attributed to Russian state-sponsored actors.

As part of the order, in direct response to that attack, IT providers entering into contracts with agencies must promptly report to agencies “when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.”

“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” Biden says in the order.

“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid,” he says. “The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”

The executive order outlines several steps that agencies and contractors will need to take in the next few months:

  • Within 60 days, agency heads need to “update existing agency plans to prioritize resources for the adoption and use of cloud technology” and develop a plan to implement zero-trust architecture.
  • Within six months, the National Institute of Standards and Technology is required to publish guidelines on software security for software sold to federal agencies. Those guidelines are required to include “criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.”
  • Also within six months, agencies must adopt multi-factor authentication and encryption for data at rest and in transit, “to the maximum extent consistent with Federal records laws and other applicable laws.”

The order also creates a new Cyber Safety Review Board to review significant cyber incidents, akin to the National Transportation Safety Board's role following major transportation accidents. 

Speaking at an event May 13 at George Washington University, Brandon Wales, the acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said that “There is far more focus in the current White House in terms of getting positive outcomes out of this executive order ... there is a lot more diligence in terms of follow-up.”

Wales also acknowledged that the executive order is “ambitious, but it’s ambitious because what we have seen is we don't have the time to continue to wait.” 
