What does President Biden’s Executive Order Improving the Nation’s Cybersecurity Mean for Public and Private sectors?

The Biden administration released Executive Order 14028, “Improving the Nation’s Cybersecurity,” to compel federal agencies and the private sector to respond effectively to ransomware attacks such as the recent attacks on Colonial Pipeline and JBS.

The Executive Order is an 18-page document with dozens of action steps defined. Each request in the Order has a fast turn-around time (30 to 60 days in many cases), and the Administration’s direction has the potential to significantly improve how the federal government secures networks and digital communications.

Here is what you need to know:

  • The Executive Order defines what the Biden Administration’s policy will be for cybersecurity going forward. This Executive Order will be a major improvement for all phases and sectors of cybersecurity. The Order states that “the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” The earliest directives of this Executive Order are to be implemented within 30 days of signing, i.e., in early June of this year. All the directives are to be implemented by this time next year. All agencies are required to submit implementation reports every 60 days.
  • This Order seeks to reduce or eliminate any contractual barriers that prevent anyone from reporting a cyber breach or sharing information on potential cybersecurity threats. The Order states that the government will review the “Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT service providers.” Changes will be fully implemented within the year.
  • The single largest section of this Order is focused on Enhancing Software Supply Chain Security. The software development process will be more tightly controlled to include security during development and a required “Software Bill of Materials” (SBOM). All new software procured over the next year will be required to meet the standards that are being created over the next 180 days. All legacy software must meet the new standards or be removed from FAR contracts.
  • The Order also states that the “Federal Government must adopt security best practices,” which includes adopting cloud-based functionality for government systems, using FedRAMP as the vehicle, adopting “Zero Trust Architecture,” and implementing multi-factor authentication and encryption standards. Planning and implementation are to be reported every 60 days back to the President’s office and key agencies.

Onclave’s Perspective: What does this mean for business and government?

The President has now directed the Federal Government to adopt tougher cybersecurity standards, with Zero Trust architecture, multi-factor authentication and cloud-based services as the cornerstone of these standards and policies.

NOTE: The Executive Order is one part of a coordinated approach. For example, the Department of Homeland Security’s Transportation Security Administration (TSA) announced a Security Directive that will enable DHS to better identify, protect against, and respond to threats to critical companies in the pipeline sector. Here is a link to that directive.

In addition to improving the overall cybersecurity of government networks, the contract provisions within this Executive Order are part of an effort to bring more accountability to private sector suppliers and government contractors for their network security. We have seen this focus in changes to FedRAMP, as well as in the Department of Defense’s creation of the Cybersecurity Maturity Model Certification (CMMC).

Businesses need to reexamine their cybersecurity strategy and review the guidelines set in this Executive Order as well as the NIST Zero Trust Architecture. Within the foreseeable future, industry standards and insurance liability will reflect the newly raised bar for cybersecurity.

It is very possible that the standards laid out in the Executive Order will become the de facto standards for business within the next few years. A company that chooses not to adopt these new realities will find that its inability to meet these standards affects not only its ability to work with federal and state government agencies, but also with larger corporations.

Below is a table that illustrates how the Onclave TrustedPlatform™ maps to the Executive Order 14028 security requirements:

Mapping of Onclave TrustedPlatform™ to the Executive Order 14028 – May 2021