Alert
05.19.21
On May 12, 2021, in the wake of the SolarWinds supply-chain compromise and the Colonial Pipeline ransomware incident, President Joe Biden issued the long-awaited “Executive Order on Improving the Nation’s Cybersecurity” (Executive Order 14028), which directs significant changes to the cybersecurity requirements placed on federal agencies and federal government contractors. The Order directs improvements to software supply chain security, establishes a Cyber Safety Review Board, creates a consumer labeling program, mandates Zero Trust Architecture and multi-factor authentication, and requires service providers to share information about breaches that could affect government networks, among other items. Included below is more in-depth information on those components of the Order most relevant to our clients:
Removal of Barriers to Sharing Threat Information
To remove current barriers to information sharing, the Director of the Office of Management and Budget (OMB) will work with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to review and make recommendations on revising the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). To learn how President Biden’s Executive Order directs sweeping changes to cybersecurity requirements in federal government contracts and calls for the government to “bear the full scope of its authorities and resources,” please view our Government Contracts cybersecurity alert here.
Zero-Trust Architecture
One of the most prominent measures included in the Order is the directive to implement a “Zero Trust Architecture” (ZTA) throughout the federal government. The Order describes ZTA as a security model that “[eliminates] implicit trust in any one element, node, or service and instead [requires] continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.” It limits access and lateral movement, looks for anomalous or malicious activity, and “embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment.” While the Order endorses ZTA, it does not itself specify what a baseline ZTA looks like; it defers to existing NIST guidance for that.
The Order requires the head of each agency to develop a plan to implement ZTA. Each plan must incorporate the migration steps already outlined by the National Institute of Standards and Technology (NIST) in its zero trust guidance (NIST Special Publication 800-207, Zero Trust Architecture), and should identify any steps already completed, the activities that will have the most immediate security impact, and a schedule for implementing them.
The Order also requires agencies migrating to cloud technology to adopt ZTA specific to that technology. To facilitate this transition, the Cybersecurity and Infrastructure Security Agency (CISA) will modernize its current cybersecurity programs, services, and capabilities so that they are fully functional in cloud-computing environments built on ZTA. In addition, the Secretary of Homeland Security, acting through CISA and in consultation with the Administrator of General Services acting through the FedRAMP program, will develop security principles governing Cloud Service Providers.
Data Encryption and Multi-Factor Authentication
Another measure intended to improve cloud-service cybersecurity is a requirement that agencies adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with federal records laws and other applicable law, within 180 days of the Order. Heads of Federal Civilian Executive Branch (FCEB) agencies must report their progress in adopting these measures every 60 days after the Order, and those reports continue until the agency has fully adopted multi-factor authentication and data encryption agency-wide. CISA has been charged with taking “all appropriate steps” to facilitate adoption of the technologies and processes needed to implement these measures.
Protections for Critical Software in the Supply Chain
The Order emphasizes the importance of protecting “critical software.” Critical software is generally defined as “software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources),” but it is currently unclear exactly what the term will cover. A more specific definition will be developed by NIST in consultation with the National Security Agency (NSA), CISA, OMB, and the Office of the Director of National Intelligence. CISA, in consultation with NIST, will then use that definition to compile a list of software categories and products for use by agencies. NIST will also publish guidance on security measures for critical software, including applying least privilege, network segmentation, and proper configuration practices.
Within one year of the Order, the Secretary of Homeland Security, in consultation with other department heads, will recommend contract language to the FAR Council that would require companies supplying software to the government to comply with, and attest to complying with, these new cybersecurity requirements. The FAR Council will then review those recommendations and amend the FAR. Once the amended FAR is final, agencies are to remove software products that fail to meet the requirements from their government-wide and agency contract vehicles. Legacy software is not exempt: agencies using software developed or procured before the Order must either bring it into compliance or provide a plan to remediate or meet the requirements, and renewals of software contracts, including legacy software, must comply with the same requirements.
NIST will solicit input from the federal government, private sector, and academia in developing new standards, tools and best practices for complying with new software supply chain security requirements and standards.
Improvements to Detection of Cybersecurity Vulnerabilities and Incidents
The Order includes a section devoted to improving detection of cybersecurity vulnerabilities and incidents on federal government networks, stating that the government will “employ all appropriate resources and authorities” to meet that goal. Under the Order, FCEB agencies will deploy an Endpoint Detection and Response (EDR) initiative that complies with requirements developed by CISA, and resources will be provided to agencies to enable EDR implementation. This section also requires agencies to establish or update Memoranda of Agreement with CISA for the Continuous Diagnostics and Mitigation (CDM) program to ensure that object-level data, as defined in those agreements, are available and accessible to CISA.
Within 45 days of the order, the Director of the NSA will recommend actions for improving detection of cyber incidents affecting National Security Systems, including recommendations concerning EDR approaches and whether these measures should be operated by agencies or through a centralized service.
Cyber Safety Review Board
The Order establishes a Cyber Safety Review Board (CSRB), to be made up of federal officials as well as representatives from private-sector cybersecurity or software suppliers. The CSRB will review and assess “significant cyber incidents” affecting FCEB Information Systems or non-federal systems, together with the related threat activity, vulnerabilities, mitigation activities, and agency responses.
The Board’s initial review will relate to the cyber activities that prompted the establishment of a Unified Coordination Group in December 2020, i.e., the SolarWinds compromise. The Board will then make recommendations on improving cybersecurity and incident response practices, as well as on the makeup and operation of the Board itself.
Modernization of FedRAMP
One of the steps toward modernizing FedRAMP included in the order is the incorporation of automation throughout the FedRAMP lifecycle, which includes assessment, authorization, continuous monitoring, and compliance. The modernization process will also involve identifying relevant compliance frameworks and allowing them to be used as a substitute for applicable sections of the FedRAMP process, when appropriate.
DEADLINES
Removing Barriers to Sharing Threat Information
Modernizing Federal Government Cybersecurity
Enhancing Software Supply Chain Security
Establishing a Cyber Safety Review Board
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Improving the Federal Government’s Investigative and Remediation Capabilities
National Security Systems