2021 cybersecurity executive order: Everything you need to know
President Joe Biden's administration recently released an executive order on improving the nation’s cybersecurity in the wake of increasingly bold and widely impactful cyberattacks focused on public and private sector targets. The order recognizes the impact on the American people’s security, privacy and business and the role that the federal government plays in setting an example for comprehensive security standards and facilitating its implementation across the rest of the country’s industries.
The executive order also recognizes that reshaping and implementing new cybersecurity standards is not something the federal government can do overnight or on its own. It will have to have the input and participation of the private sector to more effectively protect the country from malicious cyberattacks. However, the cybersecurity executive order provides initial goals, timelines, and, in some cases, the necessary funding to get the momentous task started.
So what exactly does the new cybersecurity executive order include, and what could it mean for other organizations? The federal government must lead by example.
Cybersecurity executive order: What you need to know
Understandably, the new cybersecurity executive order covers a lot of ground and lays out a wide range of expectations for the federal government, but it generally covers six main themes.
Removing barriers to sharing threat information
Section two of the cybersecurity executive order seeks to increase the sharing of threat intelligence information across the federal government and from the IT service providers that facilitate many of their systems.
The executive order tasks the National Security Agency (NSA), Department of Defense (DoD), the Department of Homeland Security (NSA), the Director of National Intelligence (DNI) and the attorney general to develop new procedures and guidelines for the sharing of cyber incident reports between IT service providers and federal departments.
Modernizing federal government cybersecurity
The most notable feature of Section three of the executive order is emphasizing a “zero-trust architecture” for the federal government’s use of cloud services. As part of this, the order mandates the “deployment of multi-factor authentication and encryption” as well as additional security controls recommended by the National Institute of Standards and Technology (NIST) within the Department of Commerce.
This new stance follows recommendations and guidance from the National Security Agency for what a zero-trust security architecture means for the federal government in practice, namely, “a coordinated system management strategy that assumes breaches are inevitable or have already occurred.” With this new perspective on security, federal agencies will now work to apply the principle of “never trust, always verify” users and accounts, helping to further secure data and prevent lateral network movement.
In addition, within six months of the order, federal departments “shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with federal records laws and other applicable laws.”
Enhancing software supply chain security
Recognizing the prevalence of the vulnerability that led to the SolarWinds data breach, Section four of the executive order seeks to improve the federal government's awareness about how the software it uses is made and what comprises it.
In particular, the executive order will require developers to provide great visibility into their software and share their related security data with the public. The cybersecurity executive order also will create a pilot program, modeled off of the Energy Star program, that provides a label that the government and public can use to quickly determine the security controls that went into the design of a piece of software.
Finally, the Department of Commerce will create a list of minimum elements that software suppliers must provide within a Software Bill of Materials (SBOM). This will, according to Forrester, “help organizations manage risk by letting them quickly determine what vulnerable software components are in their products.”
Establishing a cyber safety review board
The executive order also outlined creating a Cyber Safety Review Board that will be co-chaired by government and private sector leaders. The review board will have the authority to convene following a cyber incident to document what happened and make concrete recommendations for improving overall cybersecurity.
Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
Section six of the cybersecurity executive order outlines the need for “a standardized playbook and set of definitions for cyber incident response by federal departments and agencies.”
This incident response playbook will help ensure that all federal departments meet a certain readiness threshold and prepare to take the necessary and coordinated steps to identify and mitigate a cybersecurity threat. The EO also outlines the need for a “government-wide endpoint detection and response (EDR) system” that will help to improve information sharing and detect malicious activity. It is the hope, as stated in the executive order, that the playbook and the EDR will serve as a template for the private sector to follow.
Improving the federal government’s investigative and remediation capabilities
Additionally, sections seven and eight of the executive order create requirements for cybersecurity event log data and its retention, improving an individual organization’s ability to detect and mitigate intrusions faster.
In particular, DHS, the attorney general, and the office of management and budget will develop these recommendations, which will include:
- The types of logs to be captured and stored
- How long to retain the records and related data
- Expectations for implementation
- Standards on how to protect the event logs using encryption
- Requirements to protect applicable privacy laws
The federal government must lead by example
This phrase, “the federal government must lead by example,” written in the introduction of the policy, is perhaps the underpinning of this cybersecurity executive order.
Each level of every federal government department needs to strengthen its cybersecurity standards, adopt multi-factor authentication and data encryption, develop a deeper understanding of secure software development and improve the use of incident detection tools.
While the efforts will begin by focusing first on “critical software” used by the federal government, the same measures will also be required for all software used. Expectations like these will, the executive order hopes, inspire a larger conversation about the need for secure software across the public and private sector as well as increased coordination.
Similarly, the development and implementation of a standardized incident response plan for how the federal government responds to cyber incidents and enhanced logging and incident detection capabilities should also further drive the use of these best practices across all industries.
What should you learn next?
Looking ahead to the cybersecurity executive order
While the cybersecurity executive order is focused on the federal government in its wording and authority, it will likely have far-reaching downstream impacts on other industries.
In addition to the contractors, suppliers and developers that work directly for the federal government, the broader private security will likely see the benefit of implementing these best practices into their operations.
Although tools such as multi-factor authentication and secure cloud services are more widely known, increased use of incident response plans, incident detection tools, logging and the adoption of zero-trust is likely to follow.
Sources
Biden Executive Order Bets Big On Zero Trust For The Future Of US Cybersecurity, Forrester
CISA predicts cyber EO will drive progress on zero trust, Federal Computer Weekly
Executive Order on Improving the Nation’s Cybersecurity, The White House
Statement from CISA Acting Director Wales on Executive Order to Improve the Nation’s Cybersecurity and Protect Federal Networks, Cybersecurity and Infrastructure Security Agency (CISA)
In this Series
- 2021 cybersecurity executive order: Everything you need to know
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
- Top 8 Microsoft Teams security issues
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security