No Match Found
President Biden just released an Executive Order (EO) on improving the nation’s cybersecurity to galvanize public and private efforts to help identify, deter, protect against, detect, and respond to persistent and increasingly sophisticated malicious cyber campaigns. Specific measures in the EO reflect lessons learned from recent crises, such as the recent cyber espionage campaigns.
In our view, the EO signals two things.
It calls for making federal government systems stronger and safer so they’re harder to break into. It pushes specific actions to modernize cybersecurity in the federal government, such as zero trust architecture. And it uses the $70 billion information technology (IT) purchasing power of the federal government to impel the market to build security into all software from the ground up.
It sets a goal for more effective and agile federal government responses. It requires IT providers to report cyber incidents and removes contractual barriers for them to share information with government entities. The EO also standardizes the playbook for different agencies to respond together to incidents.
This is a matter of national security and trust. The EO says “the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
This EO is just the first step for dealing with nation-state supply chain attacks. Sean Joyce, PwC’s Global & US Cybersecurity, Privacy & Forensics leader, had raised the urgency of more holistic action: The United States needs a more organized approach to cyberthreats. Already, the government and industry have lagged in updating our laws, our regulations, corporate responsibilities and adjusting to a digital, boundary-free world.
Who is affected?
Federal executive agencies are expected to modernize their technology environment and security practices.
Federal contractors, including commercial-off-the-shelf (COTS) software providers, will likely see new cybersecurity standards built into contract terms. They will be required to share more information on cyber incidents.
The private sector will likely see a focus on software supply chain security, as well as on transparency through proposed consumer security labeling on software and internet of things (IoT) devices. As a result, software and IoT device companies should expect new security requirements and assessment standards.
The Biden administration EO outlines an array of cybersecurity objectives the government must meet, and there’s a short timeline to do so. As with former President Obama’s EO nine years ago, we anticipate a cascading impact, first to federal contractors and then rippling through other industries, as new standards are set and practices are adopted.
We now turn to the implications of the EO for the most directly affected: the providers of IT services to the federal government.
The EO directs the removal of any contractual barriers and requires IT service providers to share breach information that could impact government networks. The aim is to enable more effective defenses of federal departments and to improve the nation’s cybersecurity as a whole.
Short of national data breach legislation, this EO likely goes as far as it can to mandate cyber incident reporting.
Traditionally, only defense contractors have had specific requirements regarding breach reporting (DFARS 252.204.7012 clause). This EO will extend the requirement to all Federal Acquisition Regulation (FAR) contracts. As a result, contractors will need to understand the contract requirements and the ability of their underlying data governance frameworks to classify, manage and protect sensitive data (i.e., controlled unclassified information [CUI].)
In addition, contractors will be expected to collect and share information related to threats, vulnerabilities and incidents collected to share relevant information with CISA, FBI, and other agencies and boards for investigation.
The EO improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection-and-response system and improving information sharing within the federal government.
The intent is to provide greater details to proactively identify threats, as well as having appropriate information to investigate and respond to incidents.
Proactive threat hunting leads to cyber risk reduction. The ability to actively search endpoints and identify sophisticated threats requires advanced tools, technology and people.
The EO creates cybersecurity event log requirements for federal departments and agencies.
IT service providers will be required to collect and maintain information from network and system logs on federal information systems (for both on-premise systems and connections hosted by third parties, such as cloud service providers), and to provide them to the government when necessary to address a cyber incident.
The EO challenges the federal government to lead the way and increase its adoption of security best practices. These practices include employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.
There’s a strong commitment to zero trust architecture in this EO. The business community has been talking about this, and adoption has accelerated since the software supply chain attacks this past winter, but many executives are still asking if it’s the best thing to do. Seeing zero trust architecture called out in the EO may encourage business leaders to consider it a leading practice. It’s important to think of zero trust architecture as a layer in a layered defense strategy, and not the be-all and end-all of cybersecurity investments.
Federal contractors should expect zero-trust security requirements, as well as further focus on CUI, to be included as new or alternative requirements in NIST requirements (NIST 800-53 (FedRAMP), NIST 800-171 (CMMC)).
There’s also a strong emphasis on getting cloud security right: developing a cloud-service governance framework, a federal cloud security strategy, and cloud-security technical reference architecture documentation. A well-thought-out, step-by-step approach to security can jumpstart cloud adoption.
Also, contractors that are cloud service providers (CSPs) should expect an expansion in the US government market for solutions that support zero-trust principles.
The EO seeks to improve the security of software by establishing baseline security standards for the development of software sold to the government — including requiring developers to maintain greater visibility into their software and making security data publicly available. The EO stands up a concurrent public-private process to develop new and innovative approaches to secure software development and uses the power of federal procurement to incentivize the market. Finally, it creates a pilot program to create an “Energy Star” type of label so the government and the public can quickly determine whether software was developed securely.
This section of the EO will require the most change from IT providers. Recent cyber espionage campaigns underscored an insufficient focus on “the ability of software to resist attack,” as the EO describes it. The development of commercial software is opaque to most, and controls are inadequate to prevent tampering by malicious actors. Of particular concern is the security and integrity of “critical software” — software that performs functions critical to trust, such as affording or requiring elevated system privileges or direct access to networking and computing resources.
Software providers should be prepared to provide input on software supply chain security. The EO specifically directs the NIST director to solicit input within 45 days from the private sector, academia and others, in addition to the federal government, to help identify existing or develop new standards, tools and best practices.
Standards, procedures and criteria will be developed for a secure software development lifecycle. Providers of commercially-off-the-shelf (COTS) and non-COTS software will need to meet, audit/assess and attest to compliance against requirements including:
separate build and development environments
mapping and monitoring dependencies and interactions between systems (“trust relationships”)
conducting and remediating vulnerability scans prior to release
voluntarily disclosing vulnerabilities
Software Bill of Materials (SBOM), which includes enumerating and maintaining an inventory of open-source and commercial libraries and components used by the software.
The EO directs the pilot of a consumer labeling program, based on criteria for IoT cybersecurity and secure software development practices. The process and requirements for this will be defined over the coming months by the Federal Trade Commission (FTC).
Questions remain regarding the impact of these requirements on innovation. Will they limit the government's access to cutting-edge software?
The EO establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads. The board may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.
This is expected to operate similarly to the National Transportation Safety Board’s (NTSB’s) investigations into major transportation incidents, and it will include participation from the private sector. The details concerning what incidents this review board will participate in have not yet been determined.
The EO calls for a standard set of operating procedures (playbook) and a set of definitions for cyber incident response by federal departments and agencies. The playbook will help ensure that all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.
Standardized playbooks used by government agencies will likely speed up the response and investigative process. Currently, the cybersecurity vulnerability and incident response procedures vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies. Standardized response processes could lead to centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.
Great resolve and good ideas in executive orders need to be translated into rules and standards. What are the important milestones?
Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
Cyber & Privacy Innovation Institute Leader, PwC US