Update on the Executive Order on Improving the Nation’s Cybersecurity

New executive orders on cybersecurity are always packed with positive-sounding actions with assigned deadlines. The Biden administration's EO on improving the nation's cybersecurity (EO 14028) came in the wake of the SolarWinds and Colonial Pipeline attacks. Its major components were a call for MFA, zero trust and EDR across federal agencies. It also established the Cyber Safety Review Board.

There were 47 action items with associated deadlines imposed in the May 12, 2021 cybersecurity executive order. Those deadlines ranged from 14 days to one year with several requirements for ongoing reporting. As of November 8, 2021, 37 of those deadlines have passed.

I have created a Google Sheet that lists all the tasks and deadlines here. Feel free to email me with comments/suggestions.

The first deadline was May 26, 2021. Section 8(b) of the executive order called on the secretary of the Department of Homeland Security to provide to the director of the Office of Management and Budget (OMB) recommendations on requirements for logging events and retaining other relevant data within an agency's systems and networks. Did that happen? What are those requirements? If you read deeper, you see that the recommendations are to cover which types of logs to keep, how long to retain them, and how to protect them: the order requires that collected logs be protected by cryptographic methods that ensure their integrity, and that log data be made available to CISA, among others. I know a few smart people who could sit down and design such a system in two weeks. But if two of those people worked on it together, it would take at least six weeks. If a working group was assigned to figure out what to log, how to protect it, how to use the protected data and how to share it with specific groups, it would take at least a year.

OMB published a memo on tiered requirements for logging (M-21-31) on August 27, 2021. It "establishes a maturity model to guide the implementation of requirements across four event logging (EL) tiers," running from EL0 (not effective) through EL1 (basic), EL2 (intermediate) and EL3 (advanced).

The next major deadline was for the secretary of DHS to provide to the director of OMB recommendations on options for implementing an EDR initiative, centrally located to support host-level visibility, attribution and response. That was due June 11, 2021.

On October 8, 2021, OMB published a memorandum (M-22-01) on this requirement, too. It sets the following deadlines for agencies and CISA:

  • Within 90 days, agencies shall provide CISA access to current enterprise EDR deployments or engage with CISA to identify future-state options.
  • Within 90 days, CISA shall develop a process for continuous performance monitoring to help agencies ensure that EDR solutions are deployed and operate in a manner that will detect and respond to common threats.
  • Within 90 days, CISA, in coordination with the CIO Council, shall provide recommendations to OMB on ways to further accelerate government-wide EDR efforts.
  • Within 90 days, CISA, in coordination with the CIO Council, shall develop and publish a technical reference architecture and maturity model for agency consumption.
  • Within 180 days, CISA, in coordination with the CIO Council, shall develop a playbook of best practices for EDR solution deployments to achieve government-wide operational visibility.

By June 26, 2021, the secretary of the Department of Commerce, working with the National Institute of Standards and Technology (NIST), was required to publish a definition of the term "critical software." NIST published its definition on June 24, 2021 and updated it on October 13, 2021. You can read the definition here. It is kind of hard to grasp. NIST frames it as software (or a direct dependency of software) with at least one of a short list of attributes: it runs with elevated privilege or manages privileges, has direct or privileged access to networking or computing resources, controls access to data or operational technology, performs a function critical to trust, or operates outside normal trust boundaries with privileged access. From my reading, it includes all software that has access privileges and connects to the network. So, pretty much everything except your desktop calculator.

On August 10, 2021, OMB issued a memorandum (M-21-30) that spells out agency requirements:

Government-wide implementation of NIST’s guidance for the use of critical software will be released through a phased approach. During the initial implementation phase, agencies should focus on standalone, on-premises software that performs security-critical functions or poses similar significant potential for harm if compromised. Such software includes applications that provide the following categories of services:

  • Identity, credential, and access management (ICAM);
  • Operating systems, hypervisors, container environments;
  • Web browsers;
  • Endpoint security;
  • Network control;
  • Network protection;
  • Network monitoring and configuration;
  • Operational monitoring and analysis;
  • Remote scanning;
  • Remote access and configuration management;
  • Backup/recovery and remote storage.

You will recognize that SolarWinds software, a network monitoring and configuration product, is definitely considered critical under this list.

With just these few examples, it appears that the cybersecurity executive order has kicked off a massive effort to comply in a timely manner. If the agencies are as quick to jump on these new requirements coming out of OMB, and if CISA can handle its assigned tasks, there are finally going to be dramatic improvements in the federal government's cybersecurity.

The implication is clear: government spending on cybersecurity is going to increase dramatically. Vendors of MFA, zero-trust and EDR solutions are going to do very well if they have positioned themselves to qualify for government contracts.

Next, I will check in on the progress of the Cyber Safety Review Board.

Richard Stiennon

Richard Stiennon is the author of Security Yearbook 2021: A History and Directory of the IT Security Industry. He has held leadership roles at PwC, Webroot Software, Fortinet, and Blancco Technology Group. He was a Research VP at Gartner. He researches and reports on 2,615 IT security vendors. His clients are vendors, investment firms, and CISOs at large enterprises.