On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, which we previewed in a recent post, into law. The fifteen-page document includes various cybersecurity enhancement recommendations, such as the Software Bill of Materials (SBOM), and calls for the review and revision of governmental procedures, such as the Federal Acquisition Regulation (FAR), each with an associated timeline for completion. The document is not a straightforward read: the execution timelines are expressed as a number of days between a referenced milestone, such as the date of the executive order, and the required completion date of the presented recommendation. In this review, I have summarized the major sections of the order, but if you are interested in reading the entire executive order on improving the nation’s cybersecurity, you can find the PDF version on our website here.
The major sections in sequential order of appearance in the document are: Removing Barriers to Sharing Threat Information, Modernizing Federal Government Cybersecurity, Enhancing Software Supply Chain Security, Establishing a Cyber Safety Review Board, Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Government Networks, Improving the Federal Government’s Investigative and Remediation Capabilities, and National Security Systems.
Removing Barriers to Sharing Threat Information is mainly aimed at contractors and service providers to the Federal government. By July 12, 2021, the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract language and requirements will be reviewed and updates recommended. By October 12, 2021, these proposed updates will be published for public comment. Another interesting note in this section is the timing of the reporting of cyber incidents, which is based on a graduated scale of incident severity, with the most severe incidents requiring reporting within three (3) days of initial detection.
Modernizing Federal Government Cybersecurity is about moving toward a zero-trust infrastructure and the Federal government’s adoption of cybersecurity best practices. By August 2021, a federal cloud data security strategy, a technical framework guide for data protection, and an incident response plan will be developed. By November 12, 2021, multi-factor authentication and data encryption will be adopted.
Enhancing Software Supply Chain Security is aimed at enabling transparency of commercial software by revealing the components it contains and the risks associated with them. By July 12, 2021, standards, tools and best practices will be identified to accomplish this transparency mission. By November 12, 2021, preliminary guidelines based on that initial investigation will be published. The Secretary of Commerce shall then issue guidance, including standards, procedures or criteria based on the preliminary guidelines, by February 12, 2022. This guidance shall include requirements to maintain accurate and up-to-date data on software and third-party components; to provide a Software Bill of Materials (SBOM) to purchasers, either directly or by publishing it on a website; to employ automated tools that check for known and potential vulnerabilities, which shall run regularly and at a minimum prior to each product, version or update release; to generate and provide artifacts that demonstrate conformance to the guidance; and others.
Establishing a Cyber Safety Review Board assembles a board of public and private leaders convened by the Secretary of Homeland Security to review and assess, with respect to significant cyber incidents, threat activity, vulnerabilities, mitigation activities, and agency responses.
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents develops a set of standard operating procedures by September 12, 2021, incorporating all appropriate National Institute of Standards and Technology (NIST) standards, frameworks, and recommendations.
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Government Networks implements a federal cybersecurity incident detection and response system by June 12, 2021.
Improving the Federal Government’s Investigative and Remediation Capabilities provides recommended requirements for logging data about cyber incidents by May 26, 2021. Retention of those logs and their submission to the Secretary of Homeland Security upon request are also included.
National Security Systems requires that the Secretary of Defense adopt requirements equivalent to, or exceeding, the recommendations of this executive order by July 12, 2021.
In summary, the executive order offers sweeping recommendations across various areas of Federal government, and we have summarized some of the key points of the major sections in this document. For recommendations on how best to interpret the requirements of the executive order so that you can begin preparing your organization, download our healthcare-specific guide – How to Prepare for the Cybersecurity Executive Order.
Founded in 2019, Vigilant Ops is an innovator in the medical device cybersecurity industry. Led by seasoned medical device cybersecurity experts with more than forty years of combined experience, Vigilant Ops provides medical device manufacturers and hospitals with unprecedented insight into device risk profiles, enabling proactive management of threats before they impact the quality of patient care.