The cyber attack on the Colonial Pipeline may have been the straw that broke the camel’s back when it comes to the federal government and how cybersecurity will be addressed in the future at the national level. In an effort to deter future attacks, President Biden issued his Cybersecurity Executive Order on May 12. The intent of this order is simple – protect America as a whole from future cybersecurity attacks. However, implementing the order will be anything but simple.
Protecting Cyber Means Contractor Partnerships
To follow through with the executive order, the federal government must partner with its contractors. As the DoD already found out, the computer network systems of many of its prime and subcontractors were the weakest links in the supply chain and provided the easiest access for ransomware attacks. In response, the DoD started its CMMC (Cybersecurity Maturity Model Certification) initiative 18 months ago – a process under which contractors will eventually have to have passed a level of cybersecurity assessment commensurate with their criticality to the supply chain if they want to receive future contracts.
Implementation of cybersecurity recommendations had been voluntary in the past, but because the DoD found contractor access controls were not as strong as they should have been, implementation will be mandatory once the program is up and running – expected in Fall 2021.
Recent Cyber Attacks
Recent ransomware attacks, including Colonial Pipeline, pointed out that across the board, past incremental changes in both the private and government sectors have been neither broad enough nor implemented fast enough to protect us. In response, the Federal government is leading the charge with this Cybersecurity Executive Order and will shortly make significant changes mandatory in an effort to secure its computer systems and the systems of its contractors. The end goal is a hardened IT chain – one so hard, in fact, that it will be more profitable for ransomware attackers to prey on other countries that are less prepared and more vulnerable. To show the scope of these attacks, of the 423 known ransomware attacks in 2020/21, 370 were against the United States. Clearly, we are too easy a target, and we pay well.
To that end, the Enhancing Software Supply Chain Security section of the Executive Order includes specified timelines:
- 30 Days
  - Identify existing (or develop new as necessary) standards, tools, and best practices for complying with the standards and procedures.
  - Identify, and make available to agencies, a list of categories of software and software products authorized for use in the acquisition process.
- 45 Days
  - Recommend updated contract language to the Federal Acquisition Regulation (FAR) Council.
  - Publish the definition of the term “critical software” for inclusion in the forthcoming guidance.
- 60 Days
  - Review and make recommendations on contract requirements and language.
  - Review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend changes to the FAR Council for standardized contract language.
  - Publish guidelines recommending minimum standards for vendor testing of their software, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).
- 90 Days
  - The FAR Council reviews recommendations and publishes them for public comment.
  - Develop a federal cloud-security strategy and provide guidance to agencies accordingly. Such guidance seeks to ensure that risks from using cloud-based services are broadly understood and effectively addressed.
  - Move Federal agencies closer to a Zero Trust Architecture*.
  - Issue guidance identifying practices that enhance the security of the software supply chain.
- 120 Days
  - Direct federal government service providers to share data with CISA and the FBI so that the government can better respond to cyber threats, incidents and risks.
- 180 Days
  - Adopt multi-factor authentication and encryption for data to the maximum extent consistent with Federal records laws and other applicable laws.
  - Publish preliminary guidelines, drawing on existing documents as practicable, for enhancing software supply chain security and meeting the requirements laid out in this Executive Order.
- 270 Days
  - Identify secure software development practices or criteria for a consumer software labeling program and consider whether such a consumer software labeling program may be operated in conjunction with or modeled after any similar existing government programs, consistent with applicable law.
- 1 Year
  - Provide the President a report that reviews the progress made under this section and outlines additional steps needed to secure the software supply chain.
  - Publish additional guidelines that include procedures for periodic review and updating of the guidelines.
Good for All – Not Just Target Audience
Though this executive order targets the government and its contractors, all businesses should conform to these new requirements, along with scheduled periodic reviews, to ensure compliance with the latest data security mandates and reduce the threat of a ransomware cyber-attack.
Note, timelines referenced are from the date of the Executive Order – May 12.
* – Zero trust architecture uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to a focus on individual users, assets and resources. In other words, move away from the one-size-fits-all mentality.