Wednesday, the White House released an 18-page Executive order on cybersecurity. Although the timing was excellent - the attack against the Colonial Pipeline left many in the Eastern US panicking for gasoline - the document was months in the making and sorely needed. Here ScaleSec breaks down the most important parts of the order and provides steps that you can take immediately to work towards compliance.
What is the Executive order?
This order aims to establish and codify a cybersecurity stance for all software and cloud technology used by the federal government, including third parties. Currently, individual, private-sector frameworks (like SOC 2 and the ISO 27000 series) and multiple, comprehensive federal guidelines (FedRAMP, NIST) cover various organizations, but with different purposes, laws, and requirements. This order clarifies acceptable cybersecurity for many in both the public and private sectors.
I’m in the private sector! This doesn’t affect me.
It can! The order covers third parties, as well as providers to many agencies. If a business isn’t impacted directly, the industry pressure and competition will eventually force compliance in other ways. Proactivity now will be beneficial later; not to mention, security should be a concern for everyone.
What are the specifics? What can I do right now?
The order sets timelines to develop various standards around incident reporting timelines, appropriate encryption practices, environment segregation, auditing, and more. Specifics will become available in the next few months, but several items can be expected:
Adherence to CSP Best Practices
The order mentions the need to standardize the usage of cloud service providers (CSPs) and their role within cybersecurity. Because AWS, Google Cloud, and Azure are authorized for government use under FedRAMP, it wouldn’t be surprising to see mandates that reflect CSPs’ existing security best practices.
- What you can do: Review your cloud architecture. Misconfigurations are a common cause of sensitive data leaks and ransomware. Gap assessments, system inventory, and formal architecture reviews are great ways to find areas for improvement you may otherwise miss. Major cloud providers include native tools to assess your environment quickly (AWS Security Hub, Google Cloud Security Command Center, or Azure Security Center, for example).
MFA, Encryption, Logging
At rest or in transit, data will need to be encrypted. Access to data needs to be restricted to a minimum, and there need to be logs - lots of quality logs.
- What you can do: If you haven’t implemented MFA, encryption at rest and in transit, and standard logging - begin working towards compliance in those areas. Again, it may be easier to follow the best practices set forth by a CSP as a guide to compliance.
A Lot of NIST
The Director of NIST is responsible for many components of the Executive order, including using the “migration steps,…standards and guidance” provided within their Zero Trust Architecture. Further, the Playbook (essentially an SOP of cybersecurity) to be released later this year will “incorporate all NIST standards.”
- What you can do: Review NIST! If you’re unfamiliar with NIST and the associated frameworks, the NIST Cybersecurity Framework (CSF) is a great place to start. CSF offers broad coverage and can be scaled to organizations of all sizes. Additionally it helps you prepare for more stringent and comprehensive NIST frameworks, such as SP 800-53.
Automation is critical to achieve compliance at scale. Endpoint detection, incident response, threat hunting, and deployment pipelines are all within the scope of the order, with deadlines for notification of breaches to be established. If this work is being done manually, it will be exceedingly difficult to comply.
- What you can do: Work towards automation. Easier said than done, but again, work towards best practice. Start by documenting your manual processes. How are threats detected and remediated? Is a pipeline in place? How are updates managed? Even the smallest infrastructure benefits from automation.
The order specifically mentions the right to conduct audits without warning using third-party providers or external agencies.
- What you can do: Conduct a mock audit. While holding an organization immediately accountable to a framework they haven’t used may seem like an exercise in futility, useful lessons can come out of it. ScaleSec frequently uncovers small but critical shortcomings when preparing customers for audit; everything from improper policies and procedures to undocumented deployment processes. Use this close inspection as a stepping stone to improvement.
There’s a lot of content in the Executive order, but the majority of critical information is yet to come. Various deadlines for procedures, requirements, and implementation will occur over the next year, changing the understanding of cybersecurity in the public sector each time. The above action points can be a great first step, though, allowing for a headstart in critical security planning. Remember, security is beneficial to everyone, regardless of business sector!