On May 12, 2021, the White House issued an Executive Order on Improving the Nation’s Cybersecurity. For a quick primer, check out our tl;dr on the Executive Order we released shortly after the announcement. This is a large order with widespread cybersecurity implications for all agencies within the US Government, as well as its suppliers.
“The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).” (Section 1)
The Executive Order will drive collaboration and information sharing between the federal government and its suppliers, as well as the adoption of modernized security practices on-premises, in the cloud, and throughout the software supply chain, all with a Zero Trust approach.
It also covers how the Federal Government will continuously enhance cybersecurity practices over time through the establishment of a Cybersecurity Safety Review Board.
Collaboration & Information Sharing
When an attacker targets an organization, they look for the weakest point to compromise. If an opportunity cannot easily be found because of a strong security posture, the next step is often to look at where that organization has points of trusted third-party access, such as suppliers, vendors, or other service providers. Not only does this raise the importance of protection and detection at those trusted points, but the entire security posture of that third-party organization creates transitive risk for the target organization. With regard to the Federal government, awareness of which threats are targeting its trusted third parties allows it to better defend its own resources and data.
Being prepared for, and responding to, attacks by malicious actors is a reality that every organization, and every user with a system connected to the Internet (and some that aren't), must face. Nonetheless, sharing the details of security events can carry liability. The incentive to share for the sake of a stronger collective security posture and faster response to threats is diminished by that liability and the repercussions of disclosing such information. As a result, restrictions and limitations on information sharing are often written into contractual agreements between trusted third parties to mitigate this business risk.
In this Executive Order, the Federal government describes a process by which it will propose and put in place new contractual requirements covering both information sharing and supplier cybersecurity. The Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) govern many procurement practices for government agencies. The FAR Council will, in partnership with other parts of the government, review and propose new language to remove the contractual barriers to sharing information. Through FAR updates, the Federal government intends to standardize on a central set of guidelines and requirements for timely information sharing, simplifying how suppliers collaborate on threats with many agencies going forward.
Where possible, the Federal government intends to leverage industry-recognized formats for discussing threat and attack information. The Executive Order states the intent to propose contract language around “the nature of cyber incidents that require reporting” (Section 2. g.i.A), acceptable time periods, “appropriate and effective protections for privacy and civil liberties” (Section 2. g.i.C), and “the type of contractors and associated service providers…” (Section 2. g.i.F) as a few key areas.
In the upcoming months, the FAR Council intends to publish recommendations for standardized contractual changes, which will be open for public commentary.
Modernizing Cybersecurity Practices
Like the requirements and guidelines for information sharing, cybersecurity practice improvements receive heavy focus in the Executive Order. The Order addresses key cybersecurity areas that are core to a modern and mature security posture.
Section 3 starts by stating the need to “advance toward Zero Trust Architecture; accelerate movement to secure cloud services…[and] centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.” (Section 3.b.ii) The order calls for agencies to follow “as appropriate, the migration steps that the National Institute of Standards and Technology (NIST)…has outlined in standards and guidance.” This is likely referring to the NIST publication SP 800-207 Zero Trust Architecture (ZTA), released in August 2020.
The order also addresses the need for a Federal cloud security strategy, which incorporates ZTA practices into its plan. With this cloud security strategy, we can look forward to the publication (for public review) of:
- An overall cloud security strategy
- A technical reference architecture
- A cloud service governance framework
These three artifacts, to be released in the coming months, will cover the risks posed by using cloud services, “recommended approaches to cloud migration and data protection” (Section 3.c.ii), and a “framework…[to] identify a range of services and protections available to agencies based on incident severity. That framework shall also identify data and processing activities associated with those services and protections.” (Section 3.c.iii)
In addition to the promise of these guiding documents, the Federal government has directly stated in the order that “within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit.” (Section 3.d) Government agencies will be moving quickly to implement these capabilities by November 8, 2021.
Alongside the development of these guiding cloud security artifacts, the Federal government will begin work to modernize FedRAMP by (Section 3.f.i - Section 3.f.v):
- Developing a new FedRAMP training program
- Improving communication with Cloud Service Providers (CSPs), with a focus on automation and standardization
- Implementing “automation throughout the lifecycle of FedRAMP, including assessment, authorization, continuous monitoring, and compliance” (Section 3.f.iii)
- Prioritizing digitization of documentation and onboarding for FedRAMP compliant vendors
- Mapping relevant frameworks onto updated FedRAMP requirements in order to simplify the FedRAMP authorization process where possible
This update to FedRAMP will begin within 60 days of this Executive Order (by July 11, 2021), with no timeframe yet for when these updates will be released to the public.
Software Supply Chain Security
As mentioned above, when an attacker targets an organization, they look for the weakest point to compromise. If an opportunity cannot easily be found because of a strong security posture, another common step is to look at what third-party software and tools that organization uses. As evidenced by the SolarWinds attack, successfully compromising a piece of the supply chain can have devastating and far-reaching consequences. The more organizations use a tool or piece of software, the farther a compromise of that software will reach.
To address this, the Federal government is looking to its public and private partners. They are soliciting input to “identify existing or develop new standards, tools, and best practices for” a number of key software security objectives (Section 4.b):
- Securing software development environments (Sec 4.i)
- Employing automated tools:
  - to maintain trusted source code (Sec 4.iii)
  - that regularly check for and remediate known vulnerabilities (Sec 4.iv)
- Tracking the origin of software code or components, and controls on all components of internal and third-party software
- Participating in a vulnerability disclosure program
- Providing documentation for and attesting to practices that support these objectives, again with a focus on automation
In 2020, we published an article on Shifting Application Security to the Left, and in that article you will find a number of the examples that the Executive Order calls out for securing software development environments. Specifically, the Executive Order states that we can expect these examples in published guidance (Section 4.e.i.A - Section 4.e.i.F):
- “Using administratively separate build environments
- Auditing trust relationships
- Establishing multi-factor, risk-based authentication and conditional access
- Minimizing dependencies on enterprise products that are…used to develop, build, and edit software
- Employing encryption for data
- Monitoring operations and alerts and responding to attempted and actual cyber incidents”
The Federal government will be publishing minimum standards for vendor software testing; some examples of what to expect are code review, SAST, DAST, and penetration testing. (Section 4.r) To aid customers and consumers of software in making risk-based decisions about what services they bring into their environment, there will be a framework for labeling and categorizing software that has met a certain standard of security practices. (Section 4.t) This will be a consumer software labeling program, potentially including a tiered software rating system based on security practices. (Section 4.u) It will include incentive programs, and we can look forward to published public guidance on what practices to follow to develop secure software going forward.
Incident Response Playbook
The Federal government will be re-evaluating and standardizing its internal Playbook for responding to cybersecurity incidents and vulnerabilities. (Section 6.a) This update to the playbook will incorporate all appropriate NIST standards. (Section 6.b) This likely refers to the NIST Cyber Security Incident Handling Guide (Rev 2) published in August 2012, or perhaps we can expect a new revision of that document as a result of this evaluation and update. The Playbook will define key terms to standardize language, concepts and process as much as possible, providing a shared lexicon across government agencies that will further improve collaboration. (Section 6.g)
The Executive Order states that the Playbook shall “articulate progress and completion through all phases of an incident response, while allowing flexibility so it may be used in support of various response activities.” (Section 6.b.iii) This broader use and flexibility of the incident response process is a great callout. When responding to and remediating incidents, the nuances and specific actions change with the nature of the incident, but the overall flow of how to address it and improve your posture remains largely the same. NIST’s Cyber Security Incident Handling Guide covers the high-level steps for handling an incident, and remains a framework to aspire to for incident response teams across the industry.
The Executive Order goes on to address detection and remediation requirements, including the logging and data requirements that support these functions.
Incident Response - Detection
There will be an increased focus on early and proactive detection of, and visibility into, cybersecurity vulnerabilities and incidents. (Section 7.a) With this will come a new “Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents…active cyber hunting, containment and remediation, and incident response.” (Section 7.b) EDR is a powerful toolset where Infrastructure-as-a-Service (IaaS) and containerized deployments are employed. Using EDR well requires thought about how the agent is integrated into your CI/CD pipeline and how you programmatically build your instances.
Incident Response - Remediation
The Executive Order states that “network and system level logs on…systems (both on-premise and when hosted by third parties, such as CSPs) is invaluable for both investigation and remediation purposes” (Section 8.a), and this could not be more true. One thing the Executive Order does not mention is that platform-level logging, meaning CSP API and audit logs, is equally important.
The Federal government will produce “recommendations on requirements for logging events and retaining other relevant data…[to] include” (Section 8.b):
- Log types
- Retention time periods
- Log protection
Here the order explicitly states the need to protect logs by “cryptographic methods to ensure integrity once collected and verified against the hashes throughout their retention. Data shall be retained in a manner consistent with all applicable privacy laws and regulations.” (Section 8.b)
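The Section 8.b requirement above, hashing logs once collected and re-verifying them against those hashes throughout retention, as an added illustration that is not from the order or the original post: a SHA-256 hash chain over constructed sample log lines, where the final (head) digest is assumed to be stored separately from the log store (for example signed or escrowed) so that truncation is detectable as well as edits and deletions.

```python
import hashlib
import hmac

SAMPLE_LOGS = [  # constructed sample log lines, not taken from any real system
    "2021-11-08T10:00:01Z auth sshd[412]: Accepted publickey for svc-deploy from 10.0.4.7",
    "2021-11-08T10:00:09Z audit iam: role/ReadOnly assumed by user alice",
    "2021-11-08T10:01:22Z api s3: PutBucketPolicy bucket=finance-archive principal=alice",
]
GENESIS = "0" * 64  # digest used as the "previous" value for the first record

def _link_digest(prev_digest, line):
    # Each record's digest binds the line to the digest of the record before it.
    return hashlib.sha256((prev_digest + "\n" + line).encode("utf-8")).hexdigest()

def seal_logs(lines, previous_digest=GENESIS):
    """Build a hash chain over log lines at collection time. Editing, deleting or
    reordering any record changes every digest after it."""
    chain, prev = [], previous_digest
    for seq, line in enumerate(lines):
        digest = _link_digest(prev, line)
        chain.append({"seq": seq, "line": line, "prev": prev, "digest": digest})
        prev = digest
    return chain

def head_digest(chain, previous_digest=GENESIS):
    """The last digest in the chain; keep it outside the log store (signed or
    escrowed, an assumption of this example) so truncation is caught."""
    return chain[-1]["digest"] if chain else previous_digest

def verify_chain(chain, expected_head, previous_digest=GENESIS):
    """Re-derive every digest. Returns (True, None) when intact, otherwise
    (False, seq) where seq is the first record that fails, or len(chain) when
    records were removed from the end."""
    prev = previous_digest
    for idx, entry in enumerate(chain):
        expected = _link_digest(prev, entry["line"])
        if entry["seq"] != idx or entry["prev"] != prev \
                or not hmac.compare_digest(expected, entry["digest"]):
            return False, entry["seq"]
        prev = entry["digest"]
    if not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None

if __name__ == "__main__":
    sealed = seal_logs(SAMPLE_LOGS)
    head = head_digest(sealed)
    print("intact:", verify_chain(sealed, head))
    sealed[1]["line"] = sealed[1]["line"].replace("alice", "mallory")
    print("after edit:", verify_chain(sealed, head))
```

A production deployment would additionally sign each head digest or forward it to a separate write-once store, since an attacker with write access to both the records and the chain could recompute it.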
Following these recommendations, expect policies to implement these logging requirements in a centralized and highly visible way, ensuring access to the appropriate entities especially where the Federal government may need to collaborate in the case of a Cybersecurity Incident. These practices will also be evaluated by the FAR Council, and vendors and suppliers could see such requirements proposed in contracts in the future.
What does this mean for you? If you are part of a government agency, or a supplier or vendor who does business with the Federal Government, then you will need to start preparing to meet the explicitly stated and upcoming requirements outlined in this Executive Order. If you are in the private sector but do not do business with the Federal government, this Executive Order will still shift the expectation for compliance and security adherence for your business. As outlined in our Cybersecurity Executive Order tl;dr, industry pressure and competition will eventually force compliance indirectly.
Incorporate Zero Trust into your long-term roadmap. Incorporate these upcoming cloud and software security requirements into your cloud practice, secure SDLC and DevSecOps pipelines. Proactivity now will pay off later!