Where Are We Now With the Executive Order on Cybersecurity?
The past year and a half has been full of news headlines, to say the least, from inflation to war — and let’s not forget the pandemic. But one story that may have been forgotten was the Colonial Pipeline ransomware attack in May 2021. Reaching beyond the headline itself is the incident’s longer-term impact on U.S. cybersecurity, not just for federal government agencies, but also on the security industry as a whole. A culmination of cyber events resulted in the signing of an executive order on cybersecurity that includes provisions to protect against future attacks by uniting public and private efforts behind Zero Trust architecture and multi-factor authentication (MFA).
Why Did the Biden Administration Release an Executive Order on Cybersecurity?
Here’s a reminder of what led to the executive order. On May 7, 2021, attackers breached the Colonial Pipeline network through an exposed password for a VPN account and began a ransomware attack. That same day, once Colonial Pipeline became aware of the breach, the petroleum pipeline (the largest in the U.S. carrying 2.5 million barrels a day from Texas to New Jersey) was taken offline to reduce risk of exposure to the larger operational network.
As a result of the network going offline, many consumers panicked, driving up gas prices and leading to shortages along the East Coast of the United States. To end the attack, Colonial Pipeline paid a 75-Bitcoin ransom ($4.4M USD) to get their data back. Once the attack ended, the FBI confirmed the hacker group DarkSide as responsible for the attack. DarkSide is known to be tied to operations in Eastern Europe, although they are not confirmed as connected to an official government entity.
This attack was the proverbial last straw that spurred the government into action. Although the Colonial Pipeline attack didn’t have as direct an impact on government agencies as the SolarWinds and Microsoft Exchange attacks of 2020, the impact on critical infrastructure and American citizens drove the Biden administration to issue Executive Order 14028 (EO 14028) on May 12 — just 5 days later — designed to “improve the nation’s cybersecurity and protect federal government networks.”
What Exactly Is EO 14028?
Executive Order (EO) 14028: Improving the Nation’s Cybersecurity serves as a stake in the ground and call to action for government agencies and private firms for “modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.”
In sum, the key points of EO 14028 state that the executive order will:
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector
This section of the EO signifies that IT service providers must share information with the government, including details regarding cybersecurity threats and breaches.
- Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
This section is of paramount importance to the executive order, requiring agencies within the Federal Government to secure cloud services used by adopting a Zero Trust security model and deploying multi-factor authentication (MFA) and encryption.
- Improve Software Supply Chain Security
This section of the EO establishes security standards for organizations and developers who create software sold to the government, meaning that providers have new security requirements to implement. It also introduces a pilot program to create a label for software that indicates it was developed securely and according to standards, thus creating a Software Bill of Materials or SBOM.
- Establish a Cyber Safety Review Board
This section establishes a Cyber Safety Review Board to review significant incidents and drive recommendations to improve cybersecurity. This board is similar to the National Transportation Safety Board, which is used after airplane accidents and other incidents.
- Create Standardized Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
This section creates an incident response playbook for federal departments and agencies. The playbook is designed so all agencies take common steps to identify and mitigate threats. Just as importantly, the playbook will “serve as a template for the private sector to use in coordinating response efforts.”
- Improve Investigative and Remediation Capabilities
This section mandates cybersecurity event log requirements for agencies to detect, mitigate and determine an incident’s extent.
While all of these points are important, two of them are designed to accelerate cybersecurity modernization most directly: 1) moving the Federal Government to adopt a Zero Trust security model and 2) mandating the deployment of MFA and encryption. As such, federal agencies are required to “achieve certain specific Zero Trust goals by the end of FY 2024.”
The Role of Zero Trust Security and MFA in the Executive Order on Cybersecurity
To support agencies in their transition to Zero Trust, the government’s Cybersecurity and Infrastructure Security Agency (CISA) created a Zero Trust Maturity Model guidelines document.
In it, they use NIST’s definition of Zero Trust and Zero Trust architecture (ZTA):
Zero Trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. ZTA is an enterprise’s cybersecurity plan that uses Zero Trust concepts and encompasses component relationships, workflow planning, and access policies. Therefore, a Zero Trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a ZTA plan.
A critical point of the Zero Trust model is to leverage multi-factor authentication and encryption technologies such as PKI; MFA uses different factors to verify identity before granting access to software, systems or data. While you may encounter MFA for your company network, accessing your bank account, or even your favorite streaming service, not all Government agencies have implemented this – meaning that private companies that supply these types of solutions and services must ensure their offerings meet the mandate’s requirements. In fact, the EO requires amendments to the Federal Acquisition Regulation (FAR) to align with its requirements, so that federal agencies only purchase software in compliance with the stricter cybersecurity requirements. To support this, a January 2022 report from the Linux Foundation says that, “Overall, more than 80% of organizations worldwide are aware of this White House executive order and 76% of organizations are considering changes as a consequence of this executive order.”
With the requirement for Federal agencies to achieve Zero Trust goals in 2024, you may wonder – what’s been going on since the Executive Order was issued?
A Month-By-Month Review of Government Actions in Response to the Executive Order on Cybersecurity
While the Colonial Pipeline incident and corresponding Executive Order may have grabbed the headlines, a lot of behind-the-scenes work has taken place since May 2021. The National Institute of Standards and Technology (NIST) issued a white paper providing a definition of critical software, along with guidance outlining security measures for the critical software it defined and guidelines recommending minimum standards for vendor verification of their software source code. The Office of Management and Budget (OMB) detailed a phased approach for the implementation of the NIST guidance, along with a draft Zero Trust architecture strategy that provided a common roadmap for all agencies to achieve the outlined goals by 2024. CISA issued two playbooks, one for cybersecurity incident response and one for vulnerability response, relevant to all Federal agencies and related contractors. And those were just the highlights from 2021. To help you digest progress to date, Inside Government Contracts publishes a summary of activity by month; the related activities for 2022 are summarized below:
- January 2022: Two key developments kicked off the new year. The first was President Biden’s issuance of National Security Memorandum-8, which outlines requirements for National Security Systems (NSS) that meet or exceed cybersecurity requirements mandated in the original EO. One key takeaway from this memo is that companies who contract with the Department of Defense (DoD) and other national security agencies must meet outlined national security requirements. The second development was the issuance of OMB’s final Zero Trust strategy, which requires agencies to achieve specific Zero Trust goals by September 30, 2024. One key requirement is that MFA must be enforced at the application layer instead of the network layer.
- February 2022: In adherence to Section 4 of the EO, NIST issued its Supply Chain Security Guidance. These guidelines are highly relevant beyond federal agencies in that they impact providers of software to ensure their products meet minimum recommendations.
- March 2022: OMB released a document detailing how agencies should implement its software supply chain security guidelines. Important to the private sector is the requirement to follow best practices that reduce software vulnerabilities.
- April 2022: NIST released three documents providing guidelines that detail how organizations can better secure applications run in the cloud, as well as hardware-enabled security.
- May 2022: In addition to NIST issuing final guidance on supply chain risk management, a House Committee held a hearing to review progress made on implementing the cyber EO.
- June 2022: On June 7, NIST issued its final draft, Engineering Trustworthy Secure Systems, which “provides a basis for establishing a discipline for systems security engineering.”
- July 2022: OMB released its memorandum outlining its cybersecurity priorities to help agencies build their FY 2024 budget submissions. These include areas directly outlined by the EO, including Zero Trust implementation, IT modernization and cross-agency collaboration.
Complying With the Executive Order on Cybersecurity
While the impact from EO 14028 falls most squarely on government agencies, there are implications for the private sector. For software providers, on top of keeping up with evolving requirements from government agencies, one of their biggest actions since the EO was issued is to determine if their products/solutions meet the new cybersecurity specifications — and if not, whether they have the resources to do so ahead of the projected Q1 FY 2023 timeline, in which the General Services Administration (GSA) stipulates that “final Federal Acquisition Regulation (FAR) cases and implementation are to begin.”
For example, recent DoD data shows that only one in four defense contractors meet Pentagon cybersecurity standards to protect U.S. weapons systems from enemy hackers and that “three-quarters of the 220 defense contractors…failed to implement baseline cybersecurity controls.”
Relying on traditional, knowledge-based authentication alone, such as a username and password, may be easy to use but is not secure. In fact, it was a single stolen password that allowed the takedown of the Colonial Pipeline. While multi-factor authentication is a key component to achieving Zero Trust, it’s important to note that not all MFA models are created equal. Multi-factor authentication that combines what a user knows (a password or PIN), what a user possesses (a PKI- or FIDO-enabled card, key or smartphone) and what the user is (a fingerprint or faceprint) ensures greater security while maintaining a smooth user experience that doesn’t hinder adoption. It’s safe to assume that as the government marches toward its 2024 deadline for implementation, organizations offering solutions should consider how best to meet EO 14028 compliance and limit the risk of security incidents.
What’s Next? Budgets and Mid-Terms Might Delay Progress
As mentioned above, OMB released guidance in July 2022 to all federal civilian agencies outlining the administration’s cross-agency cyber investment priorities for the fiscal year 2024 budget, emphasizing that implementing Zero Trust architecture and IT modernization must be at the top of the list.
The Federal Zero Trust strategy requires agencies to:
- Achieve specific Zero Trust security goals by the end of FY 2024
- Attain a consistent enterprise-wide baseline for cybersecurity “grounded in principles of least privilege, minimizing attack surface and designing protections around an assumption that agency perimeters should be considered compromised”
- Demonstrate their commitment to Zero Trust by reflecting it in their budget requests
- Prioritize technology modernizations that lead with security integrated during the design phase, as well as throughout the system lifecycle
So far, agencies have submitted their Zero Trust plans to OMB, but what stands in the way of the FY 2024 budget requests is a lingering FY 2023 budget that still needs to be hammered out in Congress. As of the time of this blog’s publication, only six of the 12 appropriations bills have passed the House and none have passed the Senate. A Continuing Resolution (CR) extending into 2023 is becoming more likely and could stall efforts on drafting a budget for FY 2024.
This stall in the budget process is likely connected to the upcoming midterm elections in November. In the meantime, government agencies continue to implement the technology and mechanisms required by the variety of guidelines and mandates issued.
At this stage, time, budget and the greater cyber landscape will tell how far and how fast the full requirements of the EO are actually implemented. In time we will likely see Inspector General and Government Accountability Office (GAO) reports on adherence, but departments and agencies must recognize that the journey to Zero Trust starts with securing our systems and people.
For more insights on how legislation is affecting the security and identity industry, read the Security & Identity Trends blog. You can also get the latest information on identity and access management delivered to your inbox by subscribing to the IAM blog.