I Read The Entire Cybersecurity Executive Order... Here's What You Need To Know
Cybersecurity is hard enough. Doing it across federal agencies is a mammoth task.
As you probably know, the US experienced a cyber-attack against its critical infrastructure. In response to the attack, President Biden signed an executive order to improve our cybersecurity posture. I read the entire document; here is what you need to know.
Zero-Trust Architecture has center stage
Multi-Factor Authentication Will Be Standardized
Security expectations when doing business with the government are dramatically increasing, including a Software Bill of Materials
Executive support of information security is essential
This is a really brief rundown of the executive order from my perspective as a fractional CISO for startups, geared towards startup executives and leaders looking to improve their security.
Many other people and organizations with more time may have written something deeper and more thorough, so feel free to read those. This summary and the executive order itself may be particularly important to you if you ever plan on doing business with the federal government.
Zero Trust Architecture
If you’ve been reading this newsletter and my other rants/posts on LinkedIn for a while, you’ll know that I’ve been talking about Zero Trust for quite some time. It’s a complicated topic for the uninitiated, and although it’s a buzzword, it is central to implementing least privilege throughout your ecosystem.
In the executive order, they were nice enough to create a “definitions” section, and I like their definition of the term:
the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment. This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.
In layman’s terms, access and privileges will be reviewed and scrutinized much more closely, and where you may have been given admin access previously, that decision will (should) no longer be taken lightly.
Multi-Factor Authentication (MFA) Is A Minimum
One of the most significant sections of the executive order is the requirement for all federal agencies to adopt multi-factor authentication within six months (180 days) of the order being signed. Along the same lines, Google recently announced that it will one day make MFA standard for everyone.
Sometimes enabling MFA will save you $$$ on your cyber insurance.
The takeaway is that MFA is no longer merely an option. It’s a requirement and should be fundamentally available everywhere.
Software Bill Of Materials
This was probably the most interesting portion of the order. Software companies will be required to publish a “Software Bill of Materials” (SBOM) detailing the elements used to create and deliver the software product. The details of what should be in this SBOM are still not clear, but the idea seems very promising, and as a security practitioner responsible for reviewing the security of third parties, it would make my job a lot easier. I could ask specific questions about their tech stack instead of keeping things general.
Unfortunately, I don’t expect this SBOM to be very detailed beyond providing a list of open-source and closed-source software. Here is what I would require if it were up to me:
Language used for developing software
Modules used and version numbers
Infrastructure presence
Datacenters in use
Cloud platforms in use
Operating Systems and versions in use in production
Bonus:
Infrastructure diagram with networking layout
The Secretary of Commerce is supposed to publish the minimum elements of an SBOM within 60 days of the executive order, so let’s see.
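To make the wishlist above concrete, here is an added example (not code from the original post or from any government guidance) of the kind of reviewer-side check such an SBOM would enable: it parses a vendor SBOM laid out with the fields listed above and flags missing sections, unpinned modules, modules below a version floor, and end-of-life operating systems. The SBOM contents, module names, version floors and end-of-life list are all constructed placeholders.

```python
import json

# Constructed vendor SBOM in the shape the post's wishlist describes (not a real product).
SBOM_JSON = """{
  "language": "python",
  "modules": [
    {"name": "example-http", "version": "2.3.1"},
    {"name": "example-yaml", "version": "5.1.0"},
    {"name": "example-crypto"}
  ],
  "infrastructure": {
    "datacenters": ["example-colo-east"],
    "cloud_platforms": ["example-cloud"],
    "operating_systems": [{"name": "exampleos", "version": "16.04"},
                          {"name": "exampleos", "version": "20.04"}]
  }
}"""

# Reviewer policy: constructed placeholder version floors and end-of-life OS releases.
MIN_MODULE_VERSION = {"example-http": "2.4.0", "example-yaml": "5.1.0"}
EOL_OS = {("exampleos", "16.04")}
REQUIRED_INFRA = ("datacenters", "cloud_platforms", "operating_systems")

def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))

def review_sbom(sbom_text):
    """Return the findings a third-party reviewer would raise against the SBOM."""
    sbom = json.loads(sbom_text)
    infra = sbom.get("infrastructure", {})
    findings = []
    for key in ("language", "modules", "infrastructure"):
        if key not in sbom:
            findings.append(f"missing section: {key}")
    for key in REQUIRED_INFRA:
        if key not in infra:
            findings.append(f"missing infrastructure detail: {key}")
    for module in sbom.get("modules", []):
        name, version = module.get("name"), module.get("version")
        floor = MIN_MODULE_VERSION.get(name)
        if not version:  # unpinned: cannot be checked against any advisory
            findings.append(f"unpinned module: {name}")
        elif floor and parse_version(version) < parse_version(floor):
            findings.append(f"outdated module: {name} {version} < {floor}")
    for os_entry in infra.get("operating_systems", []):
        if (os_entry.get("name"), os_entry.get("version")) in EOL_OS:
            findings.append(f"end-of-life OS: {os_entry['name']} {os_entry['version']}")
    return findings
```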
Centralization And Executive Support Matter
The executive order also mandates the creation of a Cyber Safety Review Board, tied to Section 871 of the Homeland Security Act of 2002, so the board will last 2 years unless renewed. There is also a reference to a cybersecurity-related executive order that President Obama signed in 2016. I did not get a chance to read that order, but I am curious what is different this time around.
Centralizing information security initiatives is generally a good thing: it helps ensure initiatives are managed and establishes some level of consistency. The order also mandates that federal agencies report on some of the above directly to the Assistant to the President and National Security Advisor (APNSA). The review board will also report to, or be in direct contact with, the APNSA.
Additionally, executive support of infosec is paramount so that it gets the attention it deserves. However, nothing is foolproof, and the takeaway for me here is that we must continually iterate; otherwise we’ll stagnate and fail. I see a lot of past security initiatives, and I wonder how effective they were in a practical sense. If this executive order is followed through with consistency and a modern security mindset, then I see a lot of hope here.
A Software BOM is good. A services BOM is better. With whom are you outsourcing your storage, compute, identity, NLP, pattern recognition, etc? Who else touches my data or APIs or network or devices under your auspices? Give me something to audit and crawl to find data breaches, identity vulnerabilities, outages, etc.