September 13, 2021

Last Updated on January 19, 2024

In an effort to bolster US national security and protect our economy, President Biden’s recent “Executive Order on Improving the Nation’s Cybersecurity” will likely drive new security practices across both the private and public sectors. What changes does it advocate or mandate for government agencies—and potentially their corporate business partners?

To offer expert commentary on all aspects of the Executive Order, a recent episode of The Virtual CISO Podcast features Scott Sarris, EVP of Digital Transformation and Cybersecurity Advisory Services at Aprio. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as always.

According to Scott, “The Executive Order allows for information security policies that reflect a more aggressive posture in dealing with the security risks that the government faces.”

As the order states upfront, “The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” That’s a tall order (pun intended) for federal agencies.

The new/emphasized practices and approaches fall mostly under these major areas:

  1. Making it easier to gather and share threat intelligence, especially with the government’s own IT/OT service providers (e.g., cloud service providers). Many of the barriers are contractual, and the order mandates that the appropriate agencies move swiftly to recommend changes to current Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) contract language. As Scott comments, the order doesn’t directly address the challenges associated with the gargantuan amounts of data involved in the effort.
  1. “Modernizing” FedRAMP and moving it in the direction of Zero Trust Architecture. This includes five specific directives, ranging from “digitizing and streamlining documentation that vendors are required to complete” to “identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute.” Scott and John both see this emphasis on FedRAMP as an indication that, despite criticism, the program is here to stay and will be significantly improved.
  1. Putting more focus on cloud governance (aka “cloud ops”) to create fewer avoidable vulnerabilities, especially in areas like provisioning and initial configuration/setup. “How do we get the level of governance there that we can be comfortable with, that assures us that the right things are done at each stage of the development and integration to a platform?” Scott posits.
  1. Moving towards a Zero Trust Architecture. Zero Trust is a better model for information security that “perimeter defense,” and its time has come. This Executive Order puts strong emphasis on “advancing towards Zero Trust Architecture” for federal agencies, starting with a plan to implement Zero Trust per recent NIST guidance. “This represents an acknowledgement that traditional, perimeter-based security has been dead for a while,” asserts Scott.
  1. Improving the government’s cyber detection, incident response, investigation and remediation capabilities. The order devotes three sections to these issues and references them throughout. This includes creating a standardized incident response “playbook” for federal agencies based on NIST guidance and deploying an “Endpoint Detection and Response (EDR) initiative across federal government infrastructure that includes active cyber hunting.

What’s Next?

Here’s Scott’s summation of the order overall: “I read it as executive guidance, setting expectations from the executive branch to the rest of government, on to the agencies, on what their expectations were to move them out of a paradigm that clearly is not working. To drive that into the private sector specifically in the critical infrastructure space.”

Looking for some related content about the Cybersecurity Executive Order? Check out this post: The Cyber Executive Order: What Does It Say about Zero Trust? – Pivot Point Security

Listen to the podcast episode all the way through: EP#58 – Scott Sarris – The Cybersecurity Executive Order: What You Need to Know – Pivot Point Security