September 8, 2021

Last Updated on January 15, 2024

President Biden’s recent “Executive Order on Improving the Nation’s Cybersecurity” covers a lot of ground and advocates “bold changes and significant investments.” But what do the 7,000-plus words in the order really add up to? Are new compliance mandates coming for the public and/or private sectors? What is the Executive Order likely to mean for your organization?

To unpack the top takeaways from the Executive Order, a recent episode of The Virtual CISO Podcast features Scott Sarris, EVP of Digital Transformation and Cybersecurity Advisory Services at Aprio. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the show.

Scott’s overall impression of the Executive Order is distinctly positive:

“When I read the Executive Order, I started reading the policy section and I interpreted it not as coming from the President of the United States, but really as a directive from the executive of a large organization setting the overarching strategy and expectations to his constituents; in this case, the federal government agencies. I believe it did a very good job establishing those expectations in that policy section to drive the speed of government to adopt information security policies and approaches that reflect a more aggressive posture in dealing with those security risks the government faces. I was actually pretty happy to see it.”

John likewise is encouraged by the order’s overall tone and approach: “I’m not a big believer in government mandating what we should do. But to me, the one thing that came out of it was the recognition by our government that our national defense and the security of our government sector is directly proportional to the security of our private sector. That if we don’t work together—and that might mean some mandates on their part—that we can’t be the US anymore. We can’t be viable, right? In order to sustain our sovereignty, if you will, we need to understand that we are at cyber warfare and that the government is saying, ‘We recognize this. And we are going to start to exert our influence on, not only our own cyber posture, but also the cyber posture of anyone that does business with the government.’ Which largely involves the vast majority, I think, of our economy.”

Yet, Scott notes, the tone of the order is moderate, not authoritarian: “Like you, I’m not a big fan of government dictating everything. However, I found it interesting that the approach as you pedal through this document, is one of directing the federal government and the executive branch to contract and to engage with knowledgeable third parties to do things like collect information about cyber attacks and logs and other things, versus dictating that they will provide it in any case. I didn’t find it very aggressive in its posture. I thought there was kind of a moderate tone to their approach.”

“If you think about it, you could destabilize a government by destabilizing the significant private companies within that country,” John reflects. “I think they’re looking at [that] here and saying, ‘Okay, we have to clean up our own house. We have to make sure that the folks that we’re working with clean up their houses because we’re interdependent.’”

What’s Next?

“The message I was left with was, ‘Get ready for some overt guidance from the federal government on your security posture. CMMC and FedRAMP are not our last shots across your bow,’” quips John. “As always, it’s going to be a fun next few years as this evolves, I think.”

Looking for a quick and comprehensive overview of the Cybersecurity Executive Order? Check out this post: FedRAMP and CMMC – Here’s How They Relate – Pivot Point Security

Or listen to the podcast episode all the way through: EP#58 – Scott Sarris – The Cybersecurity Executive Order: What You Need to Know – Pivot Point Security