How to be Compliant with Biden's Cybersecurity Executive Order in 2023

In an ambitious effort to improve the Nation’s security posture, President Joe Biden has instituted an Executive Order to improve cyber threat information sharing between the U.S Government and the Private Sector. The goal is to align cybersecurity initiatives between the Government and Private Sector to increase resilience against national security threats, like the cybercriminals responsible for the Colonial Pipeline cyberattack.

The US government will lead by example and aim to exceed all of the information security standards in the EO when applying them to all of its government systems.

This post provides a compliance framework for industries most affected by the EO - IT services software service providers. As such, only the Sections of the EO that are relevant to these industries are addressed. For the complete Executive Order, refer to the official publication from the White House.

Who is Impacted by Biden’s Cybersecurity Executive Order?

Biden’s cybersecurity EO impacts three primary classes of attack vectors, chosen for their high potential of facilitating a national security crisis if compromised.

  • Federal government agencies - US federal agencies will need to modernize their cybersecurity practices in line with the evolving cyber threat landscape.
  • Federal Contractors - All federal government vendors, including software security and critical software providers, will need to update their contract terms to reflect the increased cyber incident information-sharing directives in this EO.
  • The Private Sector - The private sector, especially IT service providers, will need to increase the security of their supply chain to mitigate supply chain attacks.

The greatest impact of this EO will be felt by IT service providers, including cloud-hosting providers, for government agencies. These entities will be required to honestly disclose their cybersecurity threats and data breach history with the federal government before procurement is finalized.

Section 2: Cyber Threat Information Sharing Barriers Between Government and Private Sectors Must Be Removed

Section 2 of the Cybersecurity Executive Order requires IT Service Providers (including cloud providers) to liberally share data breach information with government departments and agencies tasked with investigating cyberattack incidents.

These include:

  • The Cybersecurity and Infrastructure Security Agency (CISA).
  • The Federal Bureau of Investigation (FBI).
  • Sectors of the United States Intelligence Community (IC).

Until now, IT providers could withhold specific cyber incident information with the above entities. This was either due to contractual restrictions or a reluctance to admit the internal security negligence that led to their data breaches.

Biden’s Executive order forces all IT service providers in the United States to remove these contractual barriers to increase and, therefore, improve the flow of specific data breach information between the private sector and the United States government. By doing so, the United States government can adjust its cyber defenses to evolving nation-state attacks to accelerate its remediation and response efforts.

This order especially impacts all Information Technology (IT) and Operational Technology (OT) providers (including cloud providers) offering services to the United States government because of their intimate knowledge of Federal Information Systems.

How Should You Respond?

To achieve compliance with section 2 of Biden's Executive Order, service providers must ensure the availability of cyber threat intelligence with investigation entities. The design of this information workflow should be in accordance with the revised contract requirements of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation (DFAR) - refer to Section 2(b)-(l) of the Cybersecurity Executive Order.

How UpGuard Can Help

UpGuard supports compliance with section 2 of Biden’s Cybersecurity Executive Order by identifying cyber risks likely to facilitate data breaches, both internally and across the vendor network. This level of attack surface visibility allows government agencies and IT services to understand their data breach risks so that they can be communicated in a manner that complies with the EO’s communication standards.

To expedite the consolidation of relevant data, the UpGuard platform can generate instant executive reports summarizing all levels of security risks threatening data safety.

Excerpt from a detailed vendor report generated on the UpGuard platform
Excerpt from a detailed vendor report generated on the UpGuard platform.

IT service providers can host these reports, and any other relevant cybersecurity information, on a Shared Profile to streamline the cyber threat communication process and, therefore, procurement processes with federal government agencies.

Shared Profile by UpGuard
Shared Profile by UpGuard allows service providers to host commonly requested security documentation.

Request a free trial of UpGuard >

Section 3: Modernizing Federal Government Cybersecurity

Section 3 of the Cybersecurity Executive Order is an initiative to modernize the federal government’s cybersecurity programs to ensure relevance as the threat landscape evolves.

The United States Federal Government will endeavor to meet or exceed the cybersecurity standards issued in this Executive Order. As a result, the Federal Government will adopt the following initiatives as an example of best practices for the private sector:

How Should You Respond?

To achieve compliance with the section 3 standards of the Cybersecurity Executive Order, the private sector must mirror the higher security standards pursued by the Federal Government.

This can be achieved through the following transition framework:

  • Prioritize resources to rapidly adopt more secure cloud technologies.
  • Develop a Zero Trust Architecture (ZTA) implementation plan in accordance with the migration steps outlined by the National Institute of Standards and Technology (NIST). This plan should include an implementation schedule.
  • Support all cloud technology with solutions that prevent, assess, detect and remediate cyber threats.
  • Modernize cybersecurity programs to ensure full functionality with cloud-computing environments with Zero Trust Architecture.
  • Develop cloud security frameworks that meet the standards of the documentation created by the Secretary of Homeland Security - refer to Section 3(c)(i) - (iv) of the Cybersecurity Executive Order.
  • Adopt multi-factor authentication and encryption for all data at rest and in transit.
  • Establish a collaboration framework for cybersecurity and incident response activities to facilitate improved data breach information sharing.
  • Transition to digital vendor documentation for enhanced accessibility and more efficient risk assessment processes.
To assist with implementing a Zero-Trust model, CISA has developed free resources for Zero-Trust maturity, which can be accessed here.

How UpGuard Can Help

UpGuard can help the private sector comply with Section 3 of the Cybersecurity Executive Order by addressing the complete lifecycle of cyber threat management.

This includes:

  • The detection and remediation of internal and external data leaks before they develop into data breaches.
  • The detection and remediation of all security vulnerabilities, both internally and throughout the third-party network.
  • The end-to-end management of all third-party risk assessments
  • The centralization of threat analytics for streamlined cybersecurity risk management.
  • The complete digitization of all vendor documents for streamlined third-party risk management, including pre-loaded questionnaires and custom questionnaire builders.

Request a free trial of UpGuard >

Section 4: Enhancing Software Supply Chain Security

Section 4 of the Cybersecurity Executive Order is an initiative to lift the security standards of supply chain software to prevent future incidents that mirror the SolarWinds supply chain attack.

The Executive Order will specify the standards of supply chain software adopted by the government to establish a security baseline for the private sector.

Supply chain software must now:

  • Facility greater visibility to make security data publicly available
  • Implement an ‘energy star’ type of rating that honestly evaluates its level of security to both the government and the general public.
  • Ensure their products are shipped without vulnerabilities that can be exploited by cybercriminals.

How UpGuard Can Help

UpGuard can help the private sector strengthen their security and prevent supply chain attacks by:

  • Identifying and remediating third-party data leaks before they develop into data breaches.
  • Identifying and remediating all security vulnerabilities, both internally and throughout the vendor network, to prevent third-party breaches.
  • Evaluating the security postures of all vendors with security ratings.

Request a free trial of UpGuard >

Section 7: Improve the Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks.

Section 7 of the Cybersecurity Executive Order is an initiative to improve cyber threat activity detection in government and private sector networks.

The federal government will lead by example for the private sector by deploying an Endpoint Detection and Response (EDR) initiative to support the early detection of cybersecurity incidents.  

This EDR initiative will:

  • Be centrally located to support host-level vulnerability visibility.
  • Support cyber threat hunt, detection, and remediation activities.

How UpGuard Can Help

UpGuard can help the private sector comply with section 7 of the Cybersecurity Executive Order by:

  • Detecting data leaks to support the hunt for potential cyber threats
  • Managing the complete remediation of all data leaks linked to both the internal and third-party threat landscape.
  • Offering a Third-Party RIsk management solution supported by cybersecurity experts for efficient scale security efforts.
  • Centralizing all data leak and vulnerability intelligence for streamlined security posture communication.
  • Offering host-based vulnerability detection to locate and identify vulnerabilities in servers, workstations, and other network hosts.

Request a free trial of UpGuard >

Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities

To assist cyber incident investigations and remediation efforts, system log information, both internal networks and third-party connections, must be collected and maintained. This information should also be readily available to investigative entities upon request.

How UpGuard Can Help

UpGuard can help government entities and the private sector comply with Section 8 of the Cybersecurity Executive Order by offering a single platform capable of end-to-end cyber threat management, from vulnerability detection through to complete remediation for both the internal and vendor attack surfaces.

UpGuard Supports Compliance with Biden's Cybersecurity Executive Order

UpGuard can continuously monitor the attack surfaces of federal agencies and their private contractors to detect potential attack vectors threatening the security of critical infrastructures and sensitive government databases.

Besides offering a Vendor Risk Management solution for addressing supplier security risks, UpGuard can also detect and shut down data leaks - including ransomware blog leaks - to further reduce the potential of data breaches resulting from compromised third-party suppliers.

Request a free 7-day trial of UpGuard >

Free

UpGuard logo in white
UpGuard free resources available for download

Ready to see
UpGuard in action?