In an ambitious effort to improve the Nation’s security posture, President Joe Biden has issued an Executive Order to improve cyber threat information sharing between the U.S. Government and the private sector. The goal is to align cybersecurity initiatives between the Government and the private sector to increase resilience against national security threats, such as the cybercriminals responsible for the Colonial Pipeline cyberattack.
The US government will lead by example, aiming to meet or exceed the information security standards set out in the EO across all of its own systems.
This post provides a compliance framework for the industries most affected by the EO: IT service and software providers. As such, only the Sections of the EO that are relevant to these industries are addressed. For the complete Executive Order, refer to the official publication from the White House.
Who is Impacted by Biden’s Cybersecurity Executive Order?
President Biden’s cybersecurity EO (Improving the Nation’s Cybersecurity) impacts three primary classes of entities, chosen because a compromise of any of them has a high potential of facilitating a national security crisis.
- Federal government agencies - US federal agencies will need to modernize their cybersecurity practices in line with the evolving cyber threat landscape.
- Federal Contractors - All federal government vendors, including software security and critical software providers, will need to update their contract terms to reflect the increased cyber incident information-sharing directives in this EO.
- The Private Sector - The private sector, especially IT service providers, will need to increase the security of their supply chain to mitigate supply chain attacks.
The greatest impact of this EO will be felt by IT service providers, including cloud-hosting providers, for government agencies. These entities will be required to honestly disclose their cybersecurity threats and data breach history with the federal government before procurement is finalized.
The order by the Biden administration also sets new standards for the development practices of software companies servicing the federal government, including the use of encryption and multi-factor authentication (MFA). The US government plans to implement a labeling system for tracking the cybersecurity resilience of third-party software solutions used in federal networks, similar in concept to credit ratings or conventional cybersecurity rating methodologies.
Section 2: Cyber Threat Information Sharing Barriers Between Government and Private Sectors Must Be Removed
Section 2 of the Cybersecurity Executive Order requires IT service providers (including cloud providers) contracting with the federal government to share cyber incident and data breach information with the government departments and agencies tasked with investigating cyberattack incidents:
- The Cybersecurity and Infrastructure Security Agency (CISA).
- The Federal Bureau of Investigation (FBI).
- Sectors of the United States Intelligence Community (IC).
Until now, IT providers could withhold specific cyber incident information from the above entities. This was either due to contractual restrictions or a reluctance to admit the internal security negligence that led to their data breaches.
Biden’s Executive Order mandates the removal of these contractual barriers for IT service providers contracting with the United States government, to increase the flow of specific data breach information between the private sector and the government. By doing so, the United States government can adjust its cyber defenses to evolving attacks and accelerate its remediation and response efforts.
This order especially impacts all Information Technology (IT) and Operational Technology (OT) providers (including cloud providers) offering services to the American government because of their intimate knowledge of Federal Information Systems.
How Should You Respond?
To achieve compliance with Section 2 of Biden's Executive Order, service providers must ensure that cyber threat intelligence is available to the investigative entities listed above. The design of this information workflow should follow the revised contract requirements of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) - refer to Section 2(b)-(l) of the Cybersecurity Executive Order.
How UpGuard Can Help
UpGuard supports compliance with Section 2 of Biden’s Cybersecurity Executive Order by identifying cyber risks likely to facilitate data breaches, both internally and across the vendor network. This level of attack surface visibility allows government agencies and IT service providers to understand their data breach risks so that they can be communicated in a manner that complies with the EO’s information-sharing requirements.
To expedite the consolidation of relevant data, the UpGuard platform can generate instant executive reports summarizing all levels of security risks threatening data safety.
IT service providers can host these reports, and any other relevant cybersecurity information, on a Shared Profile to streamline the cyber threat communication process and, therefore, procurement processes with federal government agencies.
Section 3: Modernizing Federal Government Cybersecurity
Section 3 of the Cybersecurity Executive Order is an initiative to modernize the federal government’s cybersecurity programs to ensure relevance as the threat landscape evolves.
The United States Federal Government will endeavor to meet or exceed the cybersecurity standards issued in this Executive Order. As a result, the Federal Government will adopt the following initiatives as an example of best practices for the private sector:
- The implementation of a Zero-Trust Architecture (ZTA).
- The transition to a more secure suite of cloud services such as Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
- Increased visibility into the threat landscape.
- Centralized and streamlined access to cybersecurity data for an analytics-driven approach to identifying and managing cybersecurity risks.
- The adoption of multi-factor authentication across all accounts.
- The encryption of all data, both at rest and in transit, to the maximum extent possible.
- Increased investments in both technology and personnel to meet these initiatives.
How Should You Respond?
To align with the Section 3 standards of the Cybersecurity Executive Order, the private sector should mirror the higher security standards pursued by the Federal Government.
This can be achieved through the following transition framework:
- Prioritize resources to rapidly adopt more secure cloud technologies.
- Develop a Zero Trust Architecture (ZTA) implementation plan in accordance with the migration steps outlined by the National Institute of Standards and Technology (NIST). This plan should include an implementation schedule.
- Support all cloud technology with solutions that prevent, assess, detect and remediate cyber threats.
- Modernize cybersecurity programs so that they operate fully in cloud-computing environments built on a Zero Trust Architecture.
- Develop cloud security frameworks that meet the standards of the documentation created by the Secretary of Homeland Security - refer to Section 3(c)(i) - (iv) of the Cybersecurity Executive Order.
- Adopt multi-factor authentication and encryption for all data at rest and in transit.
- Establish a collaboration framework for cybersecurity and incident response activities to facilitate improved data breach information sharing.
- Transition to digital vendor documentation for enhanced accessibility and more efficient risk assessment processes.
To assist with implementing a Zero Trust model, CISA has published a free Zero Trust Maturity Model.
How UpGuard Can Help
UpGuard can help the private sector comply with Section 3 of the Cybersecurity Executive Order by addressing the complete lifecycle of cyber threat management.
- The detection and remediation of internal and external data leaks before they develop into data breaches.
- The detection and remediation of all security vulnerabilities, both internally and throughout the third-party network.
- The end-to-end management of all third-party risk assessments.
- The centralization of threat analytics for streamlined cybersecurity risk management.
- The complete digitization of all vendor documents for streamlined third-party risk management, including pre-loaded questionnaires and custom questionnaire builders.
Section 4: Enhancing Software Supply Chain Security
Section 4 of the Cybersecurity Executive Order is an initiative to raise the security standards of software in the federal supply chain, to prevent future incidents that mirror the SolarWinds supply chain attack.
The Executive Order will specify the standards for supply chain software adopted by the government, establishing a security baseline for the private sector.
Supply chain software must now:
- Facilitate greater visibility by making security data publicly available.
- Implement an ‘Energy Star’ type of rating that honestly evaluates its level of security for both the government and the general public.
- Ensure products ship without known vulnerabilities that can be exploited by cybercriminals.
How UpGuard Can Help
UpGuard can help the private sector strengthen their security and prevent supply chain attacks by:
- Identifying and remediating third-party data leaks before they develop into data breaches.
- Identifying and remediating all security vulnerabilities, both internally and throughout the vendor network, to prevent third-party breaches.
- Evaluating the security postures of all vendors with security ratings.
Section 7: Improve the Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Section 7 of the Cybersecurity Executive Order is an initiative to improve the detection of cyber threat activity on federal government networks, with practices the private sector can adopt.
The federal government will lead by example for the private sector by deploying an Endpoint Detection and Response (EDR) initiative to support the early detection of cybersecurity incidents.
This EDR initiative will:
- Provide centralized, host-level visibility into vulnerabilities and activity across federal networks.
- Support cyber threat hunting, detection, and remediation activities.
How UpGuard Can Help
UpGuard can help the private sector comply with section 7 of the Cybersecurity Executive Order by:
- Detecting data leaks to support the hunt for potential cyber threats.
- Managing the complete remediation of all data leaks linked to both the internal and third-party threat landscape.
- Offering a Third-Party Risk Management solution supported by cybersecurity experts, so security efforts can scale efficiently.
- Centralizing all data leak and vulnerability intelligence for streamlined security posture communication.
- Offering host-based vulnerability detection to locate and identify vulnerabilities in servers, workstations, and other network hosts.
Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities
To assist cyber incident investigations and remediation efforts, system log information from both internal networks and third-party connections must be collected and maintained. This information should also be readily available to investigative entities upon request, in a form that can be shown to be complete and unaltered.
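As an added example (not code from the original post or from UpGuard), the following Python shows one way to "maintain" collected logs so that an investigator receiving them on request can check that no record was edited, dropped or reordered: each record carries a SHA-256 over its own fields plus the hash of the previous record, and the latest chain head is escrowed elsewhere so that truncating the tail is also detectable. The record format, field names, the `LogArchive` class and the sample log lines are all constructed for this example; they are not part of the EO or any UpGuard product.

```python
"""Tamper-evident log retention: an append-only hash chain over collected log records.

Added example, not from the original post. Record layout, field names and the
sample log lines are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS = "0" * 64  # chain anchor for the first record (assumption of this example)


@dataclass(frozen=True)
class LogRecord:
    seq: int          # monotonically increasing position in the archive
    source: str       # collecting host or third-party connection
    message: str      # raw log line as received
    prev_hash: str    # hash of the previous record (GENESIS for the first)
    hash: str         # SHA-256 over (seq, source, message, prev_hash)


def _digest(seq: int, source: str, message: str, prev_hash: str) -> str:
    # Canonical JSON encoding keeps field boundaries unambiguous, so two different
    # (source, message) pairs cannot be arranged to produce the same digest.
    payload = json.dumps([seq, source, message, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class LogArchive:
    """Append-only archive; records are never updated or deleted in place."""

    def __init__(self) -> None:
        self._records: List[LogRecord] = []

    def append(self, source: str, message: str) -> LogRecord:
        prev = self._records[-1].hash if self._records else GENESIS
        seq = len(self._records)
        rec = LogRecord(seq, source, message, prev, _digest(seq, source, message, prev))
        self._records.append(rec)
        return rec

    def head(self) -> str:
        # Escrow this value regularly on a separate system (or with a third party);
        # without it, dropping the newest records cannot be detected.
        return self._records[-1].hash if self._records else GENESIS

    def export(self) -> List[dict]:
        """Serializable form handed to an investigative entity on request."""
        return [asdict(r) for r in self._records]


def verify(records: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record.

    Catches edited messages, deleted or reordered records and, when the escrowed
    head is supplied, truncation of the tail.
    """
    prev = GENESIS
    for i, r in enumerate(records):
        if r["seq"] != i or r["prev_hash"] != prev:
            return i
        if r["hash"] != _digest(r["seq"], r["source"], r["message"], r["prev_hash"]):
            return i
        prev = r["hash"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return None


# Constructed sample log lines (not real events).
SAMPLE = [
    ("vpn-gw-01", "Jan 12 03:14:07 sshd[2201]: Accepted publickey for svc-backup from 10.20.4.17"),
    ("vendor-link-acme", "Jan 12 03:14:09 api: POST /v1/export 200 user=acme-integration"),
    ("vpn-gw-01", "Jan 12 03:15:30 sshd[2201]: Failed password for root from 203.0.113.9"),
]


def build_archive() -> LogArchive:
    archive = LogArchive()
    for source, line in SAMPLE:
        archive.append(source, line)
    return archive


def demo() -> dict:
    archive = build_archive()
    head = archive.head()
    clean = archive.export()

    # Tampering scenario: a failed-login record is "cleaned up" after the fact.
    edited = [dict(r) for r in clean]
    edited[2]["message"] = edited[2]["message"].replace("Failed", "Accepted")

    # Truncation scenario: the newest record is dropped entirely.
    truncated = clean[:-1]

    return {
        "intact": verify(clean, head),                   # None
        "edited": verify(edited, head),                  # 2
        "truncated_no_head": verify(truncated),          # None: undetectable without the escrowed head
        "truncated_with_head": verify(truncated, head),  # 2
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `truncated_no_head` result is the point to take away: a hash chain by itself only proves internal consistency, so the chain head has to be recorded somewhere the archive operator cannot quietly rewrite before the logs are ever requested.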
How UpGuard Can Help
UpGuard can help government entities and the private sector comply with Section 8 of the Cybersecurity Executive Order by offering a single platform capable of end-to-end cyber threat management, from vulnerability detection through to complete remediation for both the internal and vendor attack surfaces.
UpGuard Supports Compliance with Biden's Cybersecurity Executive Order
UpGuard can continuously monitor the attack surfaces of federal agencies and their private contractors to detect potential attack vectors threatening the security of critical infrastructures and sensitive government databases.
Besides offering a Vendor Risk Management solution for addressing supplier security risks, UpGuard can also detect and shut down data leaks - including ransomware blog leaks - to further reduce the potential of data breaches resulting from compromised third-party suppliers.
For an overview of how UpGuard helps you effectively manage your attack surface to reduce the risk of data breaches, watch UpGuard's overview video.