
New Cybersecurity Executive Order: What It Means for Federal Agencies

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity includes guidance on third-party risk management and on adopting proven security practices to gain visibility into security threats across network and cloud infrastructure. Here we highlight six key provisions and offer guidance on how federal agencies can prepare.

On Jan. 16, the Biden Administration released the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity. In an era of escalating threats, it is important for the U.S. government to take steps toward a more secure digital infrastructure. The EO is being released in the wake of cyberattacks such as Salt Typhoon, carried out by China-based threat groups supported by the People’s Republic of China, which, as recently as last week, breached the U.S. Department of the Treasury.

The EO is intended to build on President Joseph R. Biden’s previous EO 14028. It focuses on the nation’s ability to address key threats and defend against continued cyber campaigns targeting the United States and Americans, as well as on ensuring the security of the services and capabilities most vital to the digital domain.

As the Biden Administration comes to a close and President Donald J. Trump is sworn in on Jan. 20, it’s important to remember that cybersecurity is not a partisan issue, but a national security concern. Similar to our collaboration during the first Trump Administration, Tenable stands ready to engage with the incoming team to assess and defend critical networks in government and throughout enterprise to protect Americans and ensure the resilience of our critical infrastructure.

While the EO is aimed at government agencies, many of the principles behind it are equally relevant to private-sector organizations looking to improve their security posture. It includes guidance on third-party management practices, on adopting proven security practices to gain visibility into security threats across networks and cloud infrastructure, and on securing communications networks. It also provides recommendations on combating cybercrime and fraud, promoting security with artificial intelligence (AI) and aligning policy to practice.

Below we highlight six key provisions of the EO and offer recommendations on how to prepare to meet the requirements.

6 key provisions of the Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity

1. Operationalizing transparency and security in third-party software supply chains

The EO mandates that federal agencies adopt more rigorous third-party risk management practices to ensure the safety and security of the software providers operating within the federal government. It calls for:

  • Software providers to submit secure software development attestations and high-level artifacts to validate the attestations to the Cybersecurity and Infrastructure Security Agency (CISA).
  • The establishment of National Institute of Standards and Technology (NIST) guidelines and security practices for safe and secure software procurement, which will be incorporated into the Secure Software Development Framework (SSDF) and ultimately the White House Office of Management and Budget Memorandum M-22-18. It will include practices, procedures, controls and implementation examples.
  • Federal agencies to comply with the guidance in NIST Special Publication 800-161 Revision 1 to integrate cybersecurity supply chain risk management programs into broader risk management activities.
  • CISA and the General Services Administration to issue recommendations to agencies on the management of open source software.

How to prepare: Start with an inventory of all third-party providers working with your agency. How much visibility do you have into the level of risk these providers present? Is their software integral to your agency’s ability to function? Can it access sensitive data, such as personally identifiable information (PII)? Does it offer an opportunity for an attacker to gain entry or move laterally within your infrastructure?

2. Improving the cybersecurity of federal systems

This section of the EO focuses on adopting proven security practices in order to gain visibility into security threats across networks and to strengthen cloud security. Key call-outs in this section include:

  • Identity and access management (IAM): IAM practices are critical and should be integrated into an agency's broader security strategy.
  • Cloud security: In order to secure federal data in the cloud, the EO requires cloud service providers in the FedRAMP marketplace to produce baselines with specifications and recommendations for agency configurations of cloud-based systems.
  • Space security: The security of space systems must be enhanced to adapt to evolving threats. The EO mandates that agencies take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions such as continuous assessments, testing, exercises, and modeling and simulation.

How to prepare: Audit your identity and access management systems. Are you considering user privileges in your overall risk profile? Consider how much access and visibility your security team has into your cloud infrastructure. Does your agency have continuous processes to manage identity and privileges across cloud environments? At what stage is security brought into your cloud deployments? It should be incorporated into the entire process, from ideation to system development and deployment. Are you performing continuous monitoring of IAM, cloud and space systems (if applicable)? Many third-party contracts pre-date supply chain risk-management reviews. Do your contracts account for security requirements and support?

3. Securing federal communications

The EO emphasizes the importance of securing our communication networks from cyberattacks and sets forth guidelines and procedures to ensure the security of federal communications. Key points include:

  • Strong identity authentication and encryption must be implemented.
  • Encrypting DNS traffic is critical.
  • Email messages, as well as modern communications such as voice and video conferencing and instant messaging, must be encrypted in transport and where practical use end-to-end encryption.
  • Quantum computers pose significant risk to national security. Agencies should require post-quantum cryptography in applicable product categories as defined by CISA.
  • The federal government should protect and audit access to cryptographic keys with extended lifecycles. Guidelines will be developed by NIST and FedRAMP requirements will be updated to incorporate those guidelines.

How to prepare: Evaluate your identity authentication and encryption capabilities for all forms of communication, from DNS to email systems. Are you following the NIST SP 800-63 Digital Identity Guidelines? Are there gaps in your systems that need to be addressed? Are there product categories within your systems that would require post-quantum cryptography? Ciphers that are not quantum-resistant will increasingly pose risk as quantum technologies radically redefine encryption.

4. Solutions to combat cybercrime and fraud

With the growing demand for digital services, it is essential for agencies to adopt digital identity verification solutions that ensure secure access, enhance accessibility and prevent fraud. This section of the EO encourages the safe and secure use of digital identity documents to access public benefits programs that require identity verification. It states that NIST will issue implementation guidance and the Treasury will develop a pilot program to notify individuals when their identity information is used to request a payment from a public benefits program.

How to prepare: Evaluate your digital identity verification strategy. How are you preventing digital identity fraud? What key performance indicators (KPIs) do you use to track the effectiveness of your program? Have you considered a more rigorous verification strategy that verifies identities at the front end? Are you using a holistic identity verification approach that validates multiple aspects of someone’s identity?

5. Promoting security with and in artificial intelligence (AI)

AI is emerging as a game changer in the ongoing battle for federal cybersecurity. As such, the EO calls on the federal government to accelerate the development and deployment of AI, specifically as it relates to improving the cybersecurity of critical infrastructure. The EO further establishes a pilot program on the use of AI to enhance cyber defenses of critical infrastructure and accelerates research at the intersection of AI and cybersecurity.

How to prepare: Evaluate how AI can be implemented in your security strategy in order to reduce risk. Do you have guidelines for using AI in your agency? Have you experimented with AI security tools? Are there ways you can leverage AI to reduce the pressure on your security teams?

6. Aligning policy to practice

This section of the EO focuses on modernizing federal IT infrastructure and networks to better defend against cyberattacks and reduce cyber risk. It focuses on developing guidance to help agencies share and exchange cybersecurity information, obtain enterprise-wide visibility, and prepare to be held accountable for enterprise-wide cybersecurity programs. It further focuses on promoting the adoption of evolving cybersecurity practices, such as the migration to zero trust and ensuring agencies can identify, assess and respond to risk presented by IT vendor concentration.

How to prepare: Assess how much visibility you currently have into your IT infrastructure. Are you able to continuously assess vulnerabilities and misconfigurations in your on-premises and cloud environments with the added context of identity and access privileges so you always have an up-to-date view of your risk? Do you have a way to quickly generate reports that you can share with other agencies?

Conclusion

The Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity addresses some of the most pressing concerns in cybersecurity, including the safety of the software supply chain, the need for improved visibility across systems such as identity and access management and cloud infrastructure, the need to protect communications with end-to-end encryption, and the promise of AI to aid in cybersecurity efforts. Its provisions offer a blueprint for improving cybersecurity in government agencies while providing sound guidance for private-sector organizations to consider in their efforts to reduce cyber risk.
