Aiming to improve cybersecurity in the United States, President Biden signed an executive order (EO) on May 12, 2021. Although the EO focuses on U.S. federal departments’ and agencies’ cybersecurity, it will likely result in standards that will change the way the private sector manages cybersecurity within the United States and globally.

This cybersecurity EO was signed soon after the world experienced a series of widespread cybersecurity incidents such as the SolarWinds supply chain attack, the Microsoft Exchange zero-day vulnerability attacks and the ransomware attack that caused the Colonial Pipeline shutdown. A few notable items in the EO are a requirement for government agencies to apply a Zero Trust model to their networks, encouraging information sharing between the government and the private sector and the adoption of a software bill of materials (SBOM).

WHAT’S INCLUDED IN THE EO?

At a high level, the executive order addresses the following main topics:

1. Removing barriers to sharing threat information: According to a White House fact sheet on the EO, “Removing any contractual barriers and requiring providers to share breach information that could impact government networks is necessary to enable more effective defenses of federal departments, and to improve the nation’s cybersecurity as a whole.”

2. Modernizing federal government cybersecurity: The EO will drive the federal government to adopt a Zero Trust model and require the use of secure cloud systems, multi-factor authentication and encryption.

3. Enhancing software supply chain security: The National Institute of Standards and Technology will work with the federal government, the private sector, academia and other appropriate parties to identify existing or develop new standards, tools and best practices. This will require that software vendors make their security data publicly available and include a SBOM, which is a formal record containing the details and supply chain relationships of various components used in building software. The EO also calls for a pilot program that will use an “Energy Star-style” label on products that meets government requirements for cybersecurity.

4. Establishing a cybersecurity safety review board: Much like the National Transportation Safety Board, the Cybersecurity Safety Review Board will be co-chaired by federal government and private sector cybersecurity leaders and will conduct post-incident analysis. The cybersecurity board will also make recommendations on how to prevent similar incidents in the future.

5. Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents: Today, incident response procedures can vary greatly between agencies. The EO calls for a standardized playbook for cybersecurity incident response and provides a template for the private sector to use in their incident response measures.

6. Improving detection of cybersecurity vulnerabilities and incidents on federal government networks: The EO calls for an improved endpoint detection and response system that will increase the detection of malicious activity on federal networks and allow for a quick response when coupled with information sharing between government agencies.

7. Improving the federal government’s investigative and remediation capabilities: The EO puts in place a set of event log requirements which will help detect anomalous behavior and help to determine what happened and how it happened.

HOW DOES THIS IMPACT U.S. BUSINESSES?

While the executive order does not apply to all private sector companies, this effort could lead to nationally and globally adopted cybersecurity standards. In the near term, companies that sell computing products to the U.S. government will need to pay particular attention to the supply chain requirements, including an SBOM for software products and the pilot program for an Energy Star-style label to put on products that meet government requirements for cybersecurity. In a short blog on the topic, cybersecurity expert cybersecurity expert Bruce Schneier stated, “I’m a big fan of these sorts of measures. The U.S. government is a big enough market that vendors will try to comply with procurement regulations, and the improvements will benefit all customers of the software.”

NOTE: This is an article that I wrote for the Security Industry Association’s blog.