Cybersecurity EO Gets Off to Fast Start, With Many Miles to Go – MeriTalk

The Biden administration’s Cybersecurity Executive Order (Cyber EO) issued in May 2021 marks the Federal government’s most determined effort yet to not only propose – but also to enforce through sustained government-wide action – the kinds of fundamental changes needed to advance civilian agency cybersecurity, defeat sophisticated attacks on government networks, and in the process, take a giant leap forward in the cause of IT modernization.

The Cyber EO sets a new tone for Federal policy on cybersecurity – gone are the days of aspirational policy goals. The administration’s order has more than enough specificity, regulatory bite, and top-down backing to force major shifts in how the civilian Federal enterprise remakes its cybersecurity footing.

Moreover, the Cyber EO’s marching orders to Federal agencies are imbued with urgency and put agencies – both implementing agencies and the agencies that need to help them get there – on short and highly visible leashes for concrete progress.

The order’s ultimate impact and payoffs won’t be fully evident for years to come, for two main reasons – the timeline to execute on some of the order’s directives is long, and staying ahead of adversaries and protecting critical networks is a task that has no end.

Top-Line Directives

At the heart of the Cyber EO’s instructions to Federal agencies are two core directives: move to the cloud, and move to zero trust security architectures.

Beyond that, the order places requirements on Federal agencies to speed the deployment of endpoint detection and response (EDR) technologies on their networks, make progress on adoption of multi-factor authentication (MFA) and encryption technologies, adhere to a standard cyber incident response “playbook,” share cyber information with other agencies, and comply with new cybersecurity event log-keeping requirements.

For the private sector, the order uses the power of the Federal purse to put in place “baseline” security standards in software sold to the government and gives the private sector a seat at the policy table for weighing additional requirements.

Six-Month Progress Report

Six months in, where do we stand? Here’s a rundown on the government’s key points of progress on major portions of the order, and what some of the most astute private sector security providers think about its pace and its promise.

Zero Trust Migration

There are nearly as many definitions of zero trust as there are security solutions providers, but Federal IT officials’ simple definition is: 1) moving away from a “castle and moat” perimeter-based network defense; and 2) moving toward a security architecture that relies on least privilege, least access, and constant evaluation of network users, with sophisticated analysis of network and user data to continually confirm and re-confirm access privileges.

The practical goals of the strategy are to make it much more difficult for unpermissioned users to access systems in the first place, and to prevent adversaries from undertaking successful lateral movements within systems if initial access is gained. The concepts for zero trust are not particularly new, but executing the necessary changes in network architecture is a complex process that will take years to play out.

As a top-level target, the Cyber EO gives Federal agencies a three-year window to make those necessary architecture changes and accelerate their efforts by then moving “towards a shared baseline of early zero trust maturity.”

At the more granular level, the Cyber EO gave Federal agencies 60 days to develop plans to implement zero trust security architectures, tracking with implementation guidance …….

Source: https://www.meritalk.com/articles/cyber-eo-special-report/
