ABOUT EO 14028
This article is the first in a series we’ll be publishing that discusses Executive Order 14028, how
More transparency between government and private sector
The EO includes a number of measures that will remove communication barriers between government and industry with respect to threats and breaches. Often IT providers are unwilling to share threat information about their own networks for privacy reasons. Other times, providers are actually not able to share this information due to contractual obligations. The EO provides exceptions to those kinds of contractual obligations and requires providers to share information when a breach occurs that could affect government networks.
Enhanced security of software supply chain
If recent high-profile breaches like SolarWinds are any indication, malicious cyber actors have their crosshairs set on a novel potential vulnerability: the software supply chain. While more traditional techniques like phishing and keylogging may not yet be behind us, supply chain attacks are becoming more and more common. The EO raises security requirements for any software sold to the federal government and mandates that developers provide more transparency into their software and make security protocols public. Additionally, the EO establishes a public/private working group to continue to innovate and improve upon current security best practices in software development. Third, the EO creates a new “badge” or label that approved software developers can apply to their products in marketing literature, websites, etc., letting consumers and the greater public know that their product was developed in compliance with these new security standards.
A new cybersecurity safety board
EO 14028 creates a new board, co-led by private sector and government figures that will meet after a significant cyber event or breach to analyze the incident, learn from it, and make recommendations on how to mitigate future threats. Understandably, some organizations tend to “circle the wagons” and close off communication after breaches in an attempt to isolate and understand the full impact of the event before communicating about it. Being the victim of a cyberattack can feel embarrassing or like a failure for security professionals. This board aims to de-stigmatize cyberattacks and treat them like problems to be solved and lessons to be learned, rather than shameful scandals that should be hidden from the public for as long as possible.
Real timeline to zero trust
Perhaps the most impactful component of the EO is a real timeline towards agencies adopting Zero Trust architecture. Most security protocols assume that if you have the credentials to access a certain network, you can be trusted to work in it. Simply put, Zero Trust removes that assumption with multi-factor authentication and more expansive data encryption. Within 60, 90, and 180 days of the order being issued, agencies will be required to first, update their existing plans to adopt cloud technology. Then second, work with the Department of Homeland Security (DHS) and the General Services Administration (GSA) to develop and issue cloud-based security standards. And finally, actually adopt and implement some of the Zero Trust architecture described above.
Standard operating procedures for incident response
Many organizations have relied on internal policies and processes in the wake of cyber breaches that sometimes overlook critical elements in stopping the threat, minimizing impact, and performing post-event analysis. The EO establishes a set of standard operating procedures (SOPs) that government agencies will look to if they are breached. This playbook gives government entities their best chance to respond to attacks effectively with a mature, thoughtful approach based on guidance from the top security experts in the country. While the EO does not mandate that the private sector adopt these same SOPs, they will be available for non-government organizations to leverage as a model for their own security plans.
A new endpoint detection and response system
Analysis of recent cyberattacks on government networks has shown that the deployment of baseline cybersecurity tools and processes has often been inconsistent or too slow. EO 14028 establishes a new, government-wide Endpoint Detection and Response (EDR) system that gives greater visibility into detecting malicious activity and empowers more efficient data sharing across government in the event of a cyberattack.
Event log requirements
By now, the picture must be fairly clear that prior to President Biden signing this EO, responses to cyber-attacks varied greatly and lacked consistency. That inconsistency has been found to flow down to processes as specific as event logging. EO 14028 mandates that agencies adopt a consistent event logging process that will allow investigators and analysts to detect and disrupt attacks, minimize damage in cases of successful breaches, and identify trends when looking at events across multiple incidents.
While EO 14028 represents a significant challenge to government and their cybersecurity partners in the public sector, PacSec is uniquely positioned to help the federal government attain full compliance and stay ahead of the ever-evolving cyber threat, bringing more than two decades of experience defending cyber interests globally and delivering advanced capabilities honed from protecting the largest and most attacked mission-critical networks and assets using trusted AI/ML and full-spectrum cyber technologies. Our solutions and services ensure an adaptive defense strategy, sustainable threat protection, and a mature security posture. Our diverse portfolio of solutions delivers superior-quality, high-technology products and services to solve the world’s toughest challenges in the defense, intelligence, homeland security, civil, and health markets.
