EO: Halfway to Implementation
Biden's cyber Executive Order: Halfway to implementation
In mid-August, federal agencies passed the 90-day threshold to take action on the second set of requirements of President Biden’s executive order (EO) on cybersecurity. Signed in May of this year (2021), the EO gives agencies three key waypoints (60, 90, and 180 days) from the date of signing, giving agencies both a framework and set of deadlines towards implementing a number of modernized cyber protocols. In a previous post, we broke down the details included in the first 60-day period and shared some off-the-record anecdotes we’ve heard from cyber experts and industry observers around the first stage outlined in the EO. In this entry, our goal is the same; to share more specifics of the actions agencies are required to execute at the 90-day mark and also to include some observations we’ve made as agencies move into the second half of this process and look towards the final stage at 180 days: full implementation.
Standardized after-incident reporting
Whereas the first and final stages outlined in the EO at 60 and 180 days place a great deal of action at the feet of rank-and-file agencies of all ilk, interestingly, the 90-day threshold earmarks most of the major actions at this stage for agencies in the executive branch. For example, the first item we’ll look at falls to the responsibility of the Department of Defense (DOD), National Security Agency (NSA), Attorney General’s office (AG), Department of Homeland Security (DHS), and the Office of the Director of National Intelligence (ODNI). The executive office at each of these agencies is mandated to “jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies.” Many industry observers see this mandate as a potential “sleeper” pick for items in the EO with the greatest potential for immediate impact. Put differently, while an order to formalize a reporting process may not turn heads, it is a badly needed layer of accountability that can have an impact far beyond administrative convenience—more on that below.
While these reporting standards have not yet been released at the time of this writing, we will update this space with relevant links and/or analysis when these guidelines for consistent reporting become available.
Cloud security strategy & reference materials
Again, in the second portion of the 90-day requirements that we’re highlighting here, the EO mandates that a handful of larger executive agencies work together to form a plan that can then filter down to the rest of the government. In this case, the agencies responsible are the Office of Management and Budget (OMB), DHS, the Cybersecurity and Infrastructure Agency (CISA), and the General Services Agency (GSA). This mandate revolves around developing a cloud security strategy that can be applied uniformly across the federal government. Not only does the EO require these agencies to create a strategic plan, but also to provide reference material, technical documentation, architecture schematics, and detailed instructions illustrating best-practice methods for cloud migration and data protection. In other words, this section lays out “what to do” in terms of cloud security and also “how to do it.”
Again, neither the details of this plan or the relevant documentation are available at the time of this writing, but we will be eagerly awaiting those details and will update this article as soon as those specifics become available.
Incident response collaboration plan
Finally, the second phase of EO compliance marked at 90-days after signing lays out a requirement for the heads of DHS, CISA, AG, FBI, and GSA to develop a framework for a response plan that keys on collaboration between agencies in the event of cyber-attacks. This plan is not only intended to create clear paths for inter-agency communication and data-sharing but it is also required to include a way for Cloud Service Providers (CSPs) in the public sector to play an important part in responses as well.
Standardization means risk & consequences for attackers
The ideas here around standardization and a consistent, government-wide approach to reporting, cloud security, and cyber incident responses, while not necessarily easy to execute, probably seem fairly elementary. In other words, it’s hard to imagine a cogent argument for why the government should not standardize protocols outlined by the top cyber minds in the world. But as PacSec leaders have conversations with industry colleagues and customers in government alike, it has become clear that standardization is not simply an administrative exercise meant to create efficiencies and improve reporting to senior leaders. No, in fact, the process of standardizing cyber protocols as outlined at the 90-day threshold has much more kinetic potential: it creates the specter of real risk and speedy consequences for cyber attackers should they continue to engage in malicious activity. When we consider that the U.S. intelligence community (IC) as well as domestic law enforcement agencies like the FBI, have considerable, full-spectrum cyber capabilities of their own, the picture starts to become clear. If the government can’t provide concise, accurate, and standardized responses to cyber-attacks, the ability to respond, punish and deter becomes that much harder for American cyber warriors. When this component of the EO is completed successfully, American cyber countermeasures stand a much greater chance of success and malicious cyber actors will be forced to think twice before their next attack.
Stay tuned for more material breaking down the EO and how PacSec can help your organization cruise to the implementation finish line in another just 90 days from now.
