Executive Order on Improving the Nation's Cybersecurity
Executive Order Key Points
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector
- The EO ensures that IT Service Providers are able to share information with the government and requires them to share certain breach information.
- Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
- The EO helps move the Federal Government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption within a specific time period.
- Improve Software Supply Chain Security
- The EO will improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.
- It also creates a pilot program to create an "energy star" type of label so the government — and the public at large — can quickly determine whether software was developed securely.
- Establish a Cyber Safety Review Board
- The EO establishes a Cyber Safety Review Board, co-chaired by government and private sector leads, with the authority to convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. The board is modeled on the National Transportation Safety Board, which investigates airplane accidents and other transportation incidents.
- Create Standardized Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- The EO creates a standardized playbook and set of definitions for cyber vulnerability and incident response by federal departments and agencies. The playbook will ensure all federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat, and it will serve as a template for the private sector to use in coordinating response efforts.
- Improve Detection of Cybersecurity Incidents on Federal Government Networks
- The EO improves the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response (EDR) system and improved information sharing within the Federal Government.
- Improve Investigative and Remediation Capabilities
- The EO creates cybersecurity event log requirements for federal departments and agencies to improve an organization's ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact.
CISA's Role in the EO
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector
- CISA will work with OMB to recommend contract language that makes sharing critical data easier, including breach notification thresholds and frameworks, and requires implementation of improved security measures across federal contractors.
- CISA and our interagency partners will also develop procedures for ensuring that cyber incident reports are shared quickly among federal agencies, enabling faster response.
- Modernizing and Implementing Stronger Cybersecurity Standards across the Federal Government
- Cloud security is critical to the security of our federal networks. To improve our cloud security, CISA will support efforts ranging from developing a federal cloud security strategy and a cloud service governance framework to refining the process for coordination and collaboration on cybersecurity and incident response for cloud technology, fostering a better understanding of roles and responsibilities as well as greater visibility.
- CISA will also work with the General Services Administration (GSA) and OMB to modernize the Federal Risk and Authorization Management Program (FedRAMP) to help agencies implement a standardized approach to cybersecurity that takes into account the rapidly changing threat landscape and facilitates agility in solution adoption.
- Stronger cybersecurity standards must be built in at all levels of an agency's planning. Through the EO, CISA will use its authority to drive adoption of multifactor authentication and encryption for data at rest and in transit within six months, and will also work with NIST as they develop an initial list of secure software development lifecycle standards for software purchased by the Federal Government and minimum testing requirements for software source code.
- Improve Software Supply Chain Security
- Recent incidents have highlighted the importance of the integrity of our software supply chain. The EO directs CISA to leverage our organic expertise to assist NIST in not only developing criteria for designating "critical software" and guidelines for required security measures for all software used by the Federal Government, but in also facilitating a national dialogue on the security of software used by federal agencies because strong cybersecurity is truly a collective effort.
- We will assist the Department of Commerce in the development of a software bill of materials requirement for products eligible for federal procurement and provide support to the FAR Council in developing regulations for the procurement of software for the Federal Government.
- Finally, CISA will build on our deep experience to assist the Federal Trade Commission in developing pilot programs to provide guidance and tools to the public on the security of internet of things (IoT) devices and software development practices.
- Establish a Cyber Safety Review Board
- CISA will support the establishment of the Cyber Safety Review Board. The Board will review actions related to Federal Government cybersecurity incidents and related supply chain compromise activity and provide the Secretary of Homeland Security with recommendations for improving cybersecurity and incident response practices.
- Create Standardized Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Being prepared and formalizing a standardized plan for how the Federal Government responds to cyber vulnerabilities and incidents will continue to improve the speed and efficiency with which we can respond to cyberattacks. The EO directs CISA to develop an interagency playbook to lay out actions to be taken and specific roles and responsibilities across the interagency.
- Improve Detection of Cybersecurity Incidents on Federal Government Networks
- Early detection of anomalous activity on a federal network means that we can assess the activity immediately, investigate the cause, share information, and activate a response sooner. Under the improved-detection pillar of the EO, CISA will work with agencies to provide additional insight for the Continuous Diagnostics and Mitigation (CDM) Program; continue the implementation of the persistent cyber hunt, detection, and response capability that was authorized in the most recent National Defense Authorization Act; and work with OMB to ensure that new EDR efforts are adequately resourced and implemented across agencies.
- Improve Investigative and Remediation Capabilities
- Understanding the anatomy of an incident is critical both to mitigating its impacts and to stopping future attacks that use the same tactics, techniques, and procedures.
- CISA will support OMB in developing and issuing a policy requiring logging, log retention, and log management across federal agencies to improve visibility across the federal landscape.
- Building on the need for increased visibility into the movements in and out of federal networks, CISA will also work with OMB to design and facilitate the implementation of EDR tools, funded in part by the American Rescue Plan (ARP).
Section 3(c)(ii): Cloud Security Technical Reference Architecture
CISA, in collaboration with the United States Digital Service (USDS) and FedRAMP, developed the Cloud Security Technical Reference Architecture (TRA) in accordance with Section 3(c)(ii) of Executive Order 14028. As the Federal Government continues to transition to the cloud, this TRA will be a guide for agencies to leverage when migrating to the cloud securely. The document explains considerations for shared services, cloud migration, and cloud security posture management.
Zero Trust Maturity Model
Executive Order (EO) 14028, "Improving the Nation's Cybersecurity" pushes agencies to adopt zero trust cybersecurity principles and adjust their network architectures accordingly. To help this effort, the Cybersecurity and Infrastructure Security Agency (CISA) developed a Zero Trust Maturity Model to assist agencies as they implement zero trust architectures. The maturity model complements the Office of Management and Budget's (OMB) Zero Trust Strategy, designed to provide agencies with a roadmap and resources to achieve an optimal zero trust environment.
CISA's Zero Trust Maturity Model is one of many roadmaps for agencies to reference as they transition towards a zero trust architecture. The maturity model, which includes five pillars and three cross-cutting capabilities, is based on the foundations of zero trust. The maturity model assists agencies in the development of their zero trust strategies and implementation plans and presents ways in which various CISA services can support zero trust solutions across agencies.
Applying Zero Trust Principles to Enterprise Mobility
Among several measures, President Biden's Executive Order on Improving the Nation's Cybersecurity (EO 14028) requires federal civilian agencies to establish plans to drive adoption of Zero Trust Architecture. The Office of Management and Budget (OMB) issued a zero trust (ZT) strategy document in response to the Cybersecurity EO that requires Federal agencies to achieve certain specific ZT goals by the end of Fiscal Year 2024.
To support federal agencies and other organizations on their journey toward zero trust, CISA has published Applying Zero Trust Principles to Enterprise Mobility. This new publication highlights the need for special consideration for mobile devices and associated enterprise security management capabilities due to their technological evolution and ubiquitous use.
Section 6: Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Working together across all federal government organizations has proven to be an effective model for addressing vulnerabilities and incidents. To this end and pursuant to Section 6 of E.O. 14028, CISA has developed two playbooks: one for incident response and one for vulnerability response. These playbooks provide the federal enterprise with a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting Federal Civilian Executive Branch (FCEB) systems, data, and networks. Building on lessons learned from previous incidents and incorporating industry best practices, these playbooks evolve the federal government's practices for cybersecurity response by standardizing shared practices that bring together the best people and processes to drive coordinated actions. Although select processes contained in the playbooks apply only to federal agencies, the broader incident and vulnerability response practices described are useful to all organizations in both the public and private sectors.
The standardized processes and procedures described in these playbooks:
- Facilitate better coordination and effective response among affected organizations;
- Enable tracking of cross-organizational successful actions;
- Allow for cataloging of incidents to better manage future events; and
- Guide analysis and discovery.
Agencies should use these playbooks to help shape overall defensive cyber operations to ensure consistent and effective response and coordinated communication of response activities. These playbooks enable FCEB entities to focus on criteria for response and thresholds for coordination and reporting. A standardized response process ensures that agencies, including CISA, can understand the impact of confirmed malicious cyber activity as well as critical and dangerous vulnerabilities across the federal government.
- The Incident Response Playbook:
- Provides a standardized response process for cybersecurity incidents and describes that process through the completion of the incident response phases as defined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev. 2.
- Describes the process FCEB agencies should follow for confirmed malicious cyber activity for which a major incident has been declared or not yet been reasonably ruled out.
- The Vulnerability Response Playbook:
- Standardizes the high-level process agencies should follow when responding to urgent and high priority vulnerabilities, but it should not be considered a replacement for existing vulnerability management programs.
- Addresses vulnerabilities that could be observed by the impacted agency, CISA, industry partners, or others in the related mission space.
Additional Resources
- M-21-31 Operational Guidance
- Executive Order on Improving the Nation's Cybersecurity
- Statement from CISA Acting Director Wales on Executive Order to Improve the Nation's Cybersecurity and Protect Federal Networks
- FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation's Cybersecurity and Protect Federal Government Networks
- No Trust? No Problem: Maturing Towards Zero Trust Architectures
- Cloudy With a Chance of Migration: Helping Agencies Make the Move to the Cloud
- CISA Releases the Cloud Security Technical Reference Architecture and Zero Trust Maturity Model for Public Comment