How the Executive Order might impact your organization
On May 12, 2021, the President issued the Executive Order on Improving the Nation’s Cybersecurity (Executive Order). Although the Executive Order focuses on Federal Civilian Executive Branch (FCEB) agencies, it also looks to help secure the federal supply chain. Understanding the potential longer term potential impact that the Executive Order has for commercial entities can help you get a head start on securing your environment.
What Commercial Entities Need to Know About the Executive Order
Commercial entities may not be entirely exempt from the Executive Order’s requirements. Depending on your company’s industry vertical, you may have stringent requirements to follow. For example, technology companies in the supply chain may need to offer greater transparency into their software.
In the alternative, even companies not supply technology may need to gain greater visibility into how their technology stack can compromise the supply chain.
Three sections of the executive order should give organizations pause:
- Establishment of Cyber Safety Review Board
- Improving detection of vulnerabilities and incidents
- Creation of Software Bill of Materials (SBOM)
Section 5: Cyber Safety Review Board
The creation of the Cyber Safety Review Board indicates a move toward creating an overarching set of best practices that will reach down through the entire supply chain. As outlined in the Executive Order, the Cyber Safety Review Board will set cyber evaluation criteria and thresholds for the types of cyber events that need evaluation.
According to the Executive Order, the Cyber Safety Review Board will consist of:
- It consists of Federal intelligence agencies
- Cybersecurity Infrastructure and Security Agency (CISA)
- Department of Justice (DOJ)
- Private-sector cybersecurity and software companies
Regardless of whether your company sits in the FCEB supply chain or not, the integration of security agencies and private-sector partners will likely have a more significant impact. The inclusion of private-sector software companies will likely include those that deliver business-critical applications and operating systems. Fundamentally, this has ramifications for commercial enterprises outside the FCEB supply chain.
Section 7: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
This section focuses on the need for FCEB agencies to manage endpoint vulnerability risk and use Endpoint Detection and Response (EDR) tools to enhance threat detection across federal networks.
Additionally, this section incorporates enhanced information sharing under the Continuous Diagnostics and Mitigation (CDM) Program.
Setting a series of best practices at the federal level hints at standardization across the private sector.
Software Bill of Materials
One of the furthest reaching portions of the Executive Order, the Software Bill of Materials (SBOM), will be a formal record of all components used in building software. Its goal is to enable companies to trace third-party software components, like open-source code, to ensure that software reflects and responds to newly discovered vulnerabilities.
Fundamentally, this aligns with current hardening practices. However, from the enterprise perspective, this can be a two-fold concern:
- First, software companies will need to monitor their source code and open-source code repositories continuously.
- Second, commercial enterprises will need to perform vulnerability or license analysis during risk evaluation continuously.
The Future is NIST
The Executive Order tasks the National Institute of Standards and Technology (NIST) is drafting standards to meet Executive Order compliance requirements, including new Zero Trust best practices.
Additionally, CISA will be heavily involved, which means that NIST Special Publications will continue to guide Executive Order compliance, the way it drives CDM compliance.
Finding lower-level technical controls that align with these will be the easiest way to streamline compliance and start preparing for the future.
Security Lies in Configurations
Fundamentally, meeting the new requirements driven by the Executive Order will mean setting security baselines and maintaining secure configurations.
As you look into the compliance crystal ball, building on the foundation of NIST 800-53 gives you a way to think about the future by starting with the past. Given the short 60-, 90-, and 180-day timelines contained in the Executive Order, FCEB agencies won’t start from scratch, and this means neither should you.
Relying on checklists and baselines like Security Technical Implementation Guides (STIGs) and CIS Benchmarks give you a way to get a head start with best practices.
Automation to Mitigate Supply Chain Risk
Whether or not your commercial organization is within the FCEB supply chain, you should be aware of the changes coming. Likely, the federal supply chain’s reach will lead to long-term changes in how companies need to monitor and document security.
SteelCloud’s ConfigOS automation streamlines technical control configuration management. Our solution scans your environment, remediates conflicts, and documents waivers in the span of a few hours. Get your team up and running with our easy-to-use solution in four hours, even without deep technical knowledge.
Leave a comment