Full Report
The Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity includes guidance on third-party risk management and on adopting proven security practices to gain visibility of security threats across network and cloud infrastructure. Here we highlight six key provisions and offer guidance on how federal agencies can prepare.

On Jan. 16, the Biden Administration released the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity. In an era of escalating threats, it is important for the U.S. government to take steps toward a more secure digital infrastructure. The EO comes in the wake of cyberattacks by threat groups backed by the People's Republic of China, including the Salt Typhoon campaign and, as recently as last week, the breach of the U.S. Department of the Treasury.

The EO is intended to build on President Joseph R. Biden's previous EO 14028. It focuses on the nation's ability to address key threats, defend against continued cyber campaigns targeting the United States and Americans, and ensure the security of the services and capabilities most vital to the digital domain.

As the Biden Administration comes to a close and President Donald J. Trump is sworn in on Jan. 20, it's important to remember that cybersecurity is not a partisan issue but a national security concern. As in our collaboration during the first Trump Administration, Tenable stands ready to engage with the incoming team to assess and defend critical networks in government and across the enterprise, to protect Americans and ensure the resilience of our critical infrastructure.

While the EO is aimed at government agencies, many of the principles behind it are equally relevant to private-sector organizations looking to improve their security posture. It includes guidance on third-party risk management, on adopting proven security practices to gain visibility of threats across networks and cloud infrastructure, and on securing communications networks. It also provides recommendations on combating cybercrime and fraud, promoting security with artificial intelligence (AI), and aligning policy to practice.

Below we highlight six key provisions of the EO and offer recommendations on how to prepare to meet the requirements.

6 key provisions of the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity

1. Operationalizing transparency and security in third-party software supply chains

The EO mandates that federal agencies adopt more rigorous third-party risk management practices to ensure the safety and security of the software providers operating within the federal government. It calls for:

- Software providers to submit secure software development attestations, and high-level artifacts that validate those attestations, to the Cybersecurity and Infrastructure Security Agency (CISA).
- The National Institute of Standards and Technology (NIST) to establish guidelines and security practices for safe and secure software procurement, which will be incorporated into the Secure Software Development Framework (SSDF) and ultimately into White House Office of Management and Budget (OMB) Memorandum M-22-18. The guidance will include practices, procedures, controls and implementation examples.
- Federal agencies to comply with NIST Special Publication 800-161 Revision 1 and integrate cybersecurity supply chain risk management (C-SCRM) programs into their broader risk management activities.
- CISA and the General Services Administration (GSA) to issue recommendations to agencies on the management of open source software.

How to prepare: Start with an inventory of all third-party providers working with your agency, then ask of each one: How much visibility do you have into the level of risk the provider presents? Is its software integral to your agency's ability to function? Can it access sensitive data, such as personally identifiable information (PII)? Does it give an attacker an opportunity to gain initial entry or to move laterally within your infrastructure?

2. Improving the cybersecurity of federal systems

This section of the EO focuses on adopting proven security practices to gain visibility of threats across networks and to strengthen cloud security. Key call-outs include:

- Identity and access management (IAM): IAM practices are critical and should be built into an agency's broader security strategy.
- Cloud security: To secure federal data in the cloud, the EO requires cloud service providers in the FedRAMP marketplace to produce baselines with specifications and recommendations for agency configurations of cloud-based systems.
- Space security: The security of space systems must keep pace with evolving threats. The EO directs agencies to continually verify that federal space systems have the requisite cybersecurity capabilities through continuous assessment, testing, exercises, and modeling and simulation.

How to prepare: Audit your identity and access management systems. Do user privileges factor into your overall risk profile? Consider how much access and visibility your security team has into your cloud infrastructure. Does your agency have continuous processes to manage identities and privileges across cloud environments? At what stage is security brought into your cloud deployments? It should be part of the entire lifecycle, from ideation through system development and deployment. Are you continuously monitoring IAM, cloud and (where applicable) space systems? Many third-party contracts pre-date supply chain risk management reviews; do your contracts account for security requirements and support?

3. Securing federal communications

The EO emphasizes the importance of protecting our communication networks from cyberattacks and sets out guidelines and procedures for securing federal communications. Key points include:

- Strong identity authentication and encryption must be implemented.
- Encrypting DNS traffic is critical.
- Email, as well as modern communications such as voice and video conferencing and instant messaging, must be encrypted in transit and, where practical, end-to-end.
- Quantum computers pose a significant risk to national security. Agencies should require post-quantum cryptography (PQC) in the applicable product categories that CISA will define.
- The federal government should protect and audit access to long-lived cryptographic keys. NIST will develop guidelines, and FedRAMP requirements will be updated to incorporate them.

How to prepare: Evaluate your identity authentication and encryption capabilities for every form of communication, from DNS to email. Are you following the NIST SP 800-63 Digital Identity Guidelines? Are there gaps in your systems that need to be addressed? Which product categories in your environment would require PQC? Ciphers that are not quantum-resistant will pose increasing risk as quantum computing matures, and encrypted traffic captured today can be stored and decrypted later, so an inventory of where and how cryptography is used is the practical first step.

4. Solutions to combat cybercrime and fraud

With growing demand for digital services, agencies need digital identity verification solutions that ensure secure access, enhance accessibility and prevent fraud. This section of the EO encourages the safe and secure use of digital identity documents to access public benefits programs that require identity verification. NIST will issue implementation guidance, and the Treasury will develop a pilot program to notify individuals when their identity information is used to request a payment from a public benefits program.

How to prepare: Evaluate your digital identity verification strategy. How are you preventing digital identity fraud? Which key performance indicators (KPIs) do you use to track the effectiveness of your program? Have you considered a more rigorous strategy that verifies identities at the front end, before access is granted? Are you using a holistic approach that validates multiple aspects of a person's identity?

5. Promoting security with and in artificial intelligence (AI)

AI is emerging as a significant factor in federal cybersecurity. The EO calls on the federal government to accelerate the development and deployment of AI for improving the cybersecurity of critical infrastructure. It also establishes a pilot program on the use of AI to enhance the cyber defenses of critical infrastructure and accelerates research at the intersection of AI and cybersecurity.

How to prepare: Evaluate how AI can be used within your security strategy to reduce risk. Do you have guidelines for using AI in your agency? Have you experimented with AI-based security tools? Are there ways AI can reduce the pressure on your security teams?

6. Aligning policy to practice

This section of the EO focuses on modernizing federal IT infrastructure and networks to better defend against cyberattacks and reduce cyber risk. It directs the development of guidance to help agencies share and exchange cybersecurity information, obtain enterprise-wide visibility, and prepare to be held accountable for enterprise-wide cybersecurity programs. It also promotes the adoption of evolving cybersecurity practices, such as the migration to zero trust, and ensures agencies can identify, assess and respond to the risk presented by IT vendor concentration.

How to prepare: Assess how much visibility you currently have into your IT infrastructure. Can you continuously assess vulnerabilities and misconfigurations in your on-premises and cloud environments, with the added context of identity and access privileges, so you always have an up-to-date view of your risk? Can you quickly generate reports to share with other agencies?

Conclusion

The Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity addresses some of the most pressing concerns in cybersecurity: the safety of the software supply chain, the need for improved visibility across systems such as identity and access management and cloud infrastructure, the protection of communications with end-to-end encryption, and the promise of AI as an aid to cybersecurity efforts. Its provisions offer a blueprint for improving cybersecurity in government agencies and sound guidance for private-sector organizations seeking to reduce cyber risk.
Analysis Summary
# Regulation/Compliance: Cybersecurity Executive Order for Federal Agencies
## Overview
This summary covers the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity (EO 14144, signed Jan. 16, 2025), which directs federal agencies and their suppliers to strengthen software supply chain security, identity and cloud security, encrypted communications (including post-quantum cryptography), digital identity anti-fraud measures, AI-assisted cyber defense, and enterprise-wide visibility, including the migration to zero trust.
## Key Details
- Issuing Authority: The President of the United States (Executive Office of the President), building on EO 14028.
- Effective Date: Signed Jan. 16, 2025; individual taskings to OMB, CISA, NIST, GSA, FedRAMP and the Treasury carry their own staggered deadlines.
- Jurisdiction: U.S. Federal Executive Branch agencies and, through procurement requirements, their software and cloud service providers.
- Status: In effect; implementing guidance and updated memoranda are being developed by the tasked agencies.
## Requirements
### Mandatory Requirements
1. **Software supply chain transparency:** Software providers must submit secure software development attestations, plus high-level artifacts that validate them, to CISA. NIST will issue secure procurement guidance that feeds into the Secure Software Development Framework (SSDF) and OMB Memorandum M-22-18; agencies must align cybersecurity supply chain risk management (C-SCRM) with NIST SP 800-161 Rev. 1; CISA and GSA will issue open source software management recommendations.
2. **Federal systems:** Identity and access management must be embedded in each agency's security strategy; cloud service providers in the FedRAMP marketplace must publish secure configuration baselines for agency use; federal space systems must be continuously assessed, tested and exercised.
3. **Communications security:** Strong identity authentication and encryption; encrypted DNS; email, voice and video conferencing and instant messaging encrypted in transit and end-to-end where practical; post-quantum cryptography in the product categories CISA defines; protected and audited access to long-lived cryptographic keys under forthcoming NIST and FedRAMP guidance.
4. **Digital identity and fraud:** NIST implementation guidance on accepting digital identity documents for public benefits programs, and a Treasury pilot that notifies individuals when their identity information is used to request a benefits payment.
5. **Policy to practice:** Guidance on sharing cybersecurity information and achieving enterprise-wide visibility and accountability; migration to zero trust; identification, assessment and management of IT vendor concentration risk.
### Recommended Practices
1. **Third-party inventory and contract review:** Inventory every provider, the data it can reach (for example, PII) and whether it could give an attacker entry or a lateral movement path; revisit contracts that pre-date supply chain risk reviews.
2. **Exposure management with identity context:** Continuously assess vulnerabilities and misconfigurations across on-premises and cloud assets together with identity and access privileges, so that risk reporting stays current.
3. **Machine-readable supply chain data:** Where vendors can supply software bills of materials (SBOMs) alongside their attestations, ingest them so that component-level inventory is available when a new advisory lands.
4. **Automation in remediation:** Automate patching and remediation workflows to shorten mean time to remediate (MTTR).
## Affected Organizations
- Industries: U.S. Federal Executive Branch Agencies.
- Organization Size: Not size-based; all covered agencies are subject regardless of size. Private-sector organizations are encouraged, not required, to apply the same principles.
- Geographic Scope: United States Federal Government IT infrastructure.
## Compliance Timeline
* **Immediate Action:** Inventory third-party providers and their access; audit identity and access management and cloud visibility; inventory where cryptography is used to scope the post-quantum migration.
* **Ongoing Requirement:** Collect and validate vendor attestations and artifacts; continuously assess vulnerabilities, misconfigurations and privileges; monitor IAM, cloud and (where applicable) space systems.
* **Final deadline:** Each provision carries its own deadline in the EO text and in follow-on OMB, CISA, NIST and FedRAMP issuances; the report does not enumerate them.
## Implementation Guidance
### Assessment Phase
- Inventory third-party software providers and assess each one's criticality, data access (including PII) and potential as an entry or lateral movement path.
- Audit identity and access management, determine at what stage security enters cloud deployments, and review contracts that pre-date supply chain risk management reviews.
### Implementation Phase
- Collect secure software development attestations and supporting artifacts from vendors and align the C-SCRM program with NIST SP 800-161 Rev. 1.
- Apply FedRAMP provider baselines to cloud configurations; encrypt DNS, email and real-time communications; plan post-quantum cryptography for the product categories CISA identifies.
- Advance the migration to zero trust and integrate vulnerability management that gives exposure visibility across on-premises and cloud assets, with security and IT collaborating on automated patching and remediation.
### Validation Phase
- Continuously monitor IAM, cloud and (where applicable) space systems and maintain an up-to-date, identity-aware view of vulnerabilities and misconfigurations.
- Be able to generate reports quickly for exchange with other agencies, in line with the EO's information-sharing and enterprise-wide accountability goals.
## Technical Requirements
1. **Zero Trust and identity controls:** Granular, identity-based access control with continuous management of privileges across on-premises and cloud environments (NIST SP 800-207 describes the reference architecture).
2. **Continuous assessment:** Vulnerability and misconfiguration scanning across the agency's attack surface (tools such as Nessus Expert are one option), with results enriched by identity and access context.
3. **Encrypted communications and cryptographic agility:** Encrypted DNS (DNS over TLS or DNS over HTTPS), transport and end-to-end encryption for email and real-time communications, an inventory of cryptographic use to plan the post-quantum migration, and audited access to long-lived keys.
4. **Software supply chain transparency:** A process to collect and validate vendor secure software development attestations and supporting artifacts, and to ingest machine-readable component data such as SBOMs where vendors provide it.
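One concrete piece of the supply chain transparency requirement is the intake step: an agency has to be able to parse what a vendor hands over and decide whether it is complete enough to act on. The following is an added example (not code from the page or from Tenable) of a minimal intake check for a CycloneDX JSON SBOM: it rejects input that is not CycloneDX, flags components missing the fields needed to track or match them, and matches package URLs (purls) against an advisory list. The SBOM document, the component names and the advisory identifier `CONSTRUCTED-ADV-001` are all constructed for the example; the `AFFECTED_PURLS` mapping stands in for whatever vulnerability feed the agency actually uses.

```python
"""Minimal SBOM intake check (added example; not from the original page).

Parses a CycloneDX 1.5 JSON SBOM, flags components that lack the fields an
agency needs to track them, and matches package URLs (purls) against a
constructed advisory list.  The SBOM and the advisory data below are
constructed for this example only.
"""
import json

# Constructed sample SBOM: three components, the last missing version,
# purl and supplier, which is what a thin vendor-supplied SBOM often looks like.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "supplier": {"name": "example-supplier-a"}},
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20",
         "supplier": {"name": "example-supplier-b"}},
        {"type": "library", "name": "legacy-parser"},
    ],
})

# Constructed advisory data keyed by purl; not a real vulnerability feed.
AFFECTED_PURLS = {
    "pkg:npm/lodash@4.17.20": "CONSTRUCTED-ADV-001",
}

# Without these an agency cannot answer "is this component in my estate and
# is it affected?" when an advisory arrives.
REQUIRED_FIELDS = ("name", "version", "purl", "supplier")


def parse_sbom(text: str) -> list:
    """Parse CycloneDX JSON and return its component list.

    Raises ValueError for anything that is not a CycloneDX document so that
    a malformed or differently formatted upload is rejected explicitly.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    components = doc.get("components", [])
    if not isinstance(components, list):
        raise ValueError("components must be a list")
    return components


def missing_fields(component: dict) -> list:
    """Return the required fields that are absent or empty in a component."""
    return [f for f in REQUIRED_FIELDS if not component.get(f)]


def evaluate_sbom(text: str, affected: dict) -> dict:
    """Produce an actionable intake result for one SBOM.

    incomplete: component name -> list of missing fields
    matches:    purl -> advisory identifier from `affected`
    accept:     True only when every component is complete and unmatched
    """
    components = parse_sbom(text)
    incomplete = {}
    matches = {}
    for c in components:
        missing = missing_fields(c)
        if missing:
            incomplete[c.get("name", "<unnamed>")] = missing
        purl = c.get("purl")
        # Match on the full purl (type, name and version) rather than name
        # alone so that a fixed version of the same package is not flagged.
        if purl and purl in affected:
            matches[purl] = affected[purl]
    return {
        "component_count": len(components),
        "incomplete": incomplete,
        "matches": matches,
        "accept": not incomplete and not matches,
    }


if __name__ == "__main__":
    print(json.dumps(evaluate_sbom(SAMPLE_SBOM, AFFECTED_PURLS), indent=2))
```

Run against the constructed SBOM, the check reports three components, one incomplete entry (`legacy-parser`, missing version, purl and supplier) and one advisory match on the lodash purl, and so does not accept the document. In practice the incomplete list is the feedback an agency returns to the vendor with the attestation request, and the match list is what feeds the remediation queue.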
## Penalties & Enforcement
* **Fines:** None. An executive order directs executive-branch agencies and carries no monetary penalties; non-compliance is handled through OMB oversight, required progress reporting and remediation direction rather than fines.
* **Other Consequences:** Shortfalls surface in agency reporting to OMB and Congress and in the accountability for enterprise-wide cybersecurity programs that the EO calls for.
* **Enforcement:** OMB, CISA and NIST implement the EO through memoranda, guidance and required reporting; FedRAMP incorporates the cloud baseline and key-management requirements into what it asks of cloud service providers.
## Related Standards
- **NIST SP 800-161 Rev. 1:** Cybersecurity supply chain risk management practices that agencies must integrate into broader risk management.
- **NIST SP 800-218 (SSDF) and OMB M-22-18:** The secure software development practices and attestation process the EO directs NIST and OMB to update.
- **NIST SP 800-63:** Digital Identity Guidelines for authentication and identity verification.
- **NIST SP 800-207:** Zero Trust Architecture, relevant to the migration the EO promotes.
- **EO 14028:** The 2021 order on improving the nation's cybersecurity that this EO builds on.
## Resources
- Official Documentation: The Executive Order text and the subsequent OMB, CISA, NIST and FedRAMP issuances it tasks (not reproduced in the report).
- Guidance Documents: NIST SP 800-161 Rev. 1 for supply chain risk management; NIST SP 800-63 for digital identity; the forthcoming CISA/GSA open source software recommendations and the CISA list of post-quantum product categories.
- Tools: Exposure management platforms and vulnerability scanners (such as those offered by Tenable) are suggested to meet the visibility requirements.
## Practical Recommendations
1. **Start with inventories:** Third-party providers and their access, identities and privileges across cloud environments, and cryptographic use; these inventories underpin nearly every provision of the EO.
2. **Enhance Visibility:** Deploy continuous, identity-aware assessment of vulnerabilities and misconfigurations across on-premises and cloud environments to support enterprise-wide reporting and information sharing.
3. **Engage Vendors:** Update contracts to require secure software development attestations and supporting artifacts (including SBOMs where applicable) and to cover security requirements and support.
4. **Improve MTTR:** Automate patching and remediation so that findings from continuous assessment are closed quickly.