On May 12, U.S. President Joe Biden signed an executive order that is intended to help modernize the federal government’s cybersecurity practices. This sweeping announcement follows last week’s Colonial Pipeline cyberattack, as well as other security challenges that have affected federal agencies in the past several months including the SolarWinds hack, an Exchange Server vulnerability, and a Russian espionage operation.
The 34-page document, which is unusually long for an executive order, highlights a number of important requirements. Here are three key takeaways:
Expect the order to impact both the public and private sectors
The most immediate and obvious impact of this executive order will be on U.S. federal agencies, which it addresses directly. Private sector organizations in the U.S. and around the world are likely to be affected as well, because the order has been crafted with an eye toward establishing cybersecurity standards for companies that sell software services to the federal government. As many software vendors seek to sell to the U.S. Government, and still others supply technology to those vendors, we expect to see a trickle-down effect from this order that is broader than its initial focus.
Identity is becoming the new perimeter
The traditional perimeter remains an important defense against a cyberattack, but the proliferation of devices and work-from-home has placed significant stress on this security stalwart. The fact that multifactor authentication and identities are specifically called out in the executive order simply reinforces that the White House sees them as a critical component of a pragmatic, modern security strategy. To lock down and protect your organization in today’s environment, you need to recognize which identities must be protected, and then apply, manage, enforce, and report on the policies associated with them. This will help optimize your defense, slow down hackers if they gain access to your network, and lock away privileged accounts. As the order summarizes: there should be multiple ways to confirm identity and detect cyber threats rather than depending primarily on firewalls to keep hackers out.
Zero Trust is becoming a must-have
A supplementary White House fact sheet states: “The Executive Order helps move the Federal government to secure cloud services and a Zero Trust architecture, and mandates deployment of multifactor authentication and encryption with a specific time period.” That Zero Trust is so prominently called out is telling. This practice of eliminating vulnerable permissions and unnecessary and excessive access in favor of granular, specific-rights delegation and provisioning helps protect the organization on an ongoing basis as variables change, further reducing risk and limiting potential damage. As the FedScoop article stated this week: “Zero Trust security is no longer just an option for federal agencies.”
While policy is not a panacea, this executive order issued by the White House to bolster the United States’ cybersecurity practices is an important step forward in helping protect what matters most to the U.S. and its citizens, and we applaud the spirit and recommendations.
- Executive Order on Improving the Nation’s Cybersecurity (The White House)
- FACT SHEET: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks (The White House)
- Biden cyber executive order reignites push to cloud, zero trust (FedScoop)