Issued in May 2021, the announcement of President Biden’s Executive Order on Cybersecurity made big headlines because it facilitates the exchange of information among federal agencies and the private sector. Specifically, the Biden Executive Order requires government suppliers to share cyber incident and threat information with applicable government agencies and extends the data exchange to the private sector. To accomplish this, one of the first goals of the order was to establish a review board to focus on significant cyber events that occur in the public and private sectors.
The impetus for the creation of this board was the increased threats against America’s infrastructure such as the attack on the Colonial Pipeline and the SolarWinds compromise that raised awareness of the impact a supply chain attack could have on our nation. These incidents in recent years led to the conclusion that cybercrime is clearly a national security threat that must be addressed.
What is the Cyber Safety Review Board’s Purpose?
This board created as a result of the Biden Executive Order on cybersecurity is called the Cyber Safety Review Board (CSRB). It now reviews major cyber incidents and makes recommendations for improvement. The board operates under the guidance of the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security (DHS) and consists of members from the private and public sectors. The CSRB’s goal is to acquire valuable information on how to defend against cyber threats and share that knowledge to improve overall national cybersecurity.
Who are the Board Members?
Current board members are from cybersecurity concerns such as Google, Microsoft, and Palo Alto Networks as well as government agencies. Current members include:
- Heather Adkins, Senior Director, Security Engineering, Google (Deputy Chair)
- Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator and Co-Founder and former CTO of CrowdStrike, Inc.
- John Carlin, Principal Associate Deputy Attorney General, Department of Justice
- Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
- Chris Inglis, National Cyber Director, Office of the National Cyber Director
- Rob Joyce, Director of Cybersecurity, National Security Agency
- Katie Moussouris, Founder and CEO, Luta Security
- David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
- Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
- Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
- John Sherman, Chief Information Officer, Department of Defense
- Robert Silvers, Under Secretary for Policy, Department of Homeland Security (Chair)
- Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
- Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
- Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks
The CSRB’s focus on centralizing information provides a comprehensive assessment of vulnerabilities, how they are exploited, and what can be done to prevent them.
What Has the CSRB Accomplished in its First Year?
When Biden’s Executive Order on Cybersecurity was initially issued, the board’s first task was to assess the cyber activities of December 2020 which included the SolarWinds compromise. Since its initial creation, the board’s focus has shifted to the Log4j flaw (CVE-2021-44228) which has been assigned a CVSS score of 10 and a MITRE value of Critical.
What Is Log4j?
Log4j is a Java-based logging utility that is widely used in front-facing applications. The logging library was developed by the Apache Software Foundation and is an open-source solution. The flaw allows hackers to execute code on vulnerable machines or compromise applications that use Apache’s Log4j utility.
Why is the Board Investigating?
Log4j has been widely used as a logging library for web-based applications. Organizations of all sizes from Amazon and IBM to an independent website designer use the library, making its potential impact far-reaching. CISA has recommended mitigation tactics and Apache has issued patches. However, new vulnerabilities connected to Log4j are being identified. Since the CSRB lacks the ability to require companies to submit information, the board is constrained in its ability to provide a comprehensive evaluation. However, it plans to deliver its report this summer which is expected to provide the following:
- Assessment of threats associated with the Log4j library
- Review of actions taken during attacks
- Outcomes of defense strategies
Some critics of the CSRB believe it should operate like the National Transportation and Safety Board (NTSB) where accidents must be reported and cooperation is required by law. Many believe that organizations will limit their reporting of cyber events to minimize financial and reputational impacts, making a comprehensive analysis impossible. We’ll have to give the CSRB time to share its upcoming report to determine if its lack of subpoena power is indeed a hindrance to successfully achieving its goals.
What Else Has Biden’s Cybersecurity Executive Order Achieved?
Biden’s Cybersecurity Executive Order listed 46 actions to be carried out by the federal departments of Commerce, Homeland Security, Defense, Office of Management and Budget, National Security Agency, the Federal Bureau of Investigation, and other government entities. Many of these actions were designed to strengthen the nation’s cyber defenses.
Of the 46 identifiable actions, 19 have been addressed. Most efforts have focused on defining requirements and creating infrastructures that:
- Recommend Logging Requirements. DHS was to develop a list of requirements for logging events and retaining the data.
- Enhance Software Supply Chain Security. The National Institute of Standards and Technology (NIST) was to identify existing tools that improve software supply chain security. Where needed, NIST should develop new standards for tools.
- Recommend Detection and Response Options. CISA was to recommend ways to implement extended detection and response capabilities.
- Identify Required Components of Incident Reports. DHS and the NSA were to define the components of an incident report.
- Define Critical Software. NIST, NSA, CISA, OMB, and national intelligence were to define what’s classified as critical software.
- Provide Minimal Requirements for Software Bill of Materials. The Department of Commerce was to publish a list of the elements required in sBOMs.
- Outline Security Measures for Critical Software. NIST and CISA were to outline what security measures should be present in critical software.
- Minimum Standards for Source Code Testing. NIST and NSA were to deliver a document that stipulates the minimum testing standards a vendor’s source code must meet.
- Standardize Contract Language for Cybersecurity Requirements. CISA and NSA with help from OBM were to review existing cybersecurity requirements and recommend standardized contract language for their implementation.
- Define Cloud-Service Governance Framework. CISA was to develop and issue a cloud-service governance framework.
- Stipulate a Diagnostics and Mitigation Program. CISA should have access to agency data relevant to cybersecurity analysis including object-level data.
- Publish Security Principles for Cloud Computing. CISA was required to develop security principles for cloud service providers with a specific focus on zero-trust architecture.
These efforts set the groundwork for developing stronger security standards moving forward.
The remaining activities continue to form the foundation for meeting the primary objectives of the Biden Executive Order on Cybersecurity. These goals are will harden national security defenses by:
- Removing barriers to data sharing
- Modernizing cybersecurity standards in the federal government
- Improving software supply chain security
- Creating a standard for responding to cyber events
- Improving the federal government’s detection, investigation, and remediation capabilities
Standardizing cybersecurity requirements throughout the federal government can minimize the burden contractors carry when working for multiple government agencies. It also facilitates the analysis and containment of cyber incidents because data is easily shared in a common format. Through collaboration and cooperation, the federal government will ensure its national security.
Does Biden’s Executive Order Impact Government Contractors?
People have differing opinions on how Biden’s order will impact the DoD’s Cybersecurity Maturity Model Certification (CMMC) framework. Some analysts see the order delaying the implementation of CMMC as the DoD works to incorporate new standards. Others view the order as reinforcing what the CMMC is trying to achieve. A few even suggest that the CMMC may become the maturity model for all government agencies working with small businesses.
What is CMMC?
CMMC is a security standard to ensure the protection of classified and unclassified protected information from cyberattacks. A maturity model assumes that organizations are at different maturity levels of cybersecurity. The model starts with the minimal acceptable level of security and provides guidance on how companies can progress to the next level. The ultimate goal is to achieve and maintain a strong security framework. CMMC was initially released in late 2019; however, CMMC was overly complex and difficult to correlate to other government standards. The accreditation and certification components were not implemented, so the DoD began work on CMMC 2.0. According to the CMMC director, the DoD plans an interim rule release in May 2023 with CMMC requirements appearing in contracts 60 days later.
What Does the Executive Order Mean to CMMC?
At this point, the Executive Order’s impact on CMMC is unknown. Some delays may be possible as the DoD tries to incorporate mandated changes into its standard. For now, businesses should pursue their CMMC 2.0 cybersecurity compliance with the knowledge that some adjustments may be necessary, especially in the area of data sharing.
Will Biden’s Executive Order Impact Private Businesses?
Biden’s Executive Order may not directly impact every private business; however, it requires any company doing business with the federal government to comply with the updated security standards. Organizations that supply goods or services to businesses that are government contractors must also meet security standards. One goal of the Executive Order is to secure the US supply chain. The Biden Executive Order does provide insight into four areas that could impact private businesses. These include:
- Cloud Technologies. The Executive Order prioritizes the adoption and use of cloud technologies for storing data. It also encourages the deployment of security tools for cloud-based architectures.
- Data Logging. Policies for data logging, retention, and management are to be created to ensure access to critical data during and after a cyberattack. Most companies do not retain logs for more than 30 to 90 days. Yet it takes over 200 days on average to detect a breach or compromise. Businesses should reassess their data retention policies.
- Software Supply Chain Security. Enhanced security standards will be established for all vendors providing software to the federal government. You should ensure that the software vendors that you use are adhering to stringent security standards.
- Incident Reporting. Government agencies must adhere to a federally approved incident response plan that outlines actions to follow during a significant cybersecurity event. Companies should develop an incident response plan or reassess their existing ones.
As businesses look to improve their security posture, they should keep these areas in mind as they could become requirements in the future. Contact us today to learn about the benefits of working with a trusted cybersecurity partner.
How to Stay Informed on Progress of Biden’s Executive Order
The CSRB does not have a website. Information pertaining to the board’s actions can be found on the CISA website. Here, you will find updates on CRSB board members as well as general and media resources. Additionally, most government agencies have a section on their website regarding cybersecurity measures. Updates regarding the executive order may be presented there. It can get difficult to find updated information when it’s shared across multiple government websites. The reality is that talking with someone with deep knowledge in the field of cybersecurity is just easier. Let’s talk soon to get you up to speed on cyber compliance areas to focus on to protect your business.