CYBERSECURITY: Implementation of Executive Order Requirements Is Essential to Address Key Actions
SCALE
-
-
An average of approximately 31,492 incidents per year for fiscal years 2017 through 2022 were reported by responsible Government bodies. In fiscal year 2022, agencies reported experiencing 30,659 incidents.
COMPLIANCE FOCUS
-
-
The Federal Information Security Modernization Act of 2014
-
-
Executive Order 14028
-
-
National Cybersecurity Strategy and its associated implementation plan
PERFORMANCE ASPECT
-
-
leadership and oversight requirements
-
-
addressing challenges identified in implementing the Order
DEFINING what should be considered “critical software”; IDENTIFYING key practices that enhance the security of supply chain software; supplying contract LANGUAGE to require agency supply chain partners to perform these key practices. [And in longer term:] develop GUIDELINES that contain criteria for evaluating the software security practices of developers and suppliers; require developers and suppliers to identify TOOLS for demonstrating conformance with secure practices to agencies and others that purchase the software.
the implementation plan gave responsibility to agencies in areas such as harmonizing baseline cyber requirements for critical infrastructure and further designating federal agency responsibilities for coordinating the activities of critical infrastructure sectors. If effectively implemented, the strategy and implementation plan could potentially address the challenge of cybersecurity risks to critical infrastructure.
focus on government-wide implementation of technologies generally considered to be emerging technologies, as part of improving overall federal cyber resilience . For example, the order directs agencies to use zero trust architecture practices to facilitate more secure use of cloud technologies. The order requires implementation of pilot programs to inform the public on the security capabilities of Internet of Things devices and software development practices. It also requires the adoption of endpoint detection and response approaches to detect, hunt, and respond to cyber incidents
collection and dissemination of incident data. Specifically (…) remove communication barriers between service providers by detailing when service providers must record and share information on cyber threats and incidents with agencies. (…) develop a standard playbook to be used by agencies when planning and conducting cybersecurity vulnerability and incident response activities.
Lack of a “cyber culture” where agencies prioritize cybersecurity as an essential part of agency mission and operations. [Chief information security officers] considered this area as one of the most significant and challenging to implement overall. (…) agencies were left alone to develop and maintain their own cyber capabilities, despite other agencies across the government sharing the same objectives. (…) The order requires leadership and oversight agencies to collaborate with agency heads to enact several of its requirements, such as the implementation of multifactor authentication and encryption, and appropriate processing and storage solutions for each agency’s sensitive data.