Explained: Executive Order on Improving the Nation's Cybersecurity

It's often said that government policies can't keep up with technology. Yet, in a time where technology evolves quickly, cybersecurity is growing in importance to stand up against increasingly sophisticated malicious attacks. 

In May of 2021, under President Biden, the White House issued an executive order to improve the nation's cybersecurity. While the order with issued over a year and a half ago, the implications are just as important today. 

In this article, we'll review the cybersecurity executive order and talk about what it means for you. 

What is The Executive Order on Improving the Nation's Cybersecurity? 

Executive Order 14028, issued by President Biden on May 12, 2021, was designed to improve the nation's cybersecurity efforts.  

This executive order was prompted by the 2021 Colonial Pipeline hack that caused a fuel shortage and $5 million in ransom being paid. The order requires government agencies to strengthen cybersecurity and the software supply chain. 

While this executive order mainly affects government agencies and federal contractors, the repercussions are expected to trickle down to the private sector. 

Let's take a look at some of the key points from the executive order and what they mean for you: 

Improvements to Better Detect, Report, and Remediate Cybersecurity Risks 

The executive order aims to bring transparency and communication to federal groups and systems – including contractors. 

Some examples of this include: 

• Requiring IT service providers to share data breach information that could have an impact on government networks 
• Create and government-wide detection and response system to share information on malicious cyberactivity 
• Establishes a cybersecurity event log and requires federal departments and agencies to use it when addressing a cyber incident 

What It Means For You 

These points in the executive order will affect government agencies and federal contractors. Contractors and IT service providers (for both on-premises systems and connections hosted by third parties, such as cloud service providers) will be required to collect and share information related to cyber threats, vulnerabilities, and incidents to share with government agencies for investigations and, when necessary to address a cyber incident. 

Modernizing The Federal Government's Cybersecurity and Supply Chain Software 

In addition to the emphasis on transparency of information, the executive order works to modernize cybersecurity software. 

Some examples of this include: 

• Increasing the government's adoption of security best practices, such as employing a zero-trust security model, accelerating the move to secure cloud services, and deploying foundational security tools 
• Improving software security by establishing security standards for developing software sold to the government — including requiring developers to make security data publicly available. 
• Encourage the standards being implemented for the government to incentivize the market by creating a pilot program to create an "Energy Star" type of label so the government and the public can quickly determine when the software was developed securely 

What It Means For You 

This executive order identifies Zero-Trust Security Requirements as a key adoption for success. Therefore, federal contractors need to learn and adopt zero-trust security protocols or alternative requirements in NIST requirements (NIST 800-53 (FedRAMP), NIST 800-171 (CMMC)). 

NIST Special Publication 800-53 requires “the developer of the system, system component, or system service to provide the following training on the correct use and operation of the implemented security and privacy functions, controls, and/or mechanisms.” This means developers should get application security training while giving organizations the freedom to choose the modality of the training. 

For added security in the software supply chain, providers of commercially off-the-shelf (COTS) and non-COTS software will need to meet compliance against requirements including: 

• separate build and development environments 
• mapping and monitoring dependencies and interactions between systems 
• conducting and remediating vulnerability scans before release 
• voluntarily disclosing vulnerabilities 

Improve Collaboration Between Government Agencies and the Private Sector 

While many of the initiatives in the executive order outline changes to government agencies and federal contractors, there are outlined strategies for collaboration between government agencies with the private and academic sectors. 

The executive order establishes a Cybersecurity Safety Review Board to convene around significant cyber incidents to analyze what happened and recommend improvements. 

In coordination with the Cybersecurity Safety Review Board, the executive order calls for a standard set of operating procedures for cyber incident response to ensure that all federal agencies are prepared to take uniform steps to identify and mitigate a threat.  

What It Means For You 

The Cybersecurity Safety Review Board, also referred to as The Cyber Safety Review Board, was established by the Secretary of Homeland Security and operates similarly to the National Transportation Safety Board (NTSB). 

Composed of highly respected cyber security leaders from the federal government and the private sector, the board serves in an advisory capacity to review cyber security incidents and provide learned lessons and go-forward recommendations. 

While the Cybersecurity Safety Review Board has more impact on the private sector, it's expected that the previously stated standard operating procedures will influence the private sector with a template for its threat response efforts.   

Are You Following Orders? 

Has the Executive Order on Improving the Nation's Cybersecurity affected your business? Visit our resource center for more articles, guides, and infographics on application security and secure coding training. 

Are you looking for an AppSec education solution? Try Our Training today to see our lessons firsthand.