Following the massive SolarWinds attack that affected several federal agencies and private companies late last year, U.S. President Joe Biden announced in early 2021 his intentions to issue an Executive Order (EO) mandating that all software vendors that work with the federal government report breaches to relevant government partner agencies.
The White House published the finalized EO in mid-May, citing persistent and sophisticated cyber-attacks that threaten both public and private sectors.
The EO also highlights the current administration’s commitment to improving cybersecurity processes to discover, deter and protect, defend, and respond to these attacks, citing it as a top priority and essential to national and economic security.
The administration noted there have been a number of contractual and other barriers between organizations that work with federal agencies and agencies responsible for investigating breaches such as the FBI, the Intelligence Committee, and the Cybersecurity and Infrastructure Security Agency (CISA).
The EO intends to eliminate those barriers and increase information sharing between these organizations and agencies about threats, incidents, and risks, as well as streamline common security practices such as vulnerability identification and remediation, endpoint detection, and cloud security.
First, what happened during the SolarWinds Attack?
In December 2020, FireEye discovered a supply chain attack in which attackers gained entry into SolarWinds software’s Orion system. From there the attackers believed to be a Russian intelligence agency, rapidly distributed malware across the supply chain.
It’s believed the infiltration began sometime in early 2020, which put customer data at risk for companies such as Microsoft and Intel, as well federal agencies including the Department of Energy, Department of Homeland Security, State Department, the Treasury, and the National Nuclear Security Administration.
When SolarWinds sent out routine updates to its software in 2020, those updates likely contained hacked code that gave attackers a backdoor into customers’ systems. Once in, attackers installed additional malware to spy on them. SolarWinds noted in early 2021 as many 18,000 customers had installed updates that could make them vulnerable to an attack.
A History of Breaches
Officials are still working through the full impact of the SolarWinds breach, some saying it decreases confidence in knowing if—or when—those affected networks will be secure, which could possibly take years. But it’s certainly not the first time the federal government has had to deal with the fallout from data breaches.
In 2006, the U.S. Department of Veteran Affairs had a security event when someone stole a laptop containing sensitive VA data. That put data for more than 26 million veterans at risk and resulted in a $20 million settlement in a class-action lawsuit.
In 2009, the National Archives and Records Administration (NARA) announced it had a security event after it sent a defective hard drive out to a contractor for repairs in 2008. That hard drive exposed data for about 76 million veterans.
In 2011, Science Applications International Corporation (SAIC), the company that handled security for the government's Tricare program experienced a breach that potentially exposed data for nearly 5 million patients who received care from military hospitals and clinics. Tricare, which was previously called the Civilian Health and Medical Program of the Uniformed Services, is a healthcare program within the U.S. Department of Defense Military Health System. At the time, it was one of the largest healthcare breaches on record and represented an intersection of the healthcare industry and federal government. The breach was the result of computer backup tapes stolen from a SAIC employee’s vehicle.
In 2015, the Office of Personnel Management (OPM), which handles government employee, contractor, and some civilian federal agency records, discovered security events that exposed unencrypted data for nearly 21.5 million people. The breaches may have originated as far back as 2013 and were undetected. Some reports say OPM knew about the breach in 2014 but didn’t make it public, but the attack escalated later that year and wasn’t made public until 2015.
That same year some 191 million U.S. voters experienced record exposure when a misconfiguration in the U.S. Voter Database exposed those records on the internet.
In light of these high-profile security incidents, and as data breaches are increasing across all industries, it’s easy to see why cybersecurity changes are needed, with some industry leaders saying they’ve been a long-time coming.
|In light of these high-profile security incidents, and as data breaches are increasing across all industries, it’s easy to see why cybersecurity changes are needed, with some industry leaders saying they’ve been a long-time coming.|
A Look Into the Executive Order (EO)
The Executive Order spans more than 8,000 words in its current form. Here are some highlights:
Within 45 days:
- Secretary of Homeland Security, together with the Secretary of Defense (acting through the Director of the National Security Agency (NSA), the Attorney General, and Director of OMB), should make recommendations about contract language including which types of cyber events mandate reporting, types of information regarding these events that require reporting for response and remediation
- Protections for privacy and civil liberties
- Reporting time periods based on a graduated scale for severity, noting the most severe events must be reported within three days of detection
- National Security System reporting requirements
- Contractor and associated service provider types covered by the changes
- Within 90 days of recommendations about contract language, the FAR Council should review recommendations and publish them for public comment
Within 60 days:
- The Director of the Office of Management and Budget (OMB) working together with the Attorney General, Secretary of Defense, Secretary of Homeland Security, and the Director of National Intelligence, should review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements for IT and OT service providers to make recommendations about requirement changes related to data collection and preservation, information, and reporting for cybersecurity events including prevention, detection, response, and investigation.
- Service providers:
- Are expected to share this data with relevant federal agencies, such as the contracted federal agency partner
- Should collaborate with federal cybersecurity and investigative agencies about any incidents related to Federal Information Systems
- Use industry-recognized formats for sharing information about incident response and remediation
- Review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and make recommendations to the FAR Council standardized contract language for appropriate cybersecurity requirements
- Develop the related contract language and publish it for public comment
Within 90 days:
- The Defense Secretary, et al., should develop procedures that ensure cyber incident reports and promptly shared among appropriate agencies
- Standardize a common language for cybersecurity requirements for unclassified system contracts across all agencies to improve compliance for vendors
Within 120 days:
- Secretary of Homeland Security and Director of OMB should take steps to ensure service providers share data with agencies, CISA, and the FBI as necessary so the federal government can respond to threats, incidents, and risks.
- For service providers that contract with federal agencies, they must report when they discover a cyber event related to software or services involving or supporting a federal agency or system
- Under some conditions, service providers must report to CISA
After the public comment periods for the contract language changes and the FAR is updated, agencies are expected to update their agency-specific cybersecurity requirements to remove anything that duplicates FAR requirements.
In addition to the above requirements, the EO outlines requirements for federal agencies, including:
- Adopting security best practices
- Centralizing and streamlining cybersecurity data access to help facilitate analytics to help identify and manage cybersecurity risks
- Making investments in tech and personnel to support these goals
Cloud Security Evolution
Cloud security will also get more attention as part of the EO requirements. The EO indicates that as part of FedRAMP, the government should develop a federal cloud security strategy and support organizations through implementation; and develop and issue a cloud-security technical reference architecture documentation that details recommended approaches for cloud migration and data protection.
We’re also likely to see a cloud-services governance framework within the next 60 days and within 180 days, a push toward multi-factor authentication adoption, as well as encryption standards for data at rest and in transit.
Supply Chain Security
Another focus of the EO is related to supply chain security, which we’ve recently seen the impacts of related issues from SolarWinds during the last year.
Agency directors are responsible for working with the National Institute of Standards and Technology (NIST) to gather input from federal agencies, the private sector, academia, and others to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria related to supply chain security. We may see additional standards or requirements for the supply chain, such as a push toward the use of automated tools for a range of practices including vulnerability identification and remediation.
|We may see additional standards or requirements for the supply chain, such as a push toward the use of automated tools for a range of practices including vulnerability identification and remediation.|
Other EO Highlights
In addition to the above requirements, the EO also indicates there will be a new Cyber Safety Review Board (CSRB) that will be responsible for reviewing reported major cybersecurity events. The board will likely include federal officials as well as others from the private sector, for example privately held software or cybersecurity companies.
Right out of the gate, the CSRB is expected to take a look at some cyber breaches from late 2020 and from there make recommendations on ways to improve cybersecurity practices.
There is also a push toward federal implementation of a Zero Trust Architecture and secure cloud services for Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS). The intention here is to remove implicit trust among elements or services to limit opportunities for lateral movement and privilege escalation. What that will ultimately look like has yet to be determined, but will likely include NIST guidance and recommendations.
Endpoint detection is also included in the EO where CISA will likely drive requirements through development on an Endpoint Detection and Response (EDR) plan to facilitate more EDR implementation.
Another interesting mandate will be related to vulnerability discovery and response. We can anticipate within the next 120 days seeing a standardized playbook to guide agencies in their handling of FCEB Information System vulnerabilities and response.
We anticipate these mandates will replace the use of non-disclosure agreements between tech services providers and federal partner agencies, and the new requirements are likely to be seen soon in upcoming Requests for Proposals (RFPs) and Requests for Information (RFIs).
Preparing for Requirements
While we expect to see more details of the EO-related changes made public in the coming weeks and months, this process, from review to feedback, and finally publication, is likely to span much longer.
Reading through the EO is a great first step to help your organization begin to understand expectations for working with the federal government in the near future. You can find the full EO here: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity.
While you may be inclined to take a wait-and-see approach, preparation today can help your organization be ready for the changes once they’re formally rolled out.
In this blog, we mentioned how we can anticipate some of these changes to align with existing cybersecurity frameworks such as FedRAMP and NIST CSF. A great step in the right direction is to check your compliance with these existing frameworks, identify which controls, if any, you haven’t implemented, and evaluate where you have existing gaps so you can make plans to remediate them well before these changes become federal mandates.
If you need help, here are a few resources:
- NIST CSF Compliance Guide: https://www.apptega.com/compliance-guides/nist-csf-compliance-guide/
- FedRAMP Compliance Guide: https://www.apptega.com/compliance-guides/fedramp-authorization-guide
- NIST 800-171 Compliance Guide: https://www.apptega.com/compliance-guides/nist-800-171-compliance-guide/
- NIST 800-53 Compliance Guide: https://www.apptega.com/compliance-guides/nist-800-53-compliance-guide/
- CMMC Compliance Guide: https://www.apptega.com/compliance-guides/cmmc-compliance-guide/
If you have additional questions or need help preparing for the new cybersecurity executive order changes, connect with an Apptega advisor today. We’ll be happy to help evaluate your existing cybersecurity program and help you make plans to improve your security posture by streamlining your framework and controls processes, policies, and management. We can also show you how a cybersecurity framework management solution like Apptega can automate many of the manual, repetitive functions you deal with today and help ensure you’re always compliant and have deep insight into your framework performance.