This week, I had the opportunity to participate in an event marking the one-year anniversary of President Biden’s “Executive Order on Improving the Nation’s Cybersecurity.” Since issuance of the executive order (EO), federal agencies have made great strides towards implementing its requirements, which aim to improve the cybersecurity posture of federal agency networks and impose new secure software development practices for vendors supplying technology to government agencies.
The order engaged multiple support agencies to help deliver on these requirements: the Cybersecurity and Infrastructure Security Agency (CISA), Office and Management and Budget (OMB), and the National Institute of Standards and Technology (NIST) to name but a few. While significant progress has been made, headwinds are emerging that may slow important work still left to be completed.
Supply Chain Security
A closely watched piece of the Executive Order is Section 4 – Supply Chain Security. While it directly impacts security requirements for a subset of technology purchased by the federal government – called “critical software” – the impacts are sure to be felt more widely beyond federal procurement. The federal government is, of course, a significant consumer of technology developed by the private sector. It is also a regulator of critical infrastructure owners and operators, who may eventually be required to adopt software that meets federal agency procurement requirements. And federal government actions send strong signals to the private sector about managing cybersecurity risk. This effort will likely bring currently nascent concepts, like IoT labeling and software bills of material (SBOMs) into the mainstream over the next few years.
Zero Trust in the Cloud
Another element of the Executive Order was the Section 3 requirement for agencies to move to the cloud and implement a Zero Trust strategy, and to complete that strategy by 2024. CISA, OMB, and NIST have created a helpful series of documents (some are still in draft), including a zero trust strategy, zero trust architecture design, maturity model, and other guidelines. Agencies have responded by creating their own strategic plans. As is always the case, some agencies are further along than others. Few agencies expect to “be complete” by 2024, and many face similar challenges:
- Leadership engagement – agencies most advanced in executing their strategy have regular senior oversight of their zero trust programs, meeting weekly to review progress. We see this in the private sector as well. Zero Trust is a philosophy that requires senior level engagement to support the organizational and culture changes that emerge from these efforts.
- Technology debt – the variety of functions that federal agencies manage mean there are a wide variety of technologies in use. Some of these technologies are old—old enough that products used to support zero trust cannot integrate with them. For now, agencies will need to segment old technology from zero trust and cloud transformation efforts. In time, agencies will need to find other ways to upgrade these technologies.
- Financial resources – implementing zero trust doesn’t mean rip and replace, unless you are working to a short deadline. It does mean investing in training for staff to help them understand how to work in a zero trust environment, and investing in new products like policy engines, that can help manage zero trust activities. Federal agencies are mostly finding those funds from existing budgets and by delaying other projects. The lack of explicit financial support is slowing them down.
- Technical security expertise – a challenge across many sectors, federal agencies face a technical security skills gap and struggle to compete for talent with higher paid industries. Steps are being taken to try to improve this, but those activities (e.g., changing pay grades, increasing access to internship opportunities, etc.) take time to implement – time the agencies don’t have. In the meantime, agencies will need to rely on vendors and partners to provide skilled resources to support their efforts – with funds they don’t have.
The EO is determining baseline practices that will have impact beyond federal agencies. The use of risk-based frameworks, voluntary consensus standards, and transparency is highly effective in dynamic threat environments where technology is changing and malicious actors are adapting their behaviors in real time. There are certainly common-sense baseline requirements the government should be advancing both as a buyer, user, and regulator of technology (e.g., multifactor authentication and encryption of data). The Executive Order offers significant promise in that regard. Effective implementation of those requirements will be key. How much of this all would benefit from a statutory structure with fixed mandates, particularly for non-Federal organizations, is an open question.
Despite these challenges, there have been improvements in the cybersecurity posture of agencies as they implement what they can, when they can. The direction of change is positive; it is the speed of change that needs attention so agencies can deliver according to the Executive Order directives. The broader security community is here to help – securing the federal government helps the entire ecosystem of security risk across all industries. I applaud CISA and other agencies for aggressively reaching out to the private sector in the past year and look forward to continued partnership in the years to come.