What is Executive Order 14028 on Improving National Cybersecurity?


Executive Order 14028 (EO), Improving the Nation's Cybersecurity, issued by Joe Biden on May 12, 2021, directs several agencies to improve cybersecurity through various software and data security and integrity measures. Several high-profile information security and ransomware assaults in 2020/21 triggered the order, including the SolarWinds hack, MS Exchange server vulnerabilities, and the Pulse Connect Secure attack that targeted both public and private sectors.

The Cybersecurity and Infrastructure Security Agency (CISA) issued guidelines on the country's security framework in response to these attacks. The order itself is a large policy document: 74 actionable directives spanning 15 pages. Of these, 45 directives carry deadlines, and several of them depend on the completion of other directives.

Who Is Affected by Executive Order 14028?

Companies that provide IT goods and services to the US government are affected by this Executive Order. The order, however, is more than a set of IT rules. In both the EO's preface and the accompanying EO Fact Sheet, the authors repeatedly mention Operational Technology (OT). The order then broadens its scope to the term Critical Software and lays out a set of rules and directions that apply to all software supplied to the US government.

The order directs government entities to set the standard for sound security practice and to update their strategy to counter increasingly sophisticated digital threats.

Federal agencies should make cloud adoption a priority, encrypt data, satisfy extended logging standards, identify sensitive data and upgrade data safeguards, and use multi-factor authentication.

Federal agencies must likewise create and implement a Zero Trust strategy. The Zero Trust model holds that an actor on a network is not automatically trusted simply because it is inside that network; every access request must be verified.

What are the Requirements of Executive Order 14028?

The order contains four main requirements −

The first requirement is that all government contracts oblige IT and IT security companies to share threat intelligence and report incidents. Section 2 of the order amends the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation (DFAR) to ensure that cyber incident data is preserved, that cyber incidents are reported to the Cybersecurity and Infrastructure Security Agency (CISA), and that contractors cooperate with investigations.

The second requirement is that civilian government agencies be brought up to Fortune 1000 levels of security. The following sections of the order explain how to meet this requirement −

  • Cloud adoption, zero trust, and multi-factor authentication are all pushed in Section 3.

  • CISA is tasked under Section 6 with creating an incident response playbook.

  • Endpoint detection and response (EDR) is required under Section 7.

  • Section 8 outlines the standards for logging.

  • The national security systems are discussed in Section 9.

The third major requirement is that the federal government's software be made more secure. Section 4 of the order mandates that the National Institute of Standards and Technology (NIST) set standards and that the Office of Management and Budget (OMB) enforce them. The development environment is heavily emphasized, as is vulnerability checking.

The order's last key purpose is to investigate why incidents occur and to share the findings. The Cyber Safety Review Board will be in charge of these investigations. This new body, modeled on the National Transportation Safety Board, will first be tasked with examining the SolarWinds incident and recommending long-term remedies.

What are the Main Principles of Executive Order 14028?

The Executive Order frames its requirements as seven discrete principles and duties that the federal government and its public and private sector partners must follow in order to strengthen US cybersecurity −

Improved Transparency

The order, through a number of measures, removes communication barriers between the government and the private sector. Certain contractual restrictions are lifted in some cases, allowing providers to share information about risks and breaches. Furthermore, by partnering with federal cybersecurity and investigative organizations, IT providers may now collect, retain, and exchange data under industry-recognized standards.

Improved Software Supply Chain Security

One of the EO's key emphases is software supply chain security. About a third of the policy statements in the document relate to it. This comes as no surprise after the SolarWinds attack in December, which infiltrated all five branches of the US military, as well as the Pentagon, State Department, National Security Agency, White House, and many other high-profile targets. Such widespread disruption was bound to set the tone of this EO.

Establishment of a Cyber Safety Review Board

Under Section 871 of the Homeland Security Act of 2002, the EO establishes a Cyber Safety Review Board co-led by private-sector and government participants. Members of the board will come from the Department of Defense, the Department of Justice, the Federal Bureau of Investigation, the National Security Agency, CISA, and the private sector. After a major cyber incident, the board convenes to assess the situation and provide recommendations for addressing future threats.

Endpoint Detection and Response Systems

Executive Order 14028 establishes a government-wide endpoint detection and response capability to improve detection across federal networks. By enabling effective data sharing among agencies, it provides greater visibility into malicious activity.

Requirements for Event Logging

Standardized response methods ensure that incidents are catalogued centrally and that each agency's progress toward an effective response is tracked. To allow investigators to detect and prevent attacks, the order requires agencies to adopt a uniform event logging approach.

The other two principles of Executive Order 14028 relate to "Revising and digitizing the federal government's cybersecurity standards" and "Incident Response Standard Operating Procedure".

Conclusion

Government ICS/OT software vendors (and suppliers to firms that sell to the government) have work ahead of them. Within the next 365 days, the software security information that these organizations are expected to provide to clients will change dramatically. Note that the new EO requirements apply only to "software bought after this order's date." Companies will not get six or twelve months to comply once the new regulations are released.

Any software sold today must adhere to the yet-to-be-determined regulations retroactively to May 12, 2021. The Executive Order does not say when service providers, whether IT or OT, must comply with the new contracting arrangements. Based on prior FAR rule change processes, the public comment period can be expected to close in late December 2021 and the FAR Final Rule to be issued in late 2022.

Contracts signed after that date will be subject to the new data-sharing rules.

This sweeping executive directive is expected to significantly alter the federal government's approach to cybersecurity, affecting everyone who sells IT or IT security to the federal government. Because the federal government is the world's largest consumer of IT and IT security, there will be spill-over effects on other suppliers.

Updated on: 09-Jun-2022
