President Biden's Executive Order calls for an extensive
reassessment and revamping of the federal government's
cybersecurity defenses and incident response capabilities,
establishing benchmarks that may inform standards among private
entities.
Following the 2020 cyberattack on numerous United States
government agencies, President Biden issued an "Executive Order on Improving the Nation's
Cybersecurity" ("EO") that seeks to strengthen
public and private sector cybersecurity defenses and incident
response capabilities. The federal government reforms in the EO
center around three key themes: modernization, accountability, and
resilience.
First, the EO directs agencies to modernize their information
technology ("IT") systems by prioritizing the use of
cloud services, utilizing multifactor authentication, and adopting
encryption technologies for data at rest and in transit. As part of
this effort, the Cybersecurity and Infrastructure Security Agency
("CISA") within the Department of Homeland Security will
update standards governing the agencies' use of cloud services,
which could impact the offerings provided by cloud service
providers and other IT government contractors. The EO also directs
agencies to utilize guidance from the National Institute of
Standards and Technology to migrate toward "Zero Trust
Architecture," a framework that limits employees' data and
network access to the bare minimum needed to perform their jobs.
Second, the EO increases accountability among federal civilian
agencies by giving CISA access to agency network data to conduct
vulnerability testing, and creating a "Cyber Safety Review
Board," which is tasked with considering mitigation activities
and agency responses for any significant cyber incident involving either
the government or private sector entities. The Board will
include representatives from private sector cybersecurity entities
and software suppliers and will provide recommendations for
improving incident response.
Third, the EO directs the federal government to develop a
standardized incident response "playbook" in order to
quickly identify, mitigate, and remediate threats. Federal agencies
are also required to keep event logs, in order to increase their
ability to detect and mitigate incidents.
While it will take some time for the government to implement
these requirements, once they do, these benchmarks may inform
evolving expectations for private cybersecurity protections.
Accordingly, private entities should review the updated CISA
standards and the new incident response playbook when issued and
consider whether and to what extent to incorporate them into their
Information Security Programs.
This Alert is the third in a series on
the contents of President Biden's Executive Order on Improving
the Nation's Cybersecurity. Prior
Alerts address the EO's new cybersecurity
contract language for civilian government
contractors and the EO's provisions regarding a cybersecurity labeling regime for consumer
products.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
Gloss