In May 2021, the White House signed an executive order (EO) aimed at improving the nation’s cybersecurity across the public and private sectors. Throughout the following year, federal and commercial organizations adapted to new security requirements around zero-trust architecture (ZTA), threat information sharing, and supply chain risk management.
Now, just over one year since the EO was signed into law, we consider how the cybersecurity landscape has changed as a result. Specifically, we examine:
- The increased emphasis on ZTA, threat information sharing between organizations, and system integrity in the manufacturing sector.
- The ongoing compliance challenges faced by the Cybersecurity and Infrastructure Security Agency (CISA) and various federal agencies.
- How both the public and private sectors can prepare for the continuing evolution of cybersecurity standards.
What’s Changed?
Zero-Trust Architecture
The Guidance
In January 2022, the Office of Management and Budget (OMB) issued a memo laying out a strategy to move the government to fully embrace ZTA in accordance with the Cyber EO.
At the same time, CISA released information to help agencies manage the shift to ZTA: the Cloud Security Technical Reference Architecture and Zero-Trust Maturity Model.
Finally, agencies were given deadlines of:
- 30 days to appoint an organizational ZTA lead.
- 60 days to build implementation plans.
- The end of 2024 to achieve five specific ZTA goals derived from the “five pillars” of CISA’s zero-trust model.
The Change
- In accordance with the EO, we’ve seen a widespread push to modernize existing network security and user and device access across federal agencies. This has expanded the use of PKI, PIV, and Non-Person Entity (NPE) credentials, improving the establishment and maintenance of trusted access.
- Agencies are grappling with ZTA implementation for mobile devices as hybrid and remote work situations become increasingly commonplace. While full implementation of Zero Trust principles will take time to ensure strategic alignment, the nation’s strides in this area have been significant.
Threat Information Sharing
The Guidance
- The EO seeks to remove barriers to sharing cyber-relevant information, requiring federal security partners and service providers to share certain breach data with executive-level departments.
- The EO also requires providers to share that data with the agencies responsible for investigating and remediating incidents (namely CISA, the FBI, and the Intelligence Community).
- Finally, the EO emphasizes sharing threat information between agencies to improve security postures, with a reporting structure under CISA.
The Change
- In March 2022, the president signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), expanding cyber reporting requirements for a wide range of public and private organizations.
- CIRCIA also provides certain liability protections to these reporting entities.
- CIRCIA requires CISA to aggregate and share certain cyber-relevant data with other government agencies, the U.S. Congress, competitive intelligence companies and service providers, and the public, including CISA’s assessment of the threats and information shared.
- CISA is establishing its Joint Cyber Defense Collaborative (JCDC) to improve collaboration and information sharing through public and private partnerships.
- Agencies are navigating the collection of cyber-relevant data under the EO logging and M-21-31 guidelines – as well as how they consume, use, and share threat information – while aligning with CISA’s High Value Assets program. CISA has also taken steps to improve its guidance for agencies and service providers regarding the types of cyber-relevant data needed to identify potential threats. Through programs such as its Extensible Visibility Reference Framework (eVRF), CISA is helping agencies identify telemetry data requirements and gaps that align with modern digital environments, as well as how they use cloud-based services.
System Integrity in the Manufacturing Sector
The Guidance
- The EO directed the National Institute of Standards and Technology (NIST) to solicit input from the private sector, academia, government agencies, and others to develop new standards, tools, best practices, and other guidelines to enhance software supply chain security.
- The EO assigned NIST to work on two labeling efforts related to consumer Internet of Things (IoT) devices and consumer software, with the goal of encouraging manufacturers to produce – and consumers to be informed about – products created with greater consideration of cybersecurity risks and capabilities.
The Change
- NIST consulted with the National Security Agency (NSA), OMB, CISA, and the Director of National Intelligence (DNI) to define “critical software” in June 2021.
- NIST published guidance outlining security measures for critical software and guidelines recommending minimum standards for vendors’ testing of their software source code in July 2021.
- NIST issued preliminary guidelines in November 2021, based on stakeholder input and existing documents, for enhancing software supply chain security.
- In February 2022, NIST issued additional guidance identifying practices that enhance software supply chain security, with references to standards, procedures, and criteria, followed by a cybersecurity practice guide focused on information and system integrity in industrial control system (ICS) environments.
- Manufacturers are increasingly connecting their operational technology (OT) systems to their information technology (IT) systems to increase productivity and efficiency. As a result, the scope of exploitable cybersecurity vulnerabilities has grown exponentially. The NIST practice guide features example solutions and how-to guidance to help organizations detect and prevent malicious attacks.
- NIST released a summary report on its progress towards the goals laid out in the EO in July 2022.
Where Are We Headed?
Perhaps the most critical takeaway from the past year’s developments is that the EO does not represent a one-off event, but the beginning of an ongoing effort to improve our national cybersecurity posture and infrastructure. Through implementing the mandates outlined in the EO, we have learned that any significant improvement to our cybersecurity infrastructure entails a marathon, not a sprint.
ECS stands ready to help our customers navigate evolving compliance standards, with the expertise to help your organization defend its networks, develop secure applications, and consistently meet new and evolving federal guidelines.