How to Meet Biden’s Executive Order on Cybersecurity Requirements
On May 12, 2021, President Biden issued an executive order designed to improve the nation’s cybersecurity and to better protect federal government networks. The Executive Order on Improving the Nation’s Cybersecurity calls for stronger and more layered data security as part of a focus on a data-centric security architecture built around the principles of zero trust.
What is the Executive Order on Improving the Nation’s Cybersecurity?
Executive Order 14028 essentially tasks the U.S. federal government, in cooperation with private industry, with investing in significant and bold changes in cybersecurity to enhance the nation’s cybersecurity stance. This latest order reflects the high priority the current administration is placing on cybersecurity in reaction to, and in defense of, attacks targeting the nation’s supply chain and infrastructure.
The order stipulates a number of ways the government will encourage more transparency around cybersecurity and enhance reporting requirements, and it details the technologies needed for enhanced cybersecurity (such as encryption, data classification, digital rights management (DRM) and more) as part of its move toward a more data-centric security environment – an approach that emphasizes locking down the data itself.
Who is Impacted by the Cybersecurity Executive Order?
The federal government does not act alone. Thousands of private sector contractors will be impacted by these new software requirements. Under the new order, contractors that provide software solutions to the federal government must meet the security measures defined by the National Institute of Standards and Technology (NIST). These measures include securing software development environments, automating how vulnerabilities are detected, and maintaining a “Software Bill of Materials” for all software products purchased and used (essentially a detailed record of the software’s supply chain relationships).
Meeting these criteria can mean the difference between securing a lucrative government contract and being passed over in favor of NIST-approved solution providers. The NIST requirements are to be enacted about 120 days from the order’s signing (fall of 2021). After about one year, any software that does not meet the standards must be removed from agency use and can no longer benefit from indefinite delivery, indefinite quantity contracts or blanket purchase agreements.
Where can I learn more about Biden’s Executive Order on Cybersecurity?
A fact sheet from the White House boils down this executive order in brief, easy-to-digest terms. You can also read the complete Executive Order on Improving the Nation’s Cybersecurity, which provides more specifics on the following initiatives:
Removing barriers to sharing threat information
Modernizing federal government cybersecurity
Enhancing software supply chain security
Establishment of a cyber safety review board
Standardizing the federal government’s response to vulnerabilities
Improving the detection of cybersecurity vulnerabilities and incidents on federal government networks
Improving the federal government’s investigative and remediation capabilities
How Does This Executive Order Impact Your Tech Stack?
If you’re an IT or cybersecurity leader working for the government or a federal agency, this order has your name on it, or at the very least should have you ensuring that the software you use in your governmental work meets the criteria set forth in the order. Organizations that meet or exceed the new order’s expectations should be better positioned to secure or maintain their contracts.
Accelerated (within 180 days) adoption of multi-factor authentication, encryption of data at rest and in transit, and a goal of zero-trust architecture are also at the top of the initiative list.
Does Your Organization Fit into Zero-trust or Data-centric Architecture?
To meet the higher standards of this executive order, and the standards many private entities will soon adopt after the federal government, organizations need to be using software solutions that address the security concerns outlined above and move toward a zero-trust mindset and architecture. Zero trust assumes that no one accessing your network is trusted by default and puts layers of security in place to prevent intrusion or access by unapproved users.
HelpSystems has curated a full suite of data-centric security solutions to meet these standards, including:
Data classification: Knowing which data needs elevated security is important to keep business flowing. Applying a data classification solution can help eliminate many false positive alerts while addressing compliance and governmental requirements for responsible data protection.
Encryption: This critical layer of protection alone is not enough to form a complete data-centric security perimeter, but it plays a huge role in its success, greatly reducing the risk of a breach. Only authorized parties with a symmetric or asymmetric key can read or access data transferred or stored on an internal system.
Secure file transfer: Managed file transfer (MFT) delivers a secure, automated way to transfer data and collaborate both within and outside your organization, eliminating risk of human error, backed by strong encryption protocols. Pairing MFT with Adaptive DLP adds an additional layer of security and ensures that any sensitive data is redacted or sanitized before being sent.
Digital rights management (DRM): After all the other layers of protection are applied – data classification, encryption, data loss prevention and secure file transfer – DRM steps in to protect files and unstructured data wherever they may travel, with tracking and auditing functionality and the ability to revoke access at any time.
See How to Address Data Security Challenges
See how the integrated data-centric solutions from HelpSystems can help your organization meet the rapid implementation of more stringent requirements for doing business with the federal government and its agencies. This on-demand webinar explores the suite approach to data-centric, zero-trust models of security.