New Federal Cybersecurity Guidelines – How Does Your Organization Stack Up?

In the wake of recent cybersecurity incidents of historical significance, President Biden issued an executive order on May 12, 2021, to improve the federal government’s efforts to “identify, deter, protect against, detect, and respond” to cybersecurity incidents.[1]

President Biden’s executive order is far more comprehensive than past government efforts in the realm of cybersecurity.[2] Nevertheless, the government has also used this moment as a call to action for the private sector to step up its game.[3] After all, a significant chunk of our critical infrastructure is owned and operated by private entities.[4]

So what does our federal cybersecurity future entail?

President Biden’s order includes the following objectives:

  • Easier Sharing of Threat Information Across Government Agencies and the Private Sector. Because the federal government relies on various IT and operational technology service providers for many of its systems, the executive order mandates the removal of all contractual barriers to disclosing cybersecurity incidents to executive departments and agencies charged with investigating and remediating such incidents.[5] In their place, new contract language will be adopted to ensure that service providers collect and preserve relevant data, share that data, collaborate with the federal government, and quickly report cybersecurity incidents within set timeframes.[6]
  • Adopt Zero Trust Architecture. Zero Trust Architecture is a “strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture.”[7] In other words, you cannot trust that all of the software and data on your organization’s network is secure. Pursuant to that, the government will migrate to using secure cloud-based technology.[8] In doing so, the government’s cloud service providers will be required to adhere to a yet-undefined set of security principles and documentation requirements.[9] Furthermore, multifactor authentication and data encryption will be required across the government.[10]
  • Enhance Software Supply Chain Security. Like anyone these days, the government relies on software to carry out its day-to-day activities and critical functions. This ranges from software we are all familiar with, like Microsoft Word and Excel, to specialized software known only to specific professionals, like SolarWinds in the IT industry. But how do we know the software is secure? How was the software developed? What controls did the software developer have in place to prevent “tampering from malicious actors”?[11] Has the software been rigorously tested to resist attack? To remediate these issues, the government has called on government leaders, individuals in the private sector, academics, and other appropriate individuals to collaborate and establish a set of minimum security standards for the development of software sold to the government.[12] Part of this initiative envisions the creation of a pilot program “to create an ‘energy star’ type of label so that government – and the public at large – can quickly determine whether [the] software was developed securely.”[13]
  • Establish a Cyber Safety Review Board. The order establishes a Cyber Safety Review Board comprised of government and private sector individuals.[14] The board will function much like the National Transportation Safety Review Board (“NTSB”). Whereas the NTSB investigates every aviation accident in the U.S. to develop safeguards from future accidents, the Cyber Safety Review Board will likewise investigate cybersecurity incidents to bolster our defenses.[15]
  • Develop a Standard Cyber Incident Playbook. By now we’ve all heard of the National Security Council’s playbook containing various strategies and tactics for dealing with pandemics.[16] Similarly, the Cyber Incident Playbook will detail standard operating procedures to facilitate a coordinated and centralized approach in the event of a major cybersecurity incident.[17]

So how does your organization stack up?

Many of the measures announced by the executive order are already widely used as cybersecurity best practices, such as the use of multifactor authentication and data encryption, but some are less common.

Akin to the Cyber Incident Playbook, your organization can and should develop an incident response plan that identifies an incident response team, how to assess the scope of the incident, how to contain the breach, and who should be notified. Your incident response team should also conduct a post-incident root-cause analysis to understand how the incident occurred, develop lessons learned, and recommend measures to prevent future incidents – similar to the function of the government’s Cyber Safety Review Board.

If your organization has implemented similar robust cybersecurity policies and procedures – that’s great news. The bad news is that it still may not be enough. Security experts lament that President Biden’s executive order would most likely fail to prevent attacks similar to recent high-profile security events.[18] So even if your organization’s cybersecurity measures stack up to the government’s, we all still have a lot of work to do to protect ourselves, our organizations, and our country.

[1] Executive Order On Improving the Nation's Cybersecurity, 2021 WL 1905908, at 1. 

[2] David E. Sanger & Julian E. Barnes, Biden Signs Executive Order to Bolster Federal Government’s Cybersecurity, N.Y. Times, May 12, 2021, at 2.

[3] Press Release, The White House, Fact Sheet: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, (May 12, 2021), at 2, https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/.

[4] Id.

[5] Executive Order On Improving the Nation's Cybersecurity, 2021 WL 1905908, at 1-2. 

[6] Id. at 2.

[7] Palo Alto Networks, What is a Zero Trust Architecture, https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture.

[8] Executive Order On Improving the Nation's Cybersecurity, 2021 WL 1905908, at 1-3. 

[9] Id.

[10] Id. at 1-3, 5.

[11] Id. at 6.

[12] Id. at 6-11.

[13] Press Release, The White House, Fact Sheet: President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, (May 12, 2021), at 2, https://www.whitehouse.gov/briefing-room/statements-releases/2021/05/12/fact-sheet-president-signs-executive-order-charting-new-course-to-improve-the-nations-cybersecurity-and-protect-federal-government-networks/.

[14] Executive Order On Improving the Nation's Cybersecurity, 2021 WL 1905908, at 1-3. 

[15] Id.

[16] See generally, Dan Diamond & Nahal Toosi, Trump team failed to follow NSC’s pandemic playbook, Politico, (Mar. 25, 2020, 8:00 PM), https://www.politico.com/news/2020/03/25/trump-coronavirus-national-security-council-149285.

[17] Executive Order On Improving the Nation's Cybersecurity, 2021 WL 1905908, at 12-13. 

[18] David E. Sanger & Julian E. Barnes, Biden Signs Executive Order to Bolster Federal Government’s Cybersecurity, N.Y. Times, May 12, 2021, at 2.
