New Federal Cybersecurity Guidelines – How Does Your Organization Stack Up?

In the wake of recent cybersecurity incidents of historical significance on May 12, 2021, President Biden issued an executive order to improve the federal government’s efforts to “identify, deter, protect against, detect, and respond” to cybersecurity incidents.[1]  

President Biden’s executive order is far more comprehensive than past government efforts in the realm of cybersecurity,[2] nevertheless the government has also used this moment as a call to action for the private sector to step up its game.[3] After all, a significant chunk of our critical infrastructure is owned and operated by private entities.[4] 

So what does our federal cybersecurity future entail?

President Biden’s order includes the following objectives:

• Easier Sharing of Threat Information Across Government Agencies and the Private Sector. Because the federal government relies on various IT and operational technology service providers for many of its systems, the executive order mandates the removal of all contractual barriers to disclosing cybersecurity incidents to executive departments and agencies charged with investigating and remediating such incidents.[5] In its place, new contract language will be adopted to ensure that service providers collect and preserve relevant data, share that data, collaborate with the federal government, and quickly report cybersecurity incidents within set timeframes.[6]

• Adopt Zero Trust Architecture. Zero Trust Architecture is a “strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture.”[7] In other words, you cannot trust that all of the software and data on your organization’s network is secure. Pursuant to that, the government will migrate to using secure cloud-based technology.[8] In doing so, the government’s cloud service providers will be required to adhere to a yet-undefined set of security principles and documentation requirements.[9] Furthermore, multifactor authentication and data encryption will be required across the government.[10]

• Enhance Software Supply Chain Security. Like anyone these days, the government relies on software to carry out its day-to-day activities and critical functions. From software we are all familiar with, like Microsoft Word and Excel, to specialized software only known by specific professionals, like SolarWinds among the IT industry. But how do we know the software is secure? How was the software developed? What controls did the software developer have in place to prevent “tampering from malicious actors”?[11] Has the software been rigorously tested to resist attack? To remediate these issues, the government has called on government leaders, individuals in the private sector, academics, and other appropriate individuals, to collaborate and establish a set of minimum security standards for the development of software sold to the government.[12] Part of this initiative envisions the creation of a pilot program “to create an ‘energy star’ type of label so that government – and the public at large – can quickly determine whether [the] software was developed securely.”[13]

• Establish a Cyber Safety Review Board. The order establishes a Cyber Safety Review Board comprised of government and private sector individuals.[14] The board will function much like the National Transportation Safety Review Board (“NTSB”). Whereas the NTSB investigates every aviation accident in the U.S. to develop safeguards from future accidents, the Cyber Safety Review Board will likewise investigate cybersecurity incidents to bolster our defenses.[15]

• Develop a Standard Cyber Incident Playbook. By now we’ve all heard of the National Security Council’s playbook containing various strategies and tactics for dealing with pandemics.[16] Similarly, the Cyber Incident Playbook will detail standard operating procedures to facilitate a coordinated and centralized approach in the event of a major cybersecurity incident.[17]

So how does your organization stack up?

Many of the measures announced by the executive order are already widely used as cybersecurity best practices, such as the use of multifactor authentication and data encryption, but some are less common.

Akin to the Cyber Incident Playbook, your organization can and should develop an incident response plan that identifies an incident response team, how to assess the scope of the incident, how to contain the breach, and who should be notified. Your incident response team should also conduct a post-incident root-cause analysis to understand how the incident occurred, develop lessons learned, and recommend measures to prevent future incidents – similar to the function of the government’s Cyber Safety Review Board.

If your organization has implemented similar robust cybersecurity policies and procedures – that’s great news. The bad news is that it still may not be enough. Security experts lament that President Biden’s executive order would most likely fail to prevent attacks similar to recent high profile security events.[18] So even if your organization’s cybersecurity measures stack up to the government’s, we all still have a lot of work to do to protect ourselves, our organizations, and our country.

DISCLAIMER: The information contained in this blog is not intended as legal advice or as an opinion on specific facts. For more information about these issues, please contact the author(s) of this blog or your existing LitSmart contact. The invitation to contact the author is not to be construed as a solicitation for legal work. Any new attorney/client relationship will be confirmed in writing.