Making sense of the EO on Improving the Nation's Cybersecurity
Decluttering and simplifying the official executive order to analyze the bold actions and the gaps in the order.
Here is the original EO (around 8000 words): Original Executive Order
The following is a distillation of the executive order to bring out the main actions outlined in the order and assess any gaps. This simplification of the EO is organized as:
Policy Summary
Bold Action 1-8 Summaries and any accompanying Critique
Critique
References to the various agency names have been removed and replaced by “Federal Agencies”. Please refer to the original EO for details around which agency will do what. The purpose of this simplification is to simplify and summarize the actions, not necessarily identify the actors.
Your feedback and additional commentary is invited.
Policy Summary
The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.
Instead of incremental improvements the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.
The scope of protection and security must include both information technology (IT) and operational technology (OT).
Appointment of the National Cyber Director (NCD) and the establishment of the related Office within the Executive Office of the President who will oversee the bold actions (detailed in subsequent sections).
Bold Action 1: Removing Barriers to Sharing Threat Information
Overall summary
This action identifies the following major thrust areas:
Contractual language updates to increase cyber threat and incident sharing by IT/OT service providers as they discover them.
Contractual language updates to increase cyber threat and incident sharing about the software and services provided by ICT companies.
Contractual language updates to increase compliance for unclassified system contracts implemented by disparate agencies.
Summary of Challenge 1:
Current contract terms between the Federal Government and IT/OT service providers, including cloud service providers, limit the Federal Government’s access to and insight into cyber threat and incident information on Federal Information Systems.
EO Guidance to alleviate this challenge:
In 60 days: Review Federal contract requirements and recommend updates to Data Collection and Preservation, Data Sharing & Reporting, Collaboration in Incident Investigation & Response, and Standardization of Threat & Incident Information.
In 90 days: Publish proposed contract updates for public comment.
In 120 days: Sharing of cyber threat & incident information with Federal agencies, CISA and FBI commences as required.
Summary of Challenge 2:
ICT service providers do not promptly report when they discover a cyber incident involving a software product or service provided to agencies or involving a support system for a software product or service provided to such agencies.
As such, CISA is unable to centrally collect and manage such information, and cyber incidents involving a software product or service are poorly shared between agencies.
EO Guidance to alleviate this challenge:
In 45 days: Review and update contract language to identify the nature of cyber incidents that require reporting, the types of information about cyber incidents that need to be reported, and the time-frame in which the reporting should occur, on a graduated scale of severity.
In 90 days: Publish proposed contract updates for public comment and subsequently adopt the updates.
Critique
✅ ICT service providers are not incentivized to provide security vulnerability and incident information to their customers. This guidance is a step forward in creating a contractual obligation to force the ICT service providers to declare security vulnerabilities and incidents as they are discovered.
❌ This information is critical to proactively discover “supply chain” type issues. The implementation of the EO should connect this information to securing the software supply chain.
❌ Will the National Cyber Director be accountable to ensure this information is not just used to promptly mitigate issues in the affected software but also to proactively identify supply chain type issues that could have broader impacts?
Summary of Challenge 3:
Current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cloud-service cybersecurity requirements, making it difficult to create a common comprehensive compliance framework for unclassified system contracts.
EO guidance to alleviate this challenge:
In 60 days: Recommend standardized contract language to include cybersecurity requirements for all unclassified systems.
In 120 days: Publish proposed contract language for public comment and subsequent adoption of language by agencies.
Critique
❌ The EO should do more to also mandate an always up-to-date centralized inventory of unclassified systems without which determining overall risk is impossible.
Bold Action 2: Modernizing Federal Government Cybersecurity
Overall summary
This action identifies the following major thrust areas:
The Federal Government must modernize its approach to cybersecurity without eroding privacy and civil liberties.
Disjointed cloud technology strategy among agencies creates a challenge to detect, assess, remediate and prevent cyber incidents.
Summary of Challenge 1:
The Federal Government must modernize its approach to cybersecurity without eroding privacy and civil liberties.
EO guidance to alleviate this challenge:
In 60 days:
Every agency head will update agency plans to prioritize resources for the adoption & use of cloud technology based on “relevant guidance”
Every agency head will develop a plan to implement Zero Trust Architecture and will identify a plan for actions that will have most immediate security impact.
Critique:
✅ The guidance around ZTA is very specific and actionable.
❌ Implementing ZTA is a major undertaking that even the best run enterprises are challenged to implement. Without explicit public private partnership, this guidance is difficult to implement.
❌ While the guidance around every agency updating its plan to prioritize adoption of cloud technology is indeed a bold step in making the Federal Government cloud-native, it also requires careful planning that will likely take more than 60 days. In addition, this is one area where a top-down fundamental framework is needed to succeed. A good step forward here is to create a consortium of the major cloud service providers and include them in the development of a time-based plan to increase adoption of cloud in the Federal Government.
Summary of Challenge 2:
Disjointed cloud technology strategy among agencies creates a challenge to detect, assess, remediate and prevent cyber incidents.
EO guidance to alleviate this challenge:
In 60 days: Begin modernizing FedRAMP by establishing a training program for agencies to manage FedRAMP requests, improving communications with Cloud Service Providers through automation and standardization of messages at each stage of authorization, making the FedRAMP process more automated, and digitizing documentation.
In 60 days: Develop and issue a cloud-service governance framework that covers services and protections available to agencies for security incidents.
In 90 days: Develop a Federal Cloud Security strategy through FedRAMP.
In 90 days: Through FedRAMP, establish a framework to collaborate on cybersecurity and incident response activities between agencies and CSPs.
In 90 days: Heads of agencies to report on their agency’s unclassified data and identify the most at-risk data.
In 180 days: All agencies to adopt MFA and encryption for data at rest & in transit.
Critique:
✅ FedRAMP is already a widely accepted operational construct and enhancing it to consolidate cloud technology strategy for the Federal Government ensures that cloud service providers are not burdened with yet another program.
✅ Modernizing FedRAMP is a much anticipated and required move.
✅ Collaboration with Cloud Service Providers for Cloud Security is called out and required for dealing with Cloud Security comprehensively.
❌ The updated FedRAMP construct will need to be rolled out aggressively and attentively to existing as well as new service providers. Service Providers should be incentivized to comply and there should not be any opportunity for Service Providers to claim exceptions: what if the government were able to provide financial incentives for Service Providers to invest in this compliance?
❌ There is no mention of how this MFA mandate will affect Americans. Attention needs to be called out explicitly to ensure the MFA implementation does not create a new divide - the digital haves and have-nots.
Bold Action 3: Enhancing Software Supply Chain Security
Summary of Challenge:
The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.
EO guidance to alleviate this challenge:
In 30 days: Solicit input from the Federal Government, private sector, academia, and other appropriate actors to develop comprehensive criteria to evaluate overall software security and a mechanism for service providers to demonstrate conformance with the criteria.
In 45 days: Publish a definition of “critical software” and within 30 days of the definition, make a list of “critical software” in use or in acquisition available to federal agencies.
In 60 days: Publish guidance outlining security measures for “critical software” that agencies need to apply to existing software and to new software that will be procured.
In 60 days: Publish minimum standards for vendors’ testing of their applications (code review, static analysis, dynamic analysis, software composition analysis, and penetration testing).
In 60 days: Publish minimum elements of “Software Bill of Materials” that software providers will have to declare.
In 180 days: NIST to publish preliminary guidelines for enhancing software supply chain.
In 270 days: Issue guidance to vendors to comply with practices that enhance software supply chain security, including: secure software development environments, ensuring source code integrity, regular application security testing & remediation, ensuring software provenance, publishing an SBOM, and ensuring provenance of open source components.
In 270 days: Identify secure software development criteria for a consumer software labeling program.
In 270 days: Identify IoT cybersecurity criteria for a consumer labeling program and a set of measures that can be taken to maximize manufacturer participation.
At 1 year mark: NIST will publish additional guidelines based on review of existing activities.
At 1 year mark: Update and enforce Federal contract language to comply with the above requirements. Implement strict compliance with the above requirements for existing and new vendors.
At 1 year mark: Provide update to President on progress.
Critique:
✅ Ample public private partnership.
✅ Focus on “critical software” creates a bias for action instead of boiling the ocean.
✅ Application security focus is key since applications are the largest attack vector for adversaries.
✅ Requiring vendors to publish a Software Bill of Materials, either on demand or online, is an important step that will force vendors to take accountability.
❌ Important rollout milestones are at the 270 day and 1 year mark. More immediate milestones need to be created by taking a risk-based approach to rolling out the milestones.
Bold Action 4: Establishing a Cyber Safety Board
Overall summary
The EO calls for the establishment of a Cyber Safety Review Board (Board), pursuant to section 871 of the Homeland Security Act of 2002 (6 U.S.C. 451). The Board shall review and assess threat activity, vulnerabilities, mitigation activities, and agency responses. The board shall convene following a significant cyber incident or at any time deemed necessary. The board shall provide updates & recommendations to the President via the Secretary of Homeland Security.
The Board’s membership shall include Federal officials and representatives from private-sector entities and participation of others on a case-by-case basis depending on the nature of the incident under review. The Secretary of Homeland Security shall biennially designate a Chair and Deputy Chair of the Board from among the members of the Board, to include one Federal and one private-sector member.
The Board, whose life will be extended every 2 years, will at the outset identify gaps in and recommendations to the board’s composition, mission, scope, responsibilities, governance structure, administration and budgets.
Bold Action 5: Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Overall summary
The cybersecurity vulnerability and incident response procedures currently used by agencies to identify, remediate, and recover from vulnerabilities and incidents affecting their systems vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies.
EO guidance to alleviate this challenge:
In 120 days: Develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity.
The Director of CISA, in consultation with the Director of the NSA, shall review and update the playbook annually, and provide information to the Director of OMB for incorporation in guidance updates.
The Director of CISA shall review and validate Federal Agencies’ incident response and remediation results upon an agency’s completion of its incident response. The Director of CISA may recommend use of another agency or a third-party incident response team as appropriate.
To ensure a common understanding of cyber incidents and the cybersecurity status of an agency, the playbook shall define key terms for consistency.
Critique:
❌ The 120 day milestone should be accelerated with the participation of industry experts who have experience with implementing such playbooks at global scale.
Bold Action 6: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks.
Overall summary
This section of the EO outlines the following challenges:
The early detection of cybersecurity vulnerabilities and incidents on Federal networks is inadequate and needs to be improved.
CISA has limited access to agency data that are relevant to a threat and vulnerability analysis, as well as for assessment and threat-hunting purposes.
Better alignment between Department of Defense Information Network (DODIN) directives and FCEB Information Systems directives is required.
Summary of Challenge 1:
The early detection of cybersecurity vulnerabilities and incidents on Federal networks is inadequate
EO guidance to alleviate this challenge:
In 30 days: Provide recommendations on options for implementing an EDR initiative, centrally located to support host-level visibility, attribution, and response.
In 45 days: Recommend appropriate actions for improving detection of cyber incidents affecting National Security Systems, including recommendations concerning EDR approaches and whether such measures should be operated by agencies or through a centralized service of common concern provided by the National Manager.
Within 90 days of receiving the recommendations: Issue requirements to adopt Federal Government-wide EDR approaches.
Critique:
❌ Given post-COVID realities of occasional or frequent remote work and the stated direction to adopt cloud rapidly, the EDR initiative should be expanded to XDR.
Summary of Challenge 2:
CISA has limited access to agency data that are relevant to a threat and vulnerability analysis, as well as for assessment and threat-hunting purposes.
EO guidance to alleviate this challenge:
In 75 days: Agencies shall establish or update Memoranda of Agreement (MOA) with CISA for the Continuous Diagnostics and Mitigation Program to ensure that object-level data are available and accessible to CISA.
In 90 days: The Director of CISA shall provide a report describing how authorities granted under section 1705 of Public Law 116-283, to conduct threat-hunting activities on FCEB networks without prior authorization from agencies, are being implemented. This report shall also recommend procedures to ensure that mission-critical systems are not disrupted, procedures for notifying system owners of vulnerable government systems, and the range of techniques that can be used during testing of FCEB Information Systems.
Summary of Challenge 3:
Better alignment between Department of Defense Information Network (DODIN) directives and FCEB Information Systems directives is required.
EO guidance to alleviate this challenge:
In 60 days: Establish procedures for the Department of Defense and the Department of Homeland Security to immediately share with each other Department of Defense Incident Response Orders or Department of Homeland Security Emergency Directives and Binding Operational Directives applying to their respective information networks.
Bold Action 7: Improving the Federal Government’s Investigative and Remediation Capabilities
Overall summary
To address cyber risks or incidents, agencies will be required, upon request, to share logs as needed and appropriate with other Federal agencies.
In 14 days: Provide recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks.
In the subsequent 90 days: Formulate policies for agencies to establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest-level security operations center of each agency.
Critique:
❌ Log management & centralization is the first of many steps to improve investigative and remediation capabilities. Beyond log management, the EO should outline Federal security information and event management (SIEM) initiatives, security operations center (SOC) initiatives, and security orchestration, automation & response (SOAR) initiatives.
Bold Action 8: National Security Systems update
In 60 days: Adopt cybersecurity requirements outlined in this EO into National Security Systems.
Critique
The EO emphasizes "bold changes and significant investments to defend the vital institutions that underpin the American way of life". However, the EO focuses only on Federal institutions and not on the myriad of other systems that make up the American way of life. With this critical exclusion, Americans may still remain vulnerable to cyber threats and incidents in their daily lives.
The EO states that "the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced". The EO attempts to cover many more aspects of cybersecurity than it actually does. The details of the EO stress transparency more than any other aspect outlined in the policy summary. There is more to be desired as far as "trust" and "consequences" are concerned.
The scope of the EO covers IT, OT and ICT systems and services. It misses a critical element of the ecosystem, the citizenry, who are ultimately the ones affected. The implementation of the plans that are produced pursuant to the EO has to ensure that the American way of life remains seamless and inclusive - it should not create a new divide: digitally secure and digitally insecure.
The EO asks to “bring to bear the full scope of its authorities and resources to protect and secure its computer systems”. However, much of the EO focuses on exercising expanded contractual terms and obligations. While this is a significant first step, the EO falls short of creating incentives that promote acceleration of the EO’s vision. In addition, the EO falls short in articulating penalties for behavior that puts Americans at greater cyber risk.
The EO is a plan for a plan. The overall approach for its scope is sound and does create a bias for action to develop an actionable plan. There are clear milestones that are reasonably aggressive given the size of the Federal machinery that needs to be mobilized. The EO rightly emphasizes and expands the role of FedRAMP and NIST to facilitate the implementation of some of the bold actions. The EO also identifies a handful of Federal organizations that will play important roles in the development of a plan pursuant to the asks of the EO. However, it falls short of clearly assigning ultimate accountability & authority to one agency or leader; the EO only nominally calls for the appointment of the National Cyber Director and the establishment of a related Office within the Executive Office of the President.
The EO provides in-depth details for one bold action: Enhancing Software Supply Chain Security. This seems natural considering the most recent breaches (excluding the Colonial Pipeline ransomware attack). In the remaining bold actions, while there are call-outs to initiatives like ZTA, EDR & MFA, the overall treatment of these remaining bold actions is not holistic.
The agencies and agency heads named in the EO are unlikely to have the necessary subject matter expertise to effectively execute on the actions identified in the EO. Much like developing vaccines for the pandemic, the best way to accelerate the implementation of this EO is investing heavily in developing an explicit public-private partnership. While the EO highlights the need for public-private partnership, it does so only sporadically and insufficiently.
While there are a handful of places where the EO explicitly takes a risk-based prioritization approach to implementing the bold actions, the EO does not prescribe a systematic risk-based approach to implementing all the bold actions.
In summary, the EO is a much required first step. It is a good first step but needs quick follow-through on its stated goals. It is important that this EO is succeeded by addenda and amendments to make the EO effective to the extent that it meets its stated goal: to make our digital infrastructure trustworthy and transparent with bold changes and significant investments to defend the vital institutions that underpin the American way of life.