Wednesday, May 12, 2021

Cybersecurity Executive Order – 5-12-21

Today President Biden published an Executive Order on Improving the Nation’s Cybersecurity on the White House website. The clock on the deadlines set forth in the EO will start when the official copy of the EO (probably as EO #14027 [actually EO #14028]) is published in the Federal Register, probably later this week. According to a White House Fact Sheet, the purpose of this long-awaited EO is to “improve the nation’s cybersecurity and protect federal government networks.”

Federal Cybersecurity Leadership

The EO is targeted at protecting federal networks; it does not set any cybersecurity requirements for critical infrastructure to implement. Rather, Biden expects that, since the federal government is a major consumer of network devices and services, the requirements set forth will trickle down to the private sector as minimum best practices and thus raise the level of cybersecurity across the country.

Setting Standards

The order does not directly establish any standards. Instead, it directs various federal agencies (including CISA, NIST, and OMB) to develop a large number of standards that will be incorporated into federal acquisition and DOD acquisition regulations. There is, however, a rather high level of technical detail in the requirements that the President expects to see implemented. This can be seen in the definition of ‘Software Bill of Materials’ found in §10(j):

“(j) the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software.  Software developers and vendors often create products by assembling existing open source and commercial software components.  The SBOM enumerates these components in a product.  It is analogous to a list of ingredients on food packaging.  An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software.  Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.  Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.  Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.   A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration.  The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems.  Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.”
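To make the last sentences of that definition concrete, here is an added example (not from the EO or this post) of the automation a machine-readable SBOM enables: a small, constructed SBOM in a simplified CycloneDX-like layout is checked against a constructed advisory list to answer the operator's question of whether the product is exposed to a newly disclosed vulnerability. Component names, versions and advisory ids are all made up.

```python
# Added example: match a machine-readable SBOM against new advisories.
# The SBOM and advisory list are constructed sample data, not real feeds.
from dataclasses import dataclass

# Constructed SBOM: the components a hypothetical product was built from.
SBOM = {
    "product": "example-app 3.1.0",
    "components": [
        {"name": "libfoo", "version": "1.4.2", "supplier": "foo-project"},
        {"name": "libbar", "version": "2.0.9", "supplier": "bar-inc"},
        {"name": "zlib-ish", "version": "1.2.11", "supplier": "compress-org"},
    ],
}

# Constructed advisories: affected component plus the first fixed version;
# every version strictly below `fixed` is treated as affected.
ADVISORIES = [
    {"id": "ADV-0001", "component": "libfoo", "fixed": "1.4.3"},
    {"id": "ADV-0002", "component": "libbar", "fixed": "2.0.5"},
    {"id": "ADV-0003", "component": "libbaz", "fixed": "0.9.0"},
]

def parse_version(v: str) -> tuple:
    """Split 'a.b.c' into ints so versions compare numerically
    ('1.10.0' > '1.9.0', which plain string comparison gets wrong)."""
    return tuple(int(part) for part in v.split("."))

@dataclass(frozen=True)
class Finding:
    advisory: str
    component: str
    installed: str
    fixed: str

def match_advisories(sbom: dict, advisories: list) -> list:
    """Return one Finding per SBOM component an advisory says is affected."""
    by_name = {c["name"]: c for c in sbom["components"]}
    findings = []
    for adv in advisories:
        comp = by_name.get(adv["component"])
        if comp is None:  # product does not ship this component at all
            continue
        if parse_version(comp["version"]) < parse_version(adv["fixed"]):
            findings.append(Finding(adv["id"], comp["name"], comp["version"], adv["fixed"]))
    return findings

if __name__ == "__main__":
    for f in match_advisories(SBOM, ADVISORIES):
        print(f"{f.advisory}: {f.component} {f.installed} < fixed {f.fixed}")
```

Only libfoo is reported: libbar already carries a version at or above the fix, and libbaz is not in the product at all, which is exactly the triage an SBOM lets an operator do without contacting the vendor.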

Goals for the EO

According to the Fact Sheet, the EO will:

• Remove barriers to threat information sharing between government and the private sector,

• Modernize and implement stronger cybersecurity standards in the federal government,

• Improve software supply chain security,

• Establish a cybersecurity safety review board,

• Create a standard playbook for responding to cyber incidents,

• Improve detection of cybersecurity incidents on federal government networks, and

• Improve investigative and remediation capabilities.

Improving Investigation and Remediation

A quick look at the requirements within this section of the Order will provide some level of insight into how the order attempts to accomplish the overall goals. I will be doing a similar analysis for the remaining requirements in subsequent blog posts.

Section 8 of the EO addresses the standards needed for network and systems logs on Federal Information Systems. Paragraph (a) establishes that it “is essential that agencies and their IT service providers collect and maintain such data and, when necessary to address a cyber incident on FCEB Information Systems, provide them upon request to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.”

Paragraph (b) gives DHS (in consultation with DOJ and OMB) 14 days to provide OMB with “recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks.” Those recommendations will include:

• The types of logs to be maintained,

• The time periods to retain the logs and other relevant data,

• The time periods for agencies to enable recommended logging and security requirements,

• How to protect logs, and

• Requirements to ensure that, upon request, agencies provide logs to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law [this last is found in §8(e)].

Paragraph (c) gives OMB (in consultation with DOC and DHS) 90 days from receipt of the recommendations above to “formulate policies for agencies to establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency.”
