President Biden’s Executive Order has both immediate actions and wait-and-see topics for agencies
Posted by: Jean-Paul Bergeaux
The sweeping Executive Order (EO 14028, Improving the Nation’s Cybersecurity) released by President Joe Biden on May 12, 2021 has a lot of meat in it, which we explored in a previous blog post. It should spur a lot of activity by agencies trying to meet several immediate requirements. However, some of the requirements will have to wait for actions from the DOD, OMB, DHS and CISA specifically. Below I’ve separated the actions on which agencies will need to take a wait-and-see approach from the actions they should jumpstart now.
What Federal agencies CANNOT act on yet:
- Information sharing by service providers: This action puts the onus on the IT and OT service providers that work with the Federal Government, through updated contract language, to report threat and incident information. Agencies can push their vendors to act on this, but ultimately it will be up to the service providers to make the proper adjustments.
- Modernizing FedRAMP: GSA will update the FedRAMP program, which provides reusable, government-wide security authorizations (ATOs) for cloud service offerings.
- IoT security reform: This action calls for a consumer labeling program that sets new standards for how vendors such as FitBit, Roku, Apple, Ring and others communicate the security measures of their devices to all customers, both Federal agencies and citizen end users.
- Cyber Safety Review Board: This requirement establishes a board drawn from both agencies and industry to review and assess significant cyber incidents such as the recent SolarWinds, Exchange and Colonial Pipeline attacks and to recommend improvements. Agencies cannot stand this up on their own; DHS convenes the board, and agencies will need further direction on how to participate and on the outcomes expected from its reviews.
- Standardization of response to threats and vulnerabilities: While the EO sets this as an initiative, the standard playbook for vulnerability and incident response that it tasks CISA with developing still has to be written, along with the policies and response procedures agencies will follow. Agencies should hold tight until this guidance is provided.
There are also a few items on which agencies must wait for further guidance but can take some actions now to prepare or get ahead of the curve:
- Cloud security: The detailed requirements are still to come, but there is no doubt they will center on configuration management and policy enforcement. Agencies can start by inventorying their cloud services and documenting how each one’s configuration is managed and enforced today.
- Supply chain risk management: While agencies need to wait for the new guidance on contracts with vendors, they can start building an inventory of all vendors, the products and services each supplies, and points of contact now. It will be important later.
- Logging: Which data must be logged and how long it must be retained are both yet to be determined. Agencies will need a logging platform that can be expanded in both storage capacity and ingestion rate once the new guidance arrives.
EO Requirements that agencies CAN and SHOULD act on now:
- Zero Trust architecture plan: Zero Trust isn’t a tool, but an overall approach and framework. Agencies should assess their overall security architecture, their assets, information and people to determine the best approach for improving security without negatively impacting operations. Most importantly, they should identify which tools already produce useful security artifacts and which Policy Enforcement Points (PEPs) already exist in the environment that a Zero Trust architecture can reuse. Moving from tools to architecture will require a lot of foundation work first.
- Multi-Factor Authentication (MFA): This must be implemented across the board, not just for administrator and privileged accounts. The EO gives agencies 180 days to adopt MFA (and encryption), so this is one of the tightest deadlines on the list.
- Encryption: Encryption of data at rest (and in transit) is now broadly applicable. Where it used to be required mainly for High Value Assets (HVAs), the EO has now set it as a requirement for everything, to the maximum extent consistent with Federal records laws.
- Endpoint Detection and Response (EDR): While most agencies have EDR in some form or fashion, the EO now calls for an assessment of existing EDR capabilities and for a government-wide EDR initiative that is “centrally located” to support host-level visibility, attribution and response, a term that still has to be defined.
In future blog posts, I’ll draw on my experience working with agencies over the last two decades to describe the best approaches for meeting the requirements in each of the areas that agencies can start to address now.
Jean-Paul Bergeaux
Chief Technology Officer - Federal,
GuidePoint Security
With more than 18 years of experience in the federal technology industry, Jean-Paul is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp, Commvault and SwishData.
Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for federal IT managers like cyber security, VDI, big data and backup and recovery.