Zero trust security is no longer just an option for federal agencies.
The Biden administration issued a long-awaited cybersecurity executive order Wednesday that, among other things, requires federal agencies to develop an implementation plan for a zero-trust architecture for security.
This mandate falls under a larger push to modernize federal cybersecurity in the wake of the recent cyberattacks that compromised federal agencies through exploitation of software made by the contractor SolarWinds and of flaws in Microsoft’s Exchange software.
“The Executive Order helps move the Federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption with a specific time period,” reads a fact sheet about the order. “Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors. The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”
Within 60 days, agency heads must update their existing plans “to prioritize resources for the adoption and use of cloud technology” and issue a new plan on moving to zero trust, in line with National Institute of Standards and Technology (NIST) guidance.
On top of that, the Office of Management and Budget will work over the next 90 days with the Department of Homeland Security and General Services Administration to develop and issue a federal cloud-security strategy and guidance.
And, within 180 days, civilian agencies will need to “adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
Modernizing federal cybersecurity is just one element of the larger EO. It also calls for increased sharing of threat information between the government and private sector, and for the development of baseline software supply chain security standards for any software sold to the federal government.
“The current market development of build, sell and maybe patch later means we routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure,” a senior Biden administration official told reporters. “The cost of the continuing status quo is simply unacceptable.”
Additionally, the order calls for the creation of a national Cybersecurity Safety Review Board, akin to the National Transportation Safety Board, and the creation of a playbook for responding to cybersecurity incidents. In the same vein, the administration orders agencies to “employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks” through improved endpoint detection and response measures.
Democrats on the House Homeland Security Committee applauded Biden’s executive order.
“Cybersecurity is a national security issue, and we commend the Administration for prioritizing it that way. From the SolarWinds supply chain attack that gave Russian actors access to Federal networks to the Colonial Pipeline ransomware attack that temporarily shut down 5,500 miles of gas pipeline, cyber attacks jeopardize our national and economic security,” said Reps. Bennie G. Thompson, D-Miss., and Yvette D. Clarke, D-N.Y. “If nothing else, the cyber incidents that have occurred over the past six months have demonstrated that bold action is required to defend our networks today and in the future. The Executive Order signed by the President today is just that.”