by Steve Brady
In the wake of the Russian attacks in December and the more recent Colonial Pipeline ransomware attack, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity. Aimed at strengthening the U.S. government’s cybersecurity posture, the Executive Order primarily establishes a set of actions that federal agencies must take. It also leverages the purchasing power of the federal government to benefit all IT users, including state and local governments, businesses and individuals.
As for strategic initiatives for federal IT, the order once again requires agencies to move more resources into the cloud. It also specifically requires agencies to explore and develop plans to implement a zero-trust architecture throughout their environment.
Two items directed at the federal government are for the Cybersecurity and Infrastructure Security Agency (CISA):
One item in this order that has received a lot of media attention is the new requirement for a Software Bill of Materials (SBOM) that will be required as part of the procurement process for "critical software." Such software “performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources).”
The Department of Commerce has been working with industry to provide insight into the components that are included in completed software products, but participation has been voluntary. This order requires the Department of State to develop a standard for what information must be included in an SBOM and how that information must be presented. These requirements will then be included in the Federal Acquisition Regulation.
While the SBOM will only be required for critical software procured by the federal government, there is an expectation that vendors will publicly share their information when available, since they are already putting in the effort to collect it.
REFERENCE
The White House | Executive Order on Improving the Nation’s Cybersecurity | https://tinyurl.com/nzn7j8jd