The Biden administration’s Cybersecurity Executive Order (Cyber EO) issued in May 2021 marks the Federal government’s most determined effort yet to not only propose – but also to enforce through sustained government-wide action – the kinds of fundamental changes needed to advance civilian agency cybersecurity, defeat sophisticated attacks on government networks, and in the process, take a giant leap forward in the cause of IT modernization.
The Cyber EO sets a new tone for Federal policy on cybersecurity – gone are the days of aspirational policy goals. The administration’s order has more than enough specificity, regulatory bite, and top-down backing to force major shifts in how the civilian Federal enterprise remakes its cybersecurity footing.
Moreover, the Cyber EO’s marching orders to Federal agencies are imbued with urgency and put agencies – both implementing agencies and the agencies that need to help them get there – on short and highly visible leashes for concrete progress.
The order’s ultimate impact and payoffs won’t be fully evident for years to come, for two main reasons – the timeline to execute on some of the order’s directives is long, and staying ahead of adversaries and protecting critical networks is a task that has no end.
At the heart of the Cyber EO’s instructions to Federal agencies are two core directives: move to the cloud, and move to zero trust security architectures.
Beyond that, the order places requirements on Federal agencies to speed the deployment of endpoint detection and response (EDR) technologies on their networks, make progress on adoption of multi-factor authentication (MFA) and encryption technologies, adhere to a standard cyber incident response “playbook,” share cyber information with other agencies, and comply with new cybersecurity event log-keeping requirements.
For the private sector, the order uses the power of the Federal purse to put in place “baseline” security standards in software sold to the government and gives the private sector a seat at the policy table for weighing additional requirements.
Six-Month Progress Report
Six months in, where do we stand? Here’s a rundown on the government’s key points of progress on major portions of the order, and what some of the most astute private sector security providers think about its pace and its promise.
Zero Trust Migration
There are nearly as many definitions of zero trust as there are security solutions providers, but Federal IT officials’ simple definition is: 1) moving away from a “castle and moat” perimeter-based network defense; 2) and, moving toward security architecture that relies on least-privilege, least-access, constant evaluation of network users accessing sophisticated analysis of network and user data to continually confirm and re-confirm access privileges.
The practical goals of the strategy are to make it much more difficult for unpermissioned users to access systems in the first place, and to prevent adversaries from undertaking successful lateral movements within systems if initial access is gained. The concepts for zero trust are not particularly new, but executing the necessary changes in network architecture is a complex process that will take years to play out.
As a top-level target, the Cyber EO gives Federal agencies a three-year window to make those necessary architecture changes and accelerate their efforts by then moving “towards a shared baseline of early zero trust maturity.”
At the more granular level, the Cyber EO gave Federal agencies 60 days to develop plans to implement zero trust security architectures, tracking with implementation guidance developed by the National Institute of Standards and Technology (NIST).
In early September 2021, both the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) issued key draft guidance documents that provide the next set of road maps for agencies to transition to zero trust, again emphasizing the three-year migration timeline.
OMB has collected public feedback on its Zero Trust Strategy Draft, and CISA has done the same with its draft Zero Trust Maturity Model. The final versions of those three guidance documents are not yet public but should provide more definitive guidance when they are.
At the same time, OMB ordered agencies to build in commands from its guidance document into their existing zero trust implementation plans, and to designate zero trust implementation leads for each agency.
Perhaps more importantly over the longer term, OMB also ordered agencies to tie implementation plans into their budget and planning cycles for FY2022-2024, and to work on reprioritizing funding for FY2022 “to achieve priority goals or seek funding from alternative sources, such as agency working capital funds or the Technology Modernization Fund.”
The OMB draft strategy acknowledges that the shift to zero trust principles won’t happen overnight. OMB said it expects that “moving to a zero trust architecture will be a multi-year journey for agencies, and the Federal government will learn and adjust as new technologies and practices emerge.”
“The purpose of this strategy is to put all Federal agencies on a common roadmap by laying out the initial steps agencies must take to enable their journey toward a highly mature zero trust architecture,” OMB continued. “This recognizes that each agency is currently at a different stage of maturity, and ensures flexibility and agility for implementing required actions over a defined time horizon. The strategy also seeks to achieve efficiencies for common needs by calling for government-wide shared services, where relevant.”
Thus far, private sector IT leaders are giving the administration good reviews on the first six months of implementing the Cyber EO, and shared further steps the Feds can take.
“The President’s EO lays out a fairly aggressive schedule of deliverables and actions,” said Brian Hajost, Chief Operating Officer at SteelCloud. “CISA, NIST, and OMB have done an admirable job to advance the key components of the EO and effectively communicate their progress to industry and government stakeholders.”
Hajost also noted that zero trust is more of a “theme” for better security, and that “moving forward, more prescriptive recommendations will need to be identified so agencies can better assess their progress and the zero trust initiative can move from theory into practice.”
“OMB and CISA have done an excellent job of keeping up with the more than 50 requirements of the executive order, including that the Zero Trust Strategy and Zero Trust Maturity Model were issued within the timeframes originally required by the EO,” agreed Stephen Kovac, Chief Compliance Officer and Head of Global Government Affairs at Zscaler. “As far as other priority areas, I think it’s important we focus on ensuring that agencies have funding to support the implementation of the EO’s requirements.”
“The Zero Trust Strategy lays the groundwork for the Federal government’s transition to a strong and lasting zero trust security environment,” Kovac said. “While the strategy itself provides agencies with nearly three years to achieve full compliance, the various milestones along the way are intended to ensure that real progress is made at each step in the journey.”
“Should we push harder to accelerate the government’s zero trust transition?” he asked. “Yes, but we must be realistic in recognizing that this change in mindset from what has been a focus on perimeter security is not going to happen overnight.”
Despite the fast start on Cyber EO implementation, Chris Blanchette, Senior Principal Solutions Architect at Forcepoint, pointed out that Federal agencies “will face major hurdles” in the process, with those obstacles including “a shift to an active cyber defense mindset.”
“Active cyber defense intonates advanced persistent threats (APT), which are here to stay and will become more pervasive,” he explained. “With the rise and persistence of APTs, network defenders must assume that with time and expertise, networks will be penetrated. With the use of zero trust principles, we can limit or eliminate threats that have penetrated our bridges, moats, and walls.”
“Creating the framework to reuse current capabilities within government networks and the incorporation of new technologies that make use of the government investment are successfully shifting the mindset to meet the Cyber EO,” he said.
From a structural basis, Blanchette said both the Federal Zero Trust Strategy and its three-year adoption window present achievable goals for Federal agencies. “Three years gives agencies and departments time to budget and plan for implementing zero trust,” he said, but added, “what is more concerning is how the government will police itself to meet the stated goals in OMB Federal Zero Trust Strategy draft.”
Looking ahead, Blanchette said he is keeping an eye on “the mindset change from reactionary and implied trust to a zero trust environment enhanced with AI and ML capabilities. The use of AI and ML are of interest in their use in predictive analytics to close the gap from identification to remediation and isolation.”
“We should all remember that zero trust is a set of design principles – not a set of specific, fully matured security controls and tools,” commented Maurice Uenuma, Vice President, Federal and Enterprise Sales at Tripwire, a provider of security and automation software.
“Agencies should take this opportunity to develop a long-term security strategy with these principles in mind,” he said. “Among those principles, it is imperative to establish and maintain system integrity across the entire ecosystem, recognizing that zero trust is predicated on the continuous re-validation of trustworthiness of systems, people, and services. A robust ability to establish and maintain known good, trusted state across all essential systems is critical.”
Cloud Adoption Mandate
The central thrust of the Cyber EO leans just as heavily on the continued cloud adoption mandate for Federal agencies but is somewhat less prescriptive on its face than the zero trust security portion of the order.
That’s likely because most Federal agencies have already taken the plunge – to one degree or another – into cloud services in recent years. Granular instructions to all agencies on this front are less useful because agencies are already engaged in many different stages in cloud adoption.
Nonetheless, the Cyber EO laid out initial instructions for all agencies, giving them 60 days to update their plans to “prioritize resources and use of cloud technology” as outlined in the existing OMB guidance.
The order also directed CISA and the General Services Administration (GSA) – which runs the existing FedRAMP program for cloud provider security certifications – to develop cloud security principles governing cloud service providers and to incorporate those into Federal agency modernization plans.
CISA appeared to hit its mark with the early September 2021 release of its draft Cloud Security Technical Reference Architecture and received public comment on that document. A definitive version of that guidance still awaits finalization. The other September guidance documents issued by OMB and CISA on zero trust also appear to feed into the cloud portions of the order.
“As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal government to prevent, detect, assess, and remediate cyber incidents,” the Cyber EO advises, with migration to cloud services incorporating zero trust architecture “as practicable.”
The existing OMB policy on cloud adoption is embodied in the Cloud Smart policy issued in 2019, which succeeded the previous Cloud First policy and prioritizes cloud adoption pillars including security, procurement, and workforce. The time may be ripe for a further OMB policy update to incorporate the Cyber EO’s goals.
When asked about the pace of cloud adoption, Kovac said, “the Federal government continues to make steady progress in adopting cloud, with cloud spending of more than $8 billion projected for FY2021, up significantly from prior years.”
“With that said, more needs to be done to accelerate cloud adoption where it makes the most sense, recognizing that not every on-prem system is ripe to move to the cloud,” he continued. “We also must make it easier for agencies to acquire the cloud solutions they need. Part of that is modernizing and increasing the capacity of the FedRAMP program, which in turn helps make more cloud solutions available to the agencies that need them.”
“Modernizing and increasing the capacity of FedRAMP is a critical and often overlooked requirement of the EO,” Kovac explained. “We need to modernize and accelerate the way that agencies authorize cloud services. Improving FedRAMP through automation, resourcing, and incentivizing authorization to operate (ATO) reuse is pivotal to galvanizing cloud adoption and zero trust architectures.”
“The move to the cloud is an incredible opportunity to align future network security and associated architectures,” commented Blanchette. “The pace of adoption, transition to the cloud, and mandating of cloud adoption needs to be deliberate and clear. The administration needs to establish the requirement for transitioning to the cloud and the regulatory oversight to ensure secure and successful migrations.”
On the cloud front, Hajost said, “across the government, we see good cloud adoption for new applications.”
“But there has been an overestimation of the benefits and an underestimation of the timeline and effort necessary to move existing applications to the cloud and to get them through the [NIST] Risk Management Framework authorization process,” he said. “With tight budgets, there are few dollars available to move existing authorized applications without some more directed budgetary assignment aimed at moving applications to the cloud.”
Tripwire’s Uenuma explained that there are a number of factors at play for the measured pace of cloud adoption by Federal government agencies, including cost and labor issues. “Among them include a slower realization of benefits in Federal agencies than in the commercial entities, which have aggressively shifted workloads into the cloud,” he said.
“One of the biggest benefits is that labor and infrastructure costs can be substantially reduced as work processes shift to service providers and capital-intensive on-premises infrastructures can be scaled down,” he said. “But Federal agencies cannot offload labor expenses nearly as quickly, and on-prem infrastructure is often tied to long-term programs which were years in the making. Human resource policy changes to make the Federal labor force more elastic would help to accelerate cloud adoption.”
EDR and CDM
Another major focus of the Cyber EO is the White House’s directive for Federal agencies to move faster on the deployment of EDR capabilities in their networks and to lean on CISA for help in getting that work done.
Progress on EDR capabilities has been underway at Federal agencies for several years through implementation of CISA’s Continuous Diagnostics and Mitigation (CDM) program. However, Federal agency progress on that foundational aspect of the CDM program has been varied, particularly for large agencies with numerous sub-agency components.
Because the EDR work – along with that of the CDM program – is fundamental to the underlying goal of moving toward effective zero trust security and for CISA to undertake threat hunting across agency networks, OMB in mid-October 2021 issued detailed guidance to Federal agencies to speed the effort.
There are a couple of key dates for agencies to adhere to, including providing CISA with access to current EDR deployments within 90 days, engaging with CISA to identify “future state options,” and then working with CISA to analyze and identify EDR deployment gaps within 120 days. After that, agencies will continue to work with CISA on EDR deployments, enable threat hunting on networks, and work on funding to complete EDR work.
For its part, CISA will work on a process for continuous performance monitoring of EDR solutions, give guidance to OMB on accelerating deployments, publish technical reference architecture and maturity model guidance, and develop a government-wide playbook of best practices for EDR deployments.
MFA and Encryption
Still on tap for Federal agencies, but with less public visibility into progress, are Cyber EO mandates for agencies to adopt “MFA and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
The Cyber EO says that agencies have 180 days to comply with that mandate, which would put the deadline in mid-November.
CISA is in charge of helping agencies maximize adoption, based on identified gaps in agency implementation. Agency heads that can’t hit the 180-day deadline will have to provide a written explanation for why they are not able to do it.
Also on the near-term horizon is a mid-November deadline for NIST to publish preliminary guidelines for enhancing software supply chain security.
The Cyber EO tasks NIST to develop those guidelines with stakeholder input to identify existing standards, or develop new standards, tools, and best practices for better supply chain security, with guidelines to include criteria to evaluate software security, and best practices of software developers.
In connection with that effort – and with the Cyber EO’s directive to create “baseline security standards” for software sold to the government – NIST published in late June 2021 an updated definition for “critical software.” CISA is charged with developing a list of software categories and products in use that meet the NIST definition.
In July 2021, NIST followed with the publication of guidance outlining security measures for critical software and minimum standards for vendors’ testing of their software source code as part of the agency’s assignments under the Cyber EO.
Then in August 2021, OMB issued guidance to Federal agencies on how to comply with the critical software security guidance. OMB said that agencies then had a 60-day deadline to report on their critical software inventories, and a year to implement security measures called for by NIST.
“We are very interested in software supply chain cybersecurity, as this represents a multi-faceted front in cybersecurity,” said Tripwire’s Uenuma. “One obvious aspect is the development of potentially new requirements on software vendors, which would affect Tripwire and the many other companies that deliver software products and services. Another aspect is the development of security controls, including technical and policy controls, to harden source code and reduce risk.”
“While the economics of software development still favor a ‘first to market’ and ‘fail fast’ model, the possibilities of introducing effective security controls in the development and production of software is intriguing,” he said. “Tripwire is studying this issue and has already developed solutions for in-development security configuration checking of software builds.”
“As a technology vendor, in addition to the impact on agencies, we are looking at the EO’s requirements on industry,” Hajost said. “Drawing a bright line between ‘critical’ and ‘non-critical’ software opens up some additional requirements that technology vendors and suppliers will have to address in the very near term. Delivering critical software capabilities through a Software as a Service model becomes a real challenge with the EO as well as the critical software requirements outlined by CISA and NIST.”
A host of Federal agencies – OMB, CISA, and NIST chief among them – are the places to watch for further taskings and deadlines under the Cyber EO as the implementation processes continue to roll out. Check back often with MeriTalk for the latest.