During the 2021 Thales Crypto Summit, which brings together a group of experts to speak about cryptography and key management for keeping organizations secure, President Biden’s Executive Order (EO) was a key point of discussion. Aimed at “Improving the Nation’s Cybersecurity”, the EO was issued on May 12, 2021, the date from which many of its requirements and deadlines are measured.
Key Points of the Executive Order
The purpose of the EO is to modernize cybersecurity defenses by strengthening the United States’ ability to respond to incidents when they occur. The release of this Order could not have been more timely. As the Fact Sheet notes: “Recent cybersecurity incidents such as SolarWinds, Microsoft Exchange, and the Colonial Pipeline incident are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals. These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”
To achieve its goal, the EO sets forward specific requirements:
- “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services” [Section 3(a)].
- “develop a Federal cloud-security strategy and provide guidance to agencies accordingly” [Section 3(c)(i)].
- “prioritize identification of the unclassified data” [Section 3(c)(iv)].
- “Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent” [Section 3(d)].
- “maintain trusted source code supply chains, thereby ensuring the integrity of the code” [Section 4(e)(iii)].
Zero Trust is no longer a nice-to-have option but a strategic choice. Besides being a requirement in the Presidential EO, the National Institute of Standards and Technology (NIST) has issued a blueprint architecture that describes three ways to implement it: identity governance, micro-segmentation, or network-based segmentation.
Multi-factor authentication and encryption of data in transit and at rest are also part of the Executive Order. This is not surprising, as these security controls are already a vital part of the privacy and security requirements in well-established frameworks and regulations such as FedRAMP. Before data can be protected, it must be identified and classified. This applies to all types of data, structured and unstructured, whether it is stored on-premises or in the cloud. To improve an organization’s cybersecurity posture and ensure integrity, key management and root key protection for PKI and code signing should also be implemented.
The Order establishes a Cyber Safety Review Board. The Board, convened by the Secretary of Homeland Security, will review significant cyber incidents and make recommendations based on its findings. This is similar to how the National Transportation Safety Board (NTSB) investigates major transportation incidents, such as airline and train accidents.
Not just a government action
The most effective way to attain any cybersecurity objective is through strong controls. Without the correct controls and oversight, your organization cannot fully attest to the requirements of an optimized security program.
As with all government initiatives, there will be a “spillover” effect: many third-party contractors will adopt the rules of the Executive Order to stay in alignment with it, especially if they subcontract for the government. This is also the government’s intention, since the Fact Sheet states that “We encourage private sector companies to follow the Federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
How Thales Can Help
Thales offers a full line of products and expertise to help you meet the requirements of the Executive Order. Whether you are building a Zero Trust Architecture or implementing the controls that lead toward it, let Thales be a trusted partner in helping you meet the new requirements of a world-class cybersecurity model.
If you wish to learn how Thales can help you achieve this required security posture, watch the webcast “Executive Order on Cybersecurity”.