Biden's Executive Order: Strengthening National Cybersecurity Measures

In response to the significant breach involving SolarWinds Orion software, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity on May 12, 2021. This directive aims to bolster the coordination among US Federal Government agencies in preventing, detecting, responding to, and mitigating security incidents and breaches. The order outlines several key actions:

  • Eliminating obstacles to sharing threat information
  • Modernizing cybersecurity technologies and practices within the Federal Government
  • Strengthening software supply chain security
  • Standardizing the Federal Government’s playbook for vulnerabilities and incident response
  • Enhancing the detection of cybersecurity vulnerabilities and incidents on Federal networks
  • Boosting the Federal Government’s investigative and remediation capabilities

This Executive Order builds upon previous cybersecurity directives and mandates that agencies establish uniform standards based on NIST guidance, with enforcement starting in May 2022. A significant focus is Section 4, Enhancing Software Supply Chain Security, which introduces new third-party risk management requirements for Federal agencies. Software suppliers unable to meet these standards will be barred under the Federal Acquisition Regulation from selling to the government. The Federal Government plans to release these requirements, including testing and evaluation criteria, later this year.

Understanding Third-Party Risk Management in the Executive Order

Federal Government IT systems have long been targets for nation-state attacks, with third-party services and software often serving as the weakest link. These providers may lack the necessary processes or controls to detect malicious activity, potentially exposing sensitive information.

Third-party risk management technologies and processes are crucial in addressing the Executive Order's guidelines, which require organizations to evaluate and report on software security. The criteria include assessments of developer and supplier security controls, along with documentation demonstrating adherence to secure practices.

Guidance and Recommended Capabilities

When evaluating third-party software security practices, agencies should use industry-accepted, standardized risk assessment questionnaire templates, such as the Standardized Information Gathering (SIG) questionnaire, NIST-based assessments, and CMMC assessments. Applying a single standardized assessment across the supplier base allows software security practices to be compared more efficiently.

Agencies can also benefit from exchange networks that contain pre-completed security risk assessments, expediting the risk identification process.

Developing a Third-Party Risk Management Program

As the requirements of the Executive Order on Improving the Nation’s Cybersecurity evolve, IT software companies should focus on building or enhancing their third-party risk management programs. Key considerations include:

  • Identifying critical suppliers and concentrating assessment efforts on those posing the most inherent risk
  • Regularly evaluating the secure software development lifecycle practices of key third parties contributing code or updates
  • Continuously monitoring the dark web and related forums for activity concerning third parties
  • Triaging and addressing assessment and monitoring findings
  • Centralizing documentation and reporting for auditors

Organizations like Prevalent offer SaaS solutions that automate essential tasks for identifying, assessing, analyzing, remediating, and continuously monitoring third-party security, privacy, operational, compliance, and procurement-related risks throughout the vendor lifecycle. Exploring such solutions can be beneficial for aligning with the Executive Order on Improving the Nation’s Cybersecurity.

© scram-pra.org