Last week President Joe Biden signed an executive order that establishes the cybersecurity standards for all software sold to the federal government. The order also calls on all software utilised by the government to meet those standards within nine months.
The order follows several recent attacks, most recently a hack on the country's biggest pipeline, the Colonial Pipeline, that has seen fuel shortages and panic-buying across multiple states. Plus the software company SolarWind, whose software was hijacked to break into government agencies and steal thousands of officials’ emails.
“Today, more than ever, cybersecurity is a national security imperative and an economic imperative. And I know I don’t need to say that, given what we’ve all just experienced in the last number of months,” says a senior administration official at the White House.
“So today’s executive order makes a down payment towards modernising our cyber defences and safeguarding many of the services on which we rely. It reflects a fundamental shift in our mindset — from incident response to prevention, from talking about security to doing security — setting aggressive but achievable goals to make the federal government a leader in cybersecurity, and improve software security and incident response.”
What does the order include?
According to the Fact Sheet issued by the White House, this Executive Order will:
- Remove barriers to threat information sharing between government and the private sector
- Modernise and implement stronger cybersecurity standards in the Federal Government
- Improve software supply chain security
- Establish a Cybersecurity Safety Review Board
- Create a standard playbook for responding to cyber incidents
- Improve detection of cybersecurity incidents on Federal Government networks
- Improve investigative and remediation capabilities
The order also requires all government agencies to:
- Adopt multi-factor identification log-in systems within 180 days
- Accelerate moves to the cloud and zero-trust frameworks
- Decide which unclassified data is too sensitive to be kept in normal networks storage
- Conduct more thorough reviews of critical software suppliers
It also states cyber-security vendors must report intrusions within 72 hours of discovery.
CompTIA, the nonprofit association for the information technology (IT) industry and workforce released a statement about Bidens order: "Our nation is at an inflection point in terms of cybersecurity policy, regulation, and legislation. The SolarWinds incident, Colonial Pipeline hack and scores of other cyberattacks that didn't make the headlines magnify the need for a national discourse on cybersecurity issues.
"As we continue to integrate emerging technologies into our federal cyber framework, it is essential to have a modernised architecture built on information sharing and real-time incident response. It is also a national imperative to move away from 'cyber shaming' agencies and private organisations that are victims of attacks. Instead, we should practice and promote more real-time information sharing about potential threats to create more 'noise' in the search for bad actors.”