Following a series of severe cyber-attacks on public and private sector organisations, the US White House released on 12 May 2021 an Executive Order “on Improving the Nation’s Cybersecurity”. In addition to improving the sharing of threat intelligence and enhancing the detection and remediation of cyber incidents, the Order mandates the adoption of cloud-based services and of a Zero Trust Architecture (ZTA).
The Order itself does not prescribe technical specifics; it instead directs agencies towards measures described by the National Institute of Standards and Technology (NIST). Some US armed forces and federal agencies had already begun incorporating ZTA principles into their cybersecurity strategies, but this Order represents the first step toward a common understanding and harmonisation of what ZTA implies across the federal government.
New obligations for threat intelligence sharing
Under Section 2 of the Executive Order, the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) are to be revised to increase the reporting obligations of contractors and suppliers of the US federal government. Previously, under some circumstances, such as contractual obligations, contractors and suppliers were able to refrain from notifying the government in the event of an intrusion and were also able to withhold threat intelligence. This is no longer the case: the Executive Order mandates the removal of such contractual barriers.
These companies will be under an obligation to report intrusions and to share threat intelligence with the relevant federal agencies, namely the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and other members of the Intelligence Community (IC). To be compliant, companies will need to establish a sharing process, which is likely to involve their IT, information security, legal and compliance departments. Some government entities may require additional FAR rules on an ad hoc basis.
Zero Trust implementation within government organisations
Section 3 of the Executive Order requires federal agencies to develop, within 60 days, a plan to implement Zero Trust Architecture and to migrate to cloud-based services. It defines Zero Trust Architecture as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries”.
The concept emerged in 2009, when security researchers argued that no network traffic should be trusted by default, whether it originates inside or outside the perimeter. Since then, the idea has spread and developed into a fully-fledged, though fragmented, set of measures and technologies. It includes, among other things, encryption requirements (at rest and in transit), multi-factor authentication and granular, per-request access control.
The Executive Order also aims for the federal government to transition to cloud-based infrastructures and products, namely Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS). It sets out broader objectives such as improving visibility into and understanding of the threat landscape, and greater investment in people and funding. FedRAMP, the federal programme for assessing and authorising cloud service providers, is to receive a new streamlined process to accelerate compliance audits.
Although these changes primarily affect the federal government, they are intended to guide the wider private sector, beyond government contractors and suppliers.