RiskXchange provides compliance with Biden’s Executive Order with a specific focus on the private sector.
President Joe Biden has set in motion a new Executive Order to improve the United States’ security posture. The new order encourages better cyber threat information sharing between the U.S. Government and the private sector. The aim is to minimise future threats to national security and align cybersecurity initiatives by modernising cybersecurity defences across America.
The official White House publication states that the United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government states that it must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors. These threats are not aimed at America alone, however; they can be seen around the world.
Governments must carefully examine what occurred during any major cyber incident and apply lessons learned. But cybersecurity requires more than government action. Protecting a country from malicious cyber actors requires the government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with governments to foster a more secure cyberspace.
Let’s take a closer look at a framework that provides compliance with Biden’s Executive Order with a specific focus on the private sector.
Removing barriers to sharing threat information
The new Executive Order affects all Operational Technology (OT), Information Technology (IT) and cloud providers offering services to the United States government.
Section 2 of the Executive Order stipulates that IT service providers and cloud providers must share data breach information with the government agencies and departments tasked with investigating cyberattacks.
These government departments and agencies include:
- The Federal Bureau of Investigation (FBI).
- The Cybersecurity and Infrastructure Security Agency (CISA).
- Sectors of the United States Intelligence Community (IC).
Prior to the Executive Order being instituted, IT providers were under no obligation to share cyber incident information with the above-mentioned entities. Now all IT service providers in the United States are obligated to share specific data breach information with the U.S. government. With this information, the United States government can adjust its cyber defences in line with evolving nation-state attacks and accelerate its response and remediation efforts.
How to comply with section 2
To ensure compliance with section 2 of the Cybersecurity Executive Order, service providers must share cyber threat intelligence with investigation entities. The information workflow should be conducted in accordance with the revised contract requirements of the Defence Federal Acquisition Regulation (DFAR) and Federal Acquisition Regulation (FAR), highlighted within the Executive Order.
RiskXchange is able to help both the private sector and government entities comply with section 2 of the Executive Order by providing up-to-the-minute reports on the internal and third-party attack surface.
Modernising federal government cybersecurity
Section 3 outlines that to keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernise its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties.
The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralise and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernisation goals.
How to comply with section 3
In order to comply with section 3 of the Cybersecurity Executive Order, the private sector must adopt the higher security standards used by the Federal Government. The following transition framework can help reach higher cybersecurity goals:
- Focus on adopting secure cloud technologies.
- Support cloud technology with solutions that assess, detect, prevent and remediate cyber threats.
- Modernise cybersecurity programs to include cloud-computing environments with Zero Trust Architecture.
- Develop cloud security frameworks that meet the standards created by the Secretary of Homeland Security.
- Develop a Zero Trust Architecture (ZTA) implementation plan following the steps outlined by the National Institute of Standards and Technology (NIST).
- Adopt multi-factor authentication and encryption for all data.
- Facilitate improved data breach information sharing.
- Switch to digital vendor documentation for more efficient risk assessment processes.
Enhancing software supply chain security
Section 4 of the Cybersecurity Executive Order outlines that the security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.
There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.
How to comply with section 4
RiskXchange can help the private sector improve supply chain security by undertaking the following steps:
- Pinpointing third-party data leaks before they develop into data breaches.
- Identifying and remediating security vulnerabilities to prevent third-party breaches.
- Assessing and evaluating the security postures of all vendors with security ratings.
Improving detection of cybersecurity vulnerabilities and incidents on Federal Government networks
In section 7, the Executive Order outlines that the Federal Government shall employ all appropriate resources and authorities to maximise the early detection of cybersecurity vulnerabilities and incidents on its networks. This approach shall include increasing the Federal Government’s visibility into and detection of cybersecurity vulnerabilities and threats to agency networks in order to bolster the Federal Government’s cybersecurity efforts.
FCEB Agencies shall deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.
How to comply with section 7
In order to comply with section 7 of the Cybersecurity Executive Order, the following steps should be adhered to:
- Pinpoint data leaks to prevent cyber threats.
- Manage remediation of data leaks linked to the internal and third-party threat landscape.
- Incorporate Third-Party Risk management solutions supported by cybersecurity experts.
- Centralise all intelligence for streamlined security posture communication.
- Adopt host-based vulnerability detection to locate and identify vulnerabilities in workstations, servers, and other network hosts.
Improving the Federal Government’s investigative and remediation capabilities
In section 8, the order stipulates that information from network and system logs on Federal Information Systems (for both on-premises systems and connections hosted by third parties, such as CSPs) is invaluable for both investigation and remediation purposes. It is essential that agencies and their IT service providers collect and maintain such data and, when necessary to address a cyber incident on FCEB Information Systems, provide them upon request to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.
How to comply with section 8
In order to comply with section 8 of the Cybersecurity Executive Order, a single platform capable of end-to-end cyber threat management is key. This platform should include everything from vulnerability detection to complete remediation for both the internal and third-party vendor attack surface.
How RiskXchange can help
RiskXchange is one of the firms leading the fight against cybercrime, coming up with novel solutions to everyday problems experienced at the hands of hackers. We are a respected provider of cybersecurity ratings and can fully assess potential threats to ensure your business is protected inside and out.
With full visibility over your ecosystem’s entire attack surface in near real-time, you can regularly monitor and mitigate risks to prevent unnecessary exposures. Our passive data collection methods are effective and have no impact on your network performance. Using data-driven insights to prevent breaches is the best way to reduce an attack surface and prevent cyberattacks.
RiskXchange provides a powerful, AI-assisted yet simple, automated and centralised 360-degree approach to cybersecurity risk rating management. We generate objective and quantitative reporting on a company’s cybersecurity risk and performance, which enables organisations with evolving business requirements to conduct business securely in today’s open and collaborative digital world.
RiskXchange is an information security technology company that helps companies of all sizes fight cyber threats by providing instant risk ratings for any company across the globe. RiskXchange was founded and is led by recognised experts within the security industry, who have held leading roles within companies such as IBM Security.