Policy Insights: Biden cybersecurity order mandates new rules for govt software – ET Telecom


The order follows a digital extortion attempt against major fuel transport company Colonial Pipeline that triggered panic buying and fuel shortages i..


Policy Insights:

Rick Tracy, CSO at Telos Corporation:

“The White House is to be commended for issuing an extensive executive order that acknowledges the severity and scope of the cybersecurity challenges facing the public and private sectors, the American people and our economy. The initial read of its overall thrust is encouraging. I especially applaud the direction for federal departments and agencies to, as much of the private sector has already done, move more rapidly to adopt secure cloud services, the requirement for them to adopt multifactor authentication and the push for increased use in government of such practices as zero trust architecture. These are solid steps to improve federal cybersecurity, as is the order’s objective of establishing a government-wide endpoint detection and response system. The order’s requirement that IT providers must now share breach information which could impact government networks is long overdue, as this information is too vital to protecting federal systems for such sharing to be voluntary. While this executive order focuses primarily on federal cybersecurity, the White House announcement does note the importance to the nation of critical infrastructure security, and the growing number of cyber incidents affecting these largely private enterprises. Hopefully further government actions will be taken to at least create incentives for or otherwise encourage these private companies to adopt the NIST Cybersecurity Framework and take other strong actions to better secure their networks and systems.”

Charles Herring, CTO and Co-Founder of WitFoo:

“The Biden administration’s cybersecurity executive order is wide ranging and carries an aggressive timeline to make overdue safeguards a pressing priority. The mandate for immediate deployment of multi-factor authentication, EDR and log retention technologies across all Federal agencies is a critical enhancement needed to modernize and harden government infrastructure. These technologies also provide essential visibility into a very wide surface area across the Executive branch that will enable investigators to effectively track down and respond to emerging attacks.

Section 2 of the order points to problems with the manner in which service providers charge the government for sharing threat and incident information. OMB is instructed to create new contract language within 60 days to require providers to collect and preserve threat and incident data and to make it available to the Federal government while removing restrictive “contract terms or restrictions” that “may limit the sharing” of this information. The language indicates the government is expecting providers to share proprietary intelligence that many providers currently sell at a premium.

The SolarWinds breach highlighted a need to increase software supply chain audits. Progressive language in section 4 of the executive order requires software providers to perform source code analysis at release cycles and to provide proof of secure code before delivering new versions to the federal government. Penalties for not meeting these requirements will mean vendors will lose contracts and agencies will have to find new solutions to meet their needs. For years, source code integrity has gone largely unaudited, which is going to leave many software providers scrambling to update secure development operations (SECDEVOPS) procedures, acquire tools for testing code, retrain developers to use secure coding approaches and re-write thousands of lines of code to become compliant. It is a potentially devastating blow to providers that have neglected these hygiene steps.”