The Clock's Ticking on Federal Agencies to Implement Executive Order 14028
- Bill Tolson
- May 5, 2022
The federal data security and data privacy landscape is changing quickly. This transformation is being driven by the issuance of President Biden's Executive Order (EO) 14028, also known as "Improving the Nation's Cybersecurity; Transforming Government Through Technology-Driven Initiatives."
President Biden signed the Executive Order (EO) on May 12, 2021, to "Improve the Nation's Cybersecurity" in response to high-profile cyber-attacks such as the Colonial Pipeline and SolarWinds events. The EO includes a compressed implementation timeline of one year, and we are reaching the end of that year.
This is not the first time presidential Executive Orders have been issued to address cybersecurity. In February 2013, President Obama issued EO 13636 titled "Improving Critical Infrastructure Cybersecurity," and in May 2017, President Trump issued Executive Order 13800 titled "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." Why was the new EO needed if prior EOs attempted to address the cybersecurity challenge?
Executive Order 14028 outlines over 55 actions federal agencies need to take to improve their agency cybersecurity capabilities. These actions range from developing strategies for critical software design and use to retiring software products and platforms that do not comply with the revamped security standards, faster secure cloud adoption, and migrating legacy application data when legacy applications cannot adopt the new cybersecurity capabilities.
Federal agencies purchase vast amounts of software and cloud capability every year. In fact, the US government spent $10.5 billion on software contracts in 2020 and $11.8 billion in 2021.
Vendors that provide IT services and products under the Federal Acquisition Regulation (FAR) jurisdiction will play a key role in IT infrastructure cybersecurity in United States agencies. The EO directs the FAR to be updated with heightened software security requirements to allow federal agencies to only purchase applications and platforms that meet the new stricter cybersecurity design requirements.
To accomplish this regulation update, the EO directed the National Institute of Standards and Technology (NIST) to issue the "Secure Software Development Framework (SSDF) and related guidance." Agencies should begin integrating the NIST "Software Supply Chain Security Guidance under Executive Order 14028 Section 4e" into their existing software lifecycle management and acquisition practices to ensure agencies only purchase secure and trustworthy software and cloud platforms.
Following SSDF practices will help software producers/vendors reduce the number of vulnerabilities in software applications, ensure agency cloud platforms meet the new security standards, and reduce the potential impact of undetected or unaddressed cyber-vulnerabilities.
Many agency vendors and providers are already preparing for the implementation of updates to FAR, with 76% of vendor organizations surveyed by the Linux Foundation considering changes to comply with the executive order. Now, I'm not sure of the choice of the word "considering" in this case; either they want to continue supplying agencies, or they do not. But not ensuring software applications meet the updated FAR requirements will ensure the loss of sales.
A big concern for software vendors and agencies is whether software providers that do not currently meet the new cybersecurity specifications have the resources and capabilities to comply with these new design requirements within the compressed timeline. A recent DoD analysis shows that only 1 in 4 defense contractors meet the Pentagon's current cybersecurity standards.
Out of 220 companies surveyed by the DoD, 75% failed to implement basic cybersecurity measures and had to enter "Plans of Action and Milestones" (POA&M), which track a company's progress in repairing security weaknesses.
So, what are the stated goals of the EO?
Now let's take a high-level look at some of the more notable cyber-protection requirements.
Data Encryption is one of the hot-button issues I have talked about in my articles and podcasts with security subject matter experts and state legislators. With the continuing adoption of global privacy laws and the coming tidal wave of US State privacy laws, data encryption is one technology that's been around for decades yet has not been adopted by organizations in large numbers. For example, the EU's GDPR law falls short of requiring encryption but points out that if data were encrypted and the company suffered a data breach, the breach notification provision is not triggered.
The implementation timeline for the executive order is somewhat compressed for federal government timeframes. Notable implementation dates include:
The above is not a complete timeline but highlights some critical dates for affected agencies. As I said before, this is a compressed timeframe for agencies AND their vendors to adapt to this new security reality; however, included in the EO is the ability for agencies to ask for temporary waivers to ensure agency operations are not impacted.
The EO will impact companies that supply software solutions and platforms to the US government. It spells out the mandatory requirements and directives for all critical software sold to the US government.
It probably doesn't need to be said, but vendors affected by this order should have already begun implementing software redesign plans to meet the new security requirements. Especially with the renewed push for federal agencies to move to the cloud, many information management and archiving vendors will be hard-pressed to meet the many new requirements in the new timeline, especially if they rely on legacy designs.
Also, as federal agencies continue their move to the cloud, will current legacy cloud platforms, especially SaaS cloud solutions and software solutions already in use by agencies, be able to adapt to the new security environment?
For example, many cloud archiving solutions designed years ago were neither designed nor architected to meet today's data security environment, with capabilities like multifactor authentication, zero trust, data encryption including field-level encryption, data masking, secure multi-party computation, role-based access controls (RBAC), anonymization, and pseudonymization. Their legacy architectures will make it difficult for them to be updated to meet the new security requirements.
The three biggest executive order-related questions today are:
This EO (if fully implemented) is a good first step but will need to be updated regularly to stay ahead of evolving cyber-threats. For example, using homomorphic encryption so that data never needs to be decrypted or requiring encryption keys to be stored on premises when encrypted data is stored in the cloud are significant next steps.
In looking at the adoption of the Executive Order cybersecurity requirements into the state and local government agencies, the answer is possibly, sort of, maybe, I hope so. In reality, many of the states will eventually recognize the advantages of the superior cybersecurity capabilities included in the Executive Order but state and local government adoption is still in question.
Archive360 is the leader in secure cloud-based information management and archiving. Because Archive360 is the only cloud archiving solution provider to employ a native platform as a service (PaaS) solution, our solution can offer customizable data security capabilities (unlike SaaS-based providers limited to a one-size-fits-all approach).
One of our patented security advances is the Security Gateway. This on-premises solution works directly with the Archive360 Cloud Archive to create and store your encryption keys locally and encrypt sensitive data before moving into your cloud tenancy while maintaining full search and management capability. This means that your sensitive data is encrypted while in transit, while at rest (stored), AND while in use. Archive360 is the only vendor to provide this market-leading security capability.
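The encrypt-before-upload pattern described above, as an added illustrative sketch in Go that is not Archive360's code and does not describe its product: an on-premises gateway holds an AES-256-GCM key and a separate HMAC key, encrypts each sensitive field before it leaves the site, and attaches a keyed "blind index" token so the cloud side can still answer equality searches without ever seeing plaintext or keys. The local key store that supplies the two keys is assumed.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)
// Gateway models the on-premises component; both keys live here and never reach the cloud.
type Gateway struct{ aead cipher.AEAD; indexKey []byte }
// Record is everything the cloud tenancy ever holds: ciphertext plus an opaque search token.
type Record struct{ Nonce, Ciphertext []byte; Token string }
// NewGateway takes a 32-byte AES key and a separate HMAC key from an assumed local key store.
func NewGateway(encKey, indexKey []byte) (*Gateway, error) {
	block, err := aes.NewCipher(encKey) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{aead, indexKey}, err
}
// BlindIndex derives a keyed, deterministic token the cloud can match without learning the term.
func (g *Gateway) BlindIndex(term string) string {
	m := hmac.New(sha256.New, g.indexKey)
	m.Write([]byte(term))
	return hex.EncodeToString(m.Sum(nil))
}
// Protect runs on-premises: encrypt the field under a fresh nonce, attach its token.
func (g *Gateway) Protect(field string) (Record, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	return Record{nonce, g.aead.Seal(nil, nonce, []byte(field), nil), g.BlindIndex(field)}, nil
}
// Reveal runs on-premises; GCM's authentication tag rejects ciphertext altered in the cloud.
func (g *Gateway) Reveal(r Record) (string, error) {
	pt, err := g.aead.Open(nil, r.Nonce, r.Ciphertext, nil)
	return string(pt), err
}
// Search is the cloud-side operation: it compares tokens only and never sees plaintext.
func Search(store []Record, token string) (hits []Record) {
	for _, r := range store {
		if r.Token == token {
			hits = append(hits, r)
		}
	}
	return hits
}
```

A blind index only supports exact-match lookups, so "full search" over ranges or free text requires additional constructions beyond this sketch.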
For more information on the industry's most secure cloud archive, please get in touch with us at: firstname.lastname@example.org or +1 (212) 731-2438
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.