The Clock's Ticking on Federal Agencies to Implement Cybersecurity Executive Order (EO) 14028

The federal data security and data privacy landscape is changing quickly. This transformation is being driven by the issuance of President Biden's Executive Order (EO) 14028, also known as "Improving the Nation's Cybersecurity; Transforming Government Through Technology-Driven Initiatives."

President Biden signed the Executive Order (EO) on May 12, 2021, to “Improve the Nation's Cybersecurity” in response to high-profile cyber-attacks such as the Colonial Pipeline and Solar Winds events. EO 14028 includes a compressed implementation timeline of one year - and we are reaching the end of that year.

This is not the first time presidential Executive Orders have been issued to address cyber security. In Feb 2013, President Obama issued EO 13636 titled "Improving Critical Infrastructure Cybersecurity," and in May 2017, President Trump issued Executive Order 13800 titled "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure." Why was EO 14028 needed if prior EOs attempted to address the cybersecurity challenge?

Executive Order 14028 outlines over 55 actions federal agencies need to take to improve their agency cybersecurity capabilities. These actions range from developing strategies for critical software design and use to retiring software products and platforms that do not comply with the revamped security standards, faster secure cloud adoption, and migrating legacy application data when legacy applications cannot adopt the new cybersecurity capabilities.

The FAR is getting a security update

Federal agencies purchase vast amounts of software and cloud capability every year. In fact, the US government spent $10.5 billion on software contracts in 2020 and $11.8 billion in 2021.

Vendors that provide IT services and products under the Federal Acquisition Regulation (FAR) jurisdiction will play a key role in IT infrastructure cybersecurity in United States agencies. Cybersecurity Executive Order 14028 directs the FAR to be updated with heightened software security requirements to allow federal agencies to only purchase applications and platforms that meet the new stricter cybersecurity design requirements.

To accomplish this regulation update, the EO directed the National Institute of Standards and Technology (NIST) to issue the "Secure Software Development Framework (SSDF) and related guidance." Agencies should begin integrating the NIST "Software Supply Chain Security Guidance under Executive Order 140281 Section 4e" into their existing software lifecycle management and acquisition practices to ensure agencies only purchase secure and trustworthy software and cloud platforms.

Following SSDF practices will help software producers/vendors reduce the number of vulnerabilities in software applications, ensure agency cloud platforms meet the new security standards, and reduce the potential impact of undetected or unaddressed cyber-vulnerabilities.

Many agency vendors and providers are already preparing for the implementation of updates to FAR, with 76% of vendor organizations surveyed by the Linux Foundation considering changes to comply with the executive order. Now, I'm not sure of the choice of the word "considering" in this case; either they want to continue supplying agencies, or they do not. But not ensuring software applications meet the updated FAR requirements will ensure the loss of sales.

President Biden’s Cybersecurity Executive Order a “Big ___ Deal” For Federal Contractors

Software solutions will be shut down

A big concern for software vendors and agencies is, do software providers that do not currently meet the new cybersecurity specifications have the resources and capabilities to comply with these new design requirements within the compressed EO 14028 timeline? A recent DoD analysis shows that only 1 in 4 defense contractors meet the Pentagon's current cybersecurity standards.

Out of 220 companies surveyed by the DoD, 75% failed to implement basic cybersecurity measures and had to enter "Plans of Actions" and Milestones (POA&M), which track a company's progress in repairing security weaknesses.

So, what are the stated goals of the cybersecurity EO 14028?

1. Improved Transparency Between the Government and the Private Sector
2. Enhanced Security in Supply Chain Software development
3. The development of secure cloud adoption practices and guidelines
4. The creation of a Cybersecurity Safety Review Board
5. New Endpoint Detection and Response Systems
6. Event Logging Requirements
7. The need to Remodel and Digitize Cybersecurity Standards in the Federal Government
8. And the creation of Standard Operation Procedures for Incidence Response

Now let's take a high-level look at some of the more notable cyber-protection requirements.

1. Improved Transparency Between the Government and the Private Sector
   Cybersecurity Executive Order 14028 requires service providers to share cyber incidents and threat information that could impact Government networks. This sounds like a great idea, and many are surprised this hasn't happened before.
   
   
2. Enhanced Security in Supply Chain Software development
   It continues to move the Federal government to secure cloud services, zero-trust architectures, and mandates multifactor authentication and encryption deployment within specific time periods.

Data Encryption is one of the hot-button issues I have talked about in my articles and podcasts with security subject matter experts and state legislators. With the continuing adoption of global privacy laws and the coming tidal wave of US State privacy laws, data encryption is one technology that's been around for decades yet has not been adopted by organizations in large numbers. For example, the EU's GDPR law falls short of requiring encryption but points out that if data were encrypted and the company suffered a data breach, the breach notification provision is not triggered.

3. The development of secure cloud adoption practices and guidelines
   The EO establishes baseline security standards for the development of software sold to the government, requiring developers to maintain greater visibility into their software design and publicly make security data available.
   
   
4. The creation of a Cybersecurity Safety Review Board
   The EO also establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads that may (or should) convene following a significant cyber-incident to analyze what happened and make recommendations for improving federal cybersecurity in the future.
   
   
5. New Endpoint Detection and Response Systems
   It creates a standardized playbook and set of definitions for cyber-incident response by Federal departments and agencies.
   
   
6. Event Logging Requirements
   Cybersecurity Executive Order 14028 improves the ability to detect malicious cyber activity on Federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government.
   
   
7. The need to Remodel and Digitize Cybersecurity Standards in the Federal Government
   It also creates cybersecurity event log requirements for Federal departments and agencies.
   
   
8. The creation of Standard Operation Procedures for Incidence Response
   And lastly, it requires amendments to FAR to align with requirements in the EO

The implementation timeline for the executive order is somewhat compressed for federal government timeframes. Notable implementation dates for the EO 14028 timeline include:

1. By June 26, 2021 - NIST needed to publish a definition of the term "critical software."
2. By July 11, 2021 - Agency heads must have updated existing plans for the adoption of cloud technology as well as the development of strategies to implement Zero Trust architectures, including data migration plans for legacy application data for applications that would potentially shut down.
3. July 26, 2021 - The Director of CISA needed to create a list of critical software categories that meet the definition of "critical software."
4. By August 11, 2021 – All agencies should have complied with NIST guidance on security measures for "critical software."
   1. The Director of OMB was to develop a cloud-security strategy and provide guidance to agencies to ensure that risks from cloud-based services are understood and addressed and that FCEB Agencies move closer to Zero Trust architectures. Not sure what "move closer" means here…
5. By November 8, 2021, all Agencies should have adopted multifactor authentication and encryption for data at rest and in transit. Those agencies unable to fully meet the requirements needed to provide written rationale to the Director of CISA, the Director of OMB, and the APNSA.
6. On March 7, 2022, OMB did issue a document entitled "Implementation of Software Supply Chain Security Guidance under Executive Order (EO) 14028 Section 4(k)." The document states that "Agencies should begin integrating the NIST Software Supply Chain Security Guidance into their existing software lifecycle management and acquisition practices to ensure purchase of only secure and trustworthy products."
7. By March 8, 2022, the Administrator of the Office of Electronic Government should have ensured that agencies comply with the NIST guidelines for software procured after the date of the executive order.
8. And by May 12, 2022 – the Secretary of Homeland Security will require agencies to remove software products that do not meet the requirements, following final FAR amendments.
   1. In fact, the Office of Electronic Government will require agencies using legacy software to either comply with the order or provide a plan outlining actions to remediate or meet the order's requirements unless an extension or waiver is granted.

The above is not a complete timeline but highlights some critical dates for affected agencies. As I said before, this is a compressed timeframe for agencies AND their vendors to adapt to this new security reality; however, included in the EO is the ability for agencies to ask for temporary waivers to ensure agency operations are not impacted.

What does this mean for agency IT vendors?

Cybersecurity EO 14028 will impact companies that supply software solutions and platforms to the US government. It spells out the mandatory requirements and directives for all critical software sold to the US government.

It probably doesn't need to be said, but vendors affected by this order should have already begun implementing software redesign plans to meet the new security requirements. Especially with the renewed push for federal agencies to move to the cloud, many information management and archiving vendors will be hard-pressed to meet the many new requirements in the new timeline, especially if they rely on legacy designs.

Also, as federal agencies continue their move to the cloud, will current legacy cloud platforms, especially SaaS cloud solutions and software solutions already in use by agencies, be able to adapt to the new security environment?

For example, many cloud archiving solutions designed years ago did not consider nor were architected to meet today's new data security environment with capabilities like multifactor authentication, zero trust, data encryption including field-level encryption, data masking, secure multi-party computation, role-based access controls (RBAC), and anonymization and pseudo-anonymization. And their legacy architectures will make it difficult for them to be updated to meet the new security requirements.

The three biggest executive order-related questions today are:

1. do the additional security requirements go far enough to address today's and tomorrow's risks?
2. what if existing software applications agencies currently rely on cannot be redesigned to meet the new cyber security provisions?
3. and will state, local, and education government (SLED) agencies eventually adopt these common sense cyber-security requirements for software system purchases?

This EO (if fully implemented) is a good first step but will need to be updated regularly to stay ahead of evolving cyber-threats. For example, using homomorphic encryption so that data never needs to be decrypted or requiring encryption keys to be stored on premises when encrypted data is stored in the cloud are significant next steps.

In looking at the adoption of the Executive Order cybersecurity requirements into the state and local government agencies, the answer is possibly, sort of, maybe, I hope so. In reality, many of the states will eventually recognize the advantages of the superior cybersecurity capabilities included in the Executive Order but state and local government adoption is still in question.

Archive360 and Cybersecurity Executive Order 14028

Archive360 is the leader in secure cloud-based information management and archiving. Because Archive360 is the only cloud archiving solution provider to employ a native platform as a service (PaaS) solution, our solution can offer customizable data security capabilities (unlike SaaS-based providers limited to a one size fits all approach).

One of our patented security advances is the Security Gateway. This on-premises solution works directly with the Archive360 Cloud Archive to create and store your encryption keys locally and encrypt sensitive data before moving into your cloud tenancy while maintaining full search and management capability. This means that your sensitive data is encrypted while in transit, while at rest (stored), AND while in use. Archive360 is the only vendor to provide this market-leading security capability.

For more information on the industry's most secure cloud archive, please get in touch with us at: info@archive360.com or +1 (212) 731-2438