Progress and Challenges to Improve Our Nation’s Cybersecurity
Posted by: Matt Keller
One Year Later: Progress and Challenges on the Anniversary of the Executive Order for Improving Our Nation’s Cybersecurity
It has been one year since the release of President Biden's Executive Order (EO) 14028 on Improving the Nation's Cybersecurity. It's been a long 12 months, but I believe we are finally trending in the right direction since the EO was issued. The big change I've seen in the past year is that CISOs have become actively engaged in cyber defense, whereas before the EO many CISOs were focused mainly on the Risk Management Framework (RMF), the risk it measures, and Authorizations to Operate (ATO).
Operational Risk and Zero Trust
I've seen a big shift from standard endpoint security (driven more by compliance and by reacting to security events) to endpoint detection and response (EDR). We knew compliance was the priority because USCYBERCOM's Command Cyber Readiness Inspections (CCRI) and the DHS Continuous Diagnostics and Mitigation (CDM) and FISMA assessments were focused on scorecards and vulnerability counts. Agencies are beginning to focus more on operational risk and are therefore taking the necessary steps to identify threats on the network and across their endpoints.

The EO also addressed another shift in how the Government operated: because of COVID, during 2020 and 2021 the endpoint was no longer sitting in Government spaces but still had access to Government data. Before COVID, most agencies teleworked via VPN when necessary and implicitly trusted those endpoints with broad access to internal assets, which contributed to and exacerbated some of the issues brought on by the SolarWinds compromise in late 2020. The Executive Order put agencies on notice and required them to move toward a Zero Trust model, so each agency is now working to remove the implicit trust placed in assets, identities, and the networks those users and assets operate on. This single factor has forced many agencies to engage more actively in cybersecurity and has played a part in making this EO more effective than prior cyber EOs. With the deliberate focus on operational risk and internal threat identification, the 2021 EO has given agencies that were stuck in "legacy" detection practices the impetus to take a more active role in cyber defense.
CISA has even helped by procuring an EDR solution so that civilian agencies can migrate away from an endpoint compliance capability and toward active detection and response. DISA, on the other hand, is still struggling to migrate from the legacy Endpoint Security Solutions (ESS, formerly HBSS) capability to a true EDR solution, and most agencies are fielding their own individual solutions to meet the requirement.
The skills gap and a shift to cloud
Other areas of the EO, such as the changes to the Federal Acquisition Regulation (FAR) and the incident-reporting requirements, were easy for the Government to implement and didn't cause many headaches. We even saw quick turnarounds from NIST, NSA, CISA, and others on the deliverables the EO assigned them. A number of detailed documents released last summer helped strengthen the EO but also caused some concern, since many agencies received no additional funding from Congress to implement the requirements.
The EO also put a focus on the move to cloud and on funding cloud technologies rather than legacy on-premises capabilities. While many may argue whether this is the right approach, I believe it is the strategy that best meets the needs of government organizations, because, like so many others in the space, they are having a difficult time hiring skilled cybersecurity personnel. The main takeaway is that agencies must begin moving the right capabilities and data to the cloud, but the biggest issue with this shift is getting funding from Congress to acquire the right cloud security solutions for an organization and then to fund the migration of assets. Over the years the government has had many conversations around "cloud-first" initiatives, but I believe this EO will push cybersecurity organizations to put cloud at the forefront of their solution selection. Now the main issue will be working with the government to get solutions FedRAMP authorized and/or DoD Impact Level 5 (IL5) authorized for use in government spaces.
Strengthening the Supply Chain
The supply chain requirements coming out of the EO have been a real challenge for most agencies. The EO speaks specifically to the supply chain issues highlighted by the SolarWinds breach and examines how an agency obtains its software and patch support, and although Section 4 directs software vendors to furnish a Software Bill of Materials (SBOM), the EO does not address the internal supply chain issues that led to the follow-on incidents with Log4j (Log4Shell) and Spring4Shell. Both of those events stemmed from government and private organizations not having a strong understanding of their own software development lifecycle (SDLC) and of the SBOM for each application they run. Even under RMF, we should have been producing an SBOM for applications built and used within an agency, but that didn't happen. Unfortunately, application security, and knowing how to assess an application before its release, continues to be a struggle for most government organizations. Most organizations use a third-party tool to conduct that assessment, and what Log4Shell and Spring4Shell showed us is that there was no sound documentation identifying all of the libraries supporting a given application. In my opinion, the follow-on to the EO needs to strengthen our ability to create a more unified application security focus.
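To make the SBOM point concrete, here is an added example (not code from the original post, and not GuidePoint's tooling) of the question an agency needed to answer in December 2021 and again in March 2022: "which of our applications ship a library inside an affected version range?" The SBOM is a constructed CycloneDX-style JSON document, and the advisory table is a hand-built, simplified subset of the public Log4Shell (CVE-2021-44228) and Spring4Shell (CVE-2022-22965) advisories, not an authoritative vulnerability feed; real triage must pull ranges from the vendor advisories. The file name sbom_triage.py and the function names are my own.

```python
"""Triage a CycloneDX-style SBOM against advisory version ranges.

Added example, not from the original post or from GuidePoint. The SBOM and
the advisory table below are constructed for illustration; the ranges are a
simplified subset of the public advisories, not an authoritative feed.
Usage: python sbom_triage.py [sbom.json]   (falls back to the sample SBOM)
"""
import json
import re
import sys

# Constructed sample SBOM, trimmed to the CycloneDX fields this script needs.
SAMPLE_SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
 {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
  "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
 {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
  "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
 {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
  "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
 {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
  "version": "2.0-beta9", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
 {"type": "library", "group": "org.springframework", "name": "spring-webmvc",
  "version": "5.3.17", "purl": "pkg:maven/org.springframework/spring-webmvc@5.3.17"},
 {"type": "library", "group": "org.springframework", "name": "spring-core",
  "version": "5.3.17", "purl": "pkg:maven/org.springframework/spring-core@5.3.17"},
 {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
  "version": "2.13.2", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.2"}
]}
"""
SAMPLE_SBOM = json.loads(SAMPLE_SBOM_JSON)

# Simplified advisory table (assumption: inclusive ranges copied from the public
# advisories at disclosure time; ignores backports and later point releases).
ADVISORIES = [
    {"id": "CVE-2021-44228", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "min": "2.0-beta9", "max": "2.14.1"},
    {"id": "CVE-2022-22965", "group": "org.springframework", "name": "spring-webmvc",
     "min": "5.3.0", "max": "5.3.17"},
    {"id": "CVE-2022-22965", "group": "org.springframework", "name": "spring-webmvc",
     "min": "5.2.0", "max": "5.2.19"},
    {"id": "CVE-2022-22965", "group": "org.springframework", "name": "spring-webflux",
     "min": "5.3.0", "max": "5.3.17"},
    {"id": "CVE-2022-22965", "group": "org.springframework", "name": "spring-webflux",
     "min": "5.2.0", "max": "5.2.19"},
]

RELEASE_QUALIFIERS = {"", "release", "final", "ga"}  # qualifiers that mean "final release"


def parse_version(version):
    """Turn a Maven-style version string into a sortable key.

    Numeric dotted parts are compared first (padded to major.minor.patch).
    A qualifier such as "beta9", "rc1" or "SNAPSHOT" sorts *before* the bare
    release, so "2.0-beta9" < "2.0"; "RELEASE"/"Final"/"GA" equal no qualifier.
    """
    nums, qual = [], []
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit() and not qual:
            nums.append(int(part))
        else:
            qual.append(part)
    nums += [0] * (3 - len(nums))
    q = "".join(qual).lower()
    if q in RELEASE_QUALIFIERS:
        return (tuple(nums), 1, "", 0)
    m = re.fullmatch(r"([a-z]*)(\d*)", q)
    if m is None:  # unusual qualifier (e.g. underscores): keep it, sort as pre-release
        return (tuple(nums), 0, q, 0)
    return (tuple(nums), 0, m.group(1), int(m.group(2) or 0))


def find_affected(sbom, advisories=ADVISORIES):
    """Return (advisory id, purl, version) for each component inside an affected range."""
    findings = []
    for comp in sbom.get("components", []):
        ver = parse_version(comp["version"])
        for adv in advisories:
            if comp.get("group") != adv["group"] or comp.get("name") != adv["name"]:
                continue  # advisory applies to a different artifact (log4j-api is not log4j-core)
            if parse_version(adv["min"]) <= ver <= parse_version(adv["max"]):
                ident = comp.get("purl") or f'{comp["group"]}:{comp["name"]}'
                findings.append((adv["id"], ident, comp["version"]))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            bom = json.load(fh)
    else:
        bom = SAMPLE_SBOM
    for cve, ident, ver in find_affected(bom):
        print(f"{cve}\t{ident}\t{ver}")
```

Against the sample SBOM the script flags the two vulnerable log4j-core entries (including the 2.0-beta9 lower bound, which naive string comparison would get wrong) and spring-webmvc 5.3.17, while correctly ignoring log4j-api, the patched log4j-core 2.17.1 and spring-core. The point for the SDLC discussion above is that this answer takes seconds when an SBOM exists per application and is impossible when the library inventory lives only in a vendor's build server.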
In closing, the EO is forcing the issue of improving agencies' cybersecurity programs by putting the emphasis on taking an active role in all parts of cybersecurity, focusing not only on compliance but on operational security. While there have been some setbacks, one year later we are on a better path to building roadmaps and migrating to modern cyber solutions and technologies, giving the government a greater overall cyber capability.
Matt Keller
VP Federal Services,
GuidePoint Security
Matt Keller is responsible for providing world-class information security solutions to government customers across the globe. In addition, Mr. Keller is responsible for architecting, designing, and engineering solutions to combat advanced cyber security threats, including network, system, and investigative challenges.
Prior to joining GuidePoint, Mr. Keller worked for a Government Systems Integrator, where he led a team of security engineers in designing and developing next-generation threat protection and defenses. Before that, Matt was a Principal Cyber Forensics Analyst for the Department of Defense, where he worked both law enforcement and cyber intrusion cases.
Matt has extensive experience in architecting and engineering government private cloud solutions and currently advises government customers on Attack Driven Defenses for network protection. He began his career in Information Technology and Security in 2006 and has a Master’s Degree in Information Security from Eastern Michigan University and multiple forensic certifications from both private and DoD institutions.