The Cybersecurity Executive Order
A White House Executive Order issued in May aims to tighten cybersecurity nationally. As well as reaffirming security standards for the government, it calls for more evidence of compliance throughout the supply chain for government standards. If you do work for the federal government, or subcontract for somebody who does, it’s well worth reviewing your cybersecurity.
According to a White House briefing, the executive order has two main aims: to boost the US government’s cybersecurity and encourage the private sector to better secure critical infrastructure. The goal is to deal with increasing security threats from criminals and those working for, or on behalf of, hostile nations.
The order has seven specific points:
- It requires the government’s IT contractors to share information about breaches and remove any contractual barriers that may prevent this.
- It turns existing recommended security practices such as multi-factor authentication and encryption into mandatory standards.
- It introduces minimum security standards for any software bought for use by the government.
- It sets up a Cybersecurity Safety Review Board to examine and learn lessons from significant cyber incidents.
- It sets out a “playbook” for federal agencies to respond to cyber incidents, reducing the risk of panic and inaction. Private businesses are encouraged to follow the playbook’s procedures.
- It creates a government-wide system to detect breaches and attempted breaches of government. networks and better share information between different agencies and departments about potential risks.
- It imposes tougher requirements for agencies to log cybersecurity events in a more detailed and consistent manner.
Effects on the Private Sector
The biggest effect for businesses is that no matter how far down the supply chain you are, you may need to show compliance with security rules if you are ultimately sub-contracted with the government. In many cases, this will mean tougher enforcement of existing rules rather than introducing new requirements.
It’s also likely the security culture will change to put as much emphasis on preventing security breaches as on dealing with them. Sharing information about both successful and attempted breaches could become standard practice. It’s also possible both agencies and contractors will ask sub-contractors to cooperate more with any official investigations into security risks.
A Bonus Benefit
The new security standards for government-purchased software could wind up helping all businesses. The theory is that the sheer amount the government spends on software may mean developers decide they can’t afford to simply stick to supplying the private sector to avoid meeting the standards. In turn, they may decide it’s simplest to take the enhanced security measures needed to meet the standards and apply them to all their products, regardless of the intended audience.
Your Next Step
The Executive Order may not immediately affect your business, but it will likely change what businesses and government agencies expect when you work for them. You’ll need to be confident that both the software you use and your own procedures are as secure as possible. You should also review the way you monitor security so that you not only detect successful attacks but also attempted breaches.
Interested in other CPI cybersecurity articles / information, see links below: