Definitively Not( James )

2021/06/16


President Biden signed an Executive Order to improve the Nation’s Cybersecurity posture. This is a pretty big deal because it signals to every organization across the government that they need to divert funding to implement this order.


This Executive Order covers a pretty wide variety of tasks, but a few things specifically stand out to me:


  • incorporation of NIST guidelines and standards as part of a playbook
  • enforcement of Multi-Factor Authentication everywhere in government
  • additional expectations of a Software Bill of Materials
  • required movement towards a Zero Trust architecture

The NIST guidelines are not that “out there” all things considered. However, there’s a number of which that most government agencies don’t seem to follow. Suggestions against Password expiration and arbitrary password composition rules are high up on that list. Government sites also often make it difficult ot use password managers which is discouraged by the NIST rules. NIST has a really handy FAQ if you’d like the short version.


Multi-factor Authentication is pretty clear in NIST to not be SMS and not be email. This is to be adopted by agencies within 180 days of the order - and if they can’t adopt it within that time frame they must explain why not every 60 days to DHS / CISA / etc. Hopefully, most organizations will choose existing solutions like login.gov to implement this.


Software Bill of Materials is less clear as to what it’s really requiring. The executive order does not define this, but does set in place the requirement that a definition must be published within 60 days by the Secretary of Commerce.


Zero-Trust architecture is where there will be a huge amount of work to be done. This is designing systems in a way that encourages defense with both public and private interactions of systems. Expect that there’s a potential threat actor that’s breached your network. With that in mind, you can’t give full access to just anyone and everything. Instead, you have to clearly define access and privileges, enforcing controls on who gets what and why.


I’m excited to see an executive order that takes cyber security seriously. Thanks to Beau Woods for tipping me off about this, I hadn’t even heard of it!