November 12 marks six months since the Biden Administration issued the sweeping Executive Order on Improving the Nation’s Cybersecurity (EO), setting a milestone in the advancement of a coherent federal strategy to optimize cyber risk management. With the Executive Order’s release, the Biden Administration put down a marker to elevate the importance of cybersecurity. The EO directed all agencies to improve the United States’ cybersecurity through the issuance of guidance on critical issues like Zero Trust, Software Bill of Materials (SBOM), and secure software development.
As the U.S. government moves into the next phase of refining and implementing the initial guidance, policymakers and administrators face the challenging task of ensuring consistent implementation across federal agencies. To build on the early success of the EO, the administration, policymakers, and industry stakeholders need to continue to work together. Here are three things agency leaders can do to foster a coherent approach to federal cybersecurity and advance our shared goal of improving U.S. cybersecurity:
Prioritize the Inclusion of All Stakeholders in the Development and Implementation of Guidance Documents. Consulting with stakeholders from other agencies and industry in policy development is critical because cyber policy expertise is distributed across these various audiences. By aggregating the distributed body of knowledge and seeking as much input as possible, federal agencies can identify potential complications early on and better design policies to fit into a coherent risk management framework. Several implementing agencies have done a commendable job on such engagement so far. The National Institute of Standards and Technology (NIST), for example, solicited stakeholder input in several workshops, which informed its development of guidance documents like the one on consumer labeling standards.
At this stage, it is essential that agencies ensure that there are continuous opportunities for public feedback on outstanding EO taskings. Important details pertaining to the various tasks of the EO have yet to be defined, including standardized contracting language to protect critical software and the consumer labeling programs. Therefore, it is critical that agencies prioritize the inclusion of all stakeholders in the development and implementation of their respective guidance documents to strengthen the final outcome and ensure it achieves its intended purpose. That is especially the case for the regulatory process. For example, the Federal Acquisition Regulatory Council (FAR Council) has opened FAR Case 2021-017 to review and update standard contract language pursuant to Section 2 of the EO, which will include updates on incident reporting procedures. Simultaneously, the U.S. Congress is discussing several legislative proposals to introduce new cyber incident reporting requirements. The FAR Council should invite stakeholder input early on through roundtables and advance notices of proposed rulemaking (ANPRMs) to ensure consistency of incident reporting requirements, including those proposed in legislation, throughout the federal government.
Promote a Mindset of Continuous Improvement. Cybersecurity is not an end-state but a continuous process that impacts all verticals of an organization. Organizations achieve the best performance and risk mitigation outcomes when technology is designed with security in mind, properly maintained, and continuously focused on meeting user needs. For example, Section 3 of the Cyber EO directs agencies to adopt Zero Trust. A central tenet of this security strategy is the assumption that a security breach is inevitable or may have already occurred, which requires the implementing organization to continuously look for anomalous or malicious activity. This move towards a proactive security strategy will require a significant shift in mindset across most of the federal government.
Agencies manage this change best when they convince all senior agency leaders that there is no such thing as “done.” Agency leaders need to internalize that cybersecurity risk is present at all agency verticals, not only IT. Consequently, Directors, Chief Financial Officers, Chief Procurement Officers, as well as business line and program managers need to partner with the Chief Information Officers and Chief Information Security Officers to understand and manage risk holistically. Agencies can promote this shift in mindset by leveraging accountability mechanisms like the FITARA Scorecard to hold leaders accountable for improving cyber performance metrics. Updated training and inter-agency information sharing programs can help with the promotion of the needed mindset at scale.
Ensure Interagency Cooperation and Encourage Reciprocity between Various Cybersecurity Compliance Regimes. Agencies have varying levels of cyber maturity and unique risk profiles based on their respective missions. Historically, this has led to a proliferation of federal cyber directives and resulted in a plethora of bespoke solutions that are difficult and costly to maintain. The cyber EO has had initial success in standardizing select requirements across the federal government like the requirement for all civilian agencies to deploy an Endpoint Detection and Response (EDR) initiative. The next phase should continue this work of moving the government towards a coherent cyber strategy and standardize requirements to the greatest extent possible.
In some cases, standardization will not be possible due to an agency's unique mission. In these situations, agencies should cooperate to provide alternative pathways to promote competition and leverage other agencies' authorizations to the greatest extent possible. If vendors have already demonstrated compliance with cyber hygiene requirements, they should only have to demonstrate compliance with the missing delta of security controls, not go through the entire audit again.
The cyber EO focuses primarily on the federal civilian executive branch (FCEB) and leaves the door open for additional security controls on national security systems. For example, Section 3 encourages the use of shared cloud offerings that have been certified through the General Services Administration's FedRAMP program. Depending on the assessment level, the security controls required by this program overlap with those required by the Department of Defense's Cloud Computing Security Requirements Guide (SRG). Identifying opportunities for reciprocity like this one will go a long way in producing meaningful outcomes rather than an excessive focus on compliance. Where practicable, agencies should cooperate and recognize existing certifications.
The cyber EO had initial success with establishing a common baseline for federal cybersecurity. To build on this momentum, agency leaders should continue stakeholder consultations, embrace a whole-of-agency mindset towards combatting cyber risks, and cooperate with other agencies to encourage reciprocity.