
What the Latest Executive Order on Cybersecurity Means for Your Business


On May 12, 2021, President Biden issued an Executive Order focused on improving the nation’s cybersecurity. This executive order strives to accomplish several important objectives for the United States’ approach to safeguarding its data and systems.

  1. Create a Zero Trust environment 
  2. Manage the supply chain and its vulnerabilities  
  3. Minimize barriers to intelligence sharing
  4. Create a Safety Review Board 
  5. Create a standardized playbook for Incident Response  

The key outcomes for US cybersecurity procedures from this executive order include:

  1. Developing a Zero Trust environment. This insight applies to any organization, regardless of industry or size. Incorporating just this one element will do more to tighten security than any other single measure.

A Zero Trust environment is one with no implicit trust boundaries. The benefit of this approach is that only authenticated and authorized people are allowed to access our applications and systems. What this looks like varies from application to application, but the principle is constant: no user and no system is implicitly trusted, and authentication and access rights are verified at every access step.

This component will ensure all access to systems run or used by the federal government involves Multi-Factor Authentication.   

  2. Enhancing Supply Chain Security. This includes creating a way to track deployment and provenance throughout the software lifecycle. It will likely involve a great deal of new reporting and compliance work aimed at making the software supply chain less vulnerable. It is the kind of system that can prevent large-scale cyber-attacks such as the SolarWinds hack from late last year.

Much of this new infrastructure will make it harder for smaller players because of the cost of keeping up with the various mandates. As the industry moves forward, we should consider how this may create barriers to entry for small software developers. Do we want to limit the availability of small software developers? How can the cost and complexity be minimized? These questions need to be part of the discussion as we advance.

  3. Improving Coordination and Sharing of Threat Information. The EO directs improved coordination and sharing of cyber threat information between federal law enforcement, federal government agencies, IT contractors, cloud service providers, and industry. To make this happen, contract language will likely have to be renegotiated.

While increased communication helps bolster cybersecurity, it comes with additional risks to mitigate. When sharing more information between intelligence agencies, law enforcement agencies, and corporations, the privacy rights of individuals and corporate intellectual property rights must be assured.   

  4. Create a Safety Review Board. The EO creates a Safety Review Board, which is positive because it codifies an automatic review and “lessons learned” session. Performing lessons-learned sessions is a crucial way to improve future outcomes. Bringing together Homeland Security and the Attorney General will create an environment where the perpetrators of a cyber-attack can more easily be brought to justice. However, the US needs to be careful to keep this board from overreaching – especially when it comes to citizens – and ensure civil liberties are protected.
  5. Standardize the Playbook for Vulnerabilities and Incidents. Having a go-to playbook is critical in the event of an incident or a breach. The unfortunate reality is that most cybersecurity branches of organizations are run worse than your child’s hockey team. Your child’s team has a playbook, they practice, and they play the game after practice. Most cybersecurity plans are sitting on a shelf somewhere in a binder and are never tested or practiced.

    Having one playbook for the entire federal government is like the whole NFL having the same playbook – or maybe more like the NFL and all college football teams using the same playbook. The Agriculture Department plays in a far different environment from that of Departments of Energy or Defense.

    Having a playbook and actively putting it into practice is much more critical than having conformity across organizations.

So, what does this executive order mean for your organization? For most companies – unless they are doing business with the government – little of it will affect them directly.

However, there are five main takeaways from this initiative that every company can and should implement:  

1) Create a Zero Trust environment.   

  • Segment your business applications to minimize exposure to hostile actors.  
  • Use a robust authentication system to ensure that those you allow into your network are who they say they are.
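The difference between perimeter trust and the per-access verification described above is easiest to see in code. The following is an added example, not code from the original article or from AuthX: it contrasts a perimeter-style check that trusts any request from an internal address with a zero-trust check that, on every request, verifies a signed token, requires that the login was MFA-backed, and consults a per-segment role policy. The signing key, the `SEGMENT_POLICY` table, the token format and the `10.0.0.0/8` "corporate" range are all constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed demo key; a real deployment loads this from a secret store.
SIGNING_KEY = b"constructed-demo-signing-key"

# Hypothetical segmentation policy: which roles may reach which application segment.
SEGMENT_POLICY = {
    "payroll": {"hr"},
    "crm": {"sales", "hr"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, roles, mfa_verified, ttl=300, now=None):
    """Mint an HMAC-signed token recording who logged in, their roles,
    whether MFA was completed, and when the token expires."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "roles": sorted(roles),
              "mfa": bool(mfa_verified), "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired,
    otherwise None. Malformed input is treated as an invalid token."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def perimeter_check(source_ip):
    """Perimeter model: anything arriving from the corporate range is trusted.
    Nothing about the user, the device or the target segment is checked."""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network("10.0.0.0/8")


def zero_trust_check(token, segment, now=None):
    """Zero-trust model: every request must carry a valid, unexpired,
    MFA-backed token whose roles are permitted for the requested segment.
    Source address plays no part in the decision."""
    claims = verify_token(token, now)
    if claims is None or not claims.get("mfa"):
        return False
    allowed = SEGMENT_POLICY.get(segment, set())
    return any(role in allowed for role in claims.get("roles", []))


if __name__ == "__main__":
    # Constructed requests: an internal address with no credentials, and an
    # MFA-backed HR user reaching payroll.
    print("perimeter, internal IP, no token:", perimeter_check("10.20.30.40"))
    print("zero trust, internal IP, no token:", zero_trust_check("", "payroll"))
    hr_token = issue_token("alice", {"hr"}, mfa_verified=True)
    print("zero trust, MFA HR user -> payroll:", zero_trust_check(hr_token, "payroll"))
    print("zero trust, MFA HR user -> unknown segment:", zero_trust_check(hr_token, "erp"))
```

The point of the comparison is the first two lines of output: the perimeter check admits an unauthenticated request purely because of where it came from, while the zero-trust check rejects it and only admits requests that pass identity, MFA and segment-policy checks on every call.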

2) Manage software and operating system patching process. 

  • Use automated tools and scheduled update times to do updates.  
  • Follow the software developer's guidelines to ensure that bugs are fixed in your environment as soon as possible.

3) Create an open environment that will allow for free and rapid sharing of information. 

  • Make it easy to report potential and actual threats to those who can mitigate these concerns.  
  • Encourage the team to report or request assistance for any questionable emails, computer activity, etc.  

4) Do an after-action review on all incidents. 

  • Record what went right.
  • Add any unforeseen developments to the playbook.

5) Create a playbook – an incident response plan.  

  • Make it second nature for your team to take action when an issue arises.   
  • Create a broad outline of how you want an issue handled. 
  • Ensure you have all the contact points for the important people/organizations in the front of the book.  

Overall, the President’s executive order provides a good overview of how to make our nation’s critical information systems more secure with a lot of guidance and timelines. It also helps the government lead by example to illustrate what an enterprise can do to make itself more secure and enable a faster and more standardized response to cyber threats.  


About the Author 

James Gorman

CISO, AuthX 

James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying, and maintaining large-scale, mission-critical applications and networks. Over the last 15 years, he has led teams through multiple FedRAMP, NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped numerous companies formulate their strategy for compliance and infrastructure scalability. His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Services.

James can be reached online at (james@authx.com, https://www.linkedin.com/in/jamesgorman/) and at our company website https://authx.com 
