The White House calls for federal reforms in an early executive order
President Biden’s Executive Order calls for a comprehensive reassessment and renewal of cybersecurity defenses and incident response capabilities of the federal government, establishing benchmarks that can inform standards among private entities.
Following the 2020 cyberattack on numerous U.S. government agencies, President Biden issued an “Executive Order on Improving the Nation’s Cybersecurity” (“EO”) that seeks to strengthen public and private sector cybersecurity defenses and incident response capabilities. The EO’s federal government reforms focus on three key issues: modernization, accountability, and resilience.
First, the EO instructs agencies to modernize their information technology (“IT”) systems by prioritizing the use of cloud services, deploying multi-factor authentication, and encrypting data both at rest and in transit. As part of this effort, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) will update the standards governing agencies’ use of cloud services, which could affect the offerings of cloud service providers and other government IT contractors. The EO also directs agencies to use guidelines from the National Institute of Standards and Technology to migrate to a “Zero Trust Architecture,” a framework that limits each user’s access to data and network resources to the minimum needed to perform their work.
Second, the EO increases accountability among federal civilian agencies by giving CISA access to agency network data to conduct vulnerability testing and by creating a “Cyber Safety Review Board,” which is tasked with reviewing agencies’ mitigation activities and responses to any significant cyber incident involving government or private sector entities. The Board will include representatives of private sector cybersecurity entities and software vendors and will offer recommendations to improve incident response.
Third, the EO instructs the federal government to develop a standardized incident response “playbook” to quickly identify, mitigate, and resolve threats. Federal agencies are also required to maintain event logs in order to improve their ability to detect and mitigate incidents.
While it will take the government some time to implement these requirements, once it does, these benchmarks can inform evolving expectations of private sector cybersecurity protections. Accordingly, private entities should review the updated CISA standards and the new incident response playbook when they are published and consider whether, and to what extent, to incorporate them into their information security programs.
This alert is the third in a series on the content of President Biden’s Executive Order on Improving the Nation’s Cybersecurity. Earlier alerts address the EO’s new cybersecurity contract language for civilian government contractors and the EO provisions relating to a cybersecurity labeling regime for consumer products.
The content of this article is intended to provide general guidance on the subject matter. Specialist advice should be sought about your specific circumstances.