The administration calls for a standardized federal playbook and review board for incident response, as well as changes to software procurement.
President Joe Biden on Wednesday signed a much-anticipated executive order aimed at strengthening the protection of computer networks and systems across the federal government and the nation.
It comes as the United States grapples with multiple ongoing cybersecurity incidents.
“Federal agencies can’t defend what they can’t see,” a senior administration official said during a call to preview the order with reporters. The official added that the effort “is about taking the steps necessary to prevent cyber intrusions from happening in the first place, and second—ensuring we’re well-positioned to act rapidly.”
Among many inclusions, the order calls for the modernization and implementation of stronger cybersecurity standards across the federal government for information and operational technology. It aims to help move agencies to “secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption [within] a specific time period,” a fact sheet the White House published on the order notes.
The policy also establishes new approaches to securing software. In particular, it directs the Commerce Department to "identify existing or develop new standards, tools and best practices" for companies that sell software to the government.
In the order, the president additionally calls on the Homeland Security secretary to form a Cybersecurity Safety Review Board co-chaired by senior officials from the government and private sector. The group will ultimately convene after cyber incidents to analyze what happened and offer concrete recommendations regarding how to deal with them.
“We modeled it on the National Transportation Safety Board, used for airplane incidents,” the administration official confirmed.
During the call, the official said the order had been in the works since the early days of the administration but deemed urgently needed in light of recent cybersecurity incidents. The exploited SolarWinds and Microsoft Exchange flaws and the Colonial Pipeline ransomware attack have been damaging to various agencies and U.S. critical infrastructure and led to states of emergency in several Eastern states as consumers stock up on gas.
The order calls for the deployment of a governmentwide endpoint detection and response system to improve agency insiders’ capabilities to detect threats within federal networks. The administration also aims to ensure more information sharing between agencies—and from IT service providers when they first become aware of breaches. Cybersecurity event log requirements are also set to be established for agencies and departments, via the document.
The administration also calls for the making of a standardized playbook and sets definitions for cyber incident responses that government entities will be expected to employ.
“The executive order makes a significant contribution to modernize our cybersecurity—particularly federal security and software security, software we all use. But I should stress that it alone is not enough,” the senior administration official said. “This will be the first of many ambitious steps the public and private sectors must, and will, take together to safeguard our economy, security, and the services on which the American way of life relies.”
Congress is also considering multiple proposals to bolster America’s cybersecurity—and lawmakers were quick to weigh in on Biden’s new policy.
“This executive order is a good first step, but executive orders can only go so far,” Sen. Mark Warner, D-Va., chairman of the Senate Select Committee on Intelligence said in a statement. “Congress is going to have to step up and do more to address our cyber vulnerabilities, and I look forward to working with the administration and my colleagues on both sides of the aisle to close those gaps.”
“From the SolarWinds supply chain compromise to the recent Colonial Pipeline ransomware incident, events in just the past six months have underscored again and again our weaknesses in this new domain. We need the Biden-Harris administration to be bold, as Congress was in turning 27 Cyberspace Solarium Commission proposals into law last year,” Rep. Jim Langevin, D-R.I., who chairs the House Armed Services Subcommittee on Cybersecurity, Innovative Technologies, and Information Systems, said. “Thankfully, today’s executive actions deliver.”