On the heels of the May 2021 Colonial Pipeline Company ransomware attack, President Biden signed an Executive Order on Improving the Nation’s Cybersecurity (EO). The EO establishes as federal policy that the Federal Government will partner with the private sector and make significant investments to allow “bold” changes in the identification of, deterrence of, protection against, detection of, and response to cyber incidents on Federal Government systems. The EO aims to remove contractual barriers that prevent Federal Information System service providers from sharing threat or incident information with those responsible for investigating or remediating cyber events. Next, the EO focuses on modernizing federal agency cybersecurity protections, especially for critical software and the Federal Government’s supply chain, in the following ways: (1) adopting industry best standards; (2) adopting a Zero Trust Architecture; (3) utilizing secure cloud services; (4) centralizing and streamlining access to cybersecurity data; and (5) investing in both technology and personnel. The EO also directs federal agencies to prioritize cloud technology, develop cybersecurity training, and adopt multi-factor authentication.
Significantly, the EO establishes the Cyber Safety Review Board (membership to be determined by the Secretary of Homeland Security), which will convene when a significant cyber incident occurs on Federal Government or private sector systems to analyze the incident. The EO notes that both federal officials and the private sector should have seats at the table. Additionally, the EO directs the Federal Government to standardize its response to cybersecurity vulnerabilities and incidents, including by creating a standardized “playbook” for all federal agencies. Finally, the EO aims to improve detection of cybersecurity vulnerabilities and incidents on federal networks through Endpoint Detection and Response initiatives, for which each federal agency should execute a Memorandum of Agreement with the Cybersecurity and Infrastructure Security Agency for the Continuous Diagnostics and Mitigation Program. The Department of Defense may be exempt from certain of these requirements.
Overall, the EO signals the nation’s increased vigilance surrounding cyberattacks, many of which can have far-reaching adverse impacts, as the Colonial Pipeline attack demonstrated once again.
The Executive Order is available here.
June 1, 2021