Biden Cybersecurity Order Tells Contractors To Shape Up
As the Colonial Pipeline ransomware incident drives panic buying of gasoline across the Eastern United States, the Biden Administration yesterday (May 12, 2021) issued a sweeping executive order establishing new cybersecurity standards. Federal contractors, including FedRAMP cloud providers, must comply with a new set of cybersecurity mandates and procedures, the order says. The order sets staggered deadlines, some falling within 45 days, and lays out specific incident-reporting requirements and standardized cybersecurity specifications. It also sets a new cybersecurity policy for unclassified systems within the federal government.
A Whole of Government Response
The executive order directs the Department of Defense (DoD), the Department of Homeland Security (DHS), the Office of Management and Budget (OMB), the Department of Commerce (DoC), the Federal Trade Commission (FTC), the Director of National Intelligence (DNI), the Federal Bureau of Investigation (FBI), other elements of the Intelligence Community (IC), and the Cybersecurity and Infrastructure Security Agency (CISA) to recommend new contract language for the Federal Acquisition Regulation (FAR). The FAR Council is to publish the proposed contractual updates by early August, according to the order.
New Cybersecurity Reporting Requirements
The executive order has several provisions designed to streamline the reporting of cyber incidents and threat-actor activity, and it details how Federal Civilian Executive Branch (FCEB) agencies will share that data with the FBI and CISA.
The order also imposes new incident-reporting requirements on Information and Communication Technology (ICT) service providers that contract with the federal government, a category that includes most US and international telecoms.
Zero Trust Architecture
The Zero Trust Architecture defined by the National Institute of Standards and Technology (NIST) in Special Publication 800-207 is a centerpiece of the Biden executive order. According to that publication, "Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources." The order states that vendors will be expected to adopt Zero Trust standards in their systems under the new FAR contract language.
New FedRAMP Regulations On The Way
The executive order directs that, in coordination with FedRAMP, the government "shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly." This follows a January 2021 Trump Administration order that required infrastructure as a service (IaaS) providers to verify the identity of foreign customers opening accounts. That earlier order was a response to foreign threat actors staging attacks from US-based cloud service providers.
Software Supply Chain Security
The order also directs NIST to develop a new policy for software supply chain security. These measures respond to the SolarWinds and Codecov compromises in a more systematic way than past guidance. The new standards cover secure software development environments, validation of third-party components and build artifacts, the use of devops tooling for automated code checking, and new provenance standards for a Software Bill of Materials (SBOM). NIST has about six months to produce the new software supply chain guidelines.
Biden Cybersecurity Order is Sweeping
The sweeping order contains other new administrative initiatives as well, such as a new Internet of Things (IoT) security labeling study, a Cyber Safety Review Board, a standard playbook for incident response, expanded detection and remediation capabilities, and new logging and log-retention requirements.
By using the purchasing power of the federal government, the Biden Administration hopes to pull American cybersecurity into the 21st century. These new regulations will certainly affect many Salesforce ISVs, consultants, and system integrators that sell into the federal market. The Colonial Pipeline incident now looks like a seminal moment in the history of cybersecurity.