Biden’s cybersecurity executive order, a progress report

On May 12, 2021, President Biden released a comprehensive cybersecurity executive order, EO 14028, entitled Improving the Nation’s Cybersecurity. The complex order responded to a chain of startling and damaging cybersecurity incidents that primarily occurred during Biden’s first few months in office.

The EO gave several federal government agencies tight deadlines to produce new rules and guidance on stringent cybersecurity requirements that the White House hopes will better protect government offices from malicious digital activity. In addition, the administration designed the order to spur federal government hardware and software suppliers to ratchet up their security efforts to hang onto their government contracts. The hope is that by exercising the power of the purse, the federal government’s new rules would have a positive spillover effect for private sector organizations, too.

Cybersecurity EO mandates 46 actions

The order requires 46 actions to be carried out by the Commerce Department, the Department of Homeland Security (DHS), the Defense Department (DOD), the Office of Management and Budget (OMB), the National Security Agency (NSA), the Director of National Intelligence, the Attorney General, the Federal Acquisition Regulatory (FAR) Council, and other government-related entities. Exemplifying the whole-of-government approach favored by this White House, virtually all the tasks assigned under the EO require collaboration by multiple government agencies.

Some government agencies, notably the NSA, have made little to no public comment on some or all their tasks under the EO. Therefore, it isn’t easy to gauge how far along some actions are to completion. Moreover, the deadlines for at least 11 of those tasks have yet to arrive.

Cybersecurity EO tasks completed to date

With those caveats, the following summarizes the status of the 19 tasks known to be completed to date, in chronological order by the deadlines spelled out in the order:

• 5/26/21, Recommendations on Logging Events Requirements. Section 8(b) of the order requires the DHS secretary, in consultation with the attorney general and the administrator of the Office of Electronic Government within OMB, to provide to the OMB director recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks. In addition, the FAR Council must consider the recommendations. Although little is publicly available regarding this requirement, the DOD has noted that as of August 4, FAR and Defense Acquisition Regulation staff are working on this requirement.
• 6/11/2021, Outreach on Enhancing Software Supply Chain Security. Section 4(b) of the order asks the Commerce Department’s National Institute of Standards and Technology (NIST) to solicit input from the federal government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, best practices, and other guidelines to enhance software supply chain security. NIST fulfilled this task by hosting a workshop on software security and soliciting position papers on standards and guidelines.
• 6/11/2021, EDR Recommendations. Section 7(c) of the order directs the DHS secretary acting through the CISA director to provide the OMB director with recommendations on options for implementing an extended detection and response (EDR) initiative that are centrally located to support host-level visibility, attribution, and response regarding federal civilian executive branch (FCEB) information systems. Although this is not a public-facing task, CSO confirmed it was completed.
• 6/26/2021, Identifying Components of Cybersecurity Incident Reports. Section 2 g(i) of the EO requires the DHS secretary, in consultation with the secretary of defense acting through the NSA director, the attorney general, and the OMB director, to recommend to the FAR Council contract language that identifies the components of prompt cybersecurity incident reports required by government contractors. Although none of the government agencies have publicly said anything about this requirement, the DOD noted that on 8/4/21, FAR and Defense Acquisition Regulation staff are working on this requirement.
• 6/26/2021, Definition of Critical Software. Section 4(g) and 4(h) of the order requires the secretary of commerce, acting through the NIST director, in consultation with the secretary of defense acting through the NSA director, the DHS secretary acting through the CISA director, the OMB director, and the director of national intelligence to publish a definition of what constitutes critical software. On June 24, NIST released this definition, and on October 13, 2021, released a white paper that revises that definition. On the same date, ahead of schedule, NIST also published a preliminary list of software categories considered to be EO-critical, another requirement in the order.
• 7/11/2021, Minimum Elements of SBOMS. In Section 4(f) of the order, the commerce secretary, in coordination with the assistant secretary for communications and information and the administrator of the National Telecommunications and Information Administration (NTIA), is required to publish minimum elements for a software bill of materials (SBOM). Accordingly, on July 12, 2021, the Commerce Department published a 28-page document containing these minimum elements.
• 7/11/2021, Security Measures for Critical Software. Section 4(i) of the order requires the secretary of commerce acting through the NIST director in consultation with the DHS secretary acting through the CISA director and with the OMB director to publish guidance outlining security measures for critical software. On July 8, NIST published a document containing those security measures.
• 7/11/21, Minimum Standards for Software Source Code Testing. Section 4(r) of the EO requires the secretary of commerce acting through the NIST director in consultation with the defense secretary acting through the NSA director to publish guidelines recommending minimum standards for vendors’ testing of their software source code. Accordingly, on October 12, NIST published a document, Guidelines on Minimum Standards for Developer Verification of Software.
• 7/11/21, Contract Language for Appropriate Cybersecurity Requirements. Section (2)(F)(i) of the order asks the DHS secretary acting through the CISA director, in consultation with the secretary of defense acting through the NSA director, the OMB director, and the administrator of general services, to review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. Although this is not a public-facing task, CSO confirmed it was completed.
• 7/11/21, Cloud-Service Governance Framework for FCEB Agencies. Section (3)(c) (iii) of the order directs the DHS secretary acting through the CISA director to develop and issue for FCEB agencies a cloud-service governance framework. CSO confirmed that this task was completed and that the framework is akin to the cloud technical reference architecture that CISA publicly released (see below).
• 7/26/2021, MOAs Regarding Continuous Diagnostics and Mitigation Program. Section (7)(f) of the EO requires that the DHS secretary, acting through the CISA director, have access to agency data relevant to a threat and vulnerability analysis and assessment and threat-hunting purposes.  The order also requires agencies to establish or update memoranda of agreement (MOA) with CISA for the Continuous Diagnostics and Mitigation Program to ensure object-level data are available and accessible to CISA, consistent with applicable law. CSO confirmed that the task is completed and that all 23 relevant agency MOAs are signed.
• 8/10/21, Cloud Computing and Zero Trust Architecture. Under Section 3(c) of the order, the DHS secretary acting through the CISA director, in consultation with the administrator of general services acting through the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration, is required to develop security principles governing cloud service providers (CSPs) for incorporation into agency modernization efforts, with a specific focus on zero-trust architecture where practical. On September 7, CISA developed a Zero-Trust Maturity Model to assist agencies in implementing zero-trust architectures. In August, CISA released a Cloud Security Technical Reference Architecture
• 8/10/21, Federal Cloud Security Strategy. Section 3(i) of the order asks the OMB director, in consultation with the DHS secretary acting through the CISA director, and the administrator of general services acting through FedRAMP, to develop a federal cloud-security strategy and move agencies closer to zero-trust architecture. In August, OMB put out a draft memo, Moving the U.S. Government Towards Zero Trust Cybersecurity Principles.
• 8/10/21, Cloud Security Technical Reference Architecture. Section 3(ii) of the order asks the DHS secretary acting through the CISA director, in consultation with the OMB director and the administrator of general services acting through FedRAMP, to develop and issue for the FCEB cloud-security technical reference architecture documentation that illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting. In early September, CISA put out for public comment its Cloud Security Technical Reference Architecture.
• 8/10/21, Report on How Threat Hunting Activities Are Implemented. Section (7)(i) of the order requires the CISA director to provide to the OMB director and the assistant to the president for national security affairs (APNSA) a report describing how authorities granted under section 1705 of Public Law 116-28 to conduct threat-hunting activities on FCEB networks without prior authorization from agencies are being implemented.  This report should also recommend procedures to ensure that mission-critical systems are not disrupted, procedures for notifying system owners of vulnerable government systems, and the range of techniques that can be used during testing of FCEB Information Systems. The CISA director must also provide quarterly reports to the APNSA and the OMB director regarding actions taken under section 1705 of Public Law 116-283.  Although this is not a public-facing task, CSO confirmed it was completed.
• 8/24/21, Improving Investigative and Remediation Capabilities. Section 8(c) of the EO requires the OMB director, in consultation with the secretary of commerce and the DHS secretary, to formulate policies for agencies to establish requirements for logging, log retention, and log management, which ensure centralized access and visibility for the highest-level security operations center of each agency.  Accordingly, on August 27, Shalanda Young, acting OMB director, issued a memo on Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents, which includes, among other things, a suggested maturity model for event log management, along with agency implementation requirements.
• 9/9/21, Steps to Foster Agency Sharing of Data with CIS and the FBI. Section (2)(e) of the order requires the DHS secretary and the OMB director to take appropriate steps to ensure to the greatest extent possible that service providers share data with agencies, CISA, and the FBI as may be necessary for the federal government to respond to cyber threats, incidents, and risks. Although this is not a public-facing task, CSO confirmed it was completed. CISA also previously provided recommendations to the FAR Council to further remove barriers to information sharing between contractors and the federal government.
• 9/9/21, Development of Playbook for Use in Vulnerability and Incident Response Activity. Section(6)(b) of the order asks the DHS secretary acting through the CISA director, in consultation with the OMB director, the Federal Chief Information Officers Council, and the Federal Chief Information Security Council, and in coordination with the secretary of defense acting through the NSA director, the attorney general, and the director of national intelligence, to develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems.  Although this is not a public-facing task, CSO confirmed it was completed.
• 11/8/21, Enhancing Software Supply Chain Security. Section 4(c) of the EO asks the NIST director to publish preliminary guidelines based on input from the federal government, private sector, academia, and existing documents for enhancing software supply chain security. On October 28, NIST published these guidelines in Appendix F of a revised version of its 800-161 publication, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.