During the first quarter of 2023, Fortress tracked a number of events that impacted the critical...
Preparing for Emerging Regulations
President Biden released the Executive Order on Improving the Nation's Cybersecurity (EO 14028) in May 2021 to galvanize public and private efforts to identify, detect, deter and respond to increasingly sophisticated, malicious cyber campaigns. The executive order followed a series of high-profile information security attacks and ransomware incidents targeting the public and private sectors.
President Biden's executive order emphasizes the need to elevate information security as a core tenet of national security and calls on federal agencies and public sector organizations to work with the private sector to prioritize the data security and privacy of the American people and government. In sum, EO 14028 comprises seven objectives:
- Remove barriers to threat information sharing between government and the private sector
- Modernize and implement stronger cybersecurity standards in the federal government
- Improve software supply chain security
- Establish a cyber safety review board
- Create a standardized playbook for responding to cybersecurity vulnerabilities and incidents
- Improve detection of cybersecurity incidents on federal government networks
- Improve investigative and remediation capabilities
At its broadest level, EO 14028 sets an ambitious goal of removing the myriad contractual barriers that impede information sharing between federal agencies and the legion of IT and OT service providers they work with to confront the critical matter of cyber threats, incidents, and risks. To this end, EO 14028 principally charges the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) with primary oversight.
In its full sweep, EO 14028 calls for implementing Zero Trust Architecture and, for the first time, requires federal agencies to develop plans to implement a Zero Trust approach. Zero Trust is a conceptual security model founded on the idea that an actor within a network is not inherently trustworthy based simply on their access to or presence within that network.
A Zero Trust architecture creates additional mechanisms and controls beyond network access to protect data from negligent or malicious activity.
In a memo issued in September of this year, OMB required federal agencies to comply with guidance from the National Institute of Standards and Technology (NIST) when using third-party software (e.g., operating systems and firmware). The OMB memo requires agencies to use only software from vendors who attest to complying with NIST's secure software development practices.
It is under this existing "chain of command" that Fortress Information Security sees an inherent, glaring risk: namely, that OMB and CISA will create a software bill of materials (SBOM) data repository scheme and mandates for federal agencies that ignore the needs and best practices that Fortress has scrupulously developed in close cooperation with the industry. Adding to the urgency of the situation is a report this October from the Department of Energy (DOE), "Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid." Among DOE's recommendations:
- Enhance firmware security via code signing, secure patching, and software bills of materials; and
- Test and enumerate software/hardware bills of materials to identify vulnerabilities in code that could be exploited.
Considering the profound impact EO 14028 will have in securing the nation's critical infrastructure, Fortress has formulated a plan of action that merits broad industry support. Key ingredients of this action plan span three areas:
- Alignment of Fortress's Asset to Vendor (A2V) network with NIST's:
  - Software supply chain security guidance
  - Critical software identification
  - Minimum standards for vendor software
  - SBOM minimum standards
  - Labeling guidance
- Participation with GSA, CISA and OMB in developing requirements for a central repository
- Development and socialization of an attestation database that is synchronized with A2V, including a gap analysis between A2V and NIST-endorsed software development security practices.
The implementation of EO 14028 constitutes a completely new paradigm for national security. It calls for a comprehensive response to a formidable adversary that only grows in sophistication and lethality. Fortress and the Fortress A2V Network are well-equipped to help meet this challenge with industry support and a commitment to strengthening U.S. cybersecurity in new and effective ways.