Understanding the Executive Order on Improving the Nation's Cybersecurity

<img src="https://images.squarespace-cdn.com/content/v1/5d3a0abcf7bd0a0001f0b5e8/1ade7594-f7f0-482d-9d09-25eff80fbd9f/Executive+Order+on+Improving+the+Nation%27s+Cybersecurity.png" alt="" />

Cybersecurity has become a critical issue as we become increasingly dependent on digital technology to operate our businesses, run our homes, and manage our personal lives. Cyberattacks have grown in frequency and sophistication in the past few years, leading government and private sector leaders to demand more action.

In response to these growing threats, on March 21, 2022, the Biden administration released a statement that lays out a series of principles that will guide the development of new policies to reduce risk exposure for the federal government, businesses, and consumers.

This statement builds on the president’s previous executive order 14028, released in May of 2021. The administration believes that hostile foreign actors – specifically Russia – are making malicious moves in the cyber landscape and it urges both the public and private sector to tighten their security.

We created this article to help explain what this statement means for your business in terms of protecting your data online and safeguarding against future cyber threats. Read on to learn how to improve cybersecurity in your organization and apply the principles of the executive order on improving the nation's cybersecurity to your policies and procedures.

Key Takeaways of the Executive Order on Improving the Nation's Cybersecurity

The main focus of the Biden administration’s EO is to make federal government cyber systems and networks stronger and safer and enhance information sharing.

Firstly, EO 14028 focuses on strengthening government networks and technology infrastructure to make them more difficult to breach. It also pushes for upgrades to cybersecurity and promotes initiatives like “zero trust architecture”. Through the executive order, the Biden administration wants to leverage the federal government's $70 billion IT budget to encourage better security practices and encourage the inclusion of security in all software as it’s being developed.

The second major focus of the EO is to remove restrictions on the sharing of information between IT service providers and the government. It also requires the disclosure of major “cyber events” and attacks for better incident response.

The executive order on improving the nation's cybersecurity says, “...the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”

In other words, we’re moving towards a zero-trust cybersecurity model meant to safeguard personal information, corporate secrets, and national security. The digital world is borderless, and governments and large organizations have been slow to adapt to the security landscape. This executive order is an attempt to catch up to the ever-evolving catalog of cyber threats and (as much as possible) prevent them from happening in the first place.

Updating the Cyber Incident Playbooks

The CISA created two new playbooks in accordance with Section 6 of EO 14028: the Incident Response Playbook and the Vulnerability Response Playbook. These documents outline how FCEB agencies are expected to respond to cybersecurity events and vulnerabilities. It also covers the corrective actions they should take.

The playbooks offer a standardized response to cybersecurity issues, which allows government agencies to create more efficient and streamlined policies and procedures. Having a standardized playbook also helps ensure that nothing falls through the cracks or is overlooked.

Who Is Affected by the Executive Order on Improving the Nation's Cybersecurity?

EO 14028 mainly affects federal executive agencies and federal contractors, although the private sector will likely also see a focus on software supply chain security and transparency in software/IoT labeling.

Federal agencies will have to modernize their networks and update their security policies and procedures.

Federal contractors and software providers will start to build new cybersecurity standards into their contract terms. They are also now required to share more information should a cyberattack or “incident” occur.

Many organizations across all sectors will likely see an increase in vendor scrutiny. This means that you’ll likely need to revisit your existing vendor contracts as well as your own security policies and procedures to ensure that you still meet eligibility requirements for government agency contracts.

How Does the EO Affect My Company?

While the initiatives and policy changes outlined in the executive order on “Improving the Nation's Cybersecurity” don’t directly affect your business, you can expect to see a ripple effect as software suppliers and IT services implement their responses.

The new EO makes it easier for IT services and employees to request and install higher-quality software. This means that cybersecurity will improve exponentially across the nation as the IT industry is given the arsenal they need to fight against, manage, and report on cybersecurity threats and attacks.

One of the policies we expect to see most adopted by our clients and businesses in general is the “zero trust” cybersecurity model.

What Is Zero-Trust Architecture?

EO 14028 mentions the implementation of a “zero-trust” model in response to cybersecurity. Zero trust–much as it sounds–is a model that focuses on preventing cyber incidents by taking a position opposite to security in the past. Rather than focus on preventing largely external intrusions from being successful, zero trust assumes that the environment is or will be compromised both from external and internal vectors and focuses on being able to stop the attacks in their tracks. Furthermore, the zero-trust model represents a global shift from centralized, on-premises-centric security measures to a distributed, cloud-centric approach.

Zero-trust authentication begins with the assumption that passwords and push messages are relatively easy to intercept by hackers. Therefore, zero-trust authentication requires strong multifactor authentication initially and then as needed (say, when accessing a critical system or file) rather than just once per session or per timeframe (such as up to 90 days with some authorization methods).

How to Protect Against Potential Cyberattacks
<img class="sqs-image-min-height" src="https://images.squarespace-cdn.com/content/v1/5d3a0abcf7bd0a0001f0b5e8/667cd6a9-ceed-4143-937d-53bebeb4b096/How+to+Protect+Against+Potential+Cyberattacks.png" alt="How to Protect Against Potential Cyberattacks" loading="lazy"/> How to Protect Against Potential Cyberattacks

As the situation with Russia grows more and more tense, concerns are rising in the current administration about the potential for malicious cyber activity out of Russia. Along with the statutes laid out by EO 14028, the Statement by President Biden on our Nation’s Cybersecurity urges all companies to take the following steps towards better security as soon as possible:

●     Use multifactor authentication to strengthen your systems against attacks

●     Use upgraded security tools to scan for threats on your devices

●     Patch and protect against all known vulnerabilities

●     Change passwords frequently

●     Backup your data frequently in case of ransomware or other cyber attacks

●     Encrypt your data so that even if it’s stolen it cannot be used against you

●     Run frequent drills and exercises in case of emergency

●     Educate your employees and create detailed policies around cyber security

●     Proactively reach out to your local FBI field office to build relationships in case of a future cyber incident

If your company falls under the technology or software vertical, there are further steps you are encouraged to take:

●     Build security into your products from the get-go – the statement calls this the “bake it in, don’t bolt it on” approach

●     Use highly secure zero-trust systems to develop your software

●     Make sure your developers know where their source code is coming from–your company is the one responsible for the products and code you release to the public

●     Implement and strengthen the practices mandated by the President’s Executive Order, Improving our Nation’s Cybersecurity

Conclusion: A Step Towards Safer Online Experiences

The EO on improving the nation’s cybersecurity and the follow up statement this year are a much-needed step towards enhancing online security, which will ultimately lead to safer and more secure experiences for all. This order will require federal agencies to improve their cybersecurity practices and adopt modern technologies that make it harder for criminals to hack into their systems.

This will make it harder for criminals to hack into the systems of private-sector organizations that provide services to the federal government, such as telecommunications companies, internet service providers, and cloud computing providers. As a result, businesses in every industry will be less vulnerable to cyberattacks and individual private information will be more secure.

Improve Your Company’s Cybersecurity With Passwordless Authentication

Axiad Cloud delivers passwordless authentication that unifies multiple authentication methods and platforms for a seamless access solution. Create a more secure environment and remove barriers to employee productivity. Learn more about Axiad Cloud today!

<img src="https://images.squarespace-cdn.com/content/v1/5d3a0abcf7bd0a0001f0b5e8/4ed8348e-360c-4bd1-a720-d436acb2b549/CTA+3.jpg" alt="" />