President Biden’s Cybersecurity Executive Order: What will it mean for you?
Published 06/01/2021
This blog was originally published by OneTrust.
On May 12, 2021, US President Joe Biden issued an executive order on cybersecurity (Executive Order 14028, "Improving the Nation's Cybersecurity") seeking to improve the state of national cybersecurity in the US and to strengthen the protection of government networks, following the SolarWinds supply chain compromise and, more recently, the Colonial Pipeline ransomware attack. The Executive Order sets out the need to modernize the country's cybersecurity defenses and to open channels for sharing information about cybersecurity threats and breaches, including by removing contractual barriers that currently prevent IT service providers from reporting incidents to federal agencies. This will undoubtedly raise concerns for many organizations whose existing contract terms make such incidents difficult to report, but it also highlights the importance of organizations ensuring that their supply chain is secure and that their vendors meet the necessary cybersecurity requirements.
Watch this webinar: US Cybersecurity Executive Order: How It Will Impact Your Vendor Risk Strategy
The Executive Order looks to lead from the front, stating: "the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life […] The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order." While the Government looks to set a precedent, several provisions will affect the way private-sector organizations approach their security processes, including attesting to the integrity and provenance of open-source components in their products, providing a software bill of materials (SBOM), and addressing the security of legacy software, particularly if you are selling software to the federal government.
“In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
– President Joe Biden, Executive Order on Improving the Nation’s Cybersecurity
The White House also published a fact sheet which highlights the seven key points the Executive Order sets out to address:
- Remove Barriers to Threat Information Sharing Between Government and the Private Sector
- Modernize and Implement Stronger Cybersecurity Standards in the Federal Government
- Improve Software Supply Chain Security
- Establish a Cybersecurity Safety Review Board
- Create a Standard Playbook for Responding to Cyber Incidents
- Improve Detection of Cybersecurity Incidents on Federal Government Networks
- Improve Investigative and Remediation Capabilities
What does the Executive Order mean for organizations?
The Executive Order's heightened emphasis on transparency about security practices and incidents, together with the consequences of failing to meet its requirements, will lead to a surge in organizations reviewing their third-party contracts. Improving the security of the software supply chain is a key component of the Executive Order, and organizations must now look to verify that they are working with secure vendors. This will also likely lead to increased scrutiny of vendor risk assessments, of potential security gaps in the supply chain, and of the remediation policies currently in place.
Beyond securing the supply chain itself, it will fall to organizations to ensure their vendor contracts contain terms that permit, rather than prevent, the transparent sharing of threat and breach information. In addition, vendor assessments will need to address whether FedRAMP requirements are being met, including assessment, authorization, continuous monitoring, and compliance.
Given the White House's pledge to ensure government systems "meet or exceed the standards and requirements for cybersecurity" outlined in the Executive Order, organizations looking to sell software to government agencies should expect more stringent evaluations of their own security to confirm that the appropriate requirements are being met. This top-down approach to cybersecurity standards will set the benchmark for organizations; it is therefore critical that your own and your vendors' security programs meet the necessary requirements if you intend to sell software to government agencies.
Vendor risk management is likely to come under the microscope for many organizations following the release of President Biden's Executive Order on Cybersecurity, and the security of the software supply chain will be scrutinized accordingly. As a result, many organizations will need to revisit their existing vendor contracts as well as their own security processes in order to meet the new standards and protect their eligibility for government agency contracts.
Further reading on President Biden’s Executive Order on Cybersecurity:
- OneTrust DataGuidance News: USA: President issues executive order on improving national cybersecurity
- The White House Briefing Room: Executive Order on Improving the Nation’s Cybersecurity