EO 14028 – The March Forward Continues
While many executive orders are a waste of good space in the Federal Register, so far executive branch agencies seem to be taking the Executive Order on Improving Cybersecurity seriously.
The most recent result is that the Office of Management and Budget has ordered federal agencies to start documenting software that is identified as critical. NIST released the criteria for what software must be considered critical (as required by the EO). The next step is for agencies to document what they are using that is critical.
Agencies have 60 days to complete this task.
Based on typical government, snail-like speed, these timelines are lightning fast. The EO was released in May, NIST released the definition of critical in June and now OMB is giving agencies 60 days to document what they have.
The directive also tells agencies that they have to implement the controls in the Critical Software Security Guidance. They have a year to do that. Given that some agencies are using software developed in the 1960s, 1970s and 1980s, this is definitely going to be a challenge.
So what are some of the things that agencies have to do? The list is long, but here are some of them.
- Implement multi-factor authentication
- Deploy encryption across the government
- Uniquely identify each service that accesses systems and data
- Segment networks
- Create and maintain a data inventory
- Use fine-grained access controls
- Implement least privilege
- Back up data, test backups and be ready to restore from them
- Quickly detect, respond to and recover from incidents
- Maintain sufficient logs to figure out what happened
- Train, train and more training
In addition, NIST has published standards for testing critical software.
While these things are hard to do, are any of these items ones that you think are unnecessary? I don't see any.
While these rules only apply to software used by the executive branch (and any company that wants to sell software to the executive branch), we recommend that businesses follow along as the feds improve their security; it will improve yours.