Share this page!

Eric Geller Profile picture
Twitter logo
12 May, 17 tweets, 9 min read
BREAKING: Biden signs sweeping cyber EO to close gaps exposed by SolarWinds.

Highlights:
* Incident reporting reqs for IT contractors
* Security reqs for software contractors
* Encryption, MFA, EDR reqs for agencies
* Cyber incident review board

Story: subscriber.politicopro.com/article/2021/0…
More highlights:

* Pushes toward zero-trust architecture
* FedRAMP cloud security modernization
* New fed cloud strategy
IoT security labeling pilot program
* Encourages SBOM
* CISA incident response "playbooks" for agencies
* Govt-wide log retention/analysis policy
The EO "makes a down-payment towards modernizing our cyber defenses" and "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," a sr admin official told reporters.
“For too long, we fail to take the necessary steps to modernize our cybersecurity defenses, because doing so takes time, effort, and money, and instead we've accepted that we’ll move from one incident response to the next," SAO said.
“We routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure," SAO added. "The cost of the continuing status quo is simply unacceptable.”
The SAO offered a compelling analogy: “We’d never buy a family minivan knowing it could have potentially fatal defects, with the expectation of recalls or [deciding] whether you want to install and pay for seatbelts or airbags afterwards.”
Here is the text of Biden's cyber EO: whitehouse.gov/briefing-room/…

Fact sheet: whitehouse.gov/briefing-room/…

My story: politico.com/news/2021/05/1…
Let's dive into Biden's cyber EO, shall we?

Here's a look at the key provisions...
OMB must recommend to federal acquisition officials a major overhaul of contracting language with new cybersecurity requirements for IT service providers that contract with the government.

CISA must recommend standardized cyber contract language for universal use.
Requirements for agencies:

* Plans for cloud adoption and zero-trust architecture
* Encryption and MFA within 180 days
* New OMB/CISA cloud security strategies and guidance
* FedRAMP (cloud service marketplace) modernization
Software security stuff:

* NIST must develop software security guidance
* Commerce must publish minimum reqs for software bill of materials (think ingredient list for software)
* Defining, identifying, and protecting most critical software
* Ensuring vendor security compliance
* IoT security labeling pilot program (think Energy Star)
* Cyber Safety Review Board: composition (co-led by DHS and industry rep, includes DOD, DOJ, CISA, NSA, FBI), function (think NTSB), and initial reporting requirement (SolarWinds review)
* CISA must create incident response playbooks so all agencies are responding in a consistent way
* Civilian agencies must use EDR software to aid in threat detection
* DOD/IC must improve detection on natsec systems
* CISA must report on use of its new threat hunting authority
* DHS & DOD must share w/ each other their network security directives and consider whether to adopt each other's requirements
* DHS must recommend a log retention policy and OMB must review and issue it
* DOD/IC must adopt standards at or above what's in this EO
That's what I flagged on my review. Did I miss any particularly juicy sections? Let me know!
Some praise from industry groups — many of whose members will have to comply with the new security regulations — for Biden's cyber EO.
Leading cyber-focused lawmakers also praised Biden's EO, although several of them noted that it will not be enough and Congress has to act, too.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Eric Geller

Eric Geller Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @ericgeller

Eric Geller Profile picture
11 May
Senate Homeland Security Committee hearing on SolarWinds and federal cybersecurity is starting now: hsgac.senate.gov/hearings/preve…
In opening statement, ranking member Rob Portman questions why HHS didn't declare its SolarWinds breach to be a "major incident" per FISMA. He also questions why HSGAC learned from news reports that SolarWinds had hit DHS/CISA, including DHS secretary and incident responders.
In opening statement, Acting CISA Director Brandon Wales says one of CISA's top priorities this year is creating joint cyber planning office (authorized in NDAA) to strengthen public-private collaboration, which he says was key to successful SolarWinds/Exchange responses.
Read 18 tweets
Eric Geller Profile picture
10 May
Biden addressed the Colonial Pipeline hack a few minutes ago.

"So far there is no evidence from our intelligence people that Russia is involved, although there is evidence that the actor's ransomware is in Russia. They have some responsibility to deal with this."
Biden was asked, if you can't protect U.S. critical infrastructure from a criminal gang, how can you protect it from a nation-state actor?

"We can do both," he responded, "and we will."
"This is something that our administration has been tracking extremely carefully, and I have been personally briefed every day," Biden said at the top of his remarks.
Read 4 tweets
Eric Geller Profile picture
10 May
White House briefing starting now, with Homeland Security Adviser Elizabeth Sherwood-Randall and Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger.
Sherwood-Randall: "Thus far, Colonial has told us that [its pipeline] has not suffered damage and can be brought back online relatively quickly, but that safety is a priority, given that it is never before taken the entire pipeline down."
A White House-convened interagency team with DOE, CISA, FBI, DOT, Treasury, and DoD "met throughout the weekend," Sherwood-Randall said.
Read 17 tweets
Eric Geller Profile picture
30 Mar
DHS just wrapped up a background briefing with senior officials on the department's cybersecurity agenda.

Nothing earth-shattering, but I'll share a few comments that stood out to me.
We've previously heard from Anne Neuberger that the Biden administration has an EO coming with mitigations related to the SolarWinds/Exchange vulnerabilities. Today, a senior DHS official told us that it will contain "close to a dozen actions."
DHS Sec Mayorkas will be discussing cyber tomorrow during an RSA event.

Per sr official, he will offer a "comprehensive vision" for using DHS/CISA to defend the country, incl through several "cybersecurity sprints" that he previously teased.

1st sprint will focus on ransomware.
Read 11 tweets
Eric Geller Profile picture
30 Mar
New: The U.S.' cyber agency is underfunded, overwhelmed, and struggling to keep up with evolving threats.

@CISAgov got $650m in the Covid-19 bill, but experts say it'll need a lot more support to have a chance of stopping the next SolarWinds.

My story: politico.com/news/2021/03/3…
I talked to 15 people familiar with CISA’s work, including 4 current employees and 5 former CISA officials. Some of the problems they described:

* Far too few hunt & incident response teams

* Not enough $ for risk management center

* Not enough data analysis capabilities
Even though many employees are "exhausted," as one put it, they're still optimistic about their agency's future.

They love their mission and hope new Biden admin leadership will get them what they need.
Read 10 tweets
Eric Geller Profile picture
18 Mar
Senate Homeland Security Committee is beginning a hearing on the federal response to the SolarWinds campaign.

Federal CISO, acting CISA director, and senior FBI cyber official are testifying.

hsgac.senate.gov/understanding-…

We previewed what to expect in MC: subscriber.politicopro.com/newsletter/202…
HSGAC Chair Gary Peters: “The process and procedures for responding to cyberattacks desperately needs to be modernized,” including by reforming FISMA and streamlining information sharing.
Peters: “It is clear from the gravity of this threat that we need to examine whether CISA, the FBI and other agencies have what they need to protect the American people.”
Read 26 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @ericgeller has new unrolls!

Check out other threads from @ericgeller!

Read all threads by @ericgeller

:(