* Pushes toward zero-trust architecture
* FedRAMP cloud security modernization
* New fed cloud strategy
* IoT security labeling pilot program
* Encourages SBOM
* CISA incident response "playbooks" for agencies
* Govt-wide log retention/analysis policy
The EO "makes a down-payment towards modernizing our cyber defenses" and "reflects a fundamental shift in our mindset from incident response to prevention, from talking about security to doing security," a sr admin official told reporters.
"For too long, we fail to take the necessary steps to modernize our cybersecurity defenses, because doing so takes time, effort, and money, and instead we've accepted that we'll move from one incident response to the next," SAO said.
"We routinely install software with significant vulnerabilities into some of our most critical systems and infrastructure," SAO added. "The cost of the continuing status quo is simply unacceptable."
The SAO offered a compelling analogy: "We'd never buy a family minivan knowing it could have potentially fatal defects, with the expectation of recalls or [deciding] whether you want to install and pay for seatbelts or airbags afterwards."
OMB must recommend to federal acquisition officials a major overhaul of contracting language with new cybersecurity requirements for IT service providers that contract with the government.
CISA must recommend standardized cyber contract language for universal use.
Requirements for agencies:
* Plans for cloud adoption and zero-trust architecture
* Encryption and MFA within 180 days
* New OMB/CISA cloud security strategies and guidance
* FedRAMP (cloud service marketplace) modernization
Software security stuff:
* NIST must develop software security guidance
* Commerce must publish minimum reqs for software bill of materials (think ingredient list for software)
* Defining, identifying, and protecting most critical software
* Ensuring vendor security compliance
* IoT security labeling pilot program (think Energy Star)
* Cyber Safety Review Board: composition (co-led by DHS and industry rep, includes DOD, DOJ, CISA, NSA, FBI), function (think NTSB), and initial reporting requirement (SolarWinds review)
* CISA must create incident response playbooks so all agencies are responding in a consistent way
* Civilian agencies must use EDR software to aid in threat detection
* DOD/IC must improve detection on natsec systems
* CISA must report on use of its new threat hunting authority
* DHS & DOD must share w/ each other their network security directives and consider whether to adopt each other's requirements
* DHS must recommend a log retention policy and OMB must review and issue it
* DOD/IC must adopt standards at or above what's in this EO
That's what I flagged on my review. Did I miss any particularly juicy sections? Let me know!
Some praise from industry groups — many of whose members will have to comply with the new security regulations — for Biden's cyber EO.
Leading cyber-focused lawmakers also praised Biden's EO, although several of them noted that it will not be enough and Congress has to act, too.
Senate Homeland Security Committee hearing on SolarWinds and federal cybersecurity is starting now: hsgac.senate.gov/hearings/preve…
In opening statement, ranking member Rob Portman questions why HHS didn't declare its SolarWinds breach to be a "major incident" per FISMA. He also questions why HSGAC learned from news reports that SolarWinds had hit DHS/CISA, including DHS secretary and incident responders.
In opening statement, Acting CISA Director Brandon Wales says one of CISA's top priorities this year is creating joint cyber planning office (authorized in NDAA) to strengthen public-private collaboration, which he says was key to successful SolarWinds/Exchange responses.
Biden addressed the Colonial Pipeline hack a few minutes ago.
"So far there is no evidence from our intelligence people that Russia is involved, although there is evidence that the actor's ransomware is in Russia. They have some responsibility to deal with this."
Biden was asked, if you can't protect U.S. critical infrastructure from a criminal gang, how can you protect it from a nation-state actor?
"We can do both," he responded, "and we will."
"This is something that our administration has been tracking extremely carefully, and I have been personally briefed every day," Biden said at the top of his remarks.
White House briefing starting now, with Homeland Security Adviser Elizabeth Sherwood-Randall and Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger.
Sherwood-Randall: "Thus far, Colonial has told us that [its pipeline] has not suffered damage and can be brought back online relatively quickly, but that safety is a priority, given that it has never before taken the entire pipeline down."
A White House-convened interagency team with DOE, CISA, FBI, DOT, Treasury, and DoD "met throughout the weekend," Sherwood-Randall said.
DHS just wrapped up a background briefing with senior officials on the department's cybersecurity agenda.
Nothing earth-shattering, but I'll share a few comments that stood out to me.
We've previously heard from Anne Neuberger that the Biden administration has an EO coming with mitigations related to the SolarWinds/Exchange vulnerabilities. Today, a senior DHS official told us that it will contain "close to a dozen actions."
DHS Sec Mayorkas will be discussing cyber tomorrow during an RSA event.
Per sr official, he will offer a "comprehensive vision" for using DHS/CISA to defend the country, incl through several "cybersecurity sprints" that he previously teased.
HSGAC Chair Gary Peters: "The process and procedures for responding to cyberattacks desperately needs to be modernized," including by reforming FISMA and streamlining information sharing.
Peters: "It is clear from the gravity of this threat that we need to examine whether CISA, the FBI and other agencies have what they need to protect the American people."