Earlier this week the Biden Administration issued an executive order to strengthen the federal government’s cybersecurity and oversight of the larger “software supply chain” that involves government contractors. IT auditors, risk managers, privacy officers, and related compliance professionals should prepare now for what’s coming soon.
The order is most immediately a response to that ransomware attack against Colonial Pipelines, so Team Biden could look like they’re doing something; but really the order is much more a response to the SolarWinds cybersecurity breach last fall, which demonstrated just how vulnerable the software supply chain is.
The businesses that need to pay the most attention here are government contractors, and especially technology contractors that provide IT services via the cloud. Those so-called “cloud service providers” have long had to meet certain cybersecurity standards developed by the FedRAMP program — but FedRAMP is likely to see changes, as well as the Federal Acquisition Rule, and the Defense Federal Acquisition Rule Supplement that applies specifically to defense contractors.
What are the main points of this 34-page executive order? Let’s take a look.
Better Sharing of Threat Information
The order directs various federal agencies to clarify the language in government contracts, that all contractors must preserve data related to cybersecurity breaches, share that data with the feds, and cooperate with any subsequent investigations.
To put that idea into force, the agencies are supposed to propose (and then adopt) new language in Federal Acquisition Rule, and the Defense Federal Acquisition Rule Supplement, which are the two primary rules that govern federal contracting. That should happen within the next year.
Stronger Cybersecurity Within Government
The order also directs federal government agencies to adopt two principles of cybersecurity as widely as possible: zero-trust architecture and multi-factor authentication.
Multi-factor authentication is already relatively well-known: access to confidential data depends on something you know (a password and user ID), plus something you have (a cell phone, key fob, or similar device). So you log into the system, and the system sends a one-time security code to your phone that you must enter as well. The EO says multi-factor authentication should be much more widely adopted.
Zero-trust architecture is a relatively new type of network design, where users on a corporate network are challenged much more often — the system has “zero trust” in who you claim to be. It’s a more technical challenge, mostly for your IT security team.
This part of the order also specifies that the federal government should keep embracing cloud-service providers, because CSPs are often better at securing their systems than the end user. But if you’re a CSP, remember: you’ll need to embrace zero-trust architecture and multi-factor authentication as well.
Stronger Oversight of Software Supply Chain
This section of the order is meant to govern how software is developed and provided to customers. That was the weakness in the SolarWinds attack: Russian agents penetrated SolarWinds and implanted malware into its software products, which were then sent to government agencies and corporate customers via a “routine” software upgrade.
The order directs NIST to devise new guidelines for better, more secure software development. That will translate into steps such as…
- Tighter control over the “build environments” that coders use to write software;
- More multi-factor authentication and other access controls;
- More data encryption and monitoring; and
- More documentation about the provenance of your code (such as, did you grab a piece of open-source code off the internet?); and
- More internal control over the third-party code that you use in your own software code, complete with audits to confirm your controls are effective.
How Does This Affect Compliance?
Hoo boy, this could affect compliance in lots of ways.
Foremost, these proposals are changes to cybersecurity practice that could consequently change your compliance risks — and you’ll need to anticipate that, rather than be caught flat-footed.
For example, go back to that point about better sharing of threat information. Even as you share more information with the feds about an attack, you’ll still have data privacy obligations to consider. (The order specifically notes this point.) Or your attack could end up referred to the Justice Department for criminal prosecution of the attackers; that might raise other issues about data privacy or even civil litigation from the plaintiffs bar.
Or consider the section about better governance of the software supply chain. That could mean new policies and procedures for employees, new training to roll out, new testing to conduct. It will definitely mean more documentation you’ll need to collect.
The bottom line is that this executive order could force substantial operating changes to your business, and those changes could alter your regulatory compliance risks. So compliance officers should start thinking now about how to stay ahead of that challenge.
How Does This Affect Audit?
See my previous “Hoo boy!” statement. You folks could get pulled into the crosshairs of this too.
For example, if we want to embrace zero-trust architecture and multi-factor authentication — which we should, as soon as possible — that could require significant change to user access controls or IT general controls. Those changes will need to be designed and tested. Ditto for all those points about stronger control over software development.
Audit functions will need to assure that they have the relevant expertise to perform that work. You might forge a closer working relationship with the IT security team, especially if your business is small enough that it doesn’t have a dedicated IT auditor in your own department.
And all of this enhanced attention to cybersecurity comes amid pre-existing attention to cybersecurity. So you may be redesigning controls or processes to satisfy enhanced FedRAMP or DFARS requirements, while you still have to preserve controls for HIPAA or PCI-DSS compliance.
Can that be done? Sure, but in all likelihood, you’re going to need sophisticated technology for data mapping, control mapping, remediation, alerts for remediation that isn’t happening in a timely manner, and documentation. (I’m sure all the GRC vendors out there are doing handsprings over this news.)
The only bright point here is that the imperative for better cybersecurity is clear and compelling, so your board and CEO shouldn’t need too much persuasion to pay attention to this. Soon enough, if you whiff on cybersecurity, you’re going to strike out from government contracts. It’s that simple.
That was true even before Colonial Pipelines shut down gas service to half the country. It’s all the more true now.