The White House, on Wednesday, released new cybersecurity guidelines to provide details on the executive order signed by President Biden in May of last year.
The guidelines are based on the Cybersecurity and Infrastructure Security Agency’s (CISA) recommendations and findings. The White House’s statement mentions these guidelines will help ensure protection and enhance security of the software supply chain to government agencies and entities.
The statement from the White House points out three important developments moving forward:
- The National Institute of Standards and Technology (NIST) will be responsible for software accreditation.
- Private vendors selling software to state and federal entities and agencies must have accreditation.
- Agencies must ensure inventorying of all software in 90 days. Further, accreditation for critical and non-critical software must be furnished within 270 and 365 days, respectively.
However, the perception of government as a large, slow bureaucracy makes it hard to believe that public agencies and companies can adopt these cybersecurity regulations and best practices within three months.
But the Biden-Harris Administration is adamant about sticking to its cybersecurity goals. It has no plans to offer any quarter to any agency on the matter.
Doubling Down on the May 12th Executive Order
Last year’s executive order signed by President Biden was a key step in modernizing cybersecurity in the federal government. With the rise in cyberattacks, this move was crucial for strengthening the country’s cyber defenses.
The administration recognizes that most cyberattacks against federal agencies have come from unaffiliated sources. Moreover, the new order also aims to protect against attacks from adversarial nations such as China, named as one of the instigators of such attacks in the past.
The policy views cybersecurity as the top priority. It seeks to improve prevention, detection, assessment, and remediation of cyberattack cases.
Additionally, the goal is to remove communication barriers and improve information sharing between agencies and entities. The government will set up systems to ease communication and information-sharing between the Intelligence Community (IC), CISA, and the FBI, as well as other agencies and departments relevant to the nation’s cybersecurity.
Further, the executive order also plans to modernize cybersecurity for the federal government. Zero-trust architecture and similar approaches are meant to ensure the stability and security of federal systems.
Enhancing the Software Supply Chain
After reviewing the current state of affairs, the Biden-Harris administration concluded that the federal government and its agencies are using outdated, ambiguous, and ineffective security software.
As a result, the executive order called on NIST to provide quality assurance for software purchased and paid for by public entities.
Last year, NIST, acting on the administration’s instructions, collected input from federal agencies, the private sector, the National Science Foundation, academics from Yale, and other stakeholders for the national cybersecurity strategy.
NIST published the new cybersecurity guidelines under the agency’s former acting director, James Olthoff. The new director, Laurie E. Locascio, who took over the role in April after leaving her position at the University of Maryland, renewed the guidelines.
The CISA committee has made the guidelines stricter. In addition, the guidelines will enforce the use of a compartmentalized administrative environment, trust relationship audits, and multi-factor, risk-based authentication across all entities.
NIST to Become an Accreditation Agency
Under the executive order, and due to NIST’s expertise in the cybersecurity domain, it’s becoming the linchpin of the Biden-Harris cybersecurity policy.
NIST already collected information and took stock of the software used by federal agencies back in 2021. It is now well-positioned to provide insights into the software used in the federal government and its entities.
From now on, all entities will need to follow three rules:
- Buy software exclusively from NIST-accredited vendors
- Procure cybersecurity information and accreditation for existing software
- Conduct regular checks and updates for re-accreditation
And, while some agencies voiced concerns that these new rules may further slow them down, it’s seen as the only way to protect data from intrusions.
CISA Updates and Recommendations
On top of providing the new cybersecurity guidelines for the public and other federal agencies, CISA gave new recommendations for how it’ll function from now on.
During its fourth Cybersecurity Advisory Committee, the members provided these updates to Lieutenant Colonel Jen Easterly. Lt. Col. Easterly has been serving as the director of the Agency since its founding in 2021.
Moreover, CISA’s six subcommittees offered updates on their progress and their functions for the future. The subcommittees also disclosed their plans for protecting the federal institutions and the American public.
Privacy as an Afterthought
Although May’s executive order mentions privacy five times, four were in relation to upholding current laws on protecting public privacy.
According to some observers, these laws are grossly incomplete and frequently subverted to suit the government’s interests over those of the public.