Update on the Executive Order on Improving the Nation’s Cybersecurity – Security Boulevard

New executive orders on cybersecurity are always packed with positive-sounding actions with assigned deadlines. The Biden administration’s EO on improving the nation’s cybersecurity came in the wake of the SolarWinds and Colonial Pipeline attacks. Its major components were a call for MFA, zero-trust and EDR across federal agencies. It also established a Cyber Safety Review Board.

There were 47 action items with associated deadlines imposed in the May 12, 2021 cybersecurity executive order. Those deadlines ranged from 14 days to one year with several requirements for ongoing reporting. As of November 8, 2021, 37 of those deadlines have passed.

I have created a Google Sheet that lists all the tasks and deadlines here. Feel free to email me with comments/suggestions.

The first deadline was May 26, 2021. Section 8b of the executive order called on the secretary of the Department of Homeland Security to provide to the director of the Office of Management and Budget (OMB) recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks. Did that happen? What are those requirements? If you read deeper you see that the recommendations are to include methods of encrypting all log data as well as making log data available to CISA among others. I know a few smart people that could sit down and design such a system in two weeks. But if two of those people worked on it together it would take at least six weeks. If a working group was assigned to figure out what to log, how to encrypt it, how to use encrypted data and how to share it with specific groups, it would take at least a year.

The OMB published a memo on tiered requirements for logging on August 27, 2021. It “establishes a maturity model to guide the implementation of requirements across four event logging (EL) tiers.”

The next major deadline was for the secretary of DHS to provide to the director of the OMB recommendations on options for implementing an EDR initiative, centrally located to support host-level visibility, attribution and response. That was due June 11, 2021.

On October 8, 2021, OMB published a memorandum on this requirement, too. It requires the following:

  • Within 90 days, agencies should provide CISA access to current enterprise EDR deployments or engage with CISA to identify future state options.
  • Within 90 days, CISA shall develop a process for continuous performance monitoring to help agencies ensure that EDR solutions are deployed and operate in a manner that will detect and respond to common threats.
  • Within 90 days, CISA, in coordination with the CIO Council, shall provide recommendations to OMB on ways to …….

    Source: https://securityboulevard.com/2021/12/update-on-the-executive-order-on-improving-the-nations-cybersecurity/