In May of 2021, the Biden administration took a big step toward modernizing the cyber defense of the United States. As a response to the growing number of high-profile security breaches, President Biden signed Cybersecurity Executive Order 14028 “Improving the Nation’s Cybersecurity” — with the goal of protecting federal networks from cyber threats. It became clear that cybersecurity was now a national priority.
The first big part of that Cybersecurity Executive Order was rolled out in January of 2022, as the White House shared a nearly 30-page strategy laying out dozens of measures federal agencies need to take in the next two years that will move the U.S. government toward a “zero trust” security model, secure federal systems, and limit the risk of security incidents.
Government agencies have until the end of fiscal year 2024 to put in place many of the measures described in the plan, which include more stringent network segmentation, multi-factor authentication, and widespread encryption.
So, what does the Executive Order mean for your company in 2022? Will this only impact federal employees? And what even is “zero trust”? Keep reading to find out.
TABLE OF CONTENTS:
- What is Cybersecurity Executive Order 14028?
- Executive Order 14028 Key Points
- What is the purpose of EO 14028?
- What is Zero Trust cybersecurity?
- What will zero trust strategy mean for federal agencies?
- Will this only impact federal employees?
- How the Executive Order will impact vendors working with the federal government
- How to implement a zero trust security strategy
- How does ActiveLock endpoint protection help achieve zero trust?
What is Cybersecurity Executive Order 14028?
The executive order on cybersecurity comes amid increasingly public and widespread cyber attacks affecting the nation’s public and private sectors including the SolarWinds software supply chain attack and ransomware attacks on critical infrastructure like the Colonial Pipeline.
The Cybersecurity Executive Order outlined the need to modernize cybersecurity defenses in the country as well as opening channels for sharing information relating to cybersecurity threats and breach information. A big part of the Cybersecurity Executive Order was a pledge to eventually move all government systems to a zero trust strategy.
The administration has taken the first concrete step toward actually implementing the government-wide zero trust strategy with a memorandum addressed to all federal agencies, outlining the basic goals to be reached by the end of fiscal year 2024.
In the memo, the White House said:
This zero trust strategy stipulates a stronger emphasis on enterprise identity and access controls, including multifactor authentication. Federal agencies will need to verify everything that is attempting to establish access, and they’ll need to track and verify each user, device, application and transaction in order to block unauthorized access to sensitive information.
Biden’s Cybersecurity Executive Order 14028: Key Points
According to the Cybersecurity & Infrastructure Security Agency (CISA), the main points of the executive order to pay attention to are:
- Remove barriers to threat information sharing between government and the private sector
- Modernize and implement stronger cybersecurity standards in the federal government
- Move the federal government to secure cloud services and a zero trust architecture, and mandate deployment of multifactor authentication and encryption within a specific time period
- Improve software supply chain security
- Establish a cyber safety review board
- Create standardized playbook for responding to cybersecurity vulnerabilities and incidents
- Improve investigative and remediation capabilities
What is the purpose of EO 14028?
The executive order followed a series of high-profile information security attacks and ransomware incidents targeting the public and private sectors, most notably the attacks on Colonial Pipeline, JBS, SolarWinds and Kaseya. President Biden’s executive order emphasizes the need to elevate information security as a core tenet of national security, and calls on federal agencies and public sector organizations to work with the private sector to prioritize the data security and privacy of the American people and government.
What is the President’s Executive Order meant to achieve?
The executive order calls on federal agencies to lead the way in security best practices and to modernize their approach to increasingly sophisticated digital threats. The executive order requires federal agencies to prioritize cloud adoption, identify sensitive data and update the protections for that data, encrypt data at rest and in transit, implement multi-factor authentication, and meet expanded logging requirements. It also references Zero Trust Architectures and, for the first time, requires federal agencies to develop plans to implement a Zero Trust approach.
What is Zero Trust cybersecurity?
Zero trust assumes breach: by default, nothing is trusted. With zero trust there is NO assumption that whatever was trusted to get into the network should be trusted to access everything inside it. Simply put, zero trust functions on the philosophy that because attackers can operate both inside and outside the network, no identity should be automatically trusted, even after it has authenticated at the front door with a username and password.
Zero Trust Architecture treats every user, device, and application as a potential threat to the company, assuming that a breach is imminent or has likely already occurred. A zero trust setup limits user access to only what is needed, and continuously looks for anomalous or malicious activity.
Known as a “zero trust” cybersecurity strategy, this security philosophy holds that “no actor, system, network or service operating outside or within the security perimeter is trusted,” according to Department of Defense Zero Trust Reference Architecture.
Most security protocols assume that if you have the credentials to access a certain network, you can be trusted to work in it. Simply put, Zero Trust removes that assumption with multi-factor authentication and more expansive data encryption.
What will zero trust strategy mean for federal agencies?
Generally speaking, it means no more privileged access without continuous re-authentication at every login point. Nothing currently outside the security perimeter is trusted unless it meets the authentication criteria, which will also be elevated from current standards.
Does the Cybersecurity Executive Order (EO 14028) only impact federal employees?
While EO 14028 primarily impacts federal agencies, the effects reach far beyond federal employees. Vendors who sell to the federal government will need to reevaluate their own security to make sure they’re staying compliant with the new cybersecurity guidelines — particularly those who sell software products to the federal government.
As with former President Obama’s EO nearly a decade ago, we anticipate a cascading impact — first to federal contractors and then rippling through other industries, as new standards are set and practices are adopted.
The business community has been talking about zero trust architecture, and adoption has accelerated since the software supply chain attacks in 2021, but many security teams are still asking if it’s right for their business. Seeing zero trust architecture called out in the EO may encourage business leaders to consider it a leading practice and begin adopting zero trust even if they’re not directly working with the federal government.
How will the Executive Order impact vendors working with the federal government?
Improving the security of the software supply chain is a key component of the Executive Order. Following its release, vendor risk management and the security of the software supply chain are likely to come under the microscope for many organizations. As a result, many organizations will need to revisit their existing vendor contracts as well as their own security processes in order to meet the new standards and protect their eligibility for government agency contracts.
Therefore, it is critical that your and your vendors’ security programs meet the necessary requirements in order to sell software to government agencies.
How to implement a zero trust security strategy?
Over the next 2 years, federal agencies and vendors who work with the federal government will need to employ a zero-trust security model, move to secure cloud services, and deploy foundational security tools such as multifactor authentication and encryption to protect sensitive data and close gaping cybersecurity vulnerabilities.
Some agencies may not realize they already have technology in place that simply needs to be activated or fine-tuned to meet the EO requirements. By tapping into technology they already have, CISOs can save significant time and cost as they navigate near- and long-term modernization strategies while improving their agency’s cybersecurity posture.
For starters, you must identify the user before they enter the system with multi-factor authentication (MFA). MFA is a key component of achieving zero trust. It adds a layer of security to network, application or database access by requiring additional factors (or pieces of evidence) to prove the identity of users.
Continuous authentication is the core of the zero trust security strategy. By protecting the device itself from unauthorized users, you can eliminate the sharing of company devices — ensuring that only authorized employees are accessing their work laptops.
How does ActiveLock endpoint protection help?
Instead of requiring users to repeatedly authenticate themselves throughout the day, ActiveLock works in the background to passively authenticate the employee or contractor whenever they are using a company computer.
ActiveLock continuous authentication ensures each person in front of the computer is the true authorized user and is designed to prevent threats that arise with remote work, such as fraud, device sharing, and unattended devices. ActiveLock constantly verifies user identities by the way they type on their keyboard. If an unauthorized typing pattern is detected, ActiveLock instantly locks the company desktop or laptop to protect your sensitive data.
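As an added illustration (not ActiveLock’s algorithm, whose internals the post does not describe), the Python below sketches how keystroke timing can drive a lock decision: enroll a per-key dwell-time profile for the authorized user, score new keystrokes against it, and lock only when enough evidence points to a different typist. All timing values are constructed for the example.

```python
"""Keystroke-dynamics lock decision for continuous authentication (illustrative)."""
from statistics import mean, stdev

# Enrollment data: key -> dwell times in ms (how long each key was held),
# recorded from the authorized user. Values are constructed for this example.
ENROLLED_SAMPLES = {
    "a": [95, 102, 98, 105, 99, 101],
    "s": [88, 92, 90, 95, 87, 91],
    "d": [110, 115, 108, 112, 118, 111],
}

def build_profile(samples):
    """Per-key (mean, stdev) of dwell time; stdev is floored at 1 ms so a
    perfectly consistent enrollment key cannot produce a division by zero."""
    return {k: (mean(v), max(stdev(v), 1.0)) for k, v in samples.items()}

def anomaly_score(profile, observed):
    """Mean absolute z-score of observed (key, dwell_ms) events against the
    profile. Keys never seen at enrollment are skipped; None if nothing scored."""
    zs = [abs(d - profile[k][0]) / profile[k][1] for k, d in observed if k in profile]
    return sum(zs) / len(zs) if zs else None

def should_lock(profile, observed, threshold=3.0, min_events=5):
    """Lock only when at least min_events scorable keystrokes were seen AND the
    typing deviates from the profile by more than threshold standard deviations.
    Too little evidence keeps the session open rather than locking on noise."""
    scorable = [e for e in observed if e[0] in profile]
    if len(scorable) < min_events:
        return False
    return anomaly_score(profile, scorable) > threshold

PROFILE = build_profile(ENROLLED_SAMPLES)
# Constructed live samples: the enrolled user, and someone with much longer dwell times.
GENUINE = [("a", 99), ("s", 91), ("d", 113), ("a", 103), ("s", 89), ("d", 110)]
IMPOSTOR = [("a", 160), ("s", 150), ("d", 170), ("a", 155), ("s", 165), ("d", 175)]

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, round(anomaly_score(PROFILE, sample), 2), "lock" if should_lock(PROFILE, sample) else "ok")
```

A real deployment would use a richer feature set (flight times, digraph latencies) and a calibrated threshold; the point here is the decision structure: score continuously, require sufficient evidence, then lock.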
Learn how ActiveLock continuous authentication helps you achieve the zero trust goals of the Cybersecurity Executive Order, and download your free license of ActiveLock.