The Executive Order signed by President Biden yesterday will mandate government agencies implement multifactor authentication that is based on risk and a Zero Trust security model. The government is also creating a Cybersecurity Safety Review Board that will respond to incidents and recommend corrective actions.
Most interesting is that the government intends to eliminate suppliers that are unable or unwilling to adopt these security measures, including systems that operate on premise or in the cloud. In fact it also specifically calls out how legacy systems will be treated.
While the Executive Order only applies to Federal Government systems the mandate to implement incident reporting will eventually make its way to financial regulators, and any critical infrastructure participants that are not implementing Multifactor Authentication and the Zero Trust Model will surely face unwanted liabilities and this will certainly include financial infrastructure participants:
“Although every President in recent years has issued an order to improve the nation’s cybersecurity, experts believe this one is more detailed and has a better chance of success than previous efforts. It also comes amidst unprecedented attacks on US government and critical infrastructure, in the form of the SolarWinds, Exchange Server and Colonial Pipeline attacks, to name just a few.
Among the key measures is a requirement for all federal government software suppliers to meet strict rules on cybersecurity or risk being blacklisted. Eventually, the plan is to create an “energy star” label so both government and public buyers can quickly and easily see whether software was developed securely.
Other measures include an “aircrash investigation-style” Cybersecurity Safety Review Board, which will make recommendations for improvements after any major incident, and a standardized playbook for government incident response.
The EO will also mandate a drive to secure cloud services and zero trust, including multi-factor authentication and data encryption at rest and in transit, by default.
There are also provisions for government-wide endpoint detection and response (EDR), improved information sharing within government and between public and private sectors, and event logging requirements for federal government departments to enhance investigation and remediation.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
