How the Cybersecurity Executive Order will change your security operations
The Executive Order on Improving the Nation’s Cybersecurity, signed on May 12th, ties safety and trust directly to the trustworthiness and transparency of digital infrastructure (IT, OT, IoT, IIoT). Alongside the EU Cyber Security Act passed in 2019 and the Network and Information Systems Directive, the legislation signals a new approach to security – placing trust at the forefront of operations.
The order outlines better information sharing, a move to cloud-based zero trust services, supply chain transparency, cybersecurity governance, federal oversight to response, shared detection systems and evidence gathering for resiliency.
The common element is sharing trustworthy data: getting the right data to the right people at the right time, and proving “when who did what to assets”.
With this new way of looking at things, let’s delve into three new rules that your organization will be required to implement and check whether existing tools and procedures can meet the challenge.
NEW RULE: Enhancing Software Supply Chain Security with a Software Bill of Materials
A “Software Bill of Materials” or “SBOM” is a formal record containing the details and supply chain relationships of the various components used in building software. Buyers can use an SBOM to perform vulnerability or license analysis, both of which help evaluate the risk in a product.
The development of commercial software often lacks transparency and sufficient controls to resist attack and tampering. There is a pressing need to ensure products function securely and as intended. The security and integrity of “critical software” is a particular concern.
The call to action by this Executive Order on SBOM is to identify and mitigate risk on a recurring basis for any and all software components used by your organization. A one-shot evaluation is not enough – the SBOM must be a living document that accompanies any software throughout its useful lifespan, provided either directly or through a public website. Your organization needs to be tracking SBOMs to prove that your vendors:
- Have manually or automatically tested their software source code, using code review tools, static and dynamic analysis, software composition tools, and penetration testing.
- Audit trust relationships and artefacts of software build tools, and deliver integrity, provenance and control over the internal, third-party and open-source software components, tools, and services used within any portion of a product.
- Attest to the conformity of developers and suppliers with secure software development practices, including a vulnerability disclosure program.
All stakeholders need proof of when who changed what software to better manage risks.
Can your current systems manage the complex data sharing and privacy rules of digital assets between multiple organizations?
NEW RULE: Removing Barriers to Sharing Threat Information
Contracting companies with Government agencies must promptly report when they discover a cyber incident involving a software product, service or support system.
Who should they share it with?
When working with Federal Civilian Executive Branch (FCEB) agencies, the agency itself, CISA, and any other agency that the Director of OMB (in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence) deems appropriate must centrally collect and manage such information, consistent with applicable privacy laws, regulations, and policies.
What should they share?
Service providers must collect, preserve and share data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies’ requirements. This applies to cyber incidents or potential incidents relevant to any agency with which they have contracted, and the sharing should, where possible, use industry-recognized formats for incident response and remediation.
All stakeholders need proof of when who did what to move fast and fix vulnerable assets.
Can your current systems enable all stakeholders across organization boundaries to automate compliant collaboration and respect privacy?
NEW RULE: Modernizing Cybersecurity
The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture, using real-time information from multiple sources to determine access and other system responses. In essence, a Zero Trust Architecture grants users access only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained.
The Federal Government must advance toward Zero Trust Architecture; secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.
The SBOM and threat intelligence sharing both contribute to a Zero Trust identification of potentially compromised devices, software and services.
A Zero Trust authentication and authorization system needs proof of when who updated what software against known vulnerabilities to limit risk exposure.
Can your authentication systems connect to SBOM and threat intelligence to perform dynamic authorization?
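The SBOM analysis described under the first rule and the dynamic authorization question above, as one added example that is not Jitsuin's or RKVST's code: a minimal CycloneDX-style SBOM (constructed, hypothetical component names and purls) is joined with a constructed advisory feed and a licence policy, and the result drives an allow/deny decision for the device that shipped that software.

```python
import json

# Constructed minimal CycloneDX-style SBOM for one device's firmware image;
# every component name, version and purl here is hypothetical.
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
 {"type": "library", "name": "libexample-tls", "version": "1.2.3", "purl": "pkg:generic/libexample-tls@1.2.3", "licenses": [{"license": {"id": "Apache-2.0"}}]},
 {"type": "library", "name": "example-json", "version": "4.0.1", "purl": "pkg:generic/example-json@4.0.1", "licenses": [{"license": {"id": "MIT"}}]},
 {"type": "library", "name": "example-gui", "version": "2.9.0", "purl": "pkg:generic/example-gui@2.9.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
]}"""

# Constructed threat-intelligence feed: versions below "fixed_in" are affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl": "pkg:generic/libexample-tls", "fixed_in": "1.2.5"},
    {"id": "ADV-EXAMPLE-0002", "purl": "pkg:generic/example-json", "fixed_in": "4.0.0"},
]
# Licences the buyer's policy accepts for this product (constructed policy).
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

def version_key(v):
    """Simplified dotted-integer ordering; real feeds need ecosystem-specific rules."""
    return tuple(int(p) for p in v.split("."))

def parse_sbom(text):
    """Flatten the SBOM into name, purl without version, version and licence ids."""
    out = []
    for c in json.loads(text)["components"]:
        ids = {lic["license"]["id"] for lic in c.get("licenses", [])}
        out.append({"name": c["name"], "purl": c["purl"].split("@")[0],
                    "version": c["version"], "licenses": ids})
    return out

def vulnerable_components(components, advisories):
    """Join the SBOM with the feed: a hit is a shipped version older than the fix."""
    return [(c["name"], c["version"], a["id"]) for c in components for a in advisories
            if a["purl"] == c["purl"] and version_key(c["version"]) < version_key(a["fixed_in"])]

def license_violations(components, allowed):
    """Licence analysis: any component licence outside the allowed set."""
    return [(c["name"], lid) for c in components for lid in c["licenses"] if lid not in allowed]

def authorize(sbom_text, advisories, allowed):
    """Dynamic authorization: deny while the SBOM shows an unfixed advisory;
    licence issues are reported for governance but do not block access."""
    comps = parse_sbom(sbom_text)
    vulns = vulnerable_components(comps, advisories)
    return {"allow": not vulns, "vulnerabilities": vulns,
            "license_issues": license_violations(comps, allowed)}

if __name__ == "__main__":
    print(json.dumps(authorize(SBOM_JSON, ADVISORIES, ALLOWED_LICENSES), indent=2))
```

Re-running the same decision whenever the SBOM or the advisory feed changes is what turns a one-shot evaluation into the recurring check the order asks for.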
Cybersecurity is a team sport and these new rules all pivot on trustworthy data sharing.
What new tools would help with governance, provenance and compliance of sharing trustworthy data?
The Data Assurance Hub – Build Trust in Multi-Party Data
Each new rule brings new dimensions of information control for multi-party metadata, assurance of metadata provenance and transparent compliance for all. Permissioned distributed ledger technology could deliver these attributes, yet its accessibility and ease of use have remained elusive until now. A Data Assurance Hub must allow easy access for any developer working for any stakeholder. If everyone needs a blockchain PhD, the solution doesn’t scale.
The Jitsuin RKVST is a data assurance hub built with DLT specifically to automate trustworthy metadata sharing, compliance and provenance for any critical asset, open to all through simple APIs.
Software is one such critical asset, and as set forth in the Executive Order, all Federal Information Systems should meet or exceed the standards and requirements for cybersecurity.
The Federal Government must lead by example – and vendors are compelled to follow.
How can we help you meet these objectives?
Jitsuin will make a free SBOM template available for the RKVST and enable access for those who answer one question.
Let us know what you’d like to see!