On May 12, 2021, the Biden Administration issued a press release regarding its intentions to improve the nation’s cybersecurity and the protection of federal government networks. The press release cites recent incidents (e.g. SolarWinds and the Colonial Pipeline ransomware incident) as reminders that cybersecurity threats are constantly evolving. More recently, there have been reports that the United States government intends to assign ransomware attacks a priority similar to that of terrorist attacks, to ensure swift responses.
While reviewing the initiatives and actions outlined by the administration, I recognized that they align closely with the cybersecurity maturity reports that I work on within our risk consulting and governance team. This serves as a reminder that industry-best cybersecurity controls apply not only to the companies that we serve but also to larger government entities. As such, this blog post lists each of the initiatives bulleted in the press release for the President’s executive order and maps them to the industry standard that we leverage in our Cybersecurity Maturity Assessments, the NIST Cybersecurity Framework (CSF), and its associated functions and categories. Organizations and prospective clients may take interest in this mapping to see how they can mature their cybersecurity programs and better protect their assets.
Remove Barriers to Threat Information Sharing Between Government and the Private Sector.
Associated Function – Category: Identify – Risk Assessment, Respond – Communications
Within the press release provided by the White House, the Biden Administration touches upon the importance of IT providers sharing information about compromises discovered within their network environments, information that providers may currently withhold because of contractual obligations or other hesitations about disclosing it. The intentions of the government are quoted as, “Removing any contractual barriers and requiring providers to share breach information that could impact Government networks is necessary to enable more effective defenses of Federal departments, and to improve the Nation’s cybersecurity as a whole.”
These sentiments apply to any organization, and align with subcategories in the NIST CSF Identify function, which state, “Cyber threat intelligence is received from information sharing forums and sources,” and within the Respond function, which state, “Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.” While risks and concerns related to cybersecurity are unique to each organization, and while it is each organization’s responsibility to address its own security concerns, tending to threats is a collaborative process. When information that can be disclosed to the public is shared, all organizations can prepare for and protect themselves against threats that have emerged within the cyber landscape.
Modernize and Implement Stronger Cybersecurity Standards in the Federal Government.
Protect – Access Control, Data Security, Information Protection Processes and Procedures, Protective Technology
The press release states, “The Executive Order helps move the federal government to secure cloud services and a zero-trust architecture, and mandates deployment of multifactor authentication and encryption with a specific time period. Outdated security models and unencrypted data have led to compromise of systems in the public and private sectors,” and goes on to declare that action items include “employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”
The NIST CSF is designed to ensure that organizations have consistently implemented and improved upon the most recent cybersecurity standards. The Protect function houses the ideas closest to the government’s approach for strengthening its cybersecurity infrastructure, and its Access Control category is designed to ensure that “access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.” Within this category, several subcategories emphasize the importance of multifactor authentication and strong password policies. Oftentimes, the employees of a given organization serve as the front line of defense against cybersecurity attacks. Requiring stronger passwords and implementing multifactor authentication mechanisms ensures that employees are given adequate tools to succeed in preventing cybersecurity attacks.
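As an added example (not from the original post, from RSM, or from NIST), the following Python shows what these two Access Control controls look like when actually enforced in code: a password policy check in the style of NIST SP 800-63B (minimum length, screening against a breached-password list, and no account name in the password, rather than character-composition rules) and a time-based one-time password verifier per RFC 6238 with a one-step drift window. The policy values and the breached-password set are constructed placeholders, not a real policy or breach corpus; the demo secret is the reference secret from the RFC test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import List, Optional

# Hypothetical policy values; an organization would set its own.
MIN_LENGTH = 14
# Constructed stand-in for a screened list of known-breached passwords.
BREACHED_PASSWORDS = {"Password123!", "Welcome2021!", "Summer2021!"}


def password_policy_violations(password: str, account_name: str) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted).

    Follows the NIST SP 800-63B approach: length and breach screening instead of
    composition rules, which tend to push users toward predictable patterns.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in BREACHED_PASSWORDS:
        problems.append("appears in known-breached list")
    if account_name and account_name.lower() in password.lower():
        problems.append("contains the account name")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from a 30-second time step."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, now: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept a code for the current step or +/- `window` steps to absorb clock drift.

    The submitted value is shape-checked first (so an empty string can never match),
    every candidate is compared in constant time, and the loop does not short-circuit.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    now = time.time() if now is None else now
    counter = int(now) // step
    accepted = False
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift, digits)
        accepted |= hmac.compare_digest(expected, submitted)
    return accepted


if __name__ == "__main__":
    # Reference secret from RFC 4226 / RFC 6238; the codes match the RFC test vectors.
    demo_secret = b"12345678901234567890"
    print("policy:", password_policy_violations("Password123!", "jdoe"))
    print("totp at t=59:", totp(demo_secret, 59))
    print("verify:", verify_totp(demo_secret, "287082", now=59))
```

In a real deployment the shared secret would be stored per user in an HSM or encrypted at rest, and the verifier would also record the last accepted counter so a code cannot be replayed within its window.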
Improve Software Supply Chain Security
Protect – Information Protection Processes and Procedures
As ransomware attacks continue to increase in frequency and have become a fixture of the weekly news cycle, it is natural that the government would take additional security measures to ensure that software is securely developed and thoroughly tested. The fact sheet states, “Too much of our software, including critical software, is shipped with significant vulnerabilities that our adversaries exploit. This is a long-standing, well-known problem, but for too long we have kicked the can down the road. We need to use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.”
Within the NIST CSF, several areas describe the importance of having a secure software development lifecycle (SecSDLC) in place within an organization; however, this is most clearly presented in the Information Protection Processes and Procedures category within the Protect function. Here, the category states, “A System Development Life Cycle to manage systems is implemented,” and during the interview process, consultants at RSM are asked to inquire about the SecSDLC process at large, ask whether version control is used, and examine the methods of security testing performed (e.g. black box, grey box, static code analysis). By asking these questions, consultants can judge how secure the SecSDLC process is and what improvements can be made to ensure that software and applications ship with as few exploitable vulnerabilities as possible. It is crucial that developers stay aware of vulnerabilities that emerge in their applications, so that they can be remediated in future security patches.
Establish a Cybersecurity Safety Review Board.
Identify – Security Governance
As in other areas of national infrastructure, safety review boards are critical for reviewing incidents that occur and developing better plans of action for future incidents. The press release states, “The Executive Order establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads, that may convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. Too often organizations repeat the mistakes of the past and do not learn lessons from significant cyber incidents. When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements. This board is modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.” In many ways, this ties in with the next objective, listed below.
While the NIST CSF does not directly call for a safety review board, several subcategories allude to one, and they are found primarily within the Security Governance category of the Identify function. This category contains subcategories such as “Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed” and “Governance and risk management processes address cybersecurity risks.” In the assessments that we perform, we frequently note that organizations whose cybersecurity safety review boards draw on multiple departments are often the most productive and successful in addressing security incidents. Similarly, these organizations are better equipped to develop proactive strategies for mitigating potential cybersecurity threats.
Create a Standard Playbook for Responding to Cyber Incidents.
Respond – Response Planning, Communications, Analysis, Mitigations, Improvements
Though it is crucial for organizations to possess the capabilities to successfully mitigate a cybersecurity attack, it is just as important that they have a documented plan for responding to the other incidents that occur within their environment. Creating this documentation ensures that a repeatable process is available to all relevant parties when addressing a cyber incident. The press release states, “Recent incidents have shown that within the government the maturity level of response plans vary widely. The playbook will ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.” In stating that the maturity level varies between departments of the federal government, the release makes clear that, though basic steps are known across lines of business, there is uncertainty about the best approach to mitigation.
The NIST CSF features an entire function dedicated to how an organization responds to any cyber incident or notable event that would impact it. Most frequently, I have found that when an organization performs poorly in a maturity assessment within the Respond function, we recommend that an incident response program be implemented. Such a program consists of inspecting and auditing systems, networks, control points, and logs to identify issues that may have occurred. Additionally, it involves establishing an incident response team with defined roles and responsibilities. Following the occurrence and remediation of an event, “lessons learned” sessions are often held to review what happened and refine the remediation steps, so that the refined steps can be captured in a playbook.
Improve Detection of Cybersecurity Incidents on Federal Government Networks.
Detect – Anomalies and Events, Security Continuous Monitoring, Detection Processes
The press release describes the Executive Order’s initiatives regarding detection of incidents as “[improving] the ability to detect malicious cyber activity on federal networks by enabling a government-wide endpoint detection and response system and improved information sharing within the Federal government. Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organization exposed to adversaries. The Federal government should lead in cybersecurity, and strong, Government-wide Endpoint Detection and Response (EDR) deployment coupled with robust intra-governmental information sharing are essential.” Most notable here is the criticism of “slow and inconsistent deployment of foundational cybersecurity tools and practices,” as lagging behind on the most recent security patches, remediation techniques, and other cybersecurity practices can increase the likelihood of data compromise.
Indeed, it is important to implement these controls to improve an organization’s detection processes. Within the NIST CSF, the entirety of the Detect function provides an approach to event detection that ensures full visibility into anomalous events, allows continuous monitoring, and provides for improvement of detection processes. A key component of this function, frequently referenced in recommendations, is the implementation of a security information and event management tool, or SIEM. A SIEM provides organizations with a holistic view of any incidents that occur within their network, oftentimes by receiving logs from different devices in the network, aggregating and centralizing them, and then allowing event correlation to occur. By analyzing the logs generated by different devices, an organization may be able to determine the initial point of entry for an attacker, or the system from which malware originated.
Improve Investigative and Remediation Capabilities.
Detect – Security Continuous Monitoring
As a final action, the executive order calls for greater implementation of “cybersecurity event log requirements for federal departments and agencies,” as the press release declares that “Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact.”
In many ways, this goes hand in hand with the previous action item in the executive order, as log requirements are a large part of the effective implementation of a SIEM and of full visibility into network occurrences. As seen in our cyber threat intelligence work, a crucial resource in digital forensics is the ability to review system logs to determine when an incident occurred and how it happened. When these logs can be correlated with other logs generated within the network, an organization gains a clearer picture of which events occurred and how they happened.
In writing this blog post, my initial objective was to test my knowledge of the NIST CSF, which we frequently leverage in our maturity and risk assessments. However, as I continued to write, I found that the message I wanted to relay was clear: even large government organizations have battles to face with regard to cybersecurity, and require help in maturing their security posture. It can often be difficult to recognize which actions should be taken to secure networks against constantly evolving attacks, and there is no single solution that fits every organization.