Managing Vulnerabilities is Now an Industry Responsibility … and Knowing About it is a Public Right

Understanding the Impact of the Executive Order on Improving the Nation’s Cybersecurity on You and Your Business

The other shoe just dropped.

Cyber defense is now an “all of government” function, and network and supply chain vulnerabilities have been appropriately identified and re-classified as business problems. Even further … national security issues.

With the Executive Order on Improving the Nation’s Cybersecurity – issued in May after the Solar Winds and Colonial Pipeline attacks – now signed, there are a number of new initiatives in this 8,000-word document that will significantly impact several facets of cybersecurity inside and outside the government. We will release a series of blogs over the coming days highlighting our evaluation of the top five issues within this EO.  

Take Away #1: Managing Vulnerabilities is Now an Industry Responsibility … and Knowing About it is a Public Right

Developers and manufacturers will be required to provide far greater transparency, have increased responsibilities in managing their vulnerabilities relative to their supply chains, and be held more publicly accountable for the outcomes of their cybersecurity programs.

The EO sets the federal government’s clear intent to use its purchasing power to drive the markets to deliver products to the government – as well as to the broader market – with fewer known vulnerabilities while actively looking for potential future vulnerabilities (i.e., zero days) or those that have been intentionally placed by an advanced persistent threat (the recent exploitation of SolarWinds Orion platform is a prime example of this.) 

Developers and manufacturers will be required to provide far greater transparency, have increased responsibilities in managing their vulnerabilities relative to their supply chains, and be held more publicly accountable for the outcomes of their cybersecurity programs.

Executive Order 14028 outlines a bold vision for changing the practice of cybersecurity inside and outside the government. It sets an expectation for industry to not only better manage the vulnerabilities in its products and supply chain but also to be increasingly transparent in its methods of doing so.

This does not come without a cost. Cybersecurity is like a brake system on a car. Good brakes allow cars to safely go faster, because they quickly and effectively mitigate the risk of an emergent threat on the road. Bad brakes force you to go slower, no matter the car’s other capabilities. Frankly, too many companies and entities in our nation have been driving without good brakes or any discernable brakes at all. Changing that will require some investment. 

To understand the potential cost of this effort, it is critical to review and understand our “Top 20 List” of what a company will most likely need to do to comply with this requirement from the government:

• Maintain and demonstrate a mature cybersecurity program for your organization.
• Use multi-factor, risk-based authentication and conditional access across your organization.
• Encrypt your data.
• Monitor operations and alerts and respond to attempted and actual cyber incidents.  
• Generate and provide artifacts that demonstrate conformance to the NIST security practices, which will be established in the future. 
• Use secure software development environments. 
• Build an environment that has separate privileged access.
• Audit and document your processes and network readiness.
• Minimize your external dependencies.
• Actively find, track, and fix vulnerabilities in your software across its lifecycle.
• Employ automated tools that check for known and potential vulnerabilities and remediate them throughout the development lifecycle.
• Participate in a vulnerability disclosure program that includes a reporting and disclosure process.
• Maintain and demonstrate the provenance and pedigree of your product’s software.
• Employ automated tools to track the integrity of your code and its sources.
• Provide artifacts to purchasers of the output of these tools and processes and make publicly available summary information on remediation actions, to include a summary of the risks assessed and mitigated.
• Maintain accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes. 
• Provide prospective purchasers a “products pedigree” in the form of a Software Bill of Materials (SBOM) 
• Ensure and attest, to the extent practicable, to the integrity and provenance of open-source software used within any portion of a product.
• Participate in consumer product labeling program to educate the consumer on the security capabilities of the device and the secure software development practices used in its lifecycle.
• Be prepared to go through a Cyber Safety Review Board if your product or cybersecurity program causes a significant enough cyber incident to trigger a multi-agency response.  

It’s a lot, yes, but that’s why companies like Ardalyst exist. Our goal is to simplify the adoption of the above practices, to replace uncertainty around cybersecurity issues with understanding.

The new EO presents a substantive approach that could have significant impacts on how we as a nation survive this current environment of cyber intrusion and danger. The success of this vision will depend heavily on public- and private-sector investment to make this EO a reality.

Take Away #2: Strengthening Awareness – Threat Intelligence and Public-Private Partnerships (Coming Soon)

Take Away #3: Standardizing Cybersecurity Requirements and Regulations (Coming Soon)

Take Away #4: Centralizing Cybersecurity Methodology and Practices (Coming Soon)

Take Away # 5: Modernizing Technology – Understanding Zero Trust (Coming Soon)