“When the White House issued the EO, I voiced concern that it primarily focused on federal agency cybersecurity and did not adequately address improving cybersecurity in the sixteen critical infrastructure sectors established previously by the Department of Homeland Security. I recognize actual mandates on the private sector would have generated significant and likely insurmountable political—or even legal—pushback. Still, I would have preferred the order to have, at minimum, included concrete incentives for private owners and operators of critical infrastructure to adopt the NIST Cybersecurity Framework, to help them establish better cyber risk management programs to identify, prioritize and manage implementation of essential best practices to strengthen cyber hygiene.
Despite these reservations about what the EO did not do, I am glad to say that, in the past year since the EO’s release, the Biden administration has stepped up in various other ways…”
“More specifically, the Cybersecurity and Infrastructure Security Agency, supported by other federal agencies, has continued to update cybersecurity warnings based on evolving threat intelligence. It has stressed the need for organizations to practice good cyber hygiene, and to adopt and follow best cybersecurity practices. To that end, CISA has also posted some basic, but still solid, recommendations for both the private sector and for individuals on the website for its ‘Shields Up’ campaign…”
“Second, the EO directed federal agencies to develop a plan to implement zero trust architecture, update plans to prioritize resources for the adoption and use of cloud technology and, where practicable, adopt zero trust as part of this migration to the cloud. The Biden administration has followed up on this by giving specific direction to federal agencies to move more aggressively to adopt cloud computing and zero trust architecture. The White House has also made specific requests for funding in the FY 2023 budget, designed to meet the EO’s goal of further pushing departments and agencies toward zero trust. In fact, zero trust is a common thread throughout the budget request sent to Congress this spring.
Finally, the cyber EO included a very detailed, prescriptive section that began a process to prohibit agencies from buying software not meeting new security guidelines—securely designed and maintained—and the administration has followed through on that commitment. In February, NIST provided the guidelines called for by the EO via an update to its Secure Software Development Framework. Thirty days later, OMB required agencies to begin taking immediate action to follow the revised NIST framework…”
Source: The Cybersecurity Executive Order: From Missed Opportunity to Unexpected Progress – By Robert Dupree, May 13, 2022. Nextgov.