High-profile cyberattacks against federal systems and critical infrastructure underscore the importance and urgency of strengthening U.S. cybersecurity capabilities. The landmark bipartisan Infrastructure Investment and Jobs Act of 2021 (IIJA) (H.R.3684), signed into law this week, includes about $2 billion in cybersecurity funding for new cybersecurity initiatives across Federal, State, Local, Tribal and Territorial governments. While the investment is welcome, sadly even $2 billion will not make our government systems immune to attack. The scope of the attack surface and dynamic nature of the threat environment make holistically strengthening cybersecurity a complex endeavor. Equally important, high levels of technical debt resulting from a reliance on legacy systems further hinder modernization efforts.
Given the scope and scale of the federal government, building momentum for modernization efforts can be daunting. The Executive Order (EO) on Improving the Nation’s Cybersecurity, issued in May of this year, responds to this challenge by laying a foundation for progress. With its focus on pushing organizations, both in government and industry, to follow best practices for maturing cloud adoption and zero trust, as well as enhancing software supply chain security, the EO has the potential to drive significant advancements in security and resiliency across the federal enterprise.
Adopt security best practices
Recognizing that modernization done right drives security advancements, the EO prompts agencies to:
- Adopt a cloud-service governance framework
- Implement a zero-trust network architecture (ZTNA)
- Enhance software supply chain security
Adopt a cloud-service governance framework
Fundamentally, the EO encourages agencies to continue their cloud adoption journey by transitioning to Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). The migration of legacy IT systems to secure cloud services can have cascading positive impacts on agency operations as systems are updated to take advantage of native capabilities around resiliency and reliability; protection of sensitive data; and proactive threat detection, prevention, and response. As agencies move forward in adopting a cloud-governance framework, they will need to reevaluate their approach to security, and in many cases adopt new types of technologies that were not needed in legacy architectures. This presents an opportunity for startups, as often there is no incumbent in place yet in the Federal market, and agencies may be more willing to take a risk on an earlier stage company. For example, agencies may never have had a significant need for Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP) or Infrastructure as Code (IaC) solutions to date, but as the balance of on-prem to cloud shifts, these become vital parts of a security architecture. Similarly, with the cloud making old concepts of network boundaries obsolete, identity is being described as the new perimeter, opening opportunities for novel approaches to identity and access management. And those identity solutions play a big part in our next section, zero-trust.
Implement a zero-trust network architecture
Zero trust is now an integral part of the federal government’s strategy to strengthen cybersecurity in the face of increasingly aggressive and resourceful attackers. In addition to being a multi-year journey, the move away from perimeter-based network defenses toward zero trust security principles of ‘never trust, always verify,’ will require a major paradigm shift in how federal agencies approach cybersecurity. Throughout all aspects of the infrastructure, zero trust embeds security monitoring, security automation, microsegmentation, and granular access controls based on risk to limit access to only what is needed. DHS’ Cybersecurity and Infrastructure Security Agency (CISA) has put together a zero trust architecture that defines five pillars agencies must consider in a mature zero trust architecture:
- Application Workload
Each of these pillars plays a vital role, and there is room for innovation in all of them. Identity in particular is a key foundation to a successful zero trust implementation, so better approaches to existing identity solutions like Identity and access management (IAM), Privileged access management (PAM) and Single sign-on (SSO) are needed. CISA’s maturity model for zero trust pushes for a future that is more reliant on continuous monitoring and validation across all pillars, real-time risk analysis, and improved machine learning capabilities to allow these systems to make better, faster decisions.
Enhance software supply chain security
Modernizing federal cybersecurity is just one element of the EO. It also results in a monumental shift in supply chain security requirements by establishing baseline security standards for any software—especially critical software—sold to the federal government. Per the EO’s directive, during the initial phase of the EO’s implementation, products identified as critical software will have to meet the technical requirements issued under Section 4(e) of the Executive Order.
Further, aiming to protect government agencies from the risk of supply chain software attacks, the EO calls for the National Institute of Standards and Technology (NIST) to create new supply chain security protocols and establish best practices, guidelines, and criteria for the future standards that software suppliers will need to comply with to be able to sell software to the federal government. This in and of itself may be the most impactful element of the entire EO, with a potential to improve both government and private sector systems. The EO does not mandate commercial industry change how they handle software supply chain security, but by instead using the carrot of federal government acquisitions, the EO has the potential to finally push much of the commercial software market to change their thinking on the importance of securing their development process.
While many of the software supply chain security requirements are high level, with more detail to be developed by NIST over time, the EO does give some insight into what the expectations for future software products will be. These include, among other things:
- Employing encryption for data
- Employing automated tools to maintain trusted source code supply chains, ensuring the integrity of code
- Automated vulnerability discovery and remediation
- Maintaining provenance of all software code or components, and implementing controls on internal and third-party components and tools used in the development process
As you can see above, one notable element of the new requirements is for more visibility into the software development process. Any organization that provides software meeting NIST’s definition of critical software will need to provide a Software Bill of Materials (SBOM) that attests to product and supply chain security. An SBOM is a machine-readable document that lists all components in a product. The SBOM ingredient list includes every library—both open-source software (OSS) and commercial off-the-shelf (COTS)—that is included in an application’s code as well as services, dependencies, compositions, and extensions.
We realize the EO can be complex topic, but understanding it will help you understand where to focus your efforts when bringing your capabilities into the Federal market. For help on navigating the Executive Order’s key requirements, deadlines, and solutions, we encourage you to visit Merlin Cyber’s Cyber EO Resource Center.
As agencies mature their cloud adoption; transition from protecting well-defined networks to securing blurry, fluid perimeters; and pivot from trusted systems to zero trust, the need to embrace new, innovative technologies capable of protecting identities representing people, services, and devices on-prem and in the cloud has never been more urgent. The government undoubtedly has a large task ahead of it as it works to modernize its approach to cybersecurity and adopt strategies to ensure ongoing mission success. Its best hope in doing so is to leverage the capabilities being developed by today’s and tomorrow’s startups.