Katko, Garbarino Comment on Cybersecurity Executive Order
“Cybersecurity thankfully has a tradition of not just being bipartisan, but frequently nonpartisan. The foundational work of PPD-21 and EO 13636 in the Obama Administration was further enhanced by the widely applauded EO 13800 from the Trump Administration which leads us to the issuance of this EO. That previous doctrine, and others, combined with the dynamic nature of the threat environment makes this EO a natural continuation, and necessary follow-through, that should be commended. However, we hope the Administration doesn’t consider their work on cybersecurity to end here. Each of these items will require thoughtful and constant focus in the coming months. It’s incredibly important that the White House meticulously tracks the progress of each of these directives.
“While we should always strive to approach cyber resilience from a proactive – not reactive – posture, it is inevitable that significant cyber incidents will act as a forcing function or galvanizing moments to usher along necessary evolution to our cyber policy and response capabilities. With this in mind, we released a proposed five pillar policy response plan following the SolarWinds cyber espionage campaign. We are heartened to see that much of what is contained in this EO aligns nicely with those five pillars, and we look forward to working with the Administration to ensure effective implementation. Although we are pleased to see that President Biden has heeded some of our calls to fully leverage the expertise of the Cybersecurity and Infrastructure Security Agency (CISA), we think more still can be done over the coming years to empower it with the stature and resources it needs to effectively carry out its mission. There should be no doubt, CISA is the nation’s lead civilian cybersecurity agency, and we should fully recognize that quarterback status.
“This EO continues the nonpartisan tradition we mentioned, and we appreciate the thoughtful process that went into its drafting. We specifically appreciate these provisions being included, and look forward to working with the Biden Administration to ensure their effective implementation:
- Moving forward on Federal Civilian Executive Branch (FCEB) Government-wide Endpoint Detection and Response (EDR) Initiatives by requiring CISA to provide recommendations to the Office and Management and Budget (OMB) Director on implementation approaches, with specific focus on host-level visibility, attribution, and response, as well as a timeline to implement those recommendations with an adequately resourced CISA at the helm.
- A timeline for implementation of Memoranda of Agreement (MOA) between federal agencies and CISA to ensure Continuous Diagnostics and Mitigation (CDM) program object level data is available and accessible to CISA and requirements for log retention are provisioned to CISA. This will allow CISA to have the needed visibility into agencies’ networks to stitch together a holistic cyber risk picture.
- Removal of contractual barriers to threat, incident, and risk information sharing among federal agencies via a requirement that service providers share incident information with CISA, customer agencies, and the FBI.
- A timeline for the creation of clear definitions of cybersecurity incidents and breaches requiring reporting and the categories of information regarding a cybersecurity incident.
- A timeline for the standardization of cybersecurity contractual requirements across federal agencies.
- Movement towards a zero-trust security model, including the acceleration of migration to secure cloud environments, including Software as a Service (SaaS) and Platform as a Service (PaaS) infrastructure that retains visibility.
- Requiring OMB, DHS CISA, and GSA to develop and issue a strategy that ensures risks to the federal civilian enterprise from leveraging cloud-based services are fully understood and being addressed in a comprehensive and coordinated manner.
- Requiring CISA in coordination with OMB and GSA to issue technical reference architecture that recommends approaches to cloud migration and data protection and to develop a federal cloud service governance framework that aligns services, data, and processing activities to specific services/protections provided to federal agencies.
- Establishing reciprocity across agencies between compliance frameworks, and FedRAMP, among other FedRAMP modernizations.
- Creating rapid timelines for steps to improve the security and integrity of the software supply chain, with a priority on addressing critical software.
- Requiring the specification of criteria for “critical software” designations, which should include level of access required for function, integration, dependencies, and potential harm if compromised.
- Ensuring the heads of the Federal Civilian Executive Branch (FCEB) agencies provide reports to the Secretary of Homeland Security, through the Director of CISA, progress in adopting agency-wide multifactor authentication and encryption of data at rest and in transit.
- Directing the Secretary of Homeland Security, through CISA and in coordination with DOD, NSA, DOJ and ODNI to develop a standard set of operational procedures to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems.
“Many of the directives in this Executive Order are understandably focused on federal networks, but we of course cannot ignore private sector companies, who in fact own and operate the vast majority of our domestic critical infrastructure, as the most recent ransomware attack on the Colonial Pipeline Company painfully highlighted. We look forward to collaborating with the private sector to align their cybersecurity investments with those of the federal government to ensure a resilient cybersecurity posture across our nation’s critical infrastructure sectors.
“Once again, we appreciate the Administration’s nonpartisan work on this important national security issue, but now it’s time to get to work. The stakes are too high to not follow through on these important steps. We look forward to continuing to elevate the national conversation on cybersecurity and will be providing additional analysis and oversight in the coming months.”