
Cybersecurity practitioners face a transition from policy to practical implementation due to the recent executive order.

Executive orders convey significant messages, yet they lack the durability of long-term protective measures.


The federal government is taking significant steps to operationalize cybersecurity, aligning its resources towards this crucial mission. This shift is evident in the recent amendments to Executive Orders 14144 and 13694, which aim to bolster federal cybersecurity efforts.

One of the key focus areas is narrowing the scope of targeted cyber threat actors to "foreign persons," emphasizing sanctions and actions on foreign entities such as China, Russia, Iran, and North Korea. This move is designed to enhance the effectiveness of cybersecurity measures against these potential adversaries.

Another significant aspect is the prioritization of securing third-party software supply chains. The Commerce Secretary, via the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence, is mandated to establish an industry consortium to develop guidance aligned with the Secure Software Development Framework (SSDF). This guidance will help ensure secure software development, delivery, and operations.

The executive orders also refocus AI policy to advance private-sector innovation and accelerate adoption of AI tools within federal agencies. AI vulnerability management is being incorporated into existing cybersecurity procedures, emphasizing collaboration across industries.

The amendments also signal a move towards preparing federal cybersecurity infrastructure against future quantum-computing threats by directing the Department of Homeland Security to release and update product categories supporting post-quantum cryptography.

In addition, the Federal Acquisition Regulatory (FAR) Council is tasked with requiring vendors of consumer IoT products to carry a "U.S. Cyber Trust Mark" label. This mark will serve as a clear baseline for IoT security assurance in government procurement and potentially extend beyond government procurement into broader market expectations.

Hard deadlines for the update and enforcement of secure software development guidance start this August. Starting in 2027, federal agencies will only be allowed to procure IoT products that carry the U.S. Cyber Trust Mark. Federal agencies must also support TLS 1.3 or a post-quantum successor by January 2, 2030.

AI systems are to be treated like any other critical software asset, with risk tracking, patching, and the sharing of indicators of compromise. The cryptographic transition, by contrast, will take years of planning because of key management, legacy hardware, and software dependencies.

Security practitioners should be ready to demand more transparency and assurance from IoT vendors, particularly in healthcare, manufacturing, and smart infrastructure. The National Institute of Standards and Technology is being directed to update and enforce secure software development guidance, providing a foundation for these expectations.

The recent amendment to Executive Orders 14144 and 13694 sends a clear message that it's time for cybersecurity to move from theory to real-world execution. Automating compliance, so that configurations are validated against government mandates rather than attested to on paper, could fundamentally change how that execution is verified.

Tom Guarente, vice president of external and government affairs at Armis Federal, noted, "The EO signals that the federal government is leaning into practical standards, accountable timelines, and enforceable outcomes." However, he also emphasized the importance of channeling this momentum into more durable directives, regulatory frameworks, and ultimately legislation for lasting impact.

