This may be a bit of a long blog due to the extensive nature of the Executive Order on Improving the Nation’s Cybersecurity and its impact on cybersecurity and the Zero Trust approach. The Biden administration also published a fact sheet: “President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks” giving a solid summary of the Executive Order that we recommend checking out, especially for nongovernmental entities.
But before we dive deep into details, you’ll have to bear with us for a bit of a victory lap. Clients of Forrester know that our security and risk team has banged the Zero Trust drum for over a decade. Our dynamic duo of David Holmes and Steve Turner lead Forrester’s Zero Trust charge now, amplifying what we’ve known for a long time: Zero Trust works. And now, the United States federal government has validated, confirmed, and required Zero Trust. We didn’t pop champagne, though, because now the real work begins. For the US government and its suppliers, this executive order represents massive change. But nongovernment organizations should expect to feel repercussions of this, as well.
Ripple Effects Of The Executive Order
The executive order does not directly touch the private sector, but major transformative efforts like this will lead to change well beyond government for security vendors and enterprise organizations. The US federal government’s procurement processes are rigid, antiquated, and glacial, which portions of this executive order seek to address. However, the rigid nature of that procurement process also does provide a baseline that other enterprise organizations use to help them codify and standardize requirements. This executive order will drastically expand beyond the government as enterprise organizations look to it for guidance.
Major changes to government procurement like this create commercial incentives given the amount of money government spends. Estimates based on US agency budget requests place federal cybersecurity spending north of $18 billion dollars. For example, since December 2020, the Cybersecurity and Infrastructure Security Agency (CISA) alone has received $2.6 billion of funding. We’ll detail the major areas of impact next.
SBOM Gets Its Day
Since 2018, the National Telecommunications and Information Administration (NTIA) in the US Department of Commerce has coordinated an industry effort to drive transparency in the software procurement process for organizations to understand what’s in the software they build, purchase, and use. The executive order’s requirement that products provide a software bill of materials (SBOM) will help organizations manage risk by letting them quickly determine what vulnerable software components are in their products.
SBOM is often compared to a list of ingredients in food packaging — while many of us just glance at the ingredient list, those with food allergies take special care to ensure that what they are about to eat won’t harm them. SBOM allows organizations to easily see if the products they use and build contain any components with critical vulnerabilities. When researchers discover new vulnerabilities in open source or other software components, security teams can quickly review SBOMs, determine which products have those components, and prioritize remediation.
In the next 60 days, the Secretary of Commerce must publish the minimum elements for an SBOM. There are multiple SBOM formats today, and we lack standardized naming conventions for all software components. This, unfortunately, won’t be universally consistent on day one but is a move in the right direction.
Potential format confusion aside, making a good enough SBOM available to your users is important. We don’t understand all of the ingredients that we read on food labels, either (I’m reading the label on a bag of M&M’s Minis: What is “Yellow 6,” and how does it differ from “Yellow 5” exactly?). Expect software composition analysis (SCA), vulnerability management, and third-party risk management vendors to enable their customers by integrating the preferred SBOM conventions into their offerings.
Supply Chain And Third-Party Risk
The executive order includes developing criteria “to evaluate the security practices of the developers and suppliers themselves” and proposes a labeling system to identify those vendors and products that have gone above a baseline. The formalization and specificity of this portion of the executive order aligns with one of the major problems facing every organization dealing with software and technology today, regardless of segment. Whether or not companies actually take the time to “Secure What You Sell” is a recurring root cause of breaches and data loss, with recent issues accelerating the signing of this executive order.
A National Transportation Safety Board Equivalent For Cybersecurity
With this executive order, we will finally have a body (with representation from both the public and private sectors) for dealing with “train wrecks” in cybersecurity. This will monumentally improve information sharing that spans the public and private sectors, helping organizations prioritize the implementation of appropriate staffing, security technologies, and processes that matter. With the establishment of the Cybersecurity Safety Review Board, we can finally have information on critical cyberincidents shared across industries, paired with essential, prescriptive recommendations on how another organization can avoid the same perils.
Other Areas Touched On In The Executive Order
Information sharing between the private sector and government gets a spotlight. Standardized response playbooks, reporting standards, detection, investigation, response, and remediation all get mentions, as well. Much of the specifics in these areas come in the next 60 to 120 days, as various agencies and cabinet-level positions received deadlines to create and issue the policies that will shift this executive order into reality and operation across the federal government and private sector. The next two to four months will be slammed for the government. After that, it will get that way for everyone else as we read, digest, and consider how we apply these items in our own security and risk programs.
Excitement exists because this is a significant moment in the history of cybersecurity for the United States. However, history dictates that we avoid getting our hopes up too much. Flaws exist, and we explore those next — including all the possible ways this goes wrong.
Portions Seem Like A Laundry List Of Technologies With A Zero Trust Bumper Sticker
As mentioned above, this is the first time that public policy has acknowledged that the current federal model of cybersecurity is broken and outdated. These are the first steps that need to be taken, considering we have almost 30 years of data and 10 years of highly damaging attacks confirming the obvious: The US government is in the crosshairs of other countries, much like other governments are targeted by the US. We predicted that a government would formalize Zero Trust as a framework, and sure enough, it was the United States.
This executive order screams “We Need To Buy More Tech!” to solve the problem (e.g., endpoint detection and response is mentioned at least 12 times), but generally, that’s the last thing on the list we use to enable problems to be solved. And even now, rumors of old “new” vendors entering the market are emerging. Some of those vendors represent the issues we should be running away from, not toward.
Today, most agencies and departments don’t have budget for these items, the staff to run these tools, nor the free time needed to actually implement any of it. If this winds up in the realm of most enterprise security product deployments — half deployments, shelfware, and only 30% of the features used — then all we’ve done is create a “government security vendor stimulus package.” We’re not sure that does anyone any good, except the investors and shareholders of those vendors. Real incentives that drive security transformation must exist at all levels of government for this to be successful. Security practitioners know that more controls for the sake of adding controls only adds more complexity, not necessarily more or better security.
Guidance Is Still Lacking On The Entirety Of The Security Lifecycle
Unfortunately, National Institute of Standards and Technology (NIST) guidance needs to evolve heavily to be more based in the technology reality we currently live in. The current guidance that came out toward the end of last year is reliant on being able to spot a bad actor within your environment across tooling with some sort of anomaly detection with high efficacy. The security industry has been chasing this magical detection unicorn for years, and it’s still not there today.
This reference architecture brings value but needs to evolve and take into account the continued pains security pros face. NIST reference architectures need to be based in reality, and guidance needs to evolve to match what organizations are actually implementing to get to Zero Trust. Forrester has been writing about this and other practical guidance for years.
Zero Trust Has (Finally) Hit The Mainstream
Like that favorite underground band that finally drops a hit single on Spotify, Zero Trust has found its way into the mainstream. The Zero Trust approach will now have an impact on the way the US secures its federal government. Forrester expects that adoption to expand globally and into corporate infrastructures.