An executive order was signed on May 12, directing the federal government to overhaul its approach to cybersecurity. Corporate compliance and risk management professionals should consider this order carefully — because, in the fullness of time, its directives are going to impact the private sector in significant ways, too.
The order arrived while Colonial Pipeline was recovering from a ransomware attack that disrupted gasoline supplies to Americans across the Southeast. However, when you look at the details, it’s clear that the executive order is much more a response to the SolarWinds attack that happened last year.
The SolarWinds incident allegedly resulted from the work of the hacker group from Russia’s - Foreign Intelligence Service (SVR) gaining access to the networks, systems and data of thousands of SolarWinds customers. As a result, the hack compromised the data, networks and systems of thousands when SolarWinds inadvertently delivered the backdoor malware as an update to the Orion software. The nation-state attackers planted malware into a software patch SolarWinds sent out to customers in the spring of 2020. When customers installed the software patch, they also installed the malware, and Russia then had access to all manner of confidential corporate and government data.
We now know that some of the biggest names in Corporate America were victims of the SolarWinds attack, along with at least 11 departments of the U.S. federal government.
The Colonial Pipeline attack (and numerous other ransomware attacks, which have been sprouting like weeds in the last year or so) added fresh urgency to the current administration’s order — which has been a long time coming.
What Does the Executive Order Do?
The executive order, 34 pages long, has three main points:
- Better sharing of threat information between government contractors and federal agencies, including the notion of mandatory reporting of cybersecurity incidents.
- Stronger cybersecurity practices within the federal government, including much more use of multi-factor authentication and so-called “zero trust architecture” for network design.
- Stronger oversight of the software supply chain, including steps such as tighter controls over how engineers design software code and more documentation on the origin of any third-party software code a business incorporates into its products.
To be clear, those points won’t go into force tomorrow. The executive order directs several federal agencies to develop specific new regulations implementing the order in coming months.
For example, the National Institute of Standards & Technology (NIST) is charged with developing new standards for multi-factor authentication and zero-trust architecture. The Office of Management & Budget will propose new language for the Federal Acquisition Rule (for government contractors) and the Defense Federal Acquisition Rule Supplement (for defense contractors specifically) to include the points mentioned above.
But we can safely say that by later this year, businesses that work as government contractors, and the suppliers to those contractors, will have a much better sense of the new, heightened cybersecurity requirements that they will need to meet.
What Compliance Officers Should Anticipate Now
Even without those specifics available today, compliance officers can — and should — start to anticipate the changes the business will need to make.
First, expect to perform a fresh assessment of compliance risks under these new cybersecurity requirements. For example, if your business is required to collect data about cybersecurity attacks and provide that information to federal agencies, you may have new privacy risks to consider; a risk that the executive order specifically mentions.
Second, consider the new policies and procedures your business might need to implement, and how that would be accomplished. For example, the cybersecurity order will change what your business reports to the government, how employees develop software, the attestations third parties will need to provide to you, and more.
Questions to Consider:
- Who will draft those policies? The compliance, legal and IT security teams, most likely; perhaps with help from other technology officers.
- Who will design procedures and internal controls to, say, introduce multi-factor authentication? The IT team, possibly with help from internal audit.
- How will you assure that contracts with your technology vendors include the necessary language to comply with new cybersecurity rules? Review your policies for third parties and vendors to meet these new cybersecurity requirements.
Third, you will need to rely on technology to keep pace with these changes. Don’t forget, defense contractors already face compliance with a new cybersecurity standard, CMMC. Most businesses also have other security and privacy compliance obligations too, such as HIPAA for health data or PCI DSS for credit card information.
Your business might be able to use one control to satisfy several of those cybersecurity obligations — if you can keep all that remediation work on the right track. So the use of a robust GRC tool, that can handle both data mapping to see where your important data resides and control mapping to see which controls satisfy what compliance frameworks, will be crucial. Spreadsheets won’t be able to manage the complexities of the work to come.
Guidance is Coming
In short, the current administration is poised to impose more structure and oversight over cybersecurity across the federal government. That sort of thing has a habit of filtering out across a large swath of Corporate America.
Regardless of precisely how your company responds to these new cybersecurity demands, risk and compliance officers can play a critical role here. Cybersecurity today is just as much about how your organization interacts with other parties, as it is about firewalls or penetration testing. It will be about developing solid business processes, skillful risk assessment, and thoughtful policies and procedures.
The question is how to bring that expertise to cybersecurity, one of the most pressing priorities for corporations today.
Four Ways to Address Cybersecurity Risks