Abhay Bhargav
Vishnu Prasad K
November 16, 2022

Improving the Nation's Cybersecurity: President Biden's Executive Order

Following the SolarWinds incident and the Colonial Pipeline hack, US President Joe Biden issued an executive order on cybersecurity aimed at improving the state of national security in the US and strengthening government networks' defenses against cybersecurity threats.

It takes the form of a set of requirements on organizations and on government acquisition, intended to push both the public and private sectors to detect, intercept, defend against, and counter persistent and increasingly sophisticated malicious cyber campaigns. The Executive Order highlights the need to streamline cybersecurity mitigation across the country and introduces new approaches for sharing information about cybersecurity risks and breaches.

Zero Trust architecture strategy

Section 3 of EO 14028 states that all U.S. Federal agencies must adopt a Zero Trust strategy for their entire digital infrastructure. The section specifically states that all government agencies should shift “from verify once at the perimeter to continual verification of each user, device, application, and transaction.”

The National Institute of Standards and Technology (NIST) described zero trust as a “collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.” In short, no user, device, or request to your institution's resources is trusted until it has been verified.

Zero Trust and cloud security

To implement zero trust in the cloud, infosec and operations teams need to focus on two key points. First, to manage access control, security controls need to be built into the workloads themselves as they are moved to the cloud, so that institutions keep control over how their data is protected.

Second, teams need better visibility into how the applications and services hosted on each system behave. The relationships between those applications and services must be mapped carefully so that a tightly controlled zero trust operating model can be enforced without seriously degrading network connectivity.

SBOM and Supply Chain Security

Section 10(j) of EO 14028 describes an SBOM as a “formal record containing the details and supply chain relationship of various components used in building software.” In short, it is like the ingredient list on the back of a cereal box, but for software. The purpose of an SBOM is to identify which software applications are the most exposed when a vulnerability is found in a third-party component.

Assessing the supply chain is a crucial part of managing the risk posed by external suppliers, vendors, service providers, and delivery. It aims to identify, inspect, and reduce the fundamental risks of working with other organizations as part of a supply chain. Software Composition Analysis, or SCA, is the piece of the puzzle that has always played the role of identifying vulnerabilities in third-party components and preventing supply chain attacks; it assesses security, license compliance, and code quality.

When a supply chain attack occurs, organizations need to review all of their software for affected components before attackers find them. A Software Bill of Materials (SBOM) makes this process straightforward: it is structured metadata that uniquely identifies a software package and its "ingredients".

These are the minimal conditions that the executive order lays out for SBOM:

1. Every component in an SBOM must carry a baseline set of data fields, including the supplier of each component and its version number, among others.

2. SBOMs should follow a standard, machine-readable format such as SPDX or CycloneDX.

3. Guidance and practices on how detailed an SBOM should be in terms of dependency depth.
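As an added example (not code from the original post), the following Python reads a constructed CycloneDX JSON SBOM, reports which components lack the baseline supplier/name/version data the list above calls for, and walks the dependency graph backwards to find which components and products are exposed when a vulnerability is announced for one ingredient. The product, component names, versions and suppliers are made up for this example.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.4 JSON SBOM for a hypothetical product; all names are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "type": "application", "name": "billing-svc",
                               "version": "2.1.0", "supplier": {"name": "Example Corp"}}},
    "components": [
        {"bom-ref": "c1", "type": "library", "name": "web-framework", "version": "4.2.0",
         "supplier": {"name": "Framework Foundation"}},
        {"bom-ref": "c2", "type": "library", "name": "yaml-parser", "version": "1.7.3",
         "supplier": {"name": "Parser Org"}},
        {"bom-ref": "c3", "type": "library", "name": "string-utils", "version": "0.9.1"},
    ],
    "dependencies": [{"ref": "app", "dependsOn": ["c1"]}, {"ref": "c1", "dependsOn": ["c2", "c3"]}],
})
MINIMUM_FIELDS = ("supplier", "name", "version")  # baseline per-component data the EO calls for

def load_components(sbom_json):
    """Map bom-ref -> component, including the top-level product from metadata."""
    doc = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in doc.get("components", [])}
    top = doc.get("metadata", {}).get("component")
    if top:
        comps[top["bom-ref"]] = top
    return doc, comps

def missing_minimum_elements(sbom_json):
    """Return {bom-ref: [missing fields]} for entries lacking baseline data."""
    _, comps = load_components(sbom_json)
    gaps = {ref: [f for f in MINIMUM_FIELDS if not c.get(f)] for ref, c in comps.items()}
    return {ref: m for ref, m in gaps.items() if m}

def exposed_by(sbom_json, name, version):
    """Names of everything that transitively depends on name@version, i.e. the
    components (and the product itself) exposed when a vulnerability is published."""
    doc, comps = load_components(sbom_json)
    targets = {r for r, c in comps.items() if (c.get("name"), c.get("version")) == (name, version)}
    dependants = defaultdict(set)  # reverse edges: dependency -> components that use it
    for d in doc.get("dependencies", []):
        for dep in d.get("dependsOn", []):
            dependants[dep].add(d["ref"])
    seen, stack = set(), list(targets)
    while stack:  # walk the reverse graph up to the top-level product
        for parent in dependants[stack.pop()] - seen:
            seen.add(parent)
            stack.append(parent)
    return sorted(comps[r]["name"] for r in seen)
```

Running `missing_minimum_elements(SAMPLE_SBOM)` flags the component with no supplier, and `exposed_by(SAMPLE_SBOM, "yaml-parser", "1.7.3")` shows that a flaw in a transitive dependency reaches the product through the framework that pulls it in.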

DevSecOps and automation

DevSecOps (development, security, and operations) is a set of principles and practices that build security techniques into every phase of the software development lifecycle, so that the applications delivered can withstand most cyberattacks. It evolved from the traditional security model that focused on building a defensive perimeter around applications.

Supporting DevSecOps automation means building security patterns and standards into the development framework itself, surfaced to developers through the integrated development environment (IDE).

To meet all of the EO's requirements, organizations must automate security at various phases of the Software Development Lifecycle (SDLC). Implementing effective security depends on establishing fast security feedback loops within the SDLC.

Techniques to adhere to and to be ahead of the Executive Order:

1. Agile Threat Modeling

Identifying and mitigating risk through threat modeling is valuable, but integrating it as a recurring part of the SDLC is more effective. Agile methodology encourages a more systematic, iterative, and collaborative way of managing IT projects and software.

2. Strategic security automation

Security automation is a must in today's intricate IT architectures. Given the growing number and severity of cyberattacks, security automation lets you drastically shorten incident response time and anticipate threats more easily.

3. Vulnerability management tooling

Vulnerability management tools have become crucial to staying a step ahead of emerging cybersecurity threats. They are designed to find weaknesses in an organization's systems so that they can be remediated before they lead to a security breach.

Careful planning and implementation of cybersecurity are crucial to a strong cyber defense. Complying with the Executive Order's mandates has been a challenge, but implementing them benefits not only the federal government but also the general public in the long run. Cybersecurity includes the daunting process of selecting and deploying the right technology solutions.

This Executive Order is a step forward in handling supply chain attacks. Because of the frequency of data breaches, cybersecurity has become a necessity across all sectors. From implementing Zero Trust policy and supply chain security to DevSecOps and automation, we45 is your partner in fortifying your defenses from the inside out against malicious threats.

Need help with your organization's overall security? Here are the services that we are offering:

1. Application Security

2. Cloud Security

3. Kubernetes Security

4. Threat Modeling

To learn more about the preventive security measures indicated in this EO, check out Abhay Bhargav's article here: https://www.helpnetsecurity.com/2021/05/25/bidens-cybersecurity-executive-order/.