# Full Report
The federal government will have more power to issue sanctions in response to ransomware incidents, and software vendors will have to do more to prove the security of their products under an executive order issued with just days left in the Biden administration.
# Analysis Summary
# Regulation/Compliance: Executive Order on Cybersecurity and Securing Commercial Software
## Overview
This Executive Order (EO) focuses on strengthening U.S. digital foundations, making software more secure for government and citizens, combating cybercrime (including ransomware), securing critical systems (including space assets), promoting AI security, and improving federal cybersecurity posture by leveraging the government's substantial IT procurement power.
## Key Details
- Issuing Authority: The President of the United States (Executive Branch)
- Effective Date: Issued Thursday (implied to take effect immediately upon signing)
- Jurisdiction: Primarily U.S. Federal Government operations, federal contractors, and the broader commercial software ecosystem supplying the federal government.
- Status: In Effect (As an Executive Order)
## Requirements
### Mandatory Requirements
1. **Software Security Standards for Federal Contractors:** Software suppliers to the federal government *must prove* they are using secure development practices.
2. **Secure Update Deployment:** NIST must create guidance for how companies can "securely and reliably deploy software updates."
3. **Cloud Security Clarity:** GSA must develop policy requiring cloud companies to clearly articulate how customers can secure their use of cloud products.
4. **Minimum Cybersecurity Practices:** A minimum set of cybersecurity practices *will be required* for any company doing business with the federal government (to be defined/implemented over time).
5. **Federal System Enhancements:** Federal agencies *must* mandate centralized visibility and threat hunting capabilities to quickly identify and mitigate threats on their systems.
6. **Authentication:** Agencies *must* implement phishing-resistant authentication technologies.
7. **Encryption:** Agencies *must* use end-to-end encryption in communications, including email and videoconferencing.
8. **Space System Security:** New cybersecurity contract requirements *must* be instituted for agency-procured space systems to protect command-and-control systems.
9. **Quantum Readiness:** Agency communications *must* be protected with "quantum resistant" methods.
### Recommended Practices
1. Non-government customers seeking secure products can use the results of the software supplier validation, which will be published.
2. Adopting post-quantum technology broadly.
3. Participating in the public/private partnership focused on identity fraud reduction technologies.
## Affected Organizations
- Industries: Software production, Cloud services, Defense/Space contractors, Technology providers serving the federal market.
- Organization Size: Not explicitly size-dependent, but focused on organizations transacting IT/software with the federal government.
- Geographic Scope: Primarily applies within the United States, affecting both domestic and international suppliers that wish to work with the U.S. federal government.
## Compliance Timeline
- **Next Three Years:** Federal cybersecurity requirements for federal information systems must be simplified.
- **Ongoing:** NIST must create secure update deployment guidance; GSA must develop cloud security policy.
- **Immediate/Ongoing:** Agencies must begin implementing enhanced security controls (phishing-resistant auth, E2E encryption, threat hunting).
## Implementation Guidance
### Assessment Phase
- Review current software development lifecycle (SDLC) practices against emerging secure development standards to prepare for mandatory proof requirements.
- Inventory existing federal IT systems to determine gaps in centralized visibility, threat hunting capabilities, and authentication methods.
### Implementation Phase
- Develop and implement mandated secure software development practices; prepare documentation/evidence for validation initiatives.
- Integrate phishing-resistant authentication tools across agency access points.
- Begin planning migration paths toward quantum-resistant cryptographic methods for sensitive communications.
- Define policies for end-to-end encryption usage across internal and external communications.
### Validation Phase
- Prepare for external validation or auditing processes related to established secure development practices, as validation results will likely be published.
## Technical Requirements
- Implementation of phishing-resistant authentication technologies.
- Use of end-to-end encryption for communications (email/video conferencing).
- Deployment of centralized visibility and threat hunting tools for rapid threat detection.
- Adoption of "quantum resistant" methods for protecting communications.
## Penalties & Enforcement
- **Fines:** No specific dollar amounts are detailed in this summary; the EO instead signals a sharpened enforcement posture against malicious actors via sanctions.
- **Other Consequences:**
  - **Federal Contracting:** Companies failing to prove secure development practices risk losing valuable federal contracts (leveraging $100B in annual procurement).
  - **Sanctions:** Amendments to sanctioning authorities lower the bar for targeting ransomware gangs, making it easier and broader to impose sanctions on malicious cyber actors, regardless of direct government affiliation.
- **Enforcement:** Enforcement will be conducted by relevant federal agencies (e.g., CISA for visibility/threat sharing, NIST for guidance, GSA for procurement policy).
## Related Standards
- **NIST:** Explicitly tasked with creating guidance for secure software updates.
- **General Principles:** The mandates align with principles found in other federal risk frameworks (like those championed by CISA), focusing on Zero Trust principles, supply chain risk management, and resilience.
## Resources
- Official Documentation: [Executive Order document reference (Requires lookup for specific URL)]
- Guidance Documents: Anticipated guidance from NIST and GSA on secure software and cloud usage.
- Tools: Development/adoption of tools supporting phishing-resistant authentication and threat hunting technologies.
## Practical Recommendations
1. **Supply Chain Review:** Immediately review current software supply chain requirements and begin documenting adherence to secure software development best practices, anticipating federal validation requirements.
2. **Authentication Upgrade:** Prioritize the rollout of phishing-resistant authentication mechanisms (e.g., FIDO2/WebAuthn) across all federal access points.
3. **Sanctions Preparedness:** Organizations whose operations may intersect with hostile nation-states or ransomware groups should review their exposure to potential future sanctions targeting cyber activity.
4. **Future-Proofing:** Begin strategic planning for the mandatory transition to quantum-resistant cryptography, particularly for long-term sensitive data communications.