Breaking Down Biden’s Cybersecurity Executive Order

What is the Cybersecurity Executive Order?

On May 12, 2021, President Joe Biden called for the standardization of secure coding practices. After a string of recent, publicly exposed incidents such as the Colonial Pipeline, SolarWinds, and Codecov attacks, federal agencies and the vendors they work with have been given a timeline to comply with the 2021 Cybersecurity Executive Order, the first-ever federal mandate to secure critical software components.

WATCH:

New standards set to improve security and reduce risks of software supply chain hacks.

Why is the Cybersecurity Executive Order Important?

It puts the focus on secure development.

Fewer than 50% of organizations know what software components make up their applications. The first step towards enhancing software supply chain security is knowing what is inside your apps. Getting a Software Bill of Materials (SBOM) and practicing vulnerability disclosure are outlined as new requirements when contracting with the federal government.

It makes transparency and vulnerability disclosure standard.

Developing an SBOM is the first step towards establishing accountability in cybersecurity. Next, when malicious activity is present, including in third-party software, these organizations are also responsible for disclosing the vulnerabilities involved.

Imagine your company had a breach today. Who else is affected? What comes next? Defining clear vulnerability disclosure standards will save time clearing the noise and help teams respond to attacks more quickly.

In this two-part webinar series, secure development professionals come to the mic to discuss how development and security communities will be affected, trends across the public and private sectors, and the latest developments in Executive Order news.

“In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
— E.O. 14028 of May 12, 2021

Who Does the Cybersecurity Executive Order Affect?

If you use critical software, you must meet federal compliance requirements.

The National Institute of Standards and Technology (NIST) established a definition for “critical software” in order to guide the focus of the Executive Order.

Critical Software (noun) — any software that has, or has direct software dependencies upon, one or more components with at least one of the following attributes:

  • is designed to run with elevated privilege or manage privileges;
  • has direct or privileged access to networking or computing resources;
  • is designed to control access to data or operational technology;
  • performs a function critical to trust; or,
  • operates outside of normal trust boundaries with privileged access.

We all use critical software.

With a definition that scopes all stand-alone software, software integral to specific devices or hardware components, and cloud-based software, complying with the Cybersecurity Executive Order is a goal that we all need to meet. Private-sector organizations are on a timeline to get their standards together for securing critical software components, but expect to see shifts in the public sector and across other international economies soon after.

How can I get started with Executive Order compliance?

Steps you can take now to get ready for federal compliance.

Don’t wait for the remaining phases of the 2021 Cybersecurity Executive Order to be rolled out; start preparing to meet its standards now. Stay informed with the links below, and start a free SBOM to know what software components make up your applications.

Sonatype can help you with Executive Order compliance.