I started off looking to write a summary of the Cyber Resilience Executive Order released on the 12th May 2021 by President Biden.
Unfortunately, this is a must larger task than first envisaged. There is a huge amount of material condensed into a single document. The document is long and dense (but dense in the right way).
We have decided to break it down into its appropriate sections. I’ll cover Sections 1 and 2 in this post. More to follow.
Section 1 requirements
This section is simple so we will get it out of the way early. Section 1 relates to Policy and emphasises that Cyber is a critical, highest priority item for the government.
This sets the stage for everything that follows to be put into the must-do category for all government agencies. And by extension, all service providers supplying the government.
Section 2 requirements
This is where the action really starts.
The section is titled “Removing Barriers to Sharing Threat Information“.
There are quite a few threads that have to come together to achieve this. They are outlined in two mind-maps to illustrate the summary.
The first describes the requirements and the second provides a timeline-based view.
The Executive Order lays down a frantic schedule that will keep government agencies and service providers busy to complete the described activities before the end of the calendar year 2021.
Summary mind-map of the requirements of Section 2
Service Providers to share “ALL DATA“
The biggest talking point in this section is the requirement on service providers to share their incident data. Not just the incident data related to the agency for which a particular service is being undertaken. All of it. Here is the section in full.
2. (c) The recommended contract language and requirements described in subsection (b) of this section shall be designed to ensure that:
(i) service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies’ requirements;
(ii) service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies;
(iii) service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed;
Proposed timeline for Section 2 requirements
Section 2 is designed to ensure that federal government is in a position to consume huge amounts of log data from service providers. If you just think of the 4 clouds (AWS, Azure, Google and iCloud) and the telcos, that is an enormous aggregation of data that will need to be analysed by something.
One SIEM to rule them all?
This mass aggregation of incident and event related data is a massive undertaking in its own right for federal government.
But if you are currently providing services to the US Government and you do not currently have an effective logging and monitoring solution, please sit down before you read the requirements that the government are going to place on you that are described in Section 3.