United States President Joe Biden signed an executive order on Wednesday to boost the cyber posture of the federal government.
The order points to recent incidents including the ransomware attack on Colonial Pipeline, Exchange vulnerabilities that led to the FBI removing web shells from US servers, and the SolarWinds attack.
The order said the federal government must lead by example.
“Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life,” the order states.
“The federal government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.
“The scope of protection and security must include systems that process data (information technology) and those that run the vital machinery that ensures our safety (operational technology).”
The order mandates that agencies have 180 days to implement multi-factor authentication and encrypt data both at rest and in transit “to the maximum extent” available under federal records and other laws. Agencies that cannot meet the deadline will need to provide a written explanation why not.
“Outdated security models and unencrypted data have led to compromises of systems in the public and private sectors,” the White House said in a fact sheet.
“The Federal government must lead the way and increase its adoption of security best practices, including by employing a zero-trust security model, accelerating movement to secure cloud services, and consistently deploying foundational security tools such as multifactor authentication and encryption.”
A Cybersecurity Safety Review Board will be established under the order and be constituted by federal officials from the Department of Defense, Department of Justice, CISA, NSA, and FBI, as well as private-sector representatives to be determined by the Secretary of Homeland Security. The board will be chaired and co-chaired by one federal and one private-sector member.
The board will meet following a “significant” cyber incident and analyse what happened and make recommendations.
“When something goes wrong, the Administration and private sector need to ask the hard questions and make the necessary improvements,” the White House said.
“This board is modelled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.”
A standardised playbook for incident response will also be created, as will a “government-wide endpoint detection and response system” and mandate to maintain logs to help in incident detection, investigation, and remediation.
“Slow and inconsistent deployment of foundational cybersecurity tools and practices leaves an organisation exposed to adversaries,” the fact sheet states.
Earlier on Wednesday, the Colonial Pipeline restarted operations.