Under a forthcoming White House order, companies that do business with the federal government would have to meet software security standards and swiftly report cyber incidents to a new entity within the Department of Homeland Security, sources familiar with a draft version of the document said.
The order, which could be made public in a matter of weeks, is meant to improve the government’s ability to detect, coordinate, respond to and investigate cybersecurity incidents, as well as promote supply chain security and push government contractors to up their defenses. It is spurred largely by the suspected Russian campaign in which hackers exploited the update process for SolarWinds’ Orion software, which led to the compromise of nine federal agencies and roughly 100 companies, the White House previously said.
Some of the order’s measures are aimed at strengthening DHS and its Cybersecurity and Infrastructure Security Agency. The White House directive would establish a body for reporting cybersecurity incidents within CISA modeled after the National Transportation Safety Board. Under the order, DHS and the attorney general would also create a cybersecurity incident review board made up of federal officials and private sector companies for examining threats and vulnerabilities, as well as risk mitigation efforts around major incidents.
CISA would be authorized to hunt threats in agencies other than the Defense Department, something acting CISA Director Brandon Wales told Congress was key in testimony last month. Another point Wales made, about the need for federal officials to be able to examine “endpoints” (that is, specific devices), also is poised to be a focus of the executive order.
The White House believes there are limits on what it can do via executive order, sources said: on its own, it has the authority to improve federal agency security and the security of its vendors. It would need Congress for broader initiatives. Legislation on subjects like incident response reporting for privately owned critical infrastructure also is in the works on Capitol Hill.
The order has been a subject of consideration in Washington for months, and comes together after numerous congressional hearings in which U.S. intelligence leaders, cybersecurity executives and other specialists have testified about changes the U.S. government should consider in order to avoid being victimized in another cyber-espionage campaign. (Reuters and Bloomberg have previously reported on many, though not all, of the elements of the executive order outlined in this story.)
Among the four CyberScoop sources who had seen or been briefed on the draft executive order, two expected the release within the first two full weeks of April. The others cautioned that they did not have a firm sense of the timing.
The order’s other upgrades to federal agency security include use of multi-factor authentication and improvements to FedRAMP, the federal process for authorizing and continuously monitoring the security of cloud services.
Federal agencies would need to use data encryption and develop plans for shifting to a “zero trust” model, under which organizations do not automatically trust anyone or anything inside the network. They would need to keep logs for cyber incidents.
CISA would work with the National Institute of Standards and Technology on defining and identifying “critical software” that requires more action. That includes steps like providing a “software bill of materials” that identifies its building blocks. The White House also has floated the idea of software security grades.
Some of the steps might not come to fruition for some time because they will require additional federal rulemaking, an oft-slow process that includes several phases of public comment.