This may be a bit of a long blog due to the extensive nature of the Executive Order on Improving the Nation’s Cybersecurity and its impact on cybersecurity and the Zero Trust approach. The Biden administration also published a fact sheet: “President Signs Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks,” giving a solid summary of the Executive Order that we recommend checking out, especially for nongovernmental entities.
But before we dive deep into details, you’ll have to bear with us for a bit of a victory lap. Clients of Forrester know that our security and risk team has banged the Zero Trust drum for over a decade. Our dynamic duo of David Holmes and Steve Turner lead Forrester’s Zero Trust charge now, amplifying what we’ve known for a long time: Zero Trust works. And now, the United States federal government has validated, confirmed, and required Zero Trust.
We didn’t pop the champagne, though, because now the real work begins. For the U.S. government and its suppliers, this executive order represents massive change. But nongovernment organizations should expect to feel repercussions of this, as well.
Ripple effects of the executive order
The executive order does not directly touch the private sector, but major transformative efforts like this will lead to change well beyond government for security vendors and enterprise organizations. The U.S. federal government’s procurement processes are rigid, antiquated, and glacial, which portions of this executive order seek to address.
However, the rigid nature of that procurement process also does provide a baseline that other enterprise organizations use to help them codify and standardize requirements. This executive order will drastically expand beyond the government as enterprise organizations look to it for guidance.
Major changes to government procurement like this create commercial incentives given the amount of money the government spends. Estimates based on U.S. agency budget requests place federal cybersecurity spending north of USD 18 billion. For example, since December 2020, the Cybersecurity and Infrastructure Security Agency (CISA) alone has received USD 2.6 billion of funding. We’ll detail the major areas of impact next.
SBOM gets its day
Since 2018, the National Telecommunications and Information Administration (NTIA) in the U.S. Department of Commerce has coordinated an industry effort to drive transparency in the software procurement process for organizations to understand what’s in the software they build, purchase, and use. The executive order’s requirement that products provide a software bill of materials (SBOM) will help organizations manage risk by quickly determining what vulnerable software components are in their products.
SBOM is often compared to a list of ingredients in food packaging — while many of us just glance at the ingredient list, those with food allergies take special care to ensure that what they are about to eat won’t harm them. SBOM allows organizations to easily see if the products they use and build contain any components with critical vulnerabilities. When researchers discover new vulnerabilities in open source or other software components, security teams can quickly review SBOMs, determine which products have those components, and prioritize remediation.
In the next 60 days, the Secretary of Commerce must publish the minimum elements for an SBOM. There are multiple SBOM formats today, and we lack standardized naming conventions for all software components. This, unfortunately, won’t be universally consistent on day one but is a move in the right direction.
Potential format confusion aside, making a good enough SBOM available to your users is important. We don’t understand all of the ingredients that we read on food labels, either (I’m reading the label on a bag of M&M’s Minis: What is “Yellow 6,” and how does it differ from “Yellow 5” exactly?). Expect software composition analysis (SCA), vulnerability management, and third-party risk management vendors to enable their customers by integrating the preferred SBOM conventions into their offerings.
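As an added example (not code from the original article or from Forrester), the following Python script walks through the workflow the SBOM section describes: it reads several SBOMs, here constructed documents simplified after the CycloneDX and SPDX JSON shapes, matches each component against a constructed advisory feed (placeholder advisory IDs, not real CVE numbers), and ranks affected products by severity so remediation can be prioritized. It also illustrates the format problem mentioned above, since the two SBOMs do not share a structure and the reader has to handle both. Product names, component versions, and advisory data are all assumptions chosen for illustration.

```python
"""Cross-reference SBOMs against a vulnerability feed to find affected products."""
import json

# Constructed sample SBOMs, simplified after the CycloneDX and SPDX JSON shapes.
# Real SBOMs carry far more fields (purl, licenses, hashes); only name/version matter here.
SBOMS = {
    "billing-service": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"name": "log4j-core", "version": "2.14.1"},
            {"name": "jackson-databind", "version": "2.12.3"},
        ],
    }),
    "reporting-portal": json.dumps({
        "spdxVersion": "SPDX-2.2",
        "packages": [
            {"name": "log4j-core", "versionInfo": "2.17.1"},
            {"name": "lodash", "versionInfo": "4.17.15"},
        ],
    }),
    "batch-runner": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [{"name": "lodash", "version": "4.17.21"}],
    }),
}

# Constructed advisory feed: placeholder IDs and made-up severities, not real CVE data.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "component": "log4j-core", "fixed_in": "2.17.1", "severity": 10.0},
    {"id": "ADV-EXAMPLE-002", "component": "lodash", "fixed_in": "4.17.21", "severity": 7.4},
    {"id": "ADV-EXAMPLE-003", "component": "jackson-databind", "fixed_in": "2.12.4", "severity": 8.1},
]


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings.

    Non-numeric segments (e.g. 'rc1') fall back to 0; good enough for this illustration.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def components(sbom_text):
    """Return (name, version) pairs from either SBOM shape; unknown shapes raise."""
    doc = json.loads(sbom_text)
    if "components" in doc:  # CycloneDX-style document
        return [(c["name"], c["version"]) for c in doc["components"]]
    if "packages" in doc:  # SPDX-style document
        return [(p["name"], p["versionInfo"]) for p in doc["packages"]]
    raise ValueError("unrecognised SBOM format")


def affected_products(sboms, advisories):
    """Return (product, advisory_id, component, version, severity) for every hit.

    A component is affected when its name matches and its version is below fixed_in.
    """
    findings = []
    for product, text in sboms.items():
        for name, version in components(text):
            for adv in advisories:
                if adv["component"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                    findings.append((product, adv["id"], name, version, adv["severity"]))
    return findings


def prioritised(sboms, advisories):
    """Same findings, highest severity first so remediation can start at the top."""
    return sorted(affected_products(sboms, advisories), key=lambda f: -f[4])


if __name__ == "__main__":
    for product, adv_id, name, version, severity in prioritised(SBOMS, ADVISORIES):
        print(f"{severity:>5}  {product:<18} {name}@{version}  ({adv_id})")
```

Running the script lists the billing service twice (its logging and JSON libraries are both below the fixed versions), the reporting portal once for its outdated lodash, and the batch runner not at all because it already ships the fixed lodash release. In practice the advisory feed would come from a vulnerability database and the SBOMs from a build pipeline or vendor, and the naming-convention problem the text raises would need a canonical identifier such as a package URL rather than the bare name used here.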
Supply chain and third-party risk
The executive order includes developing criteria “to evaluate the security practices of the developers and suppliers themselves.” It proposes a labeling system to identify those vendors and products that have gone above a baseline. The formalization and specificity of this portion of the executive order align with one of the major problems facing every organization dealing with software and technology today, regardless of segment. Whether or not companies actually take the time to “Secure What You Sell” is a recurring root cause of breaches and data loss, with recent issues accelerating the signing of this executive order.
A National Transportation Safety Board equivalent for cybersecurity
With this executive order, we will finally have a body (with representation from both the public and private sectors) for dealing with “train wrecks” in cybersecurity. This will monumentally improve information sharing that spans the public and private sectors, helping organizations prioritize the implementation of appropriate staffing, security technologies, and processes that matter. With the establishment of the Cybersecurity Safety Review Board, we can finally have information on critical cyber incidents shared across industries, paired with essential, prescriptive recommendations on how another organization can avoid the same perils.
Other areas touched on in the executive order
Information sharing between the private sector and government gets a spotlight. Standardized response playbooks, reporting standards, detection, investigation, response, and remediation all get mentions, as well. Many of the specifics in these areas come in the next 60 to 120 days, as various agencies and cabinet-level positions received deadlines to create and issue the policies that will shift this executive order into reality and operation across the federal government and private sector. The next two to four months will be slammed for the government. After that, it will get that way for everyone else as we read, digest, and consider how we apply these items in our security and risk programs.
Excitement exists because this is a significant moment in the history of cybersecurity for the United States. However, history dictates that we avoid getting our hopes up too much. Flaws exist, and we explore those next — including all the possible ways this goes wrong.
Portions seem like a laundry list of technologies with a Zero Trust bumper sticker
As mentioned above, this is the first time that public policy has acknowledged that the current federal cybersecurity model is broken and outdated. These are the first steps that need to be taken, considering we have almost 30 years of data and ten years of highly damaging attacks confirming the obvious: The U.S. government is in the crosshairs of other countries, much like other governments are targeted by the U.S. We predicted that a government would formalize Zero Trust as a framework, and sure enough, it was the United States.
This executive order screams “We Need To Buy More Tech!” to solve the problem (e.g., endpoint detection and response is mentioned at least 12 times), but generally, buying more technology is the last item on the list of things that actually get problems solved. And even now, rumors of old “new” vendors entering the market are emerging. Some of those vendors represent the issues we should be running away from, not toward.
Today, most agencies and departments don’t have the budget for these items, the staff to run these tools, or the free time needed to implement any of them. If this winds up in the realm of most enterprise security product deployments — half deployments, shelfware, and only 30% of the features used — then all we’ve done is create a “government security vendor stimulus package.” We’re not sure that does anyone any good, except the investors and shareholders of those vendors. Real incentives that drive security transformation must exist at all levels of government for this to be successful. Security practitioners know that more controls for the sake of adding controls only add more complexity, not necessarily more or better security.
Guidance is still lacking on the entirety of the security lifecycle
Unfortunately, the National Institute of Standards and Technology (NIST) guidance needs to evolve heavily based on the technology reality we currently live in. The current guidance, which came out toward the end of last year, relies on being able to spot a bad actor within your environment, across tooling, using some form of high-efficacy anomaly detection. The security industry has been chasing this magical detection unicorn for years, and it’s still not there today.
This reference architecture brings value but needs to evolve and take into account the continued pains security pros face. NIST reference architectures need to be based on reality, and guidance needs to evolve to match what organizations implement to get to Zero Trust. Forrester has been writing about this and other practical guidance for years.
Zero Trust has (finally) hit the mainstream
Like that favorite underground band that finally drops a hit single on Spotify, Zero Trust has found its way into the mainstream. The Zero Trust approach will now have an impact on the way the U.S. secures its federal government. Forrester expects that adoption to expand globally and into corporate infrastructures.
The original article by Forrester’s vice president and principal analyst Jeff Pollard, analysts Steve Turner and Allie Mellen, and principal analyst Sandy Carielli is here.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto/Vacclav