
Strengthening the U.S. Government Supply Chain: Cybersecurity under Executive Order 14028


U.S. government agencies have a reputation for occasionally clinging to outdated technology. Some illustrative examples include the U.S. Department of Defense (DoD) paying Microsoft $9 million to continue supporting the defunct Windows XP in 2015 and a U.S. Government Accountability Office (GAO) report from 2019 documenting multiple agencies using legacy systems with 8- to 50-year-old components. In its findings, the GAO unsurprisingly concluded that such legacy systems, which use outdated or unsupported software languages and hardware, pose a cybersecurity risk.

In the wake of the SolarWinds, Microsoft Exchange, and Colonial Pipeline security incidents that impacted U.S. government agencies and/or U.S. critical infrastructure, President Biden issued Executive Order 14028 to update minimum cybersecurity standards for all software sold to the federal government and throughout the supply chain.

Existing Requirements under FedRAMP, DFARS, and CMMC

The new obligations arising out of Executive Order 14028 add to existing security regulations for certain government contractors and subcontractors.

The Federal Risk and Authorization Management Program (FedRAMP) oversees the safe provisioning of cloud products and services from a Cloud Service Provider (CSP) to any government agency. As part of the FedRAMP authorization process, an accredited Third-Party Assessment Organization (3PAO) assesses the CSP’s controls under NIST SP 800-53, a security framework for federal government information systems. The 3PAO also assesses additional controls above the NIST baseline that are unique to cloud computing.

Contractors who supply products or services specifically to the DoD are subject to the Defense Federal Acquisition Regulation Supplement (DFARS). The DFARS standards require compliance with fourteen groups of cybersecurity requirements under NIST SP 800-171, meant to protect Controlled Unclassified Information (CUI).

In November 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC) framework, which builds upon DFARS. Contractors undergo an audit by a CMMC Third Party Assessment Organization (C3PAO), which issues a certification for the contractors’ assessed cybersecurity maturity level. The certification ranges from CMMC Level 1, indicating a low, ad-hoc maturity, to CMMC Level 5, indicating a high, optimized maturity. As contractors progress further up the DoD supply chain, all the way to prime contractors (those working directly with the DoD), the DoD scales its requirements so that those contractors must meet higher certification levels. Meeting all DFARS controls and 110 controls in NIST SP 800-171 roughly correlates to CMMC Level 3.

Cybersecurity Requirements of Executive Order 14028

Against this foundation of existing security standards, President Biden signed Executive Order 14028. The executive order lays out a plan for several government agencies and actors, such as the Attorney General, Secretary of Defense, and Secretary of Homeland Security, to review the existing regulations, such as DFARS, and recommend updates. The newly proposed policy updates can be broadly categorized into several unofficial buckets:

Vendor/Supply Chain Management

  • Review DFARS contract requirements and recommend updates to ensure that service providers can share cyber incident data with the agencies they have contracted with.

Identification and Authentication

  • Implement Zero Trust Architecture (never trust a user based on their location or asset ownership, always verify the user’s identity).
  • Mandate multifactor authentication (requiring additional authentication steps beyond a password).
  • Mandate encryption for data at rest and in transit.

Transparency and Disclosures

  • Publish summary information on the use of automated tools for verifying source code and vulnerability scanning.
  • Provide a Software Bill of Materials (SBOM) (inventory of components in software).
  • Initiate a consumer label program (similar to the “Energy Star” labeling program) to display a device or software’s assessed cybersecurity level.

Audit and Accountability

  • Establish a Cyber Safety Review Board to oversee significant cyber incidents.

Incident Response

  • Create an SOP playbook for cyber incident response by federal agencies.
  • Deploy a government-wide endpoint detection and response system.
  • Maintain cybersecurity event logs.

Cybersecurity Moving Forward

Security works hand in hand with privacy to protect data. While California and Virginia have passed consumer privacy laws in recent years (with some states’ privacy laws in the pipeline), other states have released their own cybersecurity standards (e.g., “NYDFS Cybersecurity Requirements,” 23 NYCRR 500; NY SHIELD Act, N.Y. Gen. Bus. Law § 899-bb; Mass. Gen. Laws 201 CMR 17.00).

While there have been many proposed federal privacy laws to standardize the patchwork of state privacy laws, the U.S. federal government has stalled in its efforts to regulate cybersecurity across multiple states and sectors (beyond the Federal Trade Commission’s current enforcement powers under the FTC Act). The reach of the government supply chain is long, however, and these new requirements may impose de facto standards across the country.

Consequently, all vendors should consider government cybersecurity requirements when investing in information security, and luckily there is substantial overlap amongst all of the frameworks with respect to security controls. End-to-end encryption in storage and transit, multi-factor user authentication, and access controls are all basic components of any cybersecurity framework. By investing in one control to address one framework, a vendor will be able to leverage the same control for many other frameworks.