There’s no particular reason for even data security and compliance professionals to remember anything about May 12, 2021. Still, it was a milestone: On that date, President Biden signed the Executive Order (EO) 14028, also known as "Improving the Nation's Cybersecurity; Transforming Government Through Technology-Driven Initiatives." The wordy mandate came after a slew of high-profile attacks on and around the national infrastructure, including the devastating Colonial Pipeline and SolarWinds breaches. More importantly, it signaled a new priority at the federal level and went a long way toward changing the data security and data privacy landscape.
Of course, even strongly worded presidential orders can take a long time to make a real difference. But in this case, perhaps in a bow to the rapid advances of this field, some aspects specifically had a one-year deadline, and many of the rest had a tone of urgency. It’s now been a little over a year—so what’s actually changed, as mandated by law, and what hasn’t?
It’s hard to get specific answers on everything, or even most things. But it appears that the need to strengthen security at the infrastructure level is at least breaking through.
First, a little context. Like many government initiatives, EO 14028 features sprawl: the list of required and recommended actions includes faster secure cloud adoption, adopting zero-trust architectures, multifactor authentication and data encryption, developing strategies for critical software design, retiring software products and platforms that don’t comply with revamped security standards, and more.
In fact, the overall goals are truly ambitious: improved transparency between the public and private sector; enhanced security in supply chain software development; the creation of a cybersecurity safety review board; the development of secure cloud adoption practices and guidelines; new endpoint detection and response systems; event logging requirements; the creation of Standard Operating Procedures for incident response, and so on.
That’s a lot—but before making any judgments, it's also important to understand the resources involved, and the challenges accompanying them. It’s estimated that the US government devoted $10.5 billion to software contracts alone in 2020, and $11.8 billion in 2021. A lot of that money goes to third parties, and this is key because the EO directs the existing Federal Acquisition Regulation (FAR) to be updated with heightened requirements to allow federal agencies to only purchase apps and platforms that meet the new standards.
This is already a huge obstacle. For example, a recent Department of Defense analysis shows that only one in four defense contractors meets the Pentagon's existing cybersecurity standards—and that’s even before the new mandate. Specifically, fully 75 percent of the 220 companies surveyed had failed to implement basic cybersecurity measures (and had to submit plans for repairing security weaknesses).
To nudge things along, the EO directs the National Institute of Standards and Technology (NIST) to issue the "Secure Software Development Framework (SSDF) and related guidance." For their part, many vendors and providers are already preparing for the updates to FAR: 76 percent of organizations surveyed by the Linux Foundation are ‘considering’ changes to comply with the executive order.
It’s easy to dismiss the concept of ‘considering,’ but it doesn’t change the bottom line. Either these companies want to keep doing business with federal agencies, or they don’t. The issue has gained enough momentum that vendors falling out of compliance will be noticed, and will lose sales.
In the broader sense, most technology vendors have some agility built into their DNA—it’s likely that, the DoD survey notwithstanding, at least some companies affected by this order began implementing redesign plans even before the new security requirements actually arrived. On a related note, the push for government agencies to move to the cloud means that many information management and archiving vendors in particular will find it challenging to comply with the new standards, especially if they still depend on legacy designs.
This is a necessary first step
Here's the best way to evaluate the current situation: Any executive order, no matter how sweeping, marks a snapshot in time. Meanwhile, the vitality of the technology discipline—with its unending torrent of new tools, new capabilities and new threats—means constant and ongoing progress rather than a single step forward.
So, yes, the Biden EO has surely made a difference in some areas, and will continue to positively affect cloud-based operations. The more nuanced reality is that, even with full implementation, the order is no more than a necessary first step; it will need to be updated regularly to stay ahead of evolving cyber-threats.
Rather than pegging any achievements to a particular date, the better option is to regularly evaluate the most critical issues. These include:
- Do the additional security requirements go far enough to address today's risks—and tomorrow's risks? What pressures have emerged in the past year that warrant more changes?
- What if critical software applications embedded within government agencies can’t be redesigned to meet the new provisions? Will the heightened requirements for security take a toll on other aspects of the operation?
- Finally, will state, local and education agencies chart a similar course with regard to security requirements for software purchases? Or will there be a growing chasm between the federal infrastructure and everything else?
Stay tuned. There’s no question that the federal government acknowledges the gravity of the situation. The strategy is being refined and adopted; now we need to stay focused on the execution.