Dive Brief:
- On the one-year anniversary of the Executive Order on Improving the Nation’s Cybersecurity, industry experts say the Biden administration has made significant inroads in raising software security standards, but additional work and financial support are necessary to achieve security end goals.
- The Office of Management and Budget’s federal zero trust strategy enjoys almost unanimous support from federal cybersecurity decision makers, but two-thirds of them said the three-year timeline was unrealistic, according to a study from MeriTalk, sponsored by AWS, CrowdStrike and Zscaler. Just 14% of those surveyed believe the program is properly funded.
- Almost two-thirds of federal officials expect to achieve zero trust goals by the goal date of 2024, according to a separate study from General Dynamics Information Technology. However, many of those officials see significant challenges, including a lack of sufficient IT staff and the need to replace legacy infrastructure.
Dive Insight:
The White House issued the executive order last year following a series of supply chain and ransomware attacks, which raised serious questions over whether critical infrastructure and key government agencies could withstand attacks from sophisticated nation-states and criminal adversaries.
In the six months prior to the executive order, authorities discovered the SolarWinds attack, the Microsoft Exchange Server attack was uncovered, and a ransomware attack against Colonial Pipeline sent the East Coast reeling.
The Biden administration saw the executive order as a means of immediately taking steps to boost software security standards and to implement zero-trust standards across federal agencies. The hope was to encourage the private sector to exceed those standards through greater compliance.
“Continued work is needed to improve the nation’s cybersecurity and protect federal government networks, but the EO has taken ambitious steps to modernize national cyber defenses and establish action from across multiple entities, driving government and private sector coordination,” said Kelly Rozumalski, SVP, Booz Allen Hamilton, who leads the firm’s national cyber defense business, in an emailed statement.
Major software developers have expressed support for the EO and have taken steps to strengthen software security.
Microsoft sees the EO as a way to leverage “deeper collaboration between agencies and software providers,” Bret Arsenault, corporate vice president and CISO at Microsoft, said in a blog released Tuesday.
The company has made significant investments to enhance software security and boost transparency with the open source community, Arsenault said.
Key federal agencies have been credited with helping to improve baseline security standards. OMB and the National Institute of Standards and Technology have been very effective in creating requirements and supporting guidance to enhance software security, Dale Gardner, Gartner senior director analyst said.
Gardner cited the February publication of the Secure Software Development Framework by NIST. The framework outlines 14 high-level tasks across four secure development practices and establishes specific requirements for software vendors and internal agency development teams.
“The pressing challenge now falls to those creating software, and their need to actually implement and follow these requirements,” Gardner said.
SolarWinds fully supports the EO and has been collaborating with its federal customers to facilitate its implementation, according to Chip Daniels, head of government affairs at the company.
“After distilling and reflecting on the lessons we’ve learned over the last 18 months, we believe this public-private partnership is essential to meeting the cyberthreats that face us in today’s world,” Daniels said via email.
