Securing the Digital World

Identity and the U.S. Government Cybersecurity Executive Order

Jun 28, 2021 | by Steve Schmalz |
Flag of the United States of America

In May, President Biden released an Executive Order on Improving the Nation’s Cybersecurity. The order provides timely, practical and important guidance on how public agencies can protect their data and continue delivering the vital services that all Americans rely on.

Given the number of significant breaches that have affected both the public and private sectors— including the SolarWinds supply chain attack, the exploitation of U.S. AID’s email vendor, and the Colonial Pipeline ransomware attack— it’s more important than ever that organizations harden their defenses.

The order represents an important starting point for public sector agencies to secure their technology, protect their personnel, and ensure that they can pursue their missions. Some of the highest-value new requirements address how the government can realize the value of zero trust, accelerate cloud identity security, and effectively institute multi-factor authentication (MFA).

Zero trust and identity security

Zero trust is one of the buzziest phrases in information security. The executive order does a good job of summarizing what it should mean: “a set of design principles” that “eliminates implicit trust in any one element,” and “allows users full access...only to the bare minimum they need to perform their jobs.”

For the purposes of implementation, the order has a much narrower interpretation of zero trust: it directs government agencies to “move closer to Zero Trust architecture,” likely as defined by NIST’s network architecture framework.

Although NIST’s framework is network-focused, identity, governances, access, and authentication solutions still play major roles in advancing zero trust by providing the supporting infrastructure necessary to effectively implement the core zero trust network components.

In fact, identity and access management (IAM) and identity and access governance (IGA) solutions have been preparing for “zero trust” since long before the term existed: it’s those capabilities that allow hybrid workforces to function when they’re working remotely. (Not coincidentally, ”zero trust” trended on InfoSec twitter just as businesses everywhere entered lockdown).

Likewise, the order’s definition of Zero Trust Architecture notes the need for “granular risk-based access controls…where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources.” To institute that granularity, public sector agencies need visibility into and control over access to their applications, systems, and data.

Finally, one of the best ways for government agencies to implement it is to identify the critical systems needed to pursue their mission. Risk-based approaches help prioritize “must-have” systems by making access requirements tougher based on the criticality of the request.

Accelerating cloud identity security

The Federal Risk Authorization Management Program (FedRAMP) provides a framework to evaluate and then authorize a vendor’s cloud security offering for use by a sponsoring Agency. FedRAMP allows agencies to extend their on-premise FISMA security posture to the cloud while gaining all the benefits of a cloud security offering.

For vendors and government assessors, processes like FedRAMP have to balance rigorous evaluation with the time required to build out and innovate solutions to address evolving threats.

President Biden’s recent executive order “modernizing” FedRAMP and its “compliance frameworks” will help improve that balance: it will give government agencies the assurance they need that a given solution works and allow them to institute vetted controls even faster, securing their cloud environment.

Moreover, the order will give security teams more time to develop, adapt, and expand their solutions to stay ahead of threat actors. Finally, by adjusting FedRAMP’s review process, the government will spur greater competition and innovation—helping to increase taxpayer value.

In February, the FedRAMP Joint Authorization Board prioritized SecurID Access for a slot to achieve a Provisional Authorization to Operate. That news followed the November 2020 announcement that the U.S. Census Bureau is supporting SecurID Access for FedRAMP authorization. Together, these announcements validated SecurID Access and underscored its value for governmental agencies. SecurID expects an update on its FedRAMP application soon. 

Multi-factor authentication and encryption

The order calls on federal agencies to adopt “multifactor authentication and encryption of data at rest and in transit.”

The intent behind this is rock-solid advice. Instituting MFA is one of the highest-value ways that any organization can protect itself. Ransomware and other hacks begin as access issues: someone obtains unauthorized access, then exploits it. The Colonial Pipeline ransomware attack began when hackers breached the company’s networks through a virtual private network (VPN) that was no longer in active use and wasn’t protected by MFA. Encrypting data is another component of basic cyber hygiene.  

But the wording is important: agencies should use MFA to restrict usage and access. Separately, they should encrypt data at rest and in motion. Putting MFA and “encryption” together in the same sentence, as worded, complicates what should be practical and effective recommendations.

This isn’t nit-picking. Instead, it’s an important distinction. The wording of the order will affect implementation. The government must sort out its requirements to ensure a larger number of successful deployments of both MFA and encryption.  

Ultimately, implementing these recommendations effectively will go a long way in securing the public sector and ensuring that cybersecurity businesses do their part to mitigate the impacts of hacks. Likewise, the order’s call for organizations to share threat intelligence with one another can help us prepare for or prevent the next attack.