Difference between revisions of "Executive Order on Cybersecurity"

From MgmtWiki
Jump to: navigation, search
(Buzz Word Bingo)
(Buzz Word Bingo)
Line 20: Line 20:
 
* Critical software aka admin or sudo access.
 
* Critical software aka admin or sudo access.
 
* security and integrity of the software supply change (esp. wrt "critical software")
 
* security and integrity of the software supply change (esp. wrt "critical software")
** Such guidance shall include standards, procedures, or criteria regarding:  
+
** Such guidance shall include standards, procedures, or criteria regarding: (note in particular the SBOM)
 
           (i)    secure software development environments, including such actions as:
 
           (i)    secure software development environments, including such actions as:
 
               (A)  using administratively separate build environments;
 
               (A)  using administratively separate build environments;

Revision as of 21:46, 12 May 2021

Full Title or Meme

Executive Order on Improving the Nation’s Cybersecurity from Joseph Biden on 2021-05-12

Context

  • Issued days after the Colonial Pipeline carrying 45% of the East Coast's fuel was shut down after a ransomware attack compromised their computer systems which threatened the security of the pipeline.

Problem

"The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.."

  • The US has been treating cybersecurity as an offensive weapon and not addressing defense of the country, only of the military assets.
  • In this order and in previous reports from the government, it is stated that barriers exist to sharing information. But they never admit that the federal government will not share threats that they find in software with the manufactures of that software.
  • The order continues to push the problem that they have created by building offensive cryber weapons on the private section which is now being attacked by the very weapons that the US government has created or discovered.

Buzz Word Bingo

  • Zero trust architecture as defined by NIST
  • Software as a Service SaaS (aka Cloud Technology)
  • Cloud-service governance framework (a range of services and protections available to agencies based on incident severity.
  • Multi-factor AuthN
  • data at rest and in transit --- ENCRYPTION
  • Critical software aka admin or sudo access.
  • security and integrity of the software supply change (esp. wrt "critical software")
    • Such guidance shall include standards, procedures, or criteria regarding: (note in particular the SBOM)
         (i)     secure software development environments, including such actions as:
             (A)  using administratively separate build environments;
             (B)  auditing trust relationships;
             (C)  establishing multi-factor, risk-based authentication and conditional access across the enterprise;
             (D)  documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
             (E)  employing encryption for data; and
             (F)  monitoring operations and alerts and responding to attempted and actual cyber incidents;
         (ii)    generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section; 
         (iii)   employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
         (iv)    employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;
         (v)     providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated;
         (vi)    maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;
         (vii)   providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
         (viii)  participating in a vulnerability disclosure program that includes a reporting and disclosure process;
         (ix)    attesting to conformity with secure software development practices; and
         (x)     ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.

References