What the Biden Administration’s Executive Order Means for Cybersecurity and Third-Party Risk


The Biden Administration is prioritizing the nation’s cybersecurity with an executive order to modernize cybersecurity defenses and protect federal networks. The order, which was set in motion to defend against mounting cybersecurity attacks on US critical infrastructure, outlines voluntary and mandated measures for organizations to bolster their defenses. President Biden signed the order into effect on May 12, 2021, forcing organizations to consider cybersecurity throughout their supply chain and within their vendor population.  

In late August 2021, private sector leaders announced ambitious initiatives in conjunction with Biden’s executive order to improve the nation’s cybersecurity. The administration will collaborate with the National Institute of Standards and Technology (NIST) to develop a new framework to improve the security of the technology supply chain. Further, tech giants like Apple, Google, Microsoft and IBM rolled out plans to invest heavily in cybersecurity programs that will increase transparency throughout their supply chains. These commitments shine a light on the emerging national cybersecurity effort and raise the question of what opportunities your organization should take to address internal and external cybersecurity risks.

Key Points of the New Executive Order on Cybersecurity

The Biden administration has made it clear that cybersecurity is a national security and economic imperative. The executive order will enact the following initiatives with a 100-day plan:  

  • Remove barriers to threat information sharing between government and the private sector: IT service providers can share information about data breaches with the government. Contractual obligations have prevented this from happening in the past. 
  • Modernize and implement stronger cybersecurity standards in the federal government: Outdated security models and unencrypted data are to be replaced by secure cloud services, zero-trust architecture, mandated multifactor authentication and data encryption. 
  • Improve software supply chain security: Vulnerabilities in software will be addressed with baseline security standards for the development of software sold to the government, requiring developers to maintain greater visibility into their software and making it available to the public. 
  • Establish a Cybersecurity Safety Review Board: A Cybersecurity Safety Review Board will be established to provide analysis and improvement recommendations following a breach. The board will be co-chaired by government and private sector leads.
  • Create a standard playbook for responding to cybersecurity incidents: A standardized playbook and set of definitions for cyber incident response by federal departments and agencies will be created.  
  • Improve detection of cybersecurity incidents on federal government networks: The ability to detect malicious activity on federal government networks will be improved with a government-wide endpoint detection and response system. 
  • Improve investigative and remediation capabilities: Cybersecurity event log requirements are created for federal departments and agencies.  

Address Internal and External Cybersecurity Risks to Prepare for New Standards

The growing attention to cybersecurity improvements nationwide gives organizations an opportunity to address their internal and external cybersecurity risks. In fact, organizations will need to address these risks to meet emerging requirements. This process starts with identifying internal cybersecurity practices, policies and controls, as well as those of their third parties.   

To prepare for the new expectations set by the executive order, your organization should address any vulnerabilities in your current cybersecurity program. High-value assets and the security controls that protect them should be assessed, and ownership of these items should be established to facilitate enterprise-wide integration of cybersecurity initiatives. Your organization should also review what data and applications your third parties can access in order to understand the risks they introduce.

Further, given the increased sharing of data and IT infrastructure, organizations will need to ensure that their vendors are secure. Vendor risk management processes should be buttoned up to gain a real sense of visibility into your organization’s vendor population. Current third-party risk workflows such as vendor risk assessments and due diligence should be evaluated for their effectiveness in scrutinizing a vendor’s cybersecurity posture. Vendor contracts may need to be reviewed to reflect new requirements. 

Lastly, organizations that seek to sell software to the government will need to be exceedingly stringent in assessing their security. The executive order aims to put all government infrastructure under the microscope to improve security, which implies extremely thorough software reviews. Organizations contracted by the government will need to prove the security of both their own organization and their vendor population.

Gain Insight into Third-Party Cyber Risk with ProcessUnity Cybersecurity Program Management

The new standards for nationwide cybersecurity have been set – now it’s up to your organization to take the steps necessary to address cyber risk throughout your vendor population. ProcessUnity Cybersecurity Program Management offers a single, comprehensive platform for centrally managing an organization’s entire cybersecurity program with prepackaged mapped content, automated workflows, assessments and dynamic reporting. To learn more about how ProcessUnity Cybersecurity Program Management can support your organization during the cybersecurity changes to come, request a demo today.