What were your biggest takeaways from the Executive Order on Improving the Nation’s Cybersecurity? (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)
VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
Executive orders like this are there for guidance, generally. This one gives organizations that may not be focused on cybersecurity the incentive to get started. But companies that have already been in this space—especially in the tech sector—have a lot more to do. Our industry needs to have a real and candid conversation with providers. I can't balance multiple solutions in my fabric that are not handshaking together or increasing my transparency. We have to see transparency at both the data and application layers. This executive order will put pressure on open architecture between vendors so that they start to play together better. We're really going to need that.
CEO in Services (non-Government), Self-employed
When they issue executive orders, are they in a silo away from world trade? Because GM was making ventilators and PPE, and their huge facilities in Canada were also making that same PPE and shipping some of it across the border. The code that was used to program the machines to turn car parts into ventilator making was a government contract. It was an executive order under the war measures act. If there's a company that does business with the US federal government, would they be subjected to these rules and regulations because the procurement from the federal government touches them? I'm trying to figure out how these pieces fit together because it would probably impact 80% of tech companies, manufacturing companies and the electronics industry, including companies like Intel and IBM.
Senior Information Security Manager in Software, 501 - 1,000 employees
It is a good start, but way too high-level. It is also too reactive to the SolarWinds breach, in the same way that SOX was reactive to the Enron scandal. https://cybersec.cyolo.io/s/7-things-to-know-about-biden-s-cybersecurity-executive-order-1008
Reading it was like reading eight executive orders because there’s a policy section up front, a definition section at the bottom and then another administrative section. There was so much ground to cover. Pushing Zero Trust architecture was one piece, and another was modernizing the existing FedRAMP assessment program requiring cloud providers to be authorized. But there are also a couple sections about better incident response and forensics, and capturing better logs—being able to do a better job not just from an investigative perspective, but from an incident response perspective in terms of communication and sharing information.
FedRAMP is somewhat mature, and the short answer is: if you are selling a cloud service to the US federal government, yes, you need to use FedRAMP (that's been the case for a while).
There are exceptions, like if you only have one client (no reuse), but you'd still have to meet the NIST requirements it's based on. If you are selling a product that gets installed in a client's tenant (or data center), that is different as well. And as with anything in a government market, there's a lot of nuance (some agencies are much less particular about ATOs until they get audited themselves 😬).
Here’s a playbook from FedRAMP that might help - https://www.fedramp.gov/assets/resources/documents/CSP_Authorization_Playbook_Getting_Started_with_FedRAMP.pdf