What were your biggest takeaways from the Executive Order on Improving the Nation’s Cybersecurity? (https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/)

2.7k views2 Upvotes6 Comments

CISO in Software, 51 - 200 employees
I don't understand the executive order that Biden put out. I tried to read through it to find out if I can sell my product without being Federal Risk and Authorization Management Program (FedRAMP) certified. Is that part of the executive order? Is it like an emergency authorization for Pfizer and those drugs?
2 2 Replies
President and National Managing Principal in Software, 501 - 1,000 employees

Reading it was like reading eight executive orders because there’s a policy section up front, a definition section at the bottom and then another administrative section. There was so much ground to cover. Pushing Zero Trust architecture was one piece, and another was modernizing the existing FedRAMP assessment program requiring cloud providers to be authorized. But there are also a couple sections about better incident response and forensics, and capturing better logs—being able to do a better job not just from an investigative perspective, but from an incident response perspective in terms of communication and sharing information.

Senior Director, Defense Programs in Software, 5,001 - 10,000 employees

FedRAMP is somewhat mature and short answer if you are selling a cloud service to the US federal government, yes, you need to use FedRAMP (that’s been the case for a while).

There are exceptions like you only have one client (no reuse), but you’d still have to meet the NIST requirements it’s based on. If you are selling a product that gets installed in a client’s tenant (or data center), that is different as well. And as anything in a government market, there’s a lot of nuance (some agencies are much less particular about ATOs until they get audited themselves 😬).

Here’s a playbook from FedRAMP that might help - https://www.fedramp.gov/assets/resources/documents/CSP_Authorization_Playbook_Getting_Started_with_FedRAMP.pdf

VP, Chief Security & Compliance Officer in Software, 1,001 - 5,000 employees
Executive orders like this are there for guidance, generally. This one gives organizations that may not be focused on cybersecurity the incentive to get started. But companies that have already been in this space—especially in the tech sector—have a lot more to do.

Our industry needs to have a real and candid conversation with providers. I can't balance multiple solutions in my fabric that are not handshaking together or increasing my transparency. We have to see transparency at both the data and application layers. This executive order will put pressure on open architecture between vendors so that they start to play together better. We're really going to need that.
CEO in Services (non-Government), Self-employed
When they issue executive orders, are they in a silo away from world trade? Because GM was making ventilators and PPE, and their huge facilities in Canada were also making that same PPE and shipping some of it across the border. The code that was used to program the machines to turn car parks into ventilator making was a government contract. It was an executive order under the war measures act. If there’s a company that does business with the US federal government, would they be subjected to these rules and regulations because the procurement from the federal government touches them? I'm trying to figure out how these pieces fit together because it would probably impact 80% of tech companies, manufacturing companies and the electronics industry, including companies like Intel and IBM.
Senior Information Security Manager in Software, 501 - 1,000 employees
It is a good start, but way too high-level. It is also too reactive to the SolarWinds breach, in the same way that SoX was reactive to the Enron scandal.



Content you might like

Senior Director, Technology Solutions and Analytics in Telecommunication, 51 - 200 employees
Palantir Foundry
Read More Comments
6k views15 Upvotes48 Comments


Yes, but not enough, we want/need to ramp up39%


No, but I expect this will change soon6%


1.7k views1 Upvote1 Comment

We provide company-wide training57%

We only train certain departments/roles32%

We have a targeted individual training approach.9%

I am unsure how we handle security training.3%