Are there any major red flags in Biden’s executive order on cybersecurity?
I expected that there would be some mention of things like Reconfigurable Optical Add/Drop Multiplexer (RoadM) which splits the traffic into prioritized segments according to what would and would not be encrypted. For example, one level could be email: mission-critical information coming from suppliers or customers that might need to be encrypted. But the video of your next marketing campaign may not need the same level of encryption.
There are gaping holes in this executive order, some of which I can easily pinpoint: What happens to companies that are foreign-owned that sell to the US government? I couldn't find anything about it. In the world of manufacturing, you have cars with parts made in Mexico, Canada and the US, and those vehicles and parts go back and forth across borders. There are now up to 2 million lines of code that go with each car, and when they're all EV there will be up to 3 million. What happens there? That makes a huge difference to how I think corporations will start reacting to this.
That's a good question; it's not specified in there. And they ignored the whole defense industrial base too. That's why I suspect there is some level of politics involved in this order. But the Federal Risk and Authorization Management Program (FedRAMP), Cybersecurity Maturity Model Certification (CMMC) program, civilian agencies and Department of Defense (DOD) agencies don't seem to be talking to each other a whole lot. The CMMC wasn't even mentioned, and that's relatively new. They talked about Homeland Security and the General Services Administration (GSA), which is FedRAMP. I think DOD was referenced in the procurement requirements, but they didn't even mention this other program.

When I wrote a quick blog article on this (https://www.schellman.com/blog/schellman-first-take-on-cybersecurity-executive-order), I focused on modernizing federal cybersecurity, software security and the supply chain because they were most relevant to my day job. Section 4, “Enhancing Software Supply Chain Security”, is where most of the net-new concepts are presented. Rather than propose improvements, it details areas the government hasn't gone after before. Now, if you're a software provider, you'll have to go through an authorization system that's still unnamed. It shouldn't be a certification program, but in the summary press release they call it an Energy Star stamp. All of the good practices that we talk about are highlighted: code review, static/dynamic code analysis, testing, separate environments for testing, etc.