EO Gives Momentum to Federal Cloud Movement
President Joe Biden’s cybersecurity executive order (see 2105130065) will boost the federal government’s reliance on cloud services and information sharing, experts told us. The EO directs federal civilian agencies to “accelerate movement to secure cloud services,” including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). Within 90 days, the OMB director will develop a federal cloud-security strategy with guidance to agencies, in consultation with the Cybersecurity and Infrastructure Security Agency and the General Services administrator through the Federal Risk and Authorization Management Program (FedRAMP).
“It’s time for federal agencies to openly move to the cloud,” said Accurics Chief Technology Officer Om Moolchandani.
“That’s really the best way for the government” to secure data, said RedSeal Federal Chief Technology Officer Wayne Lloyd. He expects the EO to drag agencies “kicking and screaming” into the cloud: “It’s something that’s long overdue,” from which the commercial sector has long seen the benefits.
FedRAMP shifted government toward cloud services, and the EO increases momentum, said Seyfarth Shaw’s Paul Ferrillo. The most immediate real-world impacts of the EO are the information sharing and security concepts for entities serving the government, said Ferrillo. “It’ll force more information-sharing, more security, more thought on cybersecurity. If you don’t change the paradigm and it’s all about security, then we don’t change anything.”
The call for an increase in information-sharing can lead to “impactful change,” said CompTIA Executive Director-Information Sharing and Analysis Organization MJ Shoer. Information-sharing on threats, techniques and procedures (TTPs) should be extended into the private sector, he said: “Any specific information around threat activity -- that needs to be shared in as close to real time as possible between parties.” The EO is a “step in the right direction,” and there were missed opportunities in signals for the private sector, he added.
The order includes new North American Electric Reliability Corp. (NERC) critical infrastructure protection (CIP) reporting standards for critical infrastructure and information technology protection, said Moolchandani: The new standards will have a “massive” impact because NERC CIP is considered “one of the most difficult compliance standards to achieve.” There could be “resistance” because they aren’t easy, and it shows government is now “very serious” about critical infrastructure and IT security, he added.
The new standards will involve security audits of documented architecture and a review of practices, said New America international security fellow Tarah Wheeler: Agencies need to deliver such documentation within 90 days of the order. If they’re not working on the second draft of their white papers, “they’re probably behind the curve for getting it out the door on time,” she added.
The consumer labeling program, led by the Commerce Department, National Institute of Standards and Technology and the FTC, looks very much like a software bill of materials for consumers, said Wheeler: It will provide technical information simplified for consumers so they can understand the security of suppliers, devices and components. If companies are manufacturing IoT devices, they should be aware of the consumer labeling program, said Lloyd. Ferrillo called this a “long-term strategy,” noting NIST has been discussing it for two years.