On May 12, 2021, President Biden signed an executive order calling on federal agencies to improve their cybersecurity practices. Following the recent SolarWinds and Colonial Pipeline attacks, it is clear that security incidents can severely impact the economy and civilians' day-to-day lives and that cybersecurity needs to be a high-priority issue.
We encourage you to read the full executive order. In this post, we’ll summarize the key takeaways of the executive order and highlight the areas that we feel are most relevant to the DevSecOps space.
From a high level, the executive order includes several core statements:
- Cybersecurity is a top priority and future government contracts will require agencies and vendors to work more closely with each other and share more security-related information.
- Supply-chain security, security monitoring and operations, and endpoint detection and response (EDR) are becoming increasingly important.
- Federal agencies will continue moving to cloud services with adherence to Zero-Trust architecture, which includes the use of multi-factor authentication (MFA) and encryption of data at rest and in transit.
- Agencies will continue using and investing resources in FedRAMP.
- Agencies will begin implementing steps toward cross-agency vulnerability detection and incident response.
With these points in mind, we’ll look at each of the executive order’s sections in more detail.
The administration made it clear that cybersecurity is a top priority and essential to national and economic security. They strongly encourage partnership between the public and private sectors to create a more secure cyberspace. Additionally, all federal information systems should meet the standards and requirements that the executive order lists.
A key part of improving incident detection and response is removing contractual barriers with service providers—such as the major cloud providers—that prevent or limit the sharing of information relevant to the security of federal information systems.
As cloud adoption accelerates, information systems have become more connected and the technology stack has become more modular—each component is actually composed of smaller parts that can be owned by many different service providers. In order to act with clarity and conduct effective security incident investigations, the administration will need to remove legal barriers that would hinder the ability to get visibility across all of these tools.
This section lays out requirements that will likely be included in future federal agency–issued contracts for products and services. Government vendors must:
- Collect and store data relevant to security prevention, detection, response, and investigation
- Share data about security incidents and threat intelligence with contracted agencies
- Collaborate with federal cybersecurity agencies in investigations and incident response
- Promptly report cyber incidents to contracted agencies and the Cybersecurity and Infrastructure Security Agency (CISA)
This section emphasizes the urgency of improving the government’s security posture and lays out several key steps that federal agencies must take to do so. These include:
- Continuing to implement Zero Trust Architecture
- Fully adopting multi-factor authentication (MFA) and encryption of data at rest and in transit
- Accelerating adoption of secure cloud services, including infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS)
The spirit of the executive order encourages agencies to continue their cloud adoption journey—with a particular emphasis on security best practices—and to keep seeing cost savings and operational benefits as a result.
Fully adopting MFA, for example, will allow agencies to better restrict access to their newly adopted cloud services. SMS and authenticator apps are frequently used to implement multi-factor authentication, but some companies like Datadog also leverage a physical authentication factor (e.g., a YubiKey) to better protect against phishing. To learn more about how Datadog used YubiKeys to fully adopt MFA across our entire workforce, read this Yubico case study.
In addition, the CISA, the Office of Management and Budget (OMB), the National Security Advisor, and the General Services Administration’s (GSA) FedRAMP Program Management Office will form requirements for cloud service providers to be included in the modernization efforts. FedRAMP authorization will be an integral part moving forward, and there will be an effort to streamline FedRAMP authorization by providing additional training, standardization, and automation (which already began with the publication of the Open Security Controls Assessment Language).
The FedRAMP Program Management Office will also review other compliance frameworks as potential substitutes for aspects of FedRAMP authorization, which should allow for more flexibility in meeting some FedRAMP requirements. This should also allow agencies to choose from a greater number of approved IaaS, PaaS, and SaaS solutions, such as Datadog, to help them modernize and build new services.
Over the past decade, more services have migrated to the cloud, software complexity and delivery pace have increased, and reliance on third-party software packages and tools has become commonplace. This shift requires us to make additional investments to ensure that every component of our supply chain is secure, from the initial build all the way to the user-facing product.
The SolarWinds attack, which has been attributed to Russia, impacted nine federal agencies as well as other vendors that work with the federal government, such as Microsoft and Intel. The length and impact of this cyberattack and espionage campaign caught the government unprepared. Now, the government is taking steps to prevent and mitigate future supply-chain attacks.
The National Institute of Standards and Technology (NIST) is partnering with FedRAMP PMO to provide guidance for securing supply chains, including:
- Use of separate environments for development and production
- Use of multi-factor and risk-based authentication
- Use of encryption across the board
- Responding quickly to incidents by implementing effective monitoring (i.e., automated alerts)
To help monitor the security of your supply chain, the Datadog Cloud Security Platform delivers real-time threat detection and continuous configuration audits across applications, hosts, containers, and cloud infrastructure. Datadog automatically detects MFA and encryption misconfigurations and lets you immediately initiate a response through out-of-the-box integrations.
In order for the end customer to leverage a product in a secure way and to understand the additional security risk associated with using that product, vendors will make software bills of material (SBOM) and vulnerability disclosures available to agencies. The Secretary of Commerce has published minimum requirements for the SBOM. In alignment with this guidance, you can read our engineering blog post to learn about the pioneering work Datadog has done to secure its supply chain from SolarWinds-style attacks—and how you may apply it to your own supply chain.
The Department of Homeland Security (DHS) will establish a Cyber Safety Review Board, with board members from the Department of Defense (DoD), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Department of Justice (DOJ), CISA, and private-sector cybersecurity and software suppliers. The purpose of this board is to convene in the event of significant cybersecurity incidents and assess recommended steps for the administration’s response.
Section 6: Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
We believe that one of the administration’s primary goals is to have a centralized overview of vulnerabilities and incidents across all agencies. In the case of another incident like the SolarWinds attack, this unified visibility will allow the government to coordinate remediation and investigation efforts across agencies faster and more effectively.
To that end, the executive order requires that agencies standardize the way in which they identify, remediate, and recover from vulnerabilities and incidents. DHS will lead this effort in collaboration with other agencies and create a playbook for vulnerability and incident response activities.
Section 7: Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
Mean time to detection (MTTD) is a key performance indicator that security professionals track when evaluating the effectiveness of incident detection and response. Early detection can help contain and reduce the impact of cyber incidents. In order to strengthen agencies' early-detection capabilities, the federal government will issue recommendations for increasing visibility and threat detection across government networks and endpoints. Agencies will also be required to execute an endpoint detection and response (EDR) initiative and proactively hunt for threats.
Agencies and public sector partners can leverage Datadog to hunt threats across their environment. The Cloud Security Platform is built on top of Datadog’s observability platform, which facilitates seamless collaboration between Security and DevOps teams and aligns them to shared organizational goals. If you’d like to learn more about how Datadog can help you proactively identify threats in authentication logs, read our blog post.
Logs are an invaluable data source for security investigations. The director of the OMB will publish requirements to ensure that agencies implement specific logging and log management processes. These will define what events should be logged, the required log retention period, and the appropriate cryptographic protections for logs.
The executive order’s recommendations and requirements apply primarily to agencies under the Federal Civilian Executive Branch (FCEB). However, the order also requires the DoD and intelligence agencies—which have unique cybersecurity-related concerns—to come up with requirements that are equivalent to or exceeding those in the order. These agencies are expected to formalize these requirements in a future National Security Memorandum.
This executive order establishes a new baseline for agencies' cybersecurity requirements. We anticipate that we will continue to receive new guidance with further specifications, similar to what we’ve already seen in the ransomware memorandum that was recently issued by the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology.
The administration has made it clear that improving the cybersecurity of the nation is a high priority, and we look forward to continuing to support the public sector and partners in the adoption of the cloud and enhancement of their cybersecurity capabilities.