President Biden has signed an Executive Order Charting New Course to Improve the Nation’s Cybersecurity and Protect Federal Government Networks, ushering in a massive shift for the U.S. government and its suppliers.
Here are some highlights of the new EO:
Focus on SBOM
The EO requires that products provide a software bill of materials (SBOM) to aid organizations in managing risk as they can quickly determine which vulnerable software components are included in their products.
When researchers discover new vulnerabilities in open source or other software components, security teams can quickly re-scan SBOMs and determine which products have these components to make fixing them a priority.
The Secretary of Commerce will publish the minimum elements for an SBOM in the next 60 days.
Supply Chain and Third-Party Risks
The EO includes the development of defined criteria to evaluate the safety practices of developers and suppliers and proposes a labeling system to identify those suppliers and products that have exceeded the baseline.
A Safety Board for Cybersecurity
The promises are to improve information sharing in both the public and private sectors and help organizations put in place adequate staffing, security technologies, and processes that matter.
Now, with the creation of the Cybersecurity Safety Review Board, information on critical cyber incidents is being made available and shared across industries, along with key recommendations on how another organization can avoid these threats.
Exchange of information between the Private and Public Sector
The EO also focuses on information sharing between the government and the private sector, including standardized response playbooks, reporting standards, detection, investigation, response, and elimination.
Various agencies and cabinet positions were given deadlines to draft and publish the guidelines for the federal government and the private sector.
FLAWS OF THE EO
In reality, most agencies and departments lack the budget, time, and staff to operate and implement these tools, which creates serious problems in implementing the new EO, leading to the truth that this will force many organizations and departments to simply buy more technology.
The current guidance, which has been published, relies heavily on being able to identify a bad actor through some type of anomaly detection with high effectiveness.
The guidelines of the National Institute of Standards and Technology (NIST) need to evolve and be based on reality in order to do justice to what organizations are actually implementing in order to gain zero trusts.
For more information, read the original story in Tech Republic.