Mary Kopczynski, CEO of RegAlytics, breaks down this week’s hot regulatory topics, exclusively for Exiger.
Today, we’re doing our first ever deep dive, where instead of giving you a quick glance at regulatory news, I’m going to talk about one thing. But don’t worry, we still reviewed the 20,166 alerts last week and hand-selected the most important ones you need to be aware of, included at the end of this blog post.
Executive Order 14028
Today’s focus is Executive Order 14028 on Improving the Nation’s Cybersecurity. Why is an executive order from May 12 of 2021 worth talking about today? Because it is the context for the flurry of new government contracting rules we are now under, rules that will take effort to meet as they come online, and that makes it important. In later deep dives, I will break each one of these down so you can completely understand what’s going on. But for now, let’s start with the why.
So where do we begin? I’m going to take us back to a time when the world was seemingly normal. September of 2019. Remember? We were enjoying the hustle and bustle of very full and busy lives. I do recall John Oliver making a “good riddance 2019” video ending with a dumpster fire. Little did we know what 2020 would have in store with the pandemic.
September 2019: SolarWinds Breach
But why September of 2019? Because back then we had no idea, but we do know now, that a group of Russian-sponsored hackers called Nobelium gained access to the SolarWinds network. SolarWinds is a major software company based in Tulsa, Oklahoma, which provides system management tools for network and infrastructure monitoring, and other technical services, to hundreds of thousands of organizations around the world. Among the company’s products is an IT performance monitoring system called Orion.
In October, the hackers injected a small test into Orion. It worked, so on February 20 they injected malicious code into Orion.
March 2020: SolarWinds Deploys Hacked Code
Fast forward to March of 2020: while all of us were in the process of walking away from our offices for what we believed was a few weeks, SolarWinds unknowingly started sending out Orion software updates containing the hacked code.
More than 18,000 companies were impacted, as were government agencies including Homeland Security, the State Department, Commerce and Treasury. It wasn’t detected until late 2020. The period during which the hackers had access without anyone knowing is called “dwell” time, and the average dwell time is 95 days. This 14-month window of dwell time was so huge that it’s still not fully confirmed today that the infection is over, given the potential of adversaries to mask their activity while in networks.
Executive Order 14028
The SolarWinds attack was the principal impetus for EO 14028, and it was meant to address some of the issues that made the federal government susceptible to the attack. This is by no means the first executive order on cyber, but it’s the one driving the action today.
In this order, it’s clear that – “incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”
There are three main requirements in the order, and all of them are affecting government agencies and contractors and others that work in security now.
Remove Barriers to Sharing Threat Information
First, the EO calls for a complete review of the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation (DFAR) in order to Remove Barriers to Sharing Threat Information. It’s a funny way of saying it, because the description talks about more than just removing barriers. It says Homeland Security and the OMB shall ensure, to the greatest extent possible, that service providers share data with agencies, CISA and the FBI.
Modernizing Federal Government Cybersecurity
The second part is about Modernizing Federal Government Cybersecurity — bringing these agencies up to Fortune 1000 standards. This includes zero trust architecture, multi-factor authentication and more.
Enhancing Software Supply Chain Security
The third part is what’s getting a lot of attention: Enhancing Software Supply Chain Security. Some of this you are already doing, like using multi-factor authentication, encrypting data, and monitoring trust relationships; but some of these requirements, like maintaining accurate and up-to-date data on the provenance of software code and components (aka a “Software Bill of Materials” or SBOM) and performing audits, you may not be.
Software Bill of Materials
So this is why your organization is going to have to change if you intend to stay a supplier to the U.S. government. And some of these requirements — for example, a Software Bill of Materials and a Hardware Bill of Materials — are where your relationship with Exiger is going to be of great use.
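To make the SBOM requirement concrete, here is an added example that is not part of the original post and not Exiger’s or SolarWinds’ code. It builds a constructed CycloneDX-style SBOM (the field names bomFormat, specVersion, components, purl, supplier and hashes follow the CycloneDX 1.4 JSON schema; the component names, vendors and artifact bytes are made up) and runs the kind of check a contractor would want before accepting an update: every component must carry a version, an origin identifier, a supplier and a hash, and the recorded hash must match the artifact actually shipped. The ARTIFACTS dictionary is an assumed stand-in for reading the package files from disk.

```python
import hashlib
import json

# Constructed stand-in for the distributed artifacts (package files). In a real
# check these bytes would be read from the files that were actually delivered.
ARTIFACTS = {
    "log-parser": b"constructed contents of the log-parser-1.8.0 package",
    "net-utils": b"constructed contents of the net-utils-0.4.2 package",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of an artifact, hex encoded as CycloneDX records it."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample SBOM. Field names follow the CycloneDX 1.4 JSON schema;
# the components, suppliers and versions are fictional.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application",
                               "name": "example-monitoring-agent",
                               "version": "2.3.1"}},
    "components": [
        {   # complete entry: version, origin (purl), supplier and a matching hash
            "type": "library", "name": "log-parser", "version": "1.8.0",
            "purl": "pkg:pypi/log-parser@1.8.0",
            "supplier": {"name": "Example Vendor A"},
            "hashes": [{"alg": "SHA-256",
                        "content": sha256_hex(ARTIFACTS["log-parser"])}],
        },
        {   # the hash recorded in the SBOM does not match the shipped artifact
            "type": "library", "name": "net-utils", "version": "0.4.2",
            "purl": "pkg:pypi/net-utils@0.4.2",
            "supplier": {"name": "Example Vendor A"},
            "hashes": [{"alg": "SHA-256", "content": "0" * 64}],
        },
        {   # no version, no purl, no hash: provenance cannot be established
            "type": "library", "name": "crypto-helper", "version": "",
            "supplier": {"name": "Example Vendor B"},
        },
    ],
})

# Provenance fields every component entry is expected to carry.
REQUIRED = ("version", "purl", "supplier", "hashes")


def check_sbom(sbom_json: str, artifacts: dict) -> dict:
    """Return {component name: [findings]} for components whose provenance data
    is missing or whose recorded SHA-256 differs from the artifact shipped.
    Components with no findings are omitted from the result."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    findings = {}
    for comp in sbom.get("components", []):
        name = comp.get("name", "<unnamed>")
        issues = [f"missing {field}" for field in REQUIRED if not comp.get(field)]
        recorded = next((h["content"] for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        # Only compare when we actually hold the shipped artifact for this component.
        if recorded and name in artifacts and recorded != sha256_hex(artifacts[name]):
            issues.append("SHA-256 mismatch with shipped artifact")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for component, issues in check_sbom(SAMPLE_SBOM, ARTIFACTS).items():
        print(f"{component}: {', '.join(issues)}")
```

Run as a script, it flags net-utils for the hash mismatch and crypto-helper for the missing version, origin and hash, while log-parser passes. The two failure modes are the ones the EO’s provenance language is aimed at: an SBOM that is incomplete tells you nothing about where a component came from, and an SBOM that is complete but stale (the recorded hash no longer matching what was delivered) is exactly the gap a tampered update slips through.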
We’ll cover all of this in later deep dives, but today is just the primer and the why. In our next deep dive, I’ll be talking about cyber incident reporting.