The long awaited Cybersecurity Executive Order was released yesterday. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
I had some initial thoughts on the order. There is a tremendous amount to unpack in the order. My focus is on the elements impacting Federal Departments and Agencies. My opinions here are informed by my experience in agencies as someone who would have to actually implement these changes.
The Good — of which there is quite a bit:
The focus on acquisition and using the FAR to improve cybersecurity is very smart and critical to change long term. I can speak from experience that this will require not just changes to the FAR but enforcement of those changes across ALL Federal spending. FITARA has shown us that there is a tremendous amount of Federal IT spending that goes under the radar.
The inclusion of Zero Trust focus is a big deal. I appreciated this because it is not just a reactionary effort or catch up, it is moving toward the future.
The broad push towards the cloud, multi-factor on all systems, and the importance of logs in threat hunting and response are much needed areas of technical emphasis and these will all have dramatic impact on improving cybersecurity in the Federal enterprise.
This is good news for cybersecurity enhancement even if you are not involved in Federal IT — because the Federal government is a huge IT customer, many of these changes for the good will flow down to consumers and small business.
There are a lot of cooks in the kitchen in this EO, and as a result it fails to emphasize who owns ultimately outcomes in some areas. Most importantly, it does not acknowledge that agency leaders ultimately own outcomes for their organizations — that is where implementation will happen. They are responsible for resource management and culture change needed to sustainably improve cybersecurity in Departments and Agencies.
Also missing was focus on the broken Federal Authorization to Operate (ATO) process. It is far too slow, and often a compliance exercise that once completed is not revisited in a meaningful way for years. I believe this EO would have been a great spot to push the move towards a continuous monitoring model.
There is focus on FedRAMP, but it misses the bottom line that FedRAMP needs more resources. It is often taking a year or more for FedRAMP approval, which is slowing down access to innovation and limiting options to accelerate the move to the cloud.
The document is extremely tactical, with little emphasis on a broader strategic view of where we are going on cybersecurity in the Federal government. Federal cybersecurity has become far too dependent on sprints, but sustainable cybersecurity is a marathon.
I think that is most clearly shown by the fact that the word risk is only mentioned 15 times in the order, and never in the context of risk management. Many of the various tactical cybersecurity activities in the order are excellent steps and important, but no one, not even the Federal government, has unlimited resources.
Cybersecurity is ultimately about making informed and intentional choices based on risks, resources, and mission. That fundamental premise is not represented in the order and it is going to be the real challenge for those who have to make tough resource choices at Departments and Agencies.
Beyond timelines, the order is missing goals, outcomes, and metrics — how will we measure the results in lowered risk?
Finally, as a former Federal CIO, I notice a major focus on what Departments and Agencies must do or provide to DHS, the FBI and others. Left unaddressed — what do DHS, the FBI, and other Federal organizations owe back to Departments and Agencies? Will incident responses be slowed down due to law enforcement investigations? I have seen that happen. Can we ensure that DHS resource decisions are driven by their customer needs and requirements?
I believe that many of these risk management and resource allocation decisions must be bottom-up driven, not centralized and top-down. The risk and missions of the Federal government are too broad and diverse for a few people in a room to make all the decisions. I hope that the steps in this order will succeed, and the best way for that to happen is to be inclusive of the input from folks who will have to implement these measures on the ground.