Help Me With HIPAA - EP 306 "6 Points In Cyber Executive Order"

[10:23] The recently signed Executive Order on Improving the Nation’s Cybersecurity has some interesting plans included in it. Here are our top 6 thoughts on what we see in the Order’s directives.

1 – The policy statement itself has some text that is important to note.

The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy. The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors. The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned. But cybersecurity requires more than government action. Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life. The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).

It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.

It is a welcome site to see some of those statements in policy directives. The question will be what actually gets done on this list. None of those statements are wrong, but we have been trying to get many of these things done for years and the list keeps growing the longer it takes to get the ball rolling.

2 – Information sharing contract updates

[16:56] A lot of information about cybersecurity findings and attack methods isn’t being shared so that everyone can benefit from the incident to improve their protections. According to a lot of folks, that has to do with contracts in place that set limits on information that can be shared.

The directive is for all the lawyers and cyber folks to figure out how to make it possible for better information sharing while maintaining confidentiality of information. Surely they can work that out, but it’s not a problem we want to spend much time on.

However, check out the things they are supposed to make sure all the service providers, including cloud providers, contracts cover. It states that the “contract language and requirements shall be designed to ensure that:”

service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control,service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies;

service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed;

service providers share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.

Those are not little requirements there. There is also this little note down in all the other language about contract requirements:

information and communications technology (ICT) service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies

We know there are cases where contracts are preventing things and there are also cases where people are hiding behind contracts. They want these updates to language and requirements to happen in short time frames like 90 days for some parts and 45 days for other parts of this review and update.

The important thing is they mention standardizing cybersecurity requirements across agencies to make it more efficient and effective for the Federal Government to enter into things and know across all the agencies what the language and requirements include. That has never been done because there has never been any national standards for these things.

Today, we are figuring out cybersecurity much like they had to figure out managing planes flying all over the world at the same time. The big problem is in the last year we threw a bunch of planes up without much worry for standards or safety.

3 – Zero Trust Adoption

[34:37] We probably have to do an entire episode on what Zero Trust is, but it has been discussed as the ultimate security solution for the last few years. Basically, it means that all network traffic and system activities should be assumed to be bad actors until proven otherwise. Exactly the opposite of the way it works today where it assumes you are good until it sees bad things happen.

To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.

Every single new migration must include Zero Trust. All the folks that have been proponents of these implementations are excited, for sure!

To facilitate this approach, the migration to cloud technology shall adopt Zero Trust Architecture, as practicable. The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture.

You will not stop hearing about Zero Trust for the next decade, if not longer.

4 – Software Supply Chain Security

[39:09] No surprise here. We have been talking about this for years and SolarWinds just locked this requirement into the sights of all cybersecurity professionals.

The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.

I love how the development of software has improved dramatically over the last decade or so with the concepts of agile development. However, one major thing that was skipped to attain better speed is security concerns. This getting features out as soon as possible and fixing the problems later approach has only exacerbated the problem by purposefully not taking the time to find all the potential vulnerabilities before release.

NIST has just released the Defending Against Software Supply Chain Attacks guide in April. That document opens by saying that we want you to use our other guides:

This document provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the National Institute of Standards and Technology (NIST) Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.

I have been sending out the SSDF guide to our clients and partners in the development business for months now. That came out in April of 2020 but no one had time to look at it back then. Slowly, it has gained attention. NIST won’t have time to start over on all these things, so I would expect these guidelines will be a part of it unless they were already working on a different approach.

Here are a few of the requirements included in that list:

maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;

participating in a vulnerability disclosure program that includes a reporting and disclosure process;

attesting to conformity with secure software development practices;

C-SCRM is designed to provide ways to complete the NIST CSF Supply Chain defined practices. We have one that is specifically designed for small and medium healthcare organizations. We haven’t had a chance to spend much time on it, but it will be a good option for any SMB to follow. And then there’s the Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM). These guides are not going to make a lot of vendors happy. As much as they have hated ours so far, this one will be despised.

5 – Establishing a Cyber Safety Review Board

[47:28] Remember I said we were a lot like the FAA when they were trying to figure out managing all the planes? The NTSB investigates all the plane, train, etc big incidents to determine what happened and who or what caused the incident to occur.

We’re gonna be getting a Cyber Safety Review Board! When these major events occur they will be called in to investigate major incidents. It will have cyber professionals from the public and private sector along with representatives from CISA, FBI, NSA, and you get it.

6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.

[49:17] Again, an important part of managing this massive problem is by standardizing the processes being used. When we work with small clients we help them build playbooks for specific incidents. This directive says in 120 days they will come up with a standard response that covers all the NIST standards and appropriate guidelines.

It also includes requirements for improving detection of vulnerabilities and incidents on federal systems, investigation and remediation capabilities and some other specifics that basically mean that nothing in here should mess up National Security while we are trying to do security.

So, yeah… this cyber executive order will make everybody do cybersecurity the same way. We are all going to be speaking the same language. And there will be a standard playbook that everyone will follow when it comes to ransomware.

Share0

Tweet0

Share0

Help Me With HIPAA – EP 306 “6 Points In Cyber Executive Order”

What to do After a Virus Removal to Prevent Reinfection

Don’t Use Promotional USB Drives!

How Much Random Access Memory (RAM) Do You Need On Your Computer?

How Do Google Searches Work?

Ubiquiti UniFi AC Wireless Access Point

How to Set Up Outlook 2010 to Work with Gmail

Understanding SEO (Search Engine Optimization)

Subscribe to our newsletter now!