- Within a digital ecosystem, every Government has four main roles that it plays – consumer, enforcer, defender, and enabler
- The US framework provides an effective template to countries that have not yet created a minimum set of standards in cyber and information security regulations
- Over the next few years, such guidelines are likely to extend beyond the federal agencies to cover every critical (national) infrastructure sector
May 2021: Executive Order 14028 on Improving the Nation's Cybersecurity
“The trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is.”
“Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin our way of life.”
“The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
Under the Executive Order, the National Institute of Standards and Technology (NIST) also published a definition of the term “EO-Critical Software” in October 2021.
The Federal Government acknowledges that it can no longer depend on conventional perimeter-based defenses to protect critical systems and data.
We highlight two of the Office of Management and Budget (OMB) memoranda that followed, both part of a sweeping government-wide effort to ensure that baseline security practices are in place.
January 2022: OMB Memorandum M-22-09 on the Federal Zero Trust Architecture (ZTA) strategy
This memorandum requires agencies to achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024. The goals are organized using the zero trust maturity model developed by the Cybersecurity and Infrastructure Security Agency (CISA).
“The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access.”
This strategy sets a new baseline for access controls across the Government that prioritizes defense against sophisticated phishing and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied.
A key tenet of a zero-trust architecture is that no network is implicitly considered trusted—a principle that may be at odds with some agencies’ current approach to securing networks and associated systems. All traffic must be encrypted and authenticated as soon as practicable.
September 2022: OMB Memorandum M-22-18 on Enhancing the Security of the Software Supply Chain
The objective is to ensure Federal agencies use only software that has been built following common secure development practices, specifically those in the NIST Secure Software Development Framework (SSDF, SP 800-218), which software producers must attest to. Given the cyber threats facing Federal agencies, the technology they rely on must be developed in a way that makes it resilient and secure.
A Software Bill of Materials (SBOM), an ingredient list for a software product that an organization can consult when a new vulnerability is disclosed to check whether it is running an affected component that needs patching, may be required by an agency in its solicitation requirements, based on the criticality of the software.
SBOMs are designed to be shared across organizations and are particularly helpful at providing transparency of components delivered by participants in a software supply chain.
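The lookup the SBOM paragraph describes, matching a newly disclosed vulnerability against the components an SBOM lists, is shown below as an added example; it is not code from the original page or from any agency or vendor. The SBOM is a constructed CycloneDX 1.4 fragment, and the advisory record is constructed for illustration, with its version range mirroring the public CVE-2021-44228 (log4j-core before 2.15.0, simplified to ignore the 2.12.2 and 2.3.1 backport fixes). The helper names (`parse_version`, `iter_components`, `find_affected`, `load_sbom`) are this example's own.

```python
"""Match a CycloneDX-style SBOM against a disclosed vulnerability.

Added example, not from the original page. The SBOM and the advisory
record are constructed; the advisory range mirrors the public
CVE-2021-44228 (log4j-core < 2.15.0), simplified to ignore the
2.12.2 / 2.3.1 backport fixes.
"""
import json
from typing import Iterable, Iterator

# Constructed CycloneDX 1.4 fragment: two direct libraries plus one
# application whose transitive dependencies are nested under it.
SBOM_JSON = r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "application", "name": "inventory-service", "version": "1.0.0",
     "purl": "pkg:maven/example/inventory-service@1.0.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.17.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.0-beta8",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta8"}
     ]}
  ]
}
"""

# Constructed advisory record keyed on the package URL *without* its version.
ADVISORIES = [
    {"id": "CVE-2021-44228",
     "purl_base": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0-beta9",   # first affected version (inclusive)
     "fixed": "2.15.0"},          # first fixed version (exclusive bound)
]


def parse_version(v: str) -> tuple:
    """Make '2.14.1' / '2.15' / '2.0-beta9' comparable as tuples.

    The dotted numeric part is compared numerically and padded to three
    fields so '2.15' == '2.15.0'. A '-pre' suffix sorts *before* the bare
    release, so 2.0-beta9 < 2.0. Pre-release tags are compared lexically,
    which is adequate for beta8/beta9 but would misorder beta9/beta10.
    """
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, pre) if pre else (1, ""))


def iter_components(components: Iterable[dict]) -> Iterator[dict]:
    """Walk components depth-first, including nested transitive ones."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_affected(sbom: dict, advisories: list) -> list:
    """Return each component whose purl base and version fall in an advisory range.

    Matching on the full purl base (ecosystem + group + name) rather than the
    bare name is what keeps log4j-api 2.14.1 from being a false positive.
    """
    hits = []
    for comp in iter_components(sbom.get("components", [])):
        purl = comp.get("purl", "")
        base, _, ver = purl.partition("@")
        ver = ver or comp.get("version", "")
        for adv in advisories:
            if base != adv["purl_base"]:
                continue
            v = parse_version(ver)
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                hits.append({"advisory": adv["id"], "purl": purl, "version": ver})
    return hits


def load_sbom(text: str) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    for hit in find_affected(load_sbom(SBOM_JSON), ADVISORIES):
        print(f"{hit['advisory']}: {hit['purl']} is affected, upgrade to >= 2.15.0")
```

Run stand-alone, it reports only the direct log4j-core 2.14.1 dependency: the nested 2.17.1 is past the fix, the nested 2.0-beta8 predates the introduced version, and log4j-api is a different artifact. In practice the advisory record would come from a feed such as OSV or the NVD rather than being embedded, and the version parser would be replaced by the ecosystem's own rules; the matching logic is the same.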
The above is part of a larger enterprise cybersecurity and information technology (IT) modernization plan that ensures the Federal Government can deliver a simple, seamless, and secure experience to its people.