Hitting “Refresh” on Federal Cybersecurity in 2021
After nearly two decades of modest progress, there is a new push to strengthen cybersecurity for U.S. federal agencies. The new policy, “Improving the Nation’s Cybersecurity,” was set by President Joe Biden in Executive Order 14028 on May 12, 2021.
Before addressing the new order and how it will affect security operations center (SOC) professionals, it’s useful to consider why a refresh is occurring now. Swiftly following the terrorist attacks of September 11, 2001, the U.S. passed the Homeland Security Act of 2002, which included the Federal Information Security Management Act (FISMA). Cybersecurity was buried as Title III of the associated E-Government Act of 2002, and judging by the federal agencies’ compliance track record with FISMA, it has been something of an afterthought for many stakeholders.
In this post I’ll cover how we’ve arrived at the new Executive Order:
- FISMA: framework for federal cybersecurity
- Refreshing FISMA’s approach to threat detection and response
- A new federal priority for logging
FISMA: Framework for Federal Cybersecurity
FISMA established the nation’s first framework for federal cybersecurity. FISMA’s intent was to “provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets.”
FISMA directed the National Institute of Standards and Technology (NIST) to create and systematize these controls to help agencies understand how to implement the law. These standards range from a broad framework such as Special Publication 800-53, “Security and Privacy Controls for Information Systems and Organizations” to control-specific guidance such as SP 800-92, “Guide to Computer Security Log Management.”
Ongoing audits of agency compliance with FISMA, such as a recent bipartisan look by the Senate Homeland Security and Governmental Affairs committee, have found relatively poor results. The current average department and agency grade on information security is C-. Despite years of previous warnings, “there are still systemic failures to safeguard American data” in seven departments, according to the committee report.
The audit said the failures include: “to protect personally identifiable information adequately, to maintain accurate and comprehensive IT asset inventories, to maintain current authorizations to operate for information systems, to install security patches quickly, and to retire legacy technology no longer supported by the vendor.”
Refreshing FISMA’s Approach to Threat Detection and Response
The new Executive Order’s refresh of cybersecurity is all the more urgent in light of the recent surge of sophisticated modern attacks – especially successful breaches such as the 2020 SolarWinds supply-chain attack, which affected multiple federal agencies. The Executive Order does not replace FISMA. Instead, it prioritizes policy in two ways:
- “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
- “The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”
To accomplish these policies, Improving the Nation’s Cybersecurity brings six initiatives to stakeholders. The first is to remove barriers to threat information sharing between government and the private sector. With the general push to cloud services, the Executive Order will ensure that IT service providers are able to share information with the government and require them to share certain breach information.
The order directs agencies to modernize and implement stronger cybersecurity standards in the federal government. This includes securing cloud services and using a zero-trust architecture. It also mandates deployment of multifactor authentication and encryption within a specific timeframe.
Supply chain security is also under the microscope. New baseline security standards will be developed for software sold to the government. Developers will need to provide greater visibility into their software and make security data publicly available – including an “energy star” type of label so that everyone will know if software was developed securely.
A new Cyber Safety Review Board will be established for deployment after a significant cyber incident to determine what happened and how it could have been averted. This board will be modeled after the National Transportation Safety Board, which is used after airplane crashes and other incidents.
Also look for a new standard playbook for responding to cyber incidents by federal departments and agencies. This playbook will also serve as a template for the private sector to use in coordinating cyber response efforts.
Finally, the order aims to improve investigative and remediation capabilities. Of special note to SIEM and XDR users, Improving the Nation’s Cybersecurity also provides updated cybersecurity event log requirements to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact.
A New Federal Priority for Logging
SIEM and XDR technologies owe their existence to event logs. One of the big reasons Exabeam’s platform is successful in these domains is massive log ingestion capability fueled by more than 500 integrations with IT and security products.
The White House fact sheet says good logging is essential for strong security. “Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact. Robust and consistent logging practices will solve much of this problem.”
According to the order, new recommendations for logging shall include “the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention. Data shall be retained in a manner consistent with all applicable privacy laws and regulations.”
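The integrity requirement quoted above (protect collected logs cryptographically, then periodically re-verify them against the stored hashes) can be met with a keyed hash chain over the records. The following is an added example, not code from the order or from Exabeam; the sample log lines and the collector key are constructed for the demonstration, and in practice the key would be held in a KMS or HSM separate from the systems being logged.

```python
import hashlib
import hmac

# Constructed sample records standing in for logs an agency SOC has collected.
SAMPLE_LOGS = [
    "2021-05-12T10:00:01Z auth sshd[2101]: Accepted publickey for analyst from 10.0.0.5",
    "2021-05-12T10:00:07Z auth sudo: analyst : TTY=pts/0 ; COMMAND=/usr/bin/journalctl",
    "2021-05-12T10:01:15Z firewall DROP src=198.51.100.7 dst=10.0.0.20 dpt=445",
]

# Hypothetical collector key (constructed for this example only).
COLLECTOR_KEY = b"constructed-demo-key-not-for-production"

GENESIS = b"\x00" * 32  # fixed starting point of the chain


def seal_logs(lines, key):
    """Chain each record to its predecessor: h_i = HMAC(key, h_{i-1} || line_i).

    Returns per-record digests plus the chain head, the single value an agency
    would store out of band to re-verify the whole batch during retention.
    """
    prev = GENESIS
    digests = []
    for line in lines:
        h = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        digests.append(h.hex())
        prev = h
    return {"digests": digests, "head": prev.hex()}


def verify_logs(lines, manifest, key):
    """Recompute the chain; report the first record that no longer matches.

    Returns (True, None) when intact, or (False, index) at the first divergence.
    index == len(lines) means records were removed or appended after sealing.
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        if i >= len(manifest["digests"]):
            return False, i  # more records than were sealed
        h = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(h.hex(), manifest["digests"][i]):
            return False, i  # record modified, reordered, or key mismatch
        prev = h
    if len(lines) != len(manifest["digests"]):
        return False, len(lines)  # trailing records deleted
    if not hmac.compare_digest(prev.hex(), manifest["head"]):
        return False, len(lines)
    return True, None
```

Running `verify_logs` on a schedule against the stored manifest gives the periodic verification the order calls for, and the returned index tells the SOC which record to investigate.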
The order expressly notes that new logging policies are to “ensure centralized access and visibility for the highest level security operations center of each agency.”
And here you thought logging was a boring, old, and “invisible” technical topic! In my next post, I’ll take a closer look at a new three-phase federal program for systematically improving log management, and how the new federal guidance can help your department or agency achieve more robust capabilities for threat detection and response. Meanwhile, you can find more information about the new executive order, Improving the Nation’s Cybersecurity, at the Cybersecurity & Infrastructure Security Agency (CISA) webpage on this initiative. I also invite you to learn more about how Exabeam can help secure your agency.