On May 12th, a new Executive Order (EO) was issued that requires US federal government agencies to prioritize improvements to cybersecurity, including implementing a zero-trust model, centralizing access to security information, and requiring federal contractors to report information to the government through changes in contract language. The order states that information sharing and cooperation between the government and private industry are necessary, but its language addresses the flow of information in only one direction: from private industry to the US government through reporting, and then from government agencies to other government agencies internally. Many companies in private industry could benefit from an increased flow of information from the government to the private sector, but that is not addressed in this order.
Some of the specific requirements of the order that will undoubtedly benefit the government agencies include:
- Required implementation of Multi-Factor Authentication (MFA) everywhere
- Required encryption of data at rest (except where it is not feasible)
- Evaluation of the most sensitive data on unclassified systems that attackers might seek, in order to prioritize protection and detection efforts around that data
- Focus on early detection of threats, rather than relying on defensive controls alone
- Implementing Zero Trust Architecture across government
- Measures to enhance supply chain verification and validation of products
- Standard requirements for event logging and data retention