Light Dark
May 31, 2024 By Jennifer Gregory 3 min read
News

Recently, the United States Government Accountability Office issued an update on the progress of Executive Order 14028, Improving the Nation’s Cybersecurity.

In 2021, the White House identified 55 leadership and oversight requirements that needed to be met to improve cybersecurity in federal IT systems, with all systems needing to meet or exceed the standard outlined. Executive Order (14028) on Improving the Nation’s Cybersecurity elaborated on the reasons for the requirement, stating that the “prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.”

Additionally, the executive order (EO) said that completing these was essential because the government should lead by example to encourage the private sector to also reduce the risk of cybersecurity breaches and attacks.

The EO designated the agencies responsible for implementing the requirements: the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).

The key requirements of this order focused on cybersecurity solutions including:

  • Removing barriers to threat information
  • Modernizing federal government cybersecurity
  • Enhancing software supply chain security
  • Establishing a cyber safety review board
  • Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
  • Improving the federal government’s investigative and remediation capabilities

Update on progress toward the requirements

The April 2024 update reported that the three responsible agencies completed 49 of the requirements. The requirement for standardizing the playbook for responding to cybersecurity vulnerabilities and incidents was determined to be not applicable. Additionally, the agencies have partially completed the remaining five requirements.

Of the key requirements, modernizing federal government cybersecurity is the only one completely fulfilled. The efforts in that area included implementing or beginning implementation of zero trust architecture for federal agencies, securing cloud services and centralizing access to cybersecurity data.

Other initiatives included addressing unclassified data, making progress on implementing multifactor authentication and encryption and developing a cloud security technical reference architecture documentation.

Outstanding requirements remain

While the update commended the agencies on their efforts toward improving federal cybersecurity, the conclusion stressed the importance of completing the remaining requirements.

The five remaining requirements are:

1. Incorporate into the annual budget process a cost analysis of the steps to be taken in this section.

While the OMB partially incorporated a cost analysis into the annual budget process, they did not provide evidence for details on the implementation of all leadership and oversight requirements in the order.

2. Identify and make available to agencies a list of categories of software and software products in use or the acquisition process meeting the definition of “critical software.”

CISA and OMB assisted NIST with the criteria and guidelines for required federal government software security measures. CISA, OMB and NIST also created a definition of critical software and a preliminary list of common categories of software that are consistent with that definition. However, CISA did not issue the list of common categories of software by the September 2023 deadline.

3. Review the recommendations provided to the president for improving the board’s operations and take steps to implement them as appropriate.

CISA has not provided evidence of the steps taken to improve operations through recommendations for improving future operations. The update states that this step is key to allowing the board to effectively conduct its future incident reviews.

4. Ensure that agencies have adequate resources to comply with the requirements for adopting EDR approaches.

Although OMB reported that they had incorporated endpoint detection and response (EDR) within their guidance to agencies for budget submissions and included EDR in the list of FISMA metrics in fiscal year 2023, the agency was not able to provide proof of this documentation. The update shares the concern that without the proof, it’s possible that agencies will not receive sufficient funding for EDR initiatives.

5. Work with agency heads to ensure that agencies have adequate resources to comply with requirements for logging, log retention and log management.

OMB gave guidance to agencies regarding logging, such as log retention and log management. However, OMB did not demonstrate that the agencies had enough resources to implement logging, log retention or log management.

The update made specific executive action recommendations for the five remaining requirements to be completed by December 31, 2024.

 |  |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
November 18, 2024

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

November 4, 2024

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

October 28, 2024

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature