Light Dark
May 31, 2024 By Jennifer Gregory 3 min read
News

Recently, the United States Government Accountability Office issued an update on the progress of Executive Order 14028, Improving the Nation’s Cybersecurity.

In 2021, the White House identified 55 leadership and oversight requirements that needed to be met to improve cybersecurity in federal IT systems, with all systems needing to meet or exceed the standard outlined. Executive Order (14028) on Improving the Nation’s Cybersecurity elaborated on the reasons for the requirement, stating that the “prevention, detection, assessment and remediation of cyber incidents is a top priority and essential to national and economic security.”

Additionally, the executive order (EO) said that completing these was essential because the government should lead by example to encourage the private sector to also reduce the risk of cybersecurity breaches and attacks.

The EO designated the agencies responsible for implementing the requirements: the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).

The key requirements of this order focused on cybersecurity solutions including:

  • Removing barriers to threat information
  • Modernizing federal government cybersecurity
  • Enhancing software supply chain security
  • Establishing a cyber safety review board
  • Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
  • Improving the federal government’s investigative and remediation capabilities

Update on progress toward the requirements

The April 2024 update reported that the three responsible agencies completed 49 of the requirements. The requirement for standardizing the playbook for responding to cybersecurity vulnerabilities and incidents was determined to be not applicable. Additionally, the agencies have partially completed the remaining five requirements.

Of the key requirements, modernizing federal government cybersecurity is the only one completely fulfilled. The efforts in that area included implementing or beginning implementation of zero trust architecture for federal agencies, securing cloud services and centralizing access to cybersecurity data.

Other initiatives included addressing unclassified data, making progress on implementing multifactor authentication and encryption and developing a cloud security technical reference architecture documentation.

Outstanding requirements remain

While the update commended the agencies on their efforts toward improving federal cybersecurity, the conclusion stressed the importance of completing the remaining requirements.

The five remaining requirements are:

1. Incorporate into the annual budget process a cost analysis of the steps to be taken in this section.

While the OMB partially incorporated a cost analysis into the annual budget process, they did not provide evidence for details on the implementation of all leadership and oversight requirements in the order.

2. Identify and make available to agencies a list of categories of software and software products in use or the acquisition process meeting the definition of “critical software.”

CISA and OMB assisted NIST with the criteria and guidelines for required federal government software security measures. CISA, OMB and NIST also created a definition of critical software and a preliminary list of common categories of software that are consistent with that definition. However, CISA did not issue the list of common categories of software by the September 2023 deadline.

3. Review the recommendations provided to the president for improving the board’s operations and take steps to implement them as appropriate.

CISA has not provided evidence of the steps taken to improve operations through recommendations for improving future operations. The update states that this step is key to allowing the board to effectively conduct its future incident reviews.

4. Ensure that agencies have adequate resources to comply with the requirements for adopting EDR approaches.

Although OMB reported that they had incorporated endpoint detection and response (EDR) within their guidance to agencies for budget submissions and included EDR in the list of FISMA metrics in fiscal year 2023, the agency was not able to provide proof of this documentation. The update shares the concern that without the proof, it’s possible that agencies will not receive sufficient funding for EDR initiatives.

5. Work with agency heads to ensure that agencies have adequate resources to comply with requirements for logging, log retention and log management.

OMB gave guidance to agencies regarding logging, such as log retention and log management. However, OMB did not demonstrate that the agencies had enough resources to implement logging, log retention or log management.

The update made specific executive action recommendations for the five remaining requirements to be completed by December 31, 2024.

 |  |  |  |  | 
Jennifer Gregory
Cybersecurity Writer

More from News
June 27, 2024

A proactive cybersecurity policy is not just smart — it’s essential

3 min read - It’s easy to focus on the “after” when it comes to cybersecurity: How to stop an attack after it begins and how to recover when it's over. But while a reactive response sort of worked in the past, it simply is not good enough in today’s world. Not only are attacks more intense and more damaging than ever before, but cyber criminals also use so many different attack methods. Zscaler ThreatLabz 2024 Phishing Report found that phishing attacks increased by…

June 24, 2024

Poland spending $760 million on cybersecurity after attack

3 min read - Visitors to the Polish Press Agency (PAP) website on May 31 at 2 p.m. Polish time were met with an unusual message. Instead of the typical daily news, the state-run newspaper had supposedly published a story announcing that a partial mobilization, which means calling up specific people to serve in the armed forces, was ordered by Polish Prime Minister Donald Tusk beginning on July 1, 2024. Deputy Prime Minister Krzysztof Gawkowski refuted the claim on X (formerly Twitter). His post…

June 20, 2024

New ransomware over browser threat targets uploaded files

3 min read - We all have a mental checklist of things not to do while online: click on unknown links, use public networks and randomly download files sent over email. In the past, most ransomware was deployed on your network or computer when you downloaded a file that contained malware. But now it’s time to add a new item to our high-risk activity checklist: use caution when uploading files. What is ransomware over browsers? Researchers at Florida International University worked with Google to…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature