The Cybersecurity Executive Order: What’s coming and where are the opportunities?

By Davis Johnson, VP & General Manager

Private sector companies have a considerable amount of work to do to comply with the recent Presidential Executive Order on Improving the Nation’s Cybersecurity. Existing contracts will have to be scrutinized as part of the effort to reverse the trend of serious cyberattacks affecting government and industry alike.

It’s clear that the order puts the onus on the vendor community. It reads, in part, “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

The order further recommends standardizing common cybersecurity contractual requirements across agencies, to “streamline and improve compliance for vendors and the Federal Government.”

Beyond the contract implications, vendors can expect more attention from the government in several key technology areas, which will spark greater demand and more funding. Here are just a few:

Cyber Vulnerability and Incident Detection

Agencies are required to establish a Memorandum of Agreement with CISA for Continuous Diagnostics and Mitigation. CISA is required to report quarterly to OMB and the National Security Advisor on implementation of threat-hunting practices. Vendors can expect more contact with agencies as these reports and documents are being prepared.

Incident Response Playbook

CISA and the government are developing a standardized playbook for cybersecurity vulnerability and incident response activity across all phases of incident response. Vendors will need to be sure they can provide proper responses across their solutions, partners and products.

Modernizing Federal Cybersecurity

The order requires a number of security best practices. These include developing plans that will facilitate a move to Zero Trust architecture and embracing secure cloud services, such as software as a service, infrastructure as a service and platform as a service. Agencies are also required to adopt multi-factor authentication and encryption for data at rest. Agencies will have to make investments in technology and human resources to meet modernization goals. Vendors should be prepared to address these requirements with their technological offerings.

Software Supply Chain Security

By the end of the summer (within 90 days of the date of the order) the Secretary of Commerce will provide guidance on practices to enhance software supply chain security. This guidance is expected to be developed in consultation with agencies, as recommended by NIST. This supply chain guidance is in addition to requirements that NIST provide information defining “critical software,” “legacy software remediation” and “IoT security.”

This particular mandate will shape requirements in future budgets. It will be important to monitor and to analyze how this guidance applies to each agency and across agencies.

That’s just part of the details covered in this order. Suffice it to say, the summer is shaping up to be an interesting and fast-paced time for vendors and agencies alike.

To keep on top of trends in government IT, subscribe to immixGroup’s Government Sales Insider blog now!

This blog is adapted from a commentary that originally ran in Washington Technology, where the full commentary can be viewed.
