On May 11th, President Donald Trump issued an Executive Order requiring all heads of executive agencies and departments to modernize and strengthen cybersecurity within Federal networks and critical infrastructure.
The order acknowledges that the government’s IT infrastructure needs drastic improvement and outlines directives to drive organizational change and strengthen the nation’s cyber defense, addressing both Federal and Public-sector vulnerabilities. Highlights include:
- Each Federal agency must manage the risks posed by threats to our Nation’s cybersecurity and take immediate action to review its cybersecurity protocols and upgrade its IT infrastructure, including protecting IT and data from unauthorized access, detecting and preventing anomalies and incidents, and mitigating impacted systems.
- Agencies shall follow The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology (NIST) while creating and developing cybersecurity practices. This is a direct requirement by the Executive branch for Federal agencies to use ISO 27001 and ISO 15408.
- Each executive agency head must submit a Cybersecurity Status Report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days on conformance to and implementation of the Framework.
- The Secretary of Defense must submit a report within 90 days outlining cybersecurity risks facing bases, supply chains, platforms, networks, capabilities, and systems.
- Resources and Federal support will be committed to the Nation’s critical infrastructure through cybersecurity risk management efforts.
- Heads of appropriate sector-specific Agencies shall identify capabilities that they can employ to support the cybersecurity effort.
You can read the full Executive Order here.
As agencies move to comply with this order, companies doing business with the FED must also comply if they are to continue doing business with the Federal government. What does compliance mean?
- The Order, which calls for adherence to the Framework, outlines strict policy for conformance to Special Publication 800-53 Revision 4.
- This Special PUB mandates compliance with NIST security and privacy controls for Federal Information Systems and Organizations, as well as ISO 27001 and ISO 15408 (Common Criteria).
- The Order calls for enforcement of cryptographic requirements within the Special PUB as outlined within the FIPS 140-2 validation standard.
Every Federal agency is expected to fully comply with this Order and implement it accordingly. Gone are the days when waivers, or claims of unique products, could help companies sell into the FED. We expect the new order to form the basis of contract award decisions as we head into the summer, and to be fully implemented across all agencies in the next buying cycle. This means every company doing business with the FED must have its products validated against the FIPS 140-2 and Common Criteria standards prior to pilots, proofs of concept, and contract awards. For those selling into the Department of Defense, listing on the DoDIN APL is expected as well.
Complying with these certifications can take 12-14 months (or longer) from start to finish. The level of effort, associated complexity, and timing will largely depend on your product’s readiness against FED security hardening requirements and on your organizational readiness. If you would like to plan ahead to ensure the Executive Order does not shut down your FED/Public sector business and revenue opportunities, contact Corsec to discuss a path forward.
Stay up to date with Corsec as we bring you the most recent updates to the standards, certifications, and requirements.