How the Federal Cybersecurity Order Impacts Regulatory Compliance

May 20, 2021, by Robert Cruz


Late last week, the Biden Administration issued an executive order to strengthen the country’s cybersecurity infrastructure and oversight in light of recent events, including the Colonial Pipeline ransomware attack and last fall’s SolarWinds breach. Both events called attention to potential vulnerabilities in software delivered by cloud service providers, though the order’s impact and reach extend to other areas of critical infrastructure protection, including the banking system.

Among the order’s key provisions are directives that impact governance service providers. The provisions are meant to enhance existing standards that must be met under the U.S. government’s FedRAMP program, including the following:

  • Improved preservation and reporting of information related to cybersecurity breaches, and removal of barriers to sharing that information across government agencies (e.g., the FBI, the Intelligence Community, and the Cybersecurity and Infrastructure Security Agency (CISA))
  • Modernizing cybersecurity within government, including the use of multi-factor authentication and the development of plans to implement a Zero Trust Architecture (essentially, “never trust, always verify”)
  • Improving software supply chain security, including the use of encryption and enhanced monitoring of software development environments (the vulnerabilities of which were highlighted in the SolarWinds attack)
  • Establishment of a cross-agency Cyber Safety Review Board, composed of the Department of Defense, DOJ, NSA, CISA and the FBI, to develop recommendations for further federal government cybersecurity actions
  • Standardizing the playbooks government agencies use to respond to cybersecurity incidents, as well as improving the detection of incidents on federal government networks

The impact on regulated industries

The order directly affects those doing business with the federal government. However, it should also raise the profile of cybersecurity issues among private-sector firms in critical infrastructure industries, including banking, healthcare and energy.

Every industry has its own cyber guidance and obligations for breach notification and incident management. But raising the bar by bolstering federal standards will likely trickle down into regulatory notices from the SEC, FINRA, FERC, NERC and HHS. It should also help to elevate the work led by CISA to drive greater collaboration between the government, industry and technology providers to:

  • Share critical threat information
  • Enhance government awareness of the latest cybersecurity technology advances
  • Improve the overall security and resilience of the country’s critical infrastructure

For market participants, it is also a strong reminder to entrust your most sensitive information only to cloud service providers that treat information security and protection as a core capability. These organizations have the expertise, demonstrated adherence to industry standards (supported by third-party attestations), and proven practices that can be independently verified.
