How the Federal Cybersecurity Order Impacts Regulatory Compliance
Late last week, the Biden Administration issued an executive order to strengthen the country’s cybersecurity infrastructure and oversight in light of recent events including the Colonial Pipeline ransomware attack and last fall’s SolarWinds cybersecurity breach. Both events called attention to potential vulnerabilities among software offerings delivered by cloud services providers, though the order’s impact and reach extend to other areas of critical infrastructure protection, including the banking system.
Among the order’s key provisions are directives that impact governance service providers. The provisions are meant to enhance existing standards that must be met under the U.S. government’s FedRAMP program, including the following:
- Improved preservation and reporting of information related to cybersecurity breaches, and removal of barriers to sharing information across government agencies (e.g., the FBI, the Intelligence Community, and the Cybersecurity and Infrastructure Security Agency (CISA))
- Modernizing cybersecurity within government, including the use of multi-factor authentication and the development of plans to implement a Zero Trust Architecture (essentially, “never trust, always verify”)
- Improving software supply chain security, entailing the use of encryption and enhanced monitoring of software development environments (the vulnerabilities of which were highlighted in the SolarWinds attack)
- Establishment of a cross-agency Cyber Safety Review Board, composed of the Department of Defense, DOJ, NSA, CISA and the FBI, to develop recommendations for further federal government cybersecurity actions
- Standardizing the playbooks across government agencies to respond to cybersecurity incidents, as well as improving the detection of incidents on federal government networks
The impact on regulated industries
The order directly affects those doing business with the federal government. However, it should also raise the profile of cybersecurity threats among private sector firms engaged in critical infrastructure industries including banking, healthcare and energy.
Every industry has its own cyber guidance and obligations for breach notification and incident management. But raising the bar by bolstering federal standards will likely trickle down into regulatory notices from the SEC, FINRA, FERC, NERC and HHS. It should also help to elevate the work led by CISA to drive greater collaboration between the government, industry and technology providers to:
- Share critical threat information
- Enhance government awareness of the latest cybersecurity technology advances
- Improve the overall security and resilience of the country’s critical infrastructure
For market participants, it is also a strong reminder to entrust your most sensitive information only with those cloud services providers that treat information security and protection as a core capability. These organizations have the expertise, demonstrated adherence to industry standards (supported by third-party attestations), and proven practices that can be verified.