By Brittany Johnston, Research Director, MeriTalk
In May 2021, President Biden issued the Executive Order on Improving the Nation’s Cybersecurity (cyber EO), which included technology guidance and mandates pushing Federal agencies to improve their cybersecurity posture to better protect the American people.
The cyber EO came on the heels of several high-profile cyberattacks that plagued public and private sector organizations, including the Colonial Pipeline attack that caused gas shortages along the East Coast and the SolarWinds software breach that affected agencies and organizations across the public and private sectors. These incidents highlighted the cybersecurity vulnerabilities within government agencies and across our nation’s critical infrastructure.
The cyber EO set a new tone for Federal cyber policy and aligned agencies under the same cybersecurity principles, including modernizing legacy technology, accelerating cloud migration, and implementing a zero trust architecture.
While the cyber EO provided direction, Federal cyber leaders were faced with work that needed to be done under accelerated timelines, limited budgets, and a shortage of trained technology experts in order to meet the mandates.
Even with that pressure, a new study from MeriTalk, underwritten by AWS, CrowdStrike, and Zscaler, found that 99 percent of Federal cyber decision makers say that the cyber EO had a positive impact on their agency, and 91 percent say that the cyber EO has made U.S. data and critical infrastructure safer. Most agree that the steps outlined in the cyber EO are necessary to protect our nation.
A Year of Progress
The study explores Federal technology leaders’ perspectives on progress made against the cyber EO as we approached the one-year anniversary of its release. It identifies what agencies are doing differently and examines where agency cyber leaders say they need more help to succeed.
Over half of technology leaders confirm that IT management and staff are placing increased priority on cybersecurity. However, all agencies agree that progress against cyber EO goals is still in the early stages, with just 15 percent reporting tangible improvements because of cyber EO efforts to date. Agencies are making the most progress in creating a formal strategy, implementing endpoint detection and response solutions, improving software supply chain security, strengthening investigative and remediation capabilities, and migrating to the cloud.
While fewer than half of leaders rate their agencies’ progress against key cyber EO goals as “excellent,” a significant portion expects to see an impact within the next year.
Focus on Zero Trust
Many of the cyber EO mandates involve building a zero trust architecture, which is one that requires users and devices to be authenticated and authorized before accessing the agency network, applications, and data. A zero trust architecture includes several technology components including identity management, access control, and policy enforcement.
Ninety percent of technology leaders say that a zero trust architecture is an important factor for national cybersecurity, and 96 percent agree that the Office of Management and Budget’s (OMB’s) Federal Zero Trust Strategy is somewhat or very helpful.
Despite the high priority, just 30 percent of Federal cyber decisionmakers rate their zero trust progress as “excellent.” Sixty-seven percent say the EO’s three-year window for implementing a zero trust architecture is not realistic.
“Getting to zero trust is not easy. The detail provided in the multi-step guidance from OMB provides a path, but there is no single box you can buy to meet the varied needs of the five zero trust pillars,” says Stephen Kovac, chief compliance officer and head of global government affairs, Zscaler. “You need multiple solutions from varying vendors that work together with seamless integration to achieve true zero trust – it is a team sport. OMB has done a good job in helping to define those rules, with rule one being to keep users off the network. If they can’t reach you, they can’t breach you.”
When rating the most important factors in national cybersecurity going forward, technology leaders pointed to elements of a zero trust architecture, including multi-factor authentication and standardized event logging. Over the next five years, technology leaders point to endpoint detection and response capabilities – another element of a zero trust architecture – as the cyber EO requirement that will have the single greatest impact on improved cybersecurity.
“Zero Trust is the gold standard for cybersecurity, so we’re encouraged to see the EO is prioritizing that approach,” said Drew Bagley, vice president and counsel for Privacy and Cyber Policy, CrowdStrike. “In addition, cloud-native endpoint detection and response capabilities can significantly strengthen the cybersecurity posture for the Federal government, especially when integrated with other security capabilities including identity security, threat intelligence, and managed threat hunting. These concepts have become cybersecurity best practices for the private sector’s most technologically advanced businesses, and we encourage the public sector to continue to embrace these technologies and strategies.”
Roadblocks to Achieving Cyber EO Mandates
While agencies are being asked to meet the aggressive mandates outlined in the cyber EO, just 14 percent report they have all funding needed to do so, and one-third say they have half, or less than half, of the funding needed.
“The sea change is the focus on comprehensive cyber resiliency,” says Nicole Burdette, principal, MeriTalk. “The EO provided direction, but progress requires sustained funding and resource commitment. The research shows the gaps.”
Eighty-seven percent of technology leaders also report negative impacts from the EO, including time-consuming proof of compliance requirements, moving IT staff from other projects to focus on the cyber EO requirements, confusion around competing priorities, and an increased cost of working with the private sector. Twenty-eight percent of technology leaders report that the cyber EO has created competition between agencies for trained staff or other resources, which is significant in today’s environment where Federal agencies are already struggling to recruit technology talent away from the private sector.
To overcome resource issues, in addition to heavy recruiting and training, agencies should focus on automating repetitive tasks and minimizing any optional proof-of-compliance practices. Agencies should look to private-sector partners and utilize managed services for support where appropriate.
Private Sector’s Role
When asked about the gaps in the cyber EO directives, 74 percent of technology leaders feel that the cyber EO should have been more authoritative with private-sector directives. After all, many critical infrastructure operators are privately held companies, like Colonial Pipeline.
“The U.S. Federal government is taking important steps to improve the nation’s cybersecurity posture,” said Dave Levy, Vice President of U.S. Government, Nonprofit, and Healthcare at Amazon Web Services. “In the cyber EO, the White House directs Federal agencies to adopt security best practices, implement zero trust architectures, and accelerate migration to secure cloud services. Organizations of all sizes should consider similar principles and practices to enhance their cybersecurity and protect employees and sensitive data against cyberattack.”
In the year since the release of the cyber EO, progress has been made to share information with the private sector. The Cybersecurity and Infrastructure Agency has developed and implemented several information sharing programs with the private sector and state, local, tribal, and territorial governments. Most recently, the U.S. Cyber Command has created a collaborative program called “Under Advisement” to share insights and information about critical cyber threats in an effort to further bolster national cybersecurity.
Sharing is a two-way street, and to help critical infrastructure operators that have experienced a breach, Congress included a mandatory reporting requirement in the Infrastructure Investment and Jobs Act.
A Look Ahead
Agencies that are behind the curve with EO implementation can accelerate their progress by appointing implementation leads with the authority to make bold changes. Agencies that graded their EO implementation as “excellent” were significantly more likely to have confidence in the cyber EO’s impact and report they are already experiencing the benefits.
With hackers constantly looking for new ways to outmaneuver existing security measures, agencies must continually prioritize cyber talent and adopt an active cyber mindset to remain ahead. Trusted industry partners can help agencies by providing scalable solutions and innovative approaches to realize the spirit of the cyber EO and guard against future attacks.
About the Author
Brittany Johnston is the Research Director for MeriTalk, where she develops and manages integrated market research programs for government’s top technology partners. With nearly 15 years of experience in survey design, data analysis, and insight development, Brittany helps Federal executives and their partners explore new technologies, uncover market opportunities and challenges, and identify strategic recommendations for improving the outcomes of government IT. Brittany can be reached online at [email protected], LinkedIn, and at our company website https://www.meritalk.com/.