On May 12, 2021, President Biden signed a new Executive Order (EO) focused on revamping national cybersecurity defenses by guarding national networks against planned adversarial attacks, promoting public/private partnerships on cybersecurity issues, and increasing the country’s capacity to respond to incidents when they occur. The initiatives outlined in the EO apply immediately to federal agencies and contractors, but states face similar data and network security concerns as those encountered by the federal government. The EO provides useful guidance to states looking to modernize their cybersecurity approach to minimize risk and prepare for impending changes to federal cybersecurity requirements.

The EO establishes cybersecurity mandates and timelines to achieve the following key objectives:

1. Adoption of modernized practices to strengthen security posture: There is an increased need for government entities to deploy robust and updated security measures to keep pace with the constantly evolving cyberthreat landscape and sophisticated cyber criminals. The EO assists agencies in setting the standard for security best practices by moving to a zero-trust architecture, increasing adoption of cloud technology and secure cloud services, and consistently implementing fundamental security safeguards such as multifactor authentication and encryption.
2. Improved security preparedness and responsiveness: The EO authorizes the use of appropriate tools and security controls to allow early detection of cybersecurity vulnerabilities and incidents on government networks and enable swift breach response. This approach includes:
• Eliminating contractual barriers to allow increased sharing of threat information between service providers and government agencies.
• Implementing endpoint detection and response initiatives to support proactive detection and remediation of incidents.
• Standardizing incident reporting and communication methods.
• Devising policies and standards to collect and manage network and system logs for investigative purposes.
3. Enhanced software supply chain security: Software, including mission-critical tools used by agencies to perform key government functions, is shipped with significant security vulnerabilities. The EO will bolster software security by establishing baseline security requirements for software sold to the government, including requiring software vendors to comply with updated National Institute of Standards and Technology guidelines, provide Software Bill of Materials to the purchaser, and disclose software vulnerability data publicly. This approach leverages the federal government's purchasing power to incentivize the market to adopt secure software development practices and increase transparency.

State and local governments facing the same risks as the federal government should approach cybersecurity modernization to both guard against vulnerabilities and prepare for required federal regulations.

In March 2021, President Biden signed the American Rescue Plan Act into law, allocating nearly $2 billion in cyber and tech funds. State and local governments will be able to use the revenue replacement portion of the State and Local Fiscal Recovery Funds to support their cybersecurity and IT modernization efforts.

The Guidehouse State and Local Government Cybersecurity practice is dedicated to assisting state and local government agencies to meet these next-generation needs. We specialize in:

• Migrating agencies to a zero-trust architecture to eliminate implicit trust in their information systems through the application of advanced identity and access management principles such as risk-based authentication, privileged access monitoring and auditing, and enforcement of just-in-time access and the principle of least privilege.
• Identifying security deficiencies in high-value information and business technology assets through security assessments and vulnerability testing, assessing associated security risks, prioritizing defects, providing recommendations for remediation, and defining mitigation strategies and risk acceptance processes.
• Assisting agencies in planning for and responding to security incidents by conducting business impact analysis and disaster recovery planning, developing incident response strategy and plan, testing response readiness through table-top exercises, providing training, detecting and containing incidents, and prioritizing remediation investment.

Special thanks to contributing author Zeshta Bhat.