So far in our ongoing series on the Biden Administration’s Cybersecurity Executive Order (EO) to bolster the U.S. Government’s resilience against cyberattacks we’ve taken a look at what’s next for federal agencies and then mapped out major milestones. Two of those milestones are on August 10, 2021, focused on critical software and classifying agency data guidance. Today, we cover the connection between the two, and ways agencies can address both head-on as part of a holistic cyber modernization strategy.
Improving the security of critical software
To enhance the security of the software supply chain, NIST recently published its definition of “critical software,” followed by guidance outlining security measures for critical software in accordance with the EO Section 4 timeline. We recognize the importance of prioritizing risk management efforts and ensuring that security measures are applied to critical software. Notably, within the security measures, the importance of MFA and encryption is underlined along with other Zero Trust best practices such as verifying identity explicitly, using least privileged access, and assuming breach. The security measures also align with other recent federal guidance that highlights the importance of using supported software and deploying patches.
The NIST guidance marks a significant step forward in equipping agencies with an approach for better assessing and managing technology-based assets and potential impacts so security and resiliency resources can better align to risk priorities. As we approach the next major August 10 milestone to comply with NIST, CISA, and OMB guidance around applying practices of least privilege, network segmentation, and proper configuration, we recommend agencies fine-tune existing security measures for critical software by:
- Identifying risks and managing governance processes;
- Protecting data and functions associated with critical software, including through identity and access management, proper configuration management, and software maintenance;
- Detecting anomalies and potential issues; and
- Ensuring the readiness of appropriate response and recoverability capabilities.
Welcome news for agencies is that they are likely already well prepared to address critical software risks by simply activating the tools and capabilities they have deployed as part of their EO and modernization journey to date. Utilizing posture management tools, like Microsoft Secure Score to continually measure and audit agencies’ operational security posture, and Compliance Manager to simplify the compliance journey and reduce risk, can ensure greater visibility into risk management gaps and help better align agency security resources.
Along with real-time analytics, adopting a Zero Trust architecture can also help further holistic efforts to protect, detect, respond, recover, and manage the risks associated with deploying critical software. Agencies can reference Microsoft’s Zero Trust rapid modernization plan and Zero Trust Scenario Architectures, which have been developed based on decades of experience collaborating with federal agencies. Additionally, Microsoft is working with NIST’s National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture Project to develop practical, interoperable approaches to designing and building zero trust architectures that align with the tenets and principles documented in NIST SP 800-207, Zero Trust Architecture.
Addressing software security is not new to us; Microsoft has long invested in developing best practices for secure software development, source code testing, and vulnerability disclosure and management programs. We will continue to collaborate with government and industry to provide configuration tools and guidance around EO-critical software, as well as share lessons learned and implementation strategies to help accelerate and drive successful cybersecurity deployments into the future.
Evaluating and classifying agency data
The first milestone on improving the security of critical software goes hand-in-hand with the second August 10, 2021 milestone, which calls for evaluating and classifying agency data, and providing a report of their evaluation to DHS and OMB. If approached together, work toward this milestone will simultaneously help agencies satisfy the data inventory requirements for critical software as outlined in security measure (SM 2.1), which requires agencies to understand the data inventory of their EO-critical software.
Aligning the two milestone efforts is the broader recognition that agency data may have different sensitivity levels and not all data needs the same level of protection. Understanding sensitive data exposure will help agencies better define policies for security and compliance requirements, automatically inspect documents and emails across locations, and detect common controlled unclassified information (CUI) data types such as financial, healthcare, personally identifiable information (PII), or others.
The EO’s focus on the discovery phase of the information protection lifecycle will allow agencies to both address critical software needs and better evaluate and classify data no matter where it is stored or who it is shared with. To meet this joint milestone, agencies should focus on creating unified labels for broad categories of sensitive content types such as PII. Using tools like Activity Explorer, agencies can identify the locations and quantities of sensitive data. Microsoft Cloud App Security can also provide sensitive data flow information via in-session inbound and outbound file labeling.
Microsoft also works in close partnership with agencies to avoid common data loss prevention pitfalls, like overprotecting data. Users who experience friction from untuned classification labels or sizable changes in their productivity workflows are more likely to try and work with sensitive data outside of the governed systems and services. Agencies can avoid this risk by implementing tools like Microsoft Information Protection, which allows agencies to balance security and control with end user-friendly policies. Beyond technology, Microsoft Consulting Services can help agencies optimize their information protection deployment strategies and navigate labeling and compliance requirements.
Sustaining the momentum through shared responsibility
The EO achievements to date show what can be realized when government and industry come together and invest in securing our nation’s cybersecurity and technology ecosystem. The August 10 milestones and other related work already underway, help establish a consistent and high baseline for the security of both technology products and agency operations and is critical for dealing with the new realities of federal work.
We encourage you to visit our Cyber EO resource center and stay tuned to this blog for additional insights as we chart the course for the next major September EDR milestone, which asks for federal civilian agencies to adopt government-wide EDR approaches based on OMB requirements.