Cybersecurity Mandates: Keeping Up with the Federal Government’s Standards

Want to know what esteemed cybersecurity visionaries have to say about its ever-changing role in the government?

Click here to register for the upcoming Potomac Officers Club’s 2024 Cyber Summit.

Digital transformation ushered in solutions for various government bodies to expedite their processes, enjoy efficiency, and tackle massive loads of information without compromising confidentiality and transparency.

However, as digital methods become more sophisticated, so do the threats that arise to destroy their foundations. That said, the government continues to push for reforms and standards that maintain the integrity of every data and information.

In this article, we’ll explore these cybersecurity mandates, their requirements, and their long-term impact on private and federal government sectors.

What are cybersecurity mandates? 

The foremost mandate encompassing cybersecurity protection is Executive Order (EO) 14028. Issued by the White House on May 21, 2021, the administrative order was made to improve national online security standards by adopting zero-trust infrastructure.

Added to that, the executive order also enables the government and private sector to work together and protect their organizations from various cyber threats.

On July 26, 2023, the SEC adopted rules pressing all public organizations to disclose any material–strategy, governance, and risk management–cybersecurity incidents. This rule took effect on December 15, 2023.

With the newly implemented material cybersecurity authority by the US Securities and Exchange Commission (SEC), government agencies can manage the risks and assess which ones are needed immediately.

Agencies could also share cyber threat information that may help smaller organizations bolster their protection methods.

What qualifies as a cybersecurity incident?

The growth of  online security defense methods has inadvertently ushered in threats and crimes that could devastate even the most secure systems.

With new dangers arising, it is a continuous battle for private and public institutions to bolster, update, and refine their protective strategies against cyberattacks.

That said, the recently mandated SEC order simplified the parameters that consider an event a “material” cybersecurity incident. Under the mandate, organizations need to evaluate an event explicitly should it have the following implications:

• Reduction of competitiveness and efficiency
• Harm to the company’s or agency’s reputation
• Abuse or damage to consumer relationships
• Probability of litigation or lawsuits
• Possibility of other government agencies to investigate or act upon the incident

It is worth mentioning that these security reporting standards extend to anomalies experienced by third-party applications and cloud providers. The mandate explicitly explains that no incident caused by third-party applications is irrelevant not to be reported and addressed.

In addition, the mandate highlights that reasonable investors wouldn’t dismiss even the slightest  anomaly, even if they’re from an outside hosting service.

Related Article: Jacobs’ John Karabias & Adi Karisik Warn of Lack of Operational Tech Cybersecurity in US Water Sector

What are the requirements of these cybersecurity mandates?

Besides enabling public organizations to strengthen their digital safeguarding capabilities, cybersecurity mandates push different agencies to modernize outdated strategies into working, efficient, enduring, and trustworthy measures.

That said, agencies must comply with EO 14028’s requirements to push through with their cybersecurity protection and business strategies. 

Outlined below are the key points of the White House’s cybersecurity mandates and their requirements:

Share cybersecurity information

Under the executive order, public organizations are required to share all cyber incidents and threat information with various government networks.

At the same time, EO 14028 dissolves any contractual restrictions on cybersecurity incident sharing within executive departments and federal agencies. By eliminating these restrictions, the mandates become more effective in protecting national security.

Enhance software supply chain security

President Biden’s Cybersecurity EO requires private entities to enhance their software supply chain security to comply with requirements for selling to the federal government.

Improving software supply chain security means reducing the risk of data breaches, system failures, and other costly damages to the organization.

Foster baseline security standards

The executive order established basic-level standards for bolstering software security. With that, software developers are empowered to create greater visibility into their organizations’ software and grant public access to their security data.

Establish a standardized playbook for response

A standardized playbook for responding to cybersecurity threats, vulnerabilities, and unusual activities is essential for agencies and businesses to brace themselves for imminent cyber-attacks.

The playbook also helps organizations improve their ability to detect malicious cyber activities and enhance their future mitigation efforts. 

By thoroughly understanding various cybersecurity threats and how to negate them, public and private institutions would minimize damages, recover faster, and avoid confusion within their networks while dealing with undergoing the recovery process.

Strengthen investigative capabilities

Through EO 14028, organizations can boost their investigative and remediation efforts; they’ll have the capacity to strengthen their networks from various cybercrimes, as well as trade secret theft and economic espionage.

Added to that, bolstering investigative capabilities would further the deterrence of malicious actors and the protection of businesses and customers.

Create a Safety Review Board

Organizations must create a Cybersecurity Safety Review Board and appoint government and private sector leads as co-chairs. The review board will discuss crucial cyber incidents and their recommendations for strengthening security strategies.

How do these mandates affect contractors?

The new mandates aren’t just about enhancing protective measures and reporting vulnerabilities. Present government contractors and businesses brokering opportunities in the federal marketplace need to comply with other regulations. 

This is tantamount to promoting healthy cyber environments and further business operations.

Outlined below are the other ways cybersecurity mandates affect contractors:

1. Contractors need to review if their cyber protections align with the recommendations of EO 14028 and related memos. This entails amending any conflicting regulations and preparing flow-down contracts to subcontractors.
2. Changes in security protocols encompass the involvement of senior stakeholders in the creation of this policy.
3. Agencies must invest in more robust and efficient response and cyber-resilience preparedness programs. Since cyberattacks can cause costly damages, such investments will be beneficial for long-term cyber protection.
4. The new mandate brings about intensive employee training and testing for cybersecurity awareness. With well-equipped staff, contractors will have the power to avert a wide range of cyberattacks and maintain cyber integrity.