This is the twenty-second in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through January 2023. This blog describes key actions taken to implement the Cyber EO during February 2023.
Biden Administration Announces National Cybersecurity Strategy
On March 2, 2023, the White House released the U.S. National Cybersecurity Strategy. (We know that March 2 wasn’t in February, but we just couldn’t wait until our next monthly blog to report on a document as significant as this one.) Please see our blog summarizing the National Cybersecurity Strategy’s key elements, including measures designed to shift the burden of mitigating cyber risks from end users to owners and operators of systems that hold data and technology providers that build and service these systems (e.g., technology firms, software vendors, cloud service providers, and others). We will keep you informed of actions to implement the new strategy (some of which have already occurred in critical sectors like water systems and transportation), and our future monthly blogs on implementation of the Cyber EO will also cover implementation of the National Cybersecurity Strategy.
DOD Issues an Updated Version of Its Cybersecurity Reference Architecture
On February 21, 2023, the U.S. Department of Defense (“DOD”) released Version 5.0 of its Cybersecurity Reference Architecture (“CSRA”) to comply with Section 3 of the Cyber EO and Section 1 of National Security Memorandum 8, “Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.” The key objectives of these sections, according to the CSRA, are “adoption of Zero Trust Architecture, accelerat[ing] movement to secure cloud services, and centraliz[ing] access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.” CSRA Version 5 establishes characteristics for cybersecurity architecture in the form of principles, fundamental components, capabilities, and designs to address threats both outside and inside traditional network boundaries. For contractors, one of the key strategic outcomes referenced in the CSRA is “procurement planning alignment” with these goals.
CISA Issues Guidance to Agencies Regarding Implementation of Cyber EO Logging Requirements
On February 27, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) publicly released guidance to assist agencies in complying with the logging requirements of Section 3 of the Cyber EO. Specifically, the CISA guidance provides additional information to assist agencies with prioritizing their implementation of the policy requirements outlined in the U.S. Office of Management and Budget’s (“OMB”) Memorandum 21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.” The CISA guidance establishes a “framework for deciding the systems to collect logs from and the event types to prioritize.” One key aspect of this framework is the recommendation that agencies prioritize high value asset (HVA) systems, high impact systems, and the enterprise IT network, as well as internet-accessible systems and systems that interact with the internet regularly. Additionally, the CISA guidance addresses some frequently asked questions regarding the logging requirements, including clarifying that agencies “do not need to implement a ‘break and inspect’ solution to meet” Event Logging Tier 2, which is one of four tiers set out in OMB’s memorandum.