The President released the “Executive Order on Improving the Nation’s Cybersecurity” in response to the malicious actors targeting US federal IT systems and their supply chain. The EO is intended to modernize and strengthen the cybersecurity of federal information technology infrastructure.
The General Services Administration (GSA) has issued an updated directive on improving federal cybersecurity, requiring US government agencies to build a plan for “managing risk” of IT systems in their supply chain. The order instructs agencies to comply with NIST guidelines for secure purchasing and handle more sensitive data via encryption.
What Does the Executive Order Mean for Improving the Nation’s Cybersecurity?
The majority of the Executive Order focuses on the administrative tasks associated with it, including redefining contract language, setting timelines, and defining agency roles and responsibilities. For enterprises that don’t supply technology to the federal government, the order may seem less relevant. However, it is important to understand that many of the provisions in the Executive Order deal with subcontract agreements, providing a contractual vehicle for compliance that flows down to suppliers of suppliers. The language is provided in section 2 of the Executive Order.
The Executive Order gives agencies the authority and responsibility to consider their own risk management programs and those of suppliers when making purchasing decisions on IT goods and services. Agencies must identify vulnerabilities through the use of NIST standards such as ISO/IEC 27001 and ISO/IEC 27002. Several of the basic tenets could be used by companies operating outside the federal IT supply chain, including:
- Better intelligence sharing
- Modernizing agency infrastructure
- Securing the federal IT software supply chain
What the Executive Order Says
Several key concepts taken from the Executive Order can improve the state of cybersecurity within the U.S. The first point is better information sharing between the government and both the public and private sectors. The second point is directed toward NIST standards and updating software development practices to help increase security. Third, the EO calls for increased awareness of supply chain risks for both agencies and the public sector. The last point is a focus on addressing current cybersecurity law to reverse the effects of the transfer of critical infrastructure components to foreign owners or governments.
The second point is that companies must move to the cloud and create a Zero Trust Architecture to better secure their information. Here the term “cloud” is used in the broader sense of IT services and infrastructure. The idea is that if an organization is using the cloud, as opposed to physical or on-premise infrastructure, its data has to travel over a network to get there, which increases its exposure to attack.
The third key point focuses on supply chain risk and how agencies should look at contracts with vendors and the vendors’ own supply chains. If a company is a vendor under contract, it must be aware of the security risks within its supply chain. It also must perform risk assessments and help ensure appropriate safeguards are in place to minimize such risks. It is important to note that this same provision can apply to companies that have no direct contracts with the federal government, because it reaches them through their customers’ contracts.
Section 3 of the executive order directs agencies to establish policies and guidelines related to their acquisition management processes, including a risk-based methodology for selecting IT solutions.
SaaS Security Playlist Enhancement
As agencies and enterprises start looking for solutions, enhancing SaaS security should be on the “proactive steps to take” list.
Here are five things you can do to make your SaaS-based applications more secure:
1. Perform a Security Scan Before Implementing Your SaaS Application
When you’re purchasing SaaS-based applications or software, you should always run security scans to make sure the product includes all the necessary components, such as anti-malware and anti-spam filters. You should also consider the type of usage your organization will have and whether the product is intended for consumer or business use.
2. Audit and Secure Your SaaS-Based File Sharing Solutions
Since many people use file-sharing applications, including social media platforms, to share proprietary or sensitive data, you should consider implementing security measures to prevent insiders from sharing and viewing inappropriate material. You should also take steps to secure the communication between your file-sharing software and the vendor’s network to prevent unauthorized access to or manipulation of the data.
3. Protect Your SaaS-Based Application from Malicious Code
Another way to secure your SaaS-based application is by implementing a firewall and intrusion detection system, as well as an application firewall. You should also ensure that every employee has a desktop or laptop to access the SaaS application on their own private network.
4. Install and Configure Web Application Firewalls
Before an employee can access the SaaS application, it should be protected by a Web Application Firewall (WAF). Organizations can choose from a number of WAF products to achieve this goal. When the WAF is integrated with the application firewall and service firewall, you can achieve even tighter control of your data.
5. Use Encryption and Authentication to Protect Sensitive Data
It is best practice to encrypt sensitive data, such as credit card numbers, both in transit and at rest, and to require authentication before that data can be accessed.
Interested in learning further about the executive order? You may want to read Executive Order Over U.S. Cybersecurity.