
How state and local governments can get a head start on the new cyber Executive Order 14028

The May 12, 2021 White House Executive Order on protecting the nation’s cybersecurity will have a trickle-down effect on state and local government. Here’s how to get a head start.


Yubico works with a lot of government agencies and contractors, as well as with customers in regulated industries, so we understand the challenges new compliance regulations can bring. 

The executive order released May 12, 2021 can be seen as the federal government fully embracing the move toward multi-factor authentication (MFA) for use cases where authentication with the Personal Identity Verification (PIV) card or Common Access Card (CAC) is not possible. While the mandate is expected to impact federal government employees directly, it is prudent to expect that it will have a trickle-down effect on state and local governments as well. 

The cybersecurity executive order makes it clear that MFA and Zero Trust Architectures are going to be the new standards for modernizing and securing government agencies down the road. But the inevitable question is: Now what? 

Here are steps you can take today to prepare your agencies to embrace the practices outlined in the cybersecurity executive order:

  • Take a breath. This is a 23-page order with a lot in it, and in most cases an immediate reaction, before doing your due diligence on information gathering, could be counterproductive. The order relies on established cybersecurity best practices that your organization should already be implementing.

  • Know your data, software and controls. Many of the requirements for contractors and associated service providers will center on log retention, incident reporting, and monitoring of supply chains, so it’s worth kicking off an internal effort to make sure your security controls and reporting follow best practices. Do you know where your sensitive data resides (on-premises or in the cloud) and exactly who has access to it? Who is involved in your supply chain, and are strong authentication methods in place? Do you retain log data yourself, or do you work with a provider who retains it? If you have clear answers to these questions ahead of time, you will be in a better position to meet an agency’s guidelines. Section 4 of the executive order also references defining “critical software” and ensuring the right security measures are in place for it, especially for software purchased from external vendors. 

  • It’s a process. In the next few months there will be reports submitted to the White House about recommended ways to move forward on the executive order, but the exact final outcome is hard to predict. It’s important to stay updated on proposed regulations and work closely with your agency counterparts. Though we don’t know exactly what the final approach will be, if you follow cybersecurity best practices you will be in a good position to meet new regulations.

  • Work with your counterparts. The agencies are living in uncertainty much like their partners are. Reach out to your contacts and offer to have a conversation about what the executive order might mean. Become their “back-stop” on this issue and make sure they have all inventories or other reports they might need from you. You are in this with them for the long haul.

  • Don’t treat this as a quick win for security vendors. It’s a journey to make the country safer rather than an immediate opportunity. Though it’s tempting to see this as a windfall of new capital, it is really an opportunity to improve the security of the nation. Spending the time to understand how to best address the security risk, rather than just deploying a point solution, will be much better for all of us. Deploying zero trust concepts and architectures is an ongoing process that will be measured in years and decades rather than months. Look into the array of MFA options, but know that not all MFA is created equal. Weaker MFA options, though they provide some level of protection, can be bypassed. With the long view in mind, consider the strongest level of MFA to future-proof the security investments you make now and down the line. 

  • Build funding requests into upcoming budget cycles. Agencies can cite the order’s call to action when requesting funds to meet cybersecurity, modernization, and identity requirements. Potential funding sources include the Technology Modernization Fund (TMF) and American Rescue Plan (ARP) funding. 

  • Embrace the uncertainty and move toward flexibility and strong authentication. You want to position yourself to go in the direction the industry is building around, even if you don’t know the final directive. FIDO-compliant security keys that work with a number of Identity and Access Management (IAM) providers, operating systems, and browsers will give you the most flexibility to react once you know what type of MFA your agency will move toward. A single YubiKey can hold smart card, OTP, and FIDO credentials, allowing for a strong authentication bridge across legacy and modern infrastructures.

  • For now, it’s best to assess your internal security controls against industry cybersecurity best practices and reach out to your agency counterparts to understand their thoughts on the executive order and on improving cybersecurity.

  • Also, watch the on-demand Yubico roundtable webinar, “The President’s Cybersecurity Executive Order: Achieving zero trust and strong MFA.”

Michael Santini
Sales Leader, Public Sector
Yubico
michael.santini@yubico.com
408 816 6988


Yubico sets new global standards for simple and secure access to computers, mobile devices, servers, and digital accounts, and helps government and industry organizations mitigate cybersecurity risk by securing access to critical business and customer data with high-assurance multi-factor authentication using the YubiKey.