Read the book Cybersecurity Risk Management - Cynthia Brumfield - Page 18
RECENT DEVELOPMENTS AT NIST
In response to a series of damaging and high-profile cyberattacks involving Chinese state-sponsored threat actors and Russian ransomware operators, President Joe Biden released a wide-ranging and ambitious executive order (EO) on May 12, 2021: Executive Order 14028, “Improving the Nation’s Cybersecurity.” The EO assigns NIST several complex tasks that reshape U.S. cybersecurity policy and requirements. These tasks also elevate the foundational importance of the NIST Cybersecurity Framework’s core functions of identifying, protecting, detecting, responding, and recovering. (See https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity).
As of this book’s publication date, many of these NIST mandates are still in process. In addition, it’s important to note that any requirements coming out of the EO apply only to federal government agencies and their contractors. But because most of the world’s leading tech companies are also major suppliers to the federal government, it’s likely that the EO and the resulting NIST requirements will ultimately have spill-over effects for private sector organizations.
The NIST assignments in the EO include:
Developing guidance to help agencies achieve “zero-trust” architecture. Zero-trust is the latest trend in cybersecurity that “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses,” according to the EO.
Defining what constitutes “critical software” and publishing guidance outlining security measures for critical software. These intricate tasks aim to prevent the infiltration of malware into widely used and essential software.
Developing guidelines that result in minimum standards for vendors’ testing of their software source code. These guidelines aim to put into place processes to ensure that software is sufficiently safe and secure.
Publishing guidance that identifies practices to enhance software supply chain security. This guidance aims to foreclose, to the extent feasible, malicious software from third parties from sneaking into the various subcomponents that make up modern software.
Initiating labeling programs related to the Internet of Things (IoT) and software to inform consumers about the security of their products. This task aims to provide consumers with a ratings scale that helps them better understand the security level of their hardware IoT devices and software.
The Cybersecurity Framework is a critical reference document for organizations to consult across the NIST tasks completed or underway under the EO. In particular, all of the software security measures list the Framework as an informative reference.