Onus on vendor community to assist in agency compliance
According to the recent Presidential Executive Order on Improving the Nation’s Cybersecurity “the private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely and partner with the federal government to foster a more secure cyberspace.”
The order further recommends standardizing common cybersecurity contractual requirements across agencies, to “streamline and improve compliance for vendors and the federal government.” Existing contracts must be scrutinized to reduce the trend of serious cyberattacks across government and industry alike.
As this mandate will shape requirements in future budgets, it will be essential for vendors to analyze how this applies to each agency across the federal government.
Beyond the implications for contracts and budgets, vendors can expect more government attention in several key technology areas, which will spark greater demand and more funding. Here are just a few:
Cyber vulnerability and incident detection
Agencies are required to establish a Memorandum of Agreement with CISA for Continuous Diagnostics and Mitigation. CISA is required to report quarterly to OMB and the National Security Advisor on the implementation of threat-hunting practices. Vendors can expect more contact with agencies as these reports and documents are being prepared.
Incident response playbook
CISA and the government are developing a standardized playbook for cybersecurity vulnerability and incident response activity covering all phases of incident response. Vendors will need to ensure they provide proper responses across their solutions, partners and products.
Modernizing federal cybersecurity
The order requires a number of security best practices. These include developing plans that will facilitate a move to zero trust architecture and embracing secure cloud services, such as software as a service, infrastructure as a service and platform as a service. Agencies are also required to adopt multi-factor authentication and encryption for data at rest. Agencies will have to invest in technology and human resources to meet modernization goals. Vendors should be prepared to address these requirements with their technological offerings.
Software supply chain security
The Secretary of Commerce will provide guidance on practices to enhance software supply chain security in coming months. This guidance is expected to come through consultation with agencies as recommended by NIST. This supply chain guidance is in addition to requirements that NIST provide information that defines “critical software,” “legacy software remediation” and “IoT security.”
Vendors who provide cybersecurity products and solutions to the federal government need to keep on top of developments in this area if they want to stay in the game.
This article is adapted from a commentary that originally ran in Washington Technology.