Progress and Gaps Found in Implementing Biden’s Cybersecurity Executive Order

Implementing Biden's Cybersecurity Executive Order | CyberPro Magazine


Overview of Implementation Progress

A recent report from the Government Accountability Office (GAO) sheds light on the progress made in implementing the 2021 executive order aimed at enhancing the nation’s cybersecurity. Out of the 55 leadership and oversight requirements outlined in President Joe Biden’s order, agencies responsible for implementation have completed 49, partially completed 5, and marked one as “not applicable” due to its timing with other requirements. The GAO underscores the importance of fulfilling these requirements to ensure the adequate protection of federal systems and data.

Among the agencies charged with implementing the Cybersecurity Executive Order are the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB). Their combined efforts have 

significantly advanced Cybersecurity Executive Order measures within the federal government:

Areas of Partial Completion and Concern

One area where partial completion is noted is in the section addressing the removal of barriers to threat information. The Office of Management and Budget (OMB) only partially incorporated a required cost analysis into its annual budget process, raising concerns about the sufficiency of agency budgets to implement cybersecurity recommendations effectively. Additionally, OMB faced challenges in documenting communications with agencies regarding the deployment of endpoint detection and response (EDR) approaches, citing the decentralized nature of conversations as a hindrance.

Further, OMB provided guidance on improving log retention and management practices but fell short in ensuring agencies had adequate resources for implementation. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) encountered hurdles in identifying and making available a list of critical software, expressing concerns about interpretation and planning to revise criteria for validation. Additionally, CISA faced criticism over the effectiveness and independence of the Cyber Safety Review Board, with incomplete steps taken to implement recommendations for improvement.

Despite progress in many areas, the GAO report highlights significant challenges that remain in fully realizing the objectives of the executive order.

Overall Progress, Recommendations, and Future Steps

Despite these challenges, federal agencies have made significant strides in various aspects of the Cybersecurity Executive Order, including enhancing threat information sharing, establishing security measures for critical software, and developing incident response protocols. The Office of the National Cyber Director has played a crucial role in coordinating implementation efforts across agencies.

The GAO issued recommendations to the Department of Homeland Security (DHS) and OMB to address gaps in implementing the executive order’s requirements. While OMB did not provide comments, DHS agreed with the recommendations, emphasizing the need to define critical software and enhance the effectiveness of the Cyber Safety Review Board’s operations.

Looking ahead, continued collaboration and concerted efforts among agencies will be essential to address remaining challenges and ensure the comprehensive implementation of the Cybersecurity Executive Order. As cyber threats continue to evolve, the federal government must remain vigilant and proactive in safeguarding its systems and data against malicious actors.