“The EO gave several federal government agencies tight deadlines to produce new rules and guidance on stringent cybersecurity requirements that the White House hopes will better protect government offices from malicious digital activity. In addition, the administration designed the order to spur federal government hardware and software suppliers to ratchet up their security efforts to hang onto their government contracts. The hope is that by exercising the power of the purse, the federal government’s new rules would have a positive spillover effect for private sector organizations, too…”
“With those caveats, the following summarizes the status of the 19 tasks known to be completed to date, in chronological order by the deadlines spelled out in the order:
- 5/26/21, Recommendations on Logging Events Requirements. Section 8(b) of the order requires the DHS secretary, in consultation with the attorney general and the administrator of the Office of Electronic Government within OMB, to provide to the OMB director recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks. In addition, the FAR Council must consider the recommendations. Although little is publicly available regarding this requirement, the DOD has noted that as of August 4, FAR and Defense Acquisition Regulation staff are working on this requirement…”
- “6/26/2021, Definition of Critical Software. Sections 4(g) and 4(h) of the order require the secretary of commerce, acting through the NIST director, in consultation with the secretary of defense acting through the NSA director, the DHS secretary acting through the CISA director, the OMB director, and the director of national intelligence to publish a definition of what constitutes critical software. On June 24, NIST released this definition, and on October 13, 2021, released a white paper that revises that definition. On the same date, ahead of schedule, NIST also published a preliminary list of software categories considered to be EO-critical, another requirement in the order.
- 7/11/2021, Minimum Elements of SBOMs. In Section 4(f) of the order, the commerce secretary, in coordination with the assistant secretary for communications and information and the administrator of the National Telecommunications and Information Administration (NTIA), is required to publish minimum elements for a software bill of materials (SBOM). Accordingly, on July 12, 2021, the Commerce Department published a 28-page document containing these minimum elements…”
Source: Biden’s cybersecurity executive order, a progress report – By Cynthia Brumfield, November 1, 2021. CSO Online.




