
Why States and Localities Should Embrace Biden’s Cyber Plan

It’s a bold attempt to transform cybersecurity. State and local government organizations, along with their vendors, will benefit from strengthened federal requirements.

President Biden signs cybersecurity executive order. (Photo courtesy: White House)
President Biden’s long-anticipated and much-discussed Executive Order on Improving the Nation’s Cybersecurity was finally released in May. Weighing in at more than 30 pages and over 8,000 words, this presidential novella is easily the federal government’s most ambitious and comprehensive attempt to address a vast array of long-standing cybersecurity issues, calling as it does for “bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

Even though the executive order is focused exclusively on the federal government, there is much to appreciate for state and local government organizations. They should pay attention and embrace the boldness of its attempt to transform cybersecurity. State and local governments will ultimately be beneficiaries of the EO’s higher federal security requirements, much as I highlighted in this space a month ago in exploring how the StateRAMP initiative for procuring security-tested cloud products is leveraging the lessons and successes of the FedRAMP program. As security product and service vendors strengthen their security profiles to continue doing business with the federal government, those efficiencies and standards will directly reinforce security programs at other levels of government.

Overall, I’m pleased with the path the EO lays out, and if the responsible federal agencies can hit their deadlines it could be truly transformational. However, with 74 actionable directives — 45 of which have hard dates for completion — I fear it is perhaps overly ambitious. These directives are momentous in the context of the time, people and money required to accomplish them and meet the target dates. Unfortunately, these tasks will be piled on top of organizations that already are struggling with overworked cybersecurity staff and with deficient funding to meet even their current requirements.

I don’t intend to dissect each of the major sections of the EO in detail, but I do think it worthwhile to highlight them and provide some historical and experiential context. None of the EO’s initiatives are trivial. Some are aspirational and transformational. Others are simply restatements of the cybersecurity challenges and barriers we’ve been trying to solve for ages. My 50,000-foot observations:

● Remove barriers to threat information sharing between government and the private sector. The federal government has been tested daily and has regularly failed to improve information sharing for years. Just. Do. It.

● Modernize and implement stronger cybersecurity standards in the federal government. Stronger than the National Institute of Standards and Technology’s Cybersecurity Framework or NIST’s catalog of security and privacy controls? These are already considered worldwide de facto standards. Simply requiring compliance with existing standards would save a lot of time and energy.

● Improve software supply chain security. This has always been a challenge, and both COVID-19 and the SolarWinds attack highlighted the vast gaps in our supply chain security over the past 15 months. This one could revolutionize security in a way that translates to both state and local governments, as well as the private sector. It’s no surprise that this is the largest section in the EO.

● Establish a cybersecurity safety review board. This, similar to the National Transportation Safety Board, has the potential to really help — as long as we remember that cybersecurity incidents rarely have tangible and physical evidence like after a plane crash.

● Create a standard playbook for responding to cyber incidents. I’m a believer in playbooks, but a standard playbook? Across all federal government agencies? Every cybersecurity incident is different, and even the same incident affecting different agencies is nuanced. I love the efficiencies that come with standardization, but flexibility is critical in incident response.

● Improve detection of cybersecurity incidents on federal networks. Oh my! The Department of Homeland Security has spent (wasted?) billions on its Einstein network protection program over the past decade with very little to show for it and very little support across the federal government. The sad part is that most people realize that Einstein is a failure. There are very robust commercial technologies available that dance rings around Einstein for a fraction of the cost.

● Improve investigative and remediation capabilities. This is the technical section that calls for logging, log retention and log management and, most important of all, permits agencies to share logs with other federal agencies to improve overall investigative capabilities. Please let this happen.

Another issue that has plagued government organizations at all levels since the beginning of time is the glacial, baffling and often mind-numbing technology procurement process. The new executive order establishes a process to review the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation with the goal of far more transparency than exists today. This is the key to better and more efficient procurement of technologies, and it is directly translatable to state and local governments, since vendors can use this transparency as a differentiator in their customer relationships.

The expression that “a rising tide lifts all boats” is apropos in the cybersecurity arena, where raising standards benefits all participants. I can’t think of a better summary than the new executive order’s statement that “the federal government must lead by example.”

Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.
Mark Weatherford, Governing's cybersecurity columnist, is the chief strategy officer for the National Cybersecurity Center.