With the recent number of attacks that have had significant impact on critical systems, a new executive order on improving the nation’s cybersecurity has been released, covering many key areas that need to be addressed to protect critical digital infrastructure. This is one of the most detailed U.S. executive orders on cybersecurity and we welcome this effort to improve the trustworthiness of the digital infrastructure. The challenges are many and it is encouraging to see this order addressing the issues from many fronts.
This executive order will affect many organizations, both in the public and private sector, that work with the government. These typically include financial services, healthcare, the public sector, critical infrastructures, high tech, and education.
While the order covers a number of key topics, implementing multi-factor authentication (MFA), deploying Zero Trust Architecture, and securing the software supply chain are of particular note.
MFA officially a front line of defense
The executive order recognizes the importance of MFA and how it greatly deters account compromise. All agencies shall adopt MFA within 180 days. Additionally, software vendors must establish MFA across the enterprise. Though the order doesn’t call out specific MFA standards, phishing-resistant hardware backed authentication methods, like FIDO security keys and smart cards, provide the level of security needed to address modern day attacks.
Zero Trust Architecture
To modernize Federal government systems, agencies must develop a plan to implement a Zero Trust Architecture within 60 days. A Zero Trust security model eliminates implicit trust and is designed to only allow the minimal access needed to perform a function. Zero Trust design principles makes a “no-trust” assumption that requires authentication as users cross network boundaries particularly as organizations move to the cloud. The Zero Trust emphasis in the order demonstrates the high priority status the government is placing on modernizing agencies’ infrastructure. Strong, modern authenticators, like the YubiKey, will be essential to reaching Zero Trust goals while providing a low-friction and secure user experience.
Software Supply Chain Security
The Federal Government relies heavily on software developed internally and from technology vendors. The order specifically calls out the lack of transparency and adequate controls to prevent tampering by malicious actors. Recent attacks have shown the importance of software chain of custody. The executive order develops guidelines that will improve the verification of the integrity of the software. A best practice is to ensure code and commits are cryptographically signed, which can be accomplished with a YubiKey.
Phishing attacks continue to evolve and can lead to account takeovers and ransomware attacks, resulting from stolen or phished credentials. The best way to prevent phishing is to embrace the implementation of strong MFA and Zero Trust Architectures — exactly what part of this executive order now mandates. Furthermore, cryptography signed code and commits will be an important way to establish trust and achieve a high level of assurance.
The recently launched YubiKey 5 FIPS Series is certified at FIPS 140-2, Overall Level 1 and Level 2, and in addition, has achieved Physical Security Level 3; the YubiKey 5 FIPS series is able to meet the requirements for Authenticator Assurance Level 3 (AAL3) as defined in NIST SP800-63B. For more information on the new YubiKey 5 FIPS Series, please visit the Yubico website. The series is also available for purchase on the Yubico store, through Yubico’s dedicated sales team, or from any Yubico-approved channel partners and resellers.