As President Biden’s landmark cybersecurity executive order (EO) approaches its first anniversary on May 12, new research shows that most Federal cybersecurity decision-makers solidly back the aims of the EO, but also think that its initial timelines to implement zero trust security are unrealistic.
The top-line findings of the new research – Impact Assessment: Cyber EO Year One – from MeriTalk, Amazon Web Services (AWS), CrowdStrike, and Zscaler reflect input from 160 Federal cybersecurity decision-makers and find buoyant support for the order’s broad aims:
- 78 percent say the steps outlined in the Cyber EO are necessary to protect the United States;
- 99 percent say the EO is making progress against its goals;
- 96 percent see the Office of Management and Budget’s (OMB) Federal Zero Trust Strategy as somewhat or very helpful; and
- 82 percent agree that moving staffing and budget to zero trust is vital to national security.
Underneath that strong support, however, the Federal cybersecurity decision-makers also see significant problems in reaching the goals of the policy within its timelines and with current resourcing levels, most notably:
- 67 percent believe the EO’s three-year window for implementation of zero trust security principles is unrealistic; and
- Only 14 percent believe they have all the funding they need to complete the order’s requirements.
“The sea change is the focus on comprehensive cyber resiliency,” Nicole Burdette, principal at MeriTalk, said upon release of the new research. “The EO provided direction, and Federal cyber leaders are now doing the hard work. But progress requires sustained funding and resource commitment. The research shows the gaps.”
“Getting to zero trust is not easy,” Stephen Kovac, chief compliance officer and head of global government affairs at Zscaler, said. “The detail provided in the multi-step guidance from OMB provides a path, but there is no single box you can buy to meet the varied needs of the five zero trust pillars.”
“You need multiple solutions from varying vendors that work together with seamless integration to achieve true zero trust – it is a team sport,” Kovac added. “OMB has done a good job in helping to define those rules, with rule one being to keep users off the network. If they can’t reach you, they can’t breach you.”
The EO already has had a positive effect on the security of the nation’s critical infrastructure and data, though there is still room for improvement, Federal cybersecurity decision-makers said.
The research finds that 91 percent of respondents believe the EO – and its calls for things like endpoint detection and response capabilities and multi-factor authentication – has made the nation’s critical infrastructure and data safer. At the same time, just 28 percent said those measures have made those entities significantly safer.
“Cloud-native endpoint detection and response capabilities can significantly strengthen the cybersecurity posture for the Federal government, especially when integrated with other security capabilities including identity security, threat intelligence, and managed threat hunting,” Drew Bagley, vice president and counsel for Privacy and Cyber Policy at CrowdStrike, said.
“These concepts have become cybersecurity best practices for the private sector’s most technologically advanced businesses, and we encourage the public sector to continue to embrace these technologies and strategies,” he said.
What’s the recipe for more success in executing on the Cyber EO’s requirements?
Federal cybersecurity leaders who give their own agencies an “A” grade thus far in EO implementation are also the ones who feel better about their funding resources and are much more likely to have their chief information officers leading the implementation effort.
As for wish lists to make the multi-year implementation more effective, Federal cybersecurity leaders most often listed workforce training and expertise, stronger executive buy-in, detailed direction from agency IT leadership, and help from government centers of excellence.
The entire survey, including how Federal IT leaders are doing on implementation ahead of the one-year Cyber EO anniversary on May 12, is available here.