The White House (d) Within 90 days of receiving the recommendations described in subsection (c) of this section, the Director of OMB, in consultation with Secretary of Homeland Security, shall issue requirements for FCEB Agencies to adopt Federal Government-wide EDR approaches. The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)). 4. Federal Robotic Process Automation Community of Practice, Federal Identity, Credential and Access Management (FICAM) Program, Identity, Credentials, and Access Management, Federal Risk and Authorization Management Program (FedRAMP), Federal Information Security Modernization Act, Continuous Diagnostics and Mitigation (CDM), Homeland Security Presidential Directive 12 (HSPD-12), Blueprint for a Secure Cyber Future - The Cybersecurity Strategy for the Homeland Security Enterprise[PDF], Security Content Automation Protocol (SCAP) Validated Products and Modules, Glossary of Key Information Security Terms [PDF], Federal Information Security Modernization Act of 2014 (FISMA 2014), M-18-02, Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management [PDF], M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information [PDF], M-17-02, Precision Medicine Initiative Privacy and Security [PDF], M-16-19, Data Center Optimization Initiative (DCOI) [PDF], M-16-15, Federal Cybersecurity Workforce Strategy [PDF], M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government [PDF], M-15-16, Multi-Agency Science and Technology Priorities for the FY 2017 Budget [PDF], M-10-28, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland [PDF], EO 13800 - Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, EO 13691 - Promoting Private Sector Cybersecurity Information Sharing, EO 13681 - Improving the Security of Consumer Financial Transactions, EO 13636 - Improving Critical Infrastructure Cybersecurity, EO 13556 - Controlled Unclassified Information, PPD 41 - United States Cyber Incident Coordination, PPD 21 - Critical Infrastructure Security and Resilience, HSPD 20 - National Continuity Policy [PDF], HSPD 12 - Policy for a Common Identification Standard for Federal Employees and Contractors, Federal Information Processing Standards (FIPS), White House FACT SHEET: Cybersecurity National Action Plan, National Information Assurance Partnership (NIAP), Presidential & Congressional Commissions, Boards or Small Agencies, White House Office of Management and Budget (OMB) Circulars, Homeland Security Presidential Directives (HSPD), Federal Emergency Management Agency (FEMA) Directives. The SBOM enumerates these components in a product. Sec. 11. (f) Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for anSBOM. The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses. These requirements should be designed to permit agencies to share log information, as needed and appropriate, with other Federal agencies for cyber risks or incidents. Software developers and vendors often create products by assembling existing open source and commercial software components. Those requirements shall support a capability of the Secretary of Homeland Secretary, acting through the Director of CISA, to engage in cyber hunt, detection, and response activities. (c) Within 180 days of the date of this order, the Director of NIST shall publish preliminary guidelines, based on the consultations described in subsection (b) of this section and drawing on existing documents as practicable, for enhancing software supply chain security and meeting the requirements of this section. (e) To address cyber risks or incidents, including potential cyber risks or incidents, the proposed recommendations issued pursuant to subsection (b) of this section shall include requirements to ensure that, upon request, agencies provide logs to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals. A-130 - Managing Information as a Strategic Resource, Federal Information Security Modernization Act (FISMA), The Federal Risk and Authorization Management Program (FedRAMP), Identity, Credentialing, and Access Management (ICAM), Federal Government Adoption of Internet Protocol Version 6 (IPv6) FAQs (2011), Planning Guide and Roadmap Toward IPv6 Adoption within the Federal Government (2012), Performance.gov - Government Performance Website, Back to Policies, Priorities and Resources, Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, Federal Information Security Modernization Act, Chief Information Security Officers Council. (j) Within 60 days of receiving the recommended contract language developed pursuant to subsection (i) of this section, the FAR Council shall review the recommended contract language and publish for public comment proposed updates to the FAR. General Provisions. (i) Within 90 days of the date of this order, the Director of CISA shall provide to the Director of OMB and the APNSA a report describing how authorities granted under section 1705 of Public Law 116-283, to conduct threat-hunting activities on FCEB networks without prior authorization from agencies, are being implemented. (s) The Secretary of Commerce acting through the Director of NIST, in coordination with representatives of other agencies as the Director of NIST deems appropriate, shall initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs. 451). 3552(b)(2). Opt in to send and receive text messages from President Biden. (j) The Secretary of Homeland Security, in consultation with the Attorney General and the APNSA, shall review the recommendations provided to the President through the APNSA pursuant to subsection (i) of this section and take steps to implement them as appropriate. Share sensitive information only on official, secure websites. Territories and Possessions are set by the Department of Defense. If a device is compromised, zero trust can ensure that the damage is contained. Sec. (i) Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Homeland Security acting through the Director of CISA and with the Director of OMB, shall publish guidance outlining security measures for critical software as defined in subsection (g) of this section, including applying practices of least privilege, network segmentation, and proper configuration. These communications may include status updates, requirements to complete a vendors current stage, next steps, and points of contact for questions; (iii) incorporating automation throughout the lifecycle of FedRAMP, including assessment, authorization, continuous monitoring, and compliance; (iv) digitizing and streamlining documentation that vendors are required to complete, including through online accessibility and pre-populated forms; and (v) identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process, as appropriate.Sec. (d) The Boards initial review shall relate to the cyber activities that prompted the establishment of a UCG in December 2020, and the Board shall, within 90 days of the Boards establishment, provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices, as outlined in subsection (i) of this section. The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity. Traveler reimbursement is based on the location of the work activities and not the accommodations, unless lodging is not available at the work activity, then the agency may authorize the rate where lodging is obtained. 7. (e) Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director ofthe FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs. Within 75 days of the date of this order, agencies shall establish or update Memoranda of Agreement (MOA) with CISA for the Continuous Diagnostics and Mitigation Program to ensure object level data, as defined in the MOA, are available and accessible to CISA, consistent with applicable law. Washington, DC 20500. (g) the term Intelligence Community or IC has the meaning ascribed to it under 50 U.S.C. We must also expand partnerships with the private sector and work with Congress to clarify roles and responsibilities. The CIO Council, and the Chief Information Security Officers Council, leverage FISMA quarterly reporting and agency cybersecurity budget enhancements to meet the key Federal cybersecurity priorities across the enterprise. Waivers shall be considered by the Director of OMB, in consultation with the APNSA, on a case-by-case basis, and shall be granted only in exceptional circumstances and for limited duration, and only if there is an accompanying plan for mitigating any potential risks. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks. (c) Within 90 days of receiving the recommendations described in subsection (b) of this section, the Director of OMB, in consultation with the Secretary of Commerce and the Secretary of Homeland Security, shall formulate policies for agencies to establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency. Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities. Rates for foreign countries are set by the State Department. (h) Within 90 days of the date of this order, the Secretary of Defense, the Director of National Intelligence, and the CNSS shall review the recommendations submitted under subsection (g) of this section and, as appropriate, establish policies that effectuate those recommendations, consistent with applicable law. (ii) Within 90 days of receipt of the recommendations described in subsection (g)(i) of this section, the FAR Council shall review the recommendations and publish for public comment proposed updates to the FAR. Sec. (b) The Board shall review and assess, with respect to significant cyber incidents (as defined under Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination) (PPD 41)) affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses. The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid. (h) The Secretary of Homeland Security shall provide to the President through the APNSA any advice, information, or recommendations of the Board for improving cybersecurity and incident response practices and policy upon completion of its review of an applicable incident. Please enable JavaScript to use this feature. (e) The Director of OMB shall work with the Secretary of Homeland Security and agency heads to ensure that agencies have adequate resources to comply with the requirements issued pursuant to subsection (d) of this section. Such agencies shall provide such reports every 60 days after the date of this order until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption. (c) The Secretary of Homeland Security shall convene the Board following a significant cyber incident triggering the establishment of a Cyber Unified Coordination Group (UCG) as provided by section V(B)(2) of PPD-41; at any time as directed by the President acting through the APNSA; or at any time the Secretary of Homeland Security deems necessary. (e) Within 120 days of the date of this order, the Secretary of Homeland Security and the Director of OMB shall take appropriate steps to ensure to the greatest extent possible that service providers share data with agencies, CISA, and the FBI as may be necessary for the Federal Government to respond to cyber threats, incidents, and risks. (b) Within 60 days of the date of this order, the Director of the Office of Management and Budget (OMB), in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director ofNational Intelligence, shall review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT service providers and recommend updates to such requirements and language to the FAR Council and other appropriate agencies. The criteria shall reflect a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone. (c) Within 30 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA shall provide to the Director of OMB recommendations on options for implementing an EDR initiative, centrally located to support host-level visibility, attribution, and response regarding FCEB Information Systems. (x) Within 1 year of the date of this order, the Secretary of Commerce, in consultation with the heads of other agencies as the Secretary of Commerce deems appropriate, shall provide to the President, through the APNSA, a report that reviews the progress made under this section and outlines additional steps needed to secure the software supply chain. (f) Within 60 days of the date of this order, the Administrator of General Services, in consultation with the Director of OMB and the heads of other agencies as the Administrator of General Services deems appropriate, shall beginmodernizing FedRAMP by: (i) establishing a training program to ensure agencies are effectively trained and equipped to manage FedRAMP requests, and providing access to training materials, including videos-on-demand; (ii) improving communication with CSPs through automation and standardization of messages at each stage of authorization. Standardizing the Federal Governments Playbook for Responding to Cybersecurity Vulnerabilities and Incidents. The .gov means its official. The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems. (c) The recommended contract language and requirements described in subsection (b) of this section shall be designed toensure that: (i) service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies requirements; (ii) service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies; (iii) service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed; and (iv) service providers share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation. The Board shall comprise representatives of the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI, as well as representatives from appropriate private-sector cybersecurity or software suppliers as determined by the Secretary of Homeland Security. The evaluation shall prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for thosedata. The End Date of your trip can not occur before the Start Date. (d) Agencies with cybersecurity vulnerability or incident response procedures that deviate from the playbook may use such procedures only after consulting with the Director of OMB and the APNSA and demonstrating that these procedures meet or exceed the standards proposed in the playbook. (w) Within 1 year of the date of this order, the Director of NIST shall conduct a review of the pilot programs, consult with the private sector and relevant agencies to assess the effectiveness of the programs, determine what improvements can be made going forward, and submit a summary report to the APNSA. 3502. An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. The Director of OMB shall on a quarterly basis provide a report to the APNSA identifying and explaining all extensions granted. Sec. 3003(4). (iii) Heads of FCEB Agencies that are unable to fully adopt multi-factor authentication and data encryption within 180 days of the date of this order shall, at the end of the 180-day period, provide a written rationale to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, andthe APNSA. 7. Sec. (b) Nothing in this order shall alter the authority of the National Manager with respect to National Security Systems as defined in National Security Directive 42 of July 5, 1990 (National Policy for the Security of National Security Telecommunications and Information Systems) (NSD-42). These recommendations shall describe: (i) identified gaps in, and options for, the Boards composition or authorities; (ii) the Boards proposed mission, scope, and responsibilities; (iii) membership eligibility criteria for private sector representatives; (iv) Board governance structure including interaction with the executive branch and the Executive Office of the President; (v) thresholds and criteria for the types of cyber incidents to be evaluated; (vi) sources of information that should be made available to the Board, consistent with applicable law and policy; (vii) an approach for protecting the information provided to the Board and securing the cooperation of affected United States individuals and entities for the purpose of the Boards review of incidents; and (viii) administrative and budgetary considerations required for operation of the Board. (b) Nothing in this order shall be construed to impair or otherwise affect: (i) the authority granted by law to an executive department or agency, or the head thereof; or (ii) the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals. Sec. TheDirector of NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop arecommended label or, if practicable, a tiered software security rating system. (d) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person. (k) the term Zero Trust Architecture means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries. Such guidance shall seek to ensure that risks to the FCEB from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture. Sec. (e) The Director of CISA, in consultation with the Director of the NSA, shall review and update the playbook annually, and provide information to the Director of OMB for incorporation in guidance updates. The security and integrity of critical software software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) is a particular concern. The Director of NIST shall examine all relevant information, labeling, and incentive programs and employ best practices. The President has made strengthening the Nations cybersecurity a priority from the outset of this Administration. 4. (c) This order shall be implemented in a manner consistent with applicable law and subject to the availability of appropriations. (h) Current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cloud-service cybersecurity requirements. Sec. 5. (i) Within 30 days of completion of the initial review described in subsection (d) of this section, the Secretary of Homeland Security shall provide to the President through the APNSA the recommendations of the Board based on the initial review. Unless otherwise specified, the per diem locality is defined as "all locations within, or entirely surrounded by, the corporate limits of the key city, including independent entities located within those boundaries. (m) Agencies may request a waiver as to any requirements issued pursuant to subsection (k) ofthis section. (b) the term auditing trust relationship means an agreed-upon relationship between two or more system elements that is governed by criteria for secure interaction, behavior, and outcomes relative to the protection of assets. Standardized response processes ensure a more coordinated and centralized cataloging of incidents and tracking of agencies progress toward successful responses. (g) Within 45 days of the date of this order, the Director of the NSA as the National Manager for National Security Systems (National Manager) shall recommend to the Secretary of Defense, the Director of National Intelligence, and the Committee on National Security Systems (CNSS) appropriate actions for improving detection of cyber incidents affecting National Security Systems, to the extent permitted by applicable law, including recommendations concerning EDR approaches and whether such measures should be operated by agencies or through a centralized service of common concern provided by the National Manager. (j) the term Software Bill of Materials or SBOM means a formal record containing the details and supply chain relationships of various components used in building software. 10. (g) To ensure a common understanding of cyber incidents and the cybersecurity status of an agency, the playbook shall define key terms and use such terms consistently with any statutory definitions of those terms, to the extent practicable, thereby providing a shared lexicon among agencies using the playbook. Such requirements may provide for exceptions in circumstances necessitated by unique mission needs. (ii) Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Director of OMB and the Administrator of General Services acting through FedRAMP, shall develop and issue, for the FCEB, cloud-security technical reference architecture documentation that illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting. (u) Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the FTC and representatives from other agencies as the Director of NIST deems appropriate, shall identify secure software development practices or criteria for a consumer software labeling program, and shall consider whether such a consumer software labeling program may be operated in conjunction with or modeled after any similar existing government programs, consistent with applicable law. 8. The Director of CISA shall provide quarterly reports to the APNSA and the Director of OMB regarding actions taken under section 1705 of Public Law 116-283. (i) the term logs means records of the events occurring within an organizations systems and networks. Such recommendations shall also be considered by the FAR Council when promulgating rules pursuant to section 2 of this order. (g) Within 45 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, the Secretary of Homeland Security acting through the Director of CISA, the Director of OMB, and the Director of National Intelligence, shall publish a definition ofthe term critical software for inclusion in the guidance issued pursuant to subsection (e) of this section. An official website of the United States government. 3552(b)(6), 3553(e)(2), and 3553(e)(3). To facilitate this work: (i) Within 90 days of the date of this order, the Director of OMB, in consultation with the Secretary of Homeland Security acting through the Director of CISA, and the Administrator of General Services acting through FedRAMP, shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly. It requires each agency to assess its cybersecurity risks and submit a plan to OMB detailing actions to implement the NIST Cybersecurity Framework. By the authority vested in me as President by the Constitution and the laws of the United States of America, itishereby ordered as follows:Section1. Improving the Federal Governments Investigative and Remediation Capabilities. The Secretary of Homeland Security acting through the Director of CISA, in consultation with the Administrator of General Services acting through the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration, shall develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts. (e) Within 90 days of publication of the preliminary guidelines pursuant to subsection (c) of this section, the Secretary of Commerce acting through the Director of NIST, in consultation with the heads of such agencies as the Director ofNIST deems appropriate, shall issue guidance identifying practices that enhance the security of the software supply chain. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. Modernizing Federal Government Cybersecurity. (a) The cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting their systems vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies.