On May 12, US President Joe Biden issued an executive order on cybersecurity seeking to improve the state of national cybersecurity in the US and to increase protection of government networks following incidents involving SolarWinds and, more recently, the Colonial Pipeline hack. The Executive Order outlines the need to modernize cybersecurity defenses in the country as well as opening channels for sharing information relating to cybersecurity threats and breaches. This will undoubtedly raise concerns for many organizations whose contractual obligations often make these incidents difficult to report, but it also highlights the importance of organizations ensuring that their supply chain is secure and that their vendors meet the necessary cybersecurity requirements.

Register for the webinar: US Cybersecurity Executive Order: How It Will Impact Your Vendor Risk Strategy

The Executive Order looks to lead from the front, stating: “the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life […] The Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” And while the Government looks to set a precedent, there are several implications that will affect the way in which private-sector organizations approach their security processes, including providing proof of the integrity of open-source code and the security of legacy software, particularly if you are selling software to the federal government.

 

“In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”  

– President Joe Biden, Executive Order on Improving the Nation’s Cybersecurity

 

The White House also published a factsheet which highlights the seven key points that the Executive Order looked to address: 


What does the Executive Order mean for organizations? 

The heightened emphasis on the transparency of cybersecurity outlined in the Executive Order, and the consequences for not meeting its requirements, will lead to a surge in organizations reviewing their third-party contracts. Improving the security of the software supply chain is a key component of the Executive Order, and organizations must now look to verify that they are working with secure vendors. This will also likely lead to increased scrutiny of vendor risk assessments, potential security gaps in the supply chain, and the remediation policies that are currently in place.

Further to the increased security of the supply chain, it will fall to organizations to ensure their vendors have the proper contract terms in place to allow for the transparent sharing of threat and breach information. In addition, vendor assessments will need to address whether FedRAMP guidelines are being met, including assessment, authorization, continuous monitoring, and compliance.

Learn more about managing vendor risk: Expert Panel: How Do You Manage Vendor Risk? 

Given The White House’s pledge to ensure government systems “meet or exceed the standards and requirements for cybersecurity” outlined in the Executive Order, organizations that are looking to sell software to government agencies should expect more stringent evaluations of their own security to make sure the appropriate requirements are being met. The top-down approach to cybersecurity standards will set the benchmark for organizations; therefore, it is critical that your and your vendors’ security programs meet the necessary requirements in order to sell software to government agencies.

Vendor risk management is likely to come under the microscope for many organizations following the release of President Biden’s Executive Order on Cybersecurity, and the security of the software supply chain will be scrutinized as a result. Many organizations will therefore need to revisit their existing vendor contracts as well as their own security processes in order to meet the new standards and protect their eligibility for government agency contracts. Request a demo to find out more about how OneTrust Vendorpedia can streamline and automate your VRM program and set you up for the future of cybersecurity in the US.


Further reading on President Biden’s Executive Order on Cybersecurity: 

Next steps on risk management:   

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on vendor risk management.