Third-Party Risk Management in the Executive Order on Improving the Nation’s Cybersecurity
On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity. Developed in the wake of the highly damaging SolarWinds Orion software supply chain breach, the Order directs several US Federal Government agencies to better coordinate in preventing, detecting, responding to and mitigating security incidents and breaches by:
- Removing barriers to sharing threat information
- Modernizing Federal Government cybersecurity technologies and practices
- Enhancing software supply chain security
- Establishing and standardizing the Federal Government’s playbook for vulnerabilities and incident response
- Improving the detection of cybersecurity vulnerabilities and incidents on Federal Government networks
- Improving the Federal Government’s investigative and remediation capabilities
This Executive Order (EO) builds on previous cybersecurity-related EOs and requires agencies to establish uniform standards based on NIST, with enforcement beginning in May 2022.
Since this EO introduces several new third-party risk management requirements for Federal agencies to implement, this post focuses on Section 4, Enhancing Software Supply Chain Security. If software suppliers are not able to meet these requirements, they will be removed from the Federal Government's Acquisition Regulation, meaning they can no longer sell to the government. The Federal Government will publish these requirements, including testing and evaluation criteria, later in the year.
How Third-Party Risk Management Applies to the President’s Executive Order
Critical Federal Government IT systems have long been the target of nation-state attacks. Malicious actors know that the easiest, least secure path into Federal systems is often through third-party services and software. Third-party providers may not have the processes or controls necessary to detect malicious activity or code, and they can potentially expose a wide range of sensitive information.
Third-party risk management technologies and processes can help to address guidelines in the Executive Order that require organizations to evaluate and report on software security. The EO criteria include assessments of developer and supplier security controls, as well as documentation that demonstrates adherence to secure practices.
The table below summarizes some of the most important third-party risk management requirements addressed in the EO, along with Prevalent’s recommended capabilities to assess supplier practices.
Building a Third-Party Risk Management Program that Complies with the EO on Improving the Nation’s Cybersecurity
As the requirements outlined in the Executive Order on Improving the Nation’s Cybersecurity take shape in the next year, now is the time for IT software companies to build or mature their own third-party risk management programs. Key considerations should include:
- Identifying which suppliers are considered critical, and focusing assessment efforts on those that present the most inherent risk to your operations
- Regularly assessing the secure software development lifecycle practices of key third parties that contribute code or updates to your final builds
- Continuously monitoring the dark web, hacker chatter and other related forums for activity related to your third parties
- Triaging and remediating assessment and monitoring findings
- Centralizing documentation and reporting for auditors
Prevalent can help. We offer a SaaS solution that automates the critical tasks required to identify, assess, analyze, remediate, and continuously monitor third-party security, privacy, operational, compliance and procurement-related risks across every stage of the vendor lifecycle. For more on how Prevalent can help, read about our TPRM capabilities for the Executive Order on Improving the Nation’s Cybersecurity or contact us for a strategy discussion today.
Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management provider, Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.