Plaintext: Understanding Cybersecurity Policy
Welcome to Dark Reading in Plaintext, brought to your inbox this week by Axonius. In this issue of Plaintext, we look at the second cybersecurity executive order issued by the outgoing Biden Administration. The Administration has released a flurry of technical documents over the past week, providing guidance on what federal agencies need to be doing to secure federal systems. We also note that DORA compliance is coming up, and remind organizations that they need to strengthen their third-party risk management practices. If you enjoy Plaintext, please share with friends and colleagues!
Biden's Second Executive Order on Cybersecurity. U.S. President Biden issued a second cybersecurity executive order outlining actions federal agencies need to take, such as strengthening the software supply chain by addressing vulnerabilities in open source components, encrypting federal email messages, and securely storing private cryptographic keys used for identity management. The EO calls on the General Services Administration, CISA, and NIST to create incentives for cloud service providers to "produce baselines with specifications and recommendations for agency configuration of agency cloud-based systems." It also gives the federal government more power to sanction attackers who target critical infrastructure such as schools and hospitals.
The first cybersecurity executive order in 2021 required agencies to exclusively use software from manufacturers who claimed to follow secure software development practices. The second EO requires the Office of Management and Budget (OMB) director to team up with the heads of the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) to develop rules on how software providers would attest that they are addressing vulnerabilities in their applications.
“In some instances, providers of software to the Federal Government commit to following cybersecurity practices, yet do not fix well-known exploitable vulnerabilities in their software, which puts the Government at risk of compromise.”
CISA and NIST have released a number of technical documents and playbooks this week, such as the AI playbook for information sharing, guidance for OT owners and operators, and detailed information on how to use Microsoft's logging systems.
Nothing in the executive order would be considered partisan, but there is no guarantee the incoming administration will keep any of these rules. "Cybersecurity is not a partisan issue — everyone in the United States has a shared interest in protecting our nation against foreign cyber threats, such as spying and network disruption," Tom Cross, a cybersecurity strategist at WitFoo, wrote in a statement.
Dark Reading in Plaintext is brought to you by Axonius
Join Axonius for Cyber Reset Week 2025!
Kick off 2025 with Cyber Reset Week (Jan 21-23)! Join expert sessions on automating security, top trends, and lasting change with Charles Duhigg. Register now for a secure year ahead!
DORA: Third-Party Risk Management. Financial services and banking firms will need to comply with the European Union's Digital Operational Resilience Act (DORA) beginning Jan. 17. Financial institutions are expected to have rigorous measures to test and demonstrate compliance with new rules for cybersecurity risk management, incident reporting, operational resilience testing, and third-party risk monitoring. The regulation originally went into effect in 2023 and is now in its enforcement stage. DORA addresses third-party risks by requiring organizations to conduct due diligence and continuous monitoring of their service providers. The business continuity standards defined in DORA require organizations to maintain backup systems for swift incident recovery. Organizations are expected to be able to restore critical functions within two hours of an outage. Covered entities are also expected to simulate real-world cyberattacks to assess their defenses against sophisticated threats.
What We Are Reading
What We Heard On-Air
Tune in to our on-demand webinar "What Network Resilience Means to Enterprise Cybersecurity Posture."
"Open source is only free if your time has no value." — Jake Williams
From Our Library
Check out some of the latest reports from our Dark Reading Library
On That Note
Have you submitted your caption for this month's Name That Edge Toon contest? Come up with a cybersecurity-related caption for a chance to win $25. Deadline is Jan. 28. Submission details here.
JavaScript Web Developer
2 months: It's very interesting. Thanks for sharing this.
Great dad | Inspired Risk Management and Security | Cybersecurity | AI Governance & Security | Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer
2 months: This EO comes too late, and I'm not even sure what the intention was: a “cybersecurity” legacy? However, I doubt the new administration is going to care or significantly change this EO. They will be busy with other agendas: tariffs, the economy, wars, and outrageous Twitter posts.
--GYT
2 months: Great job GYT 30330