Cybersecurity Executive Order
The “Presidential Action” issued on 5/12/21 has several actions assigned to federal agencies, such as NASA. The focus of the presidential action is on “Improving the Nation’s Cybersecurity” and is broken down into nine sections:
- Policy
- Threat Data Sharing
- Modernizing Cybersecurity
- Enhancing Supply Chain Security
- Establishing a (federal) Cyber Security Review Board
- Standardization of Federal Cybersecurity Response Playbook
- Improving Detection of Cybersecurity Vulnerability and Incidents
- Improving the Federal Government’s Investigative and Remediation Capabilities
- National Security Systems
You can view a summary of each section in the Section Summaries section below.
AppDat Applicability
After review of the executive order, the following details summarize the elements applicable to AppDat:
- 35 unique line item requirements applicable to AppDat
- focused in 4 sections:
  - (2) Threat Data Sharing (6)
  - (3) Modernizing Cybersecurity (8)
  - (4) Enhancing Supply Chain Security (18)
  - (8) Improving the Federal Government’s Investigative and Remediation Capabilities (3)
- The other sections have good information on other federal actions focused on non-NASA agencies, and may result in future actions, but they did not have any actions that would be applicable to AppDat.
Threat Data Sharing
Focus is on the need for agencies to share cyber security data effectively, particularly when a cyber security incident occurs.
- Monitoring
- Analytics
- Security/Monitoring data APIs
Modernizing Cybersecurity
Details the primary areas of modernization that all agencies are going to need to adopt, namely:
- ZTA
- MFA
- Encryption
It also details how FedRAMP needs to support compliance-framework and automation-centric approaches as a substitute for the relevant portion of the authorization process.
Enhancing Software Supply Chain Security
Focuses on securing the software supply chain within government agencies and within the software providers working with or supplying products to the federal government. It is essentially a set of requirements pointing towards DevSecOps systems.
- Automation
- Software Security
- Documentation
- Attestation
Improving the Federal Government’s Investigative and Remediation Capabilities
This section focuses on information system and network logging, specifically on ensuring consistent log types, retention and protection, along with establishing clear requirements that agencies must centralize log data and be capable of sharing data with other cyber intelligence and security agencies such as the FBI, CISA, and DHS.
- Logging
- Log Data Sharing
- Incident Response Handling
Next Steps: MTDS project
AppDat is in the middle of a 12-month OCIO-funded ITIF project, Mission Telemetry Distribution Services (MTDS), expanding AppDat to support a fully featured end-to-end Zero Trust hybrid cloud system designed to support ISS telemetry data sharing between NASA and their trusted commercial and international partners.
On completion of the MTDS project, the AppDat maturity levels in compliance with the presidential Cybersecurity actions will meet or exceed a majority of the requirements.
More importantly, however, the AppDat platform’s design around open source, “cloud-native”, and open-standards-based technologies will enable AppDat to continually evolve at a rapid pace to maintain industry-leading cybersecurity parity for NASA.
After going through the report card, there are currently three specific Epics identified that will bring AppDat to a very high maturity level for all 35 specific requirements, moving AppDat to being not only the most streamlined software development environment, but the most secure cloud computing platform at NASA.
- Zero Trust Policy Enforcement
- Monitoring & Logging with Elastic Stack
- GitLab DevSecOps enhancements
AppDat Report Card (June 2021)
View our complete report card breakdown here.
Section Summaries
Section 1: Policy
This section simply states that it is now the policy:
All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.
Section 2: Threat Data Sharing
This section focuses on upcoming updates to contractual language regarding service provider requirements and federal agency processes surrounding cybersecurity data and incidents. The specific focus is on the need for agencies to share cybersecurity data effectively, particularly when a cybersecurity incident occurs. While the contract language is still being drafted, there are some specific requirements this order outlines.
Section 3: Modernizing Cybersecurity
This section details the primary areas of modernization that all agencies are going to need to adopt, namely:
- ZTA
- MFA
- Encryption
It also details how FedRAMP needs to support compliance-framework and automation-centric approaches as a substitute for the relevant portion of the authorization process.
Section 4: Enhancing Software Supply Chain Security
This section focuses on securing the software supply chain within government agencies and within the software providers working with or supplying products to the federal government.
Section 5: Establishing a Cyber Safety Review Board
This section details the formulation of a new Cyber Safety Review Board. It does not have any direct applicability to NASA or AppDat beyond what will be potential agency-level tie-ins to this new Cyber Safety Review Board.
Section 6: Standardization of Federal Cybersecurity Response Playbook
This section focuses on the development and release of a new set of procedures to be used across all federal agencies with respect to planning and conducting cybersecurity vulnerability and incident response activities.
There are no specific IT service provider actions identified in this section; however, once the proposed incident response playbook is published, the procedures defined will align to the AppDat incident response processes.
Section 7: Improving Detection of Cybersecurity Vulnerability and Incidents
This section focuses on the establishment of improved cybersecurity vulnerability and incident detection at the federal level, down through all government agencies. This is described primarily as being implemented through “Endpoint Detection and Response” systems, which essentially perform cyber threat detection by matching system events against known adversarial behaviors.
While the guidance described in this section may have applicability to NASA and AppDat, there is currently not enough information on the requirements to determine exactly how NASA and AppDat would best meet those requirements.
Section 8: Improving the Federal Government’s Investigative and Remediation Capabilities
This section focuses on information system and network logging, specifically on ensuring consistent log types, retention and protection, along with establishing clear requirements that agencies must centralize log data and be capable of sharing data with other cyber intelligence and security agencies such as the FBI, CISA, and DHS.
Section 9: National Security Systems
This section focuses on National Security Systems, which is broadly not applicable to NASA or AppDat.