New US Executive Order on Cybersecurity
President Biden signed an executive order to improve government cybersecurity, setting new security standards for software sold to the federal government.
For the first time, the United States will require all software purchased by the federal government to meet, within six months, a series of new cybersecurity standards. Although the companies would have to “self-certify,” violators would be removed from federal procurement lists, which could kill their chances of selling their products on the commercial market.
I’m a big fan of these sorts of measures. The US government is a big enough market that vendors will try to comply with procurement regulations, and the improvements will benefit all customers of the software.
EDITED TO ADD (5/16): Good analysis.
Clive Robinson • May 13, 2021 10:24 AM
@ Bruce, ALL,
When you look through it you will find,
Take a careful look and you will see there is no comma after “authentication”…
Which under certain rules, it actually means “both”,
1. Multi-Factor Authentication (MFA).
2. Multi-Factor Encryption (MFE).
Are to be used.
That is going to be interesting, whilst ways to do MFE have been around and are fairly easy to understand[1], thinking back I can’t remember seeing any general consumer software that does MFE for FDE. I have seen some “security” systems that require several “crypto ignition keys” (CIK); they are not exactly “consumer” grade or oriented.
Therefore I suspect most consumer security product vendors will get MFE more badly mucked up than they have with MFA requirements…
But the “self certification” requirement is really asking for trouble. MFA has been on auditors’ check lists for some time, but it used to not be defined. Anyone else remember the apocryphal “But two passwords are MFA”. Or even worse “But a secret username and password are MFA”…
[1] MFE or “M of N key” split/share[2] systems come in several varieties. The easiest to understand conceptually is the idea that,
Thus you compute the center and radius when you have all three points. Only knowing one or two points on the circumference will not help an attacker.
[2] https://en.m.wikipedia.org/wiki/Secret_sharing
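The “M of N” split described in the footnote above is Shamir’s secret sharing (the scheme on the linked Wikipedia page): the secret is the constant term of a random polynomial over a prime field, and the “three points fix the circle” picture corresponds to threshold 3. The following is an added example, not code from the post or its commenter; the prime modulus and the sample secrets are constructed for illustration.

```python
import secrets

# Prime field for all arithmetic (constructed choice for this example; any prime
# larger than the secret works, but every party must agree on the same one).
PRIME = 2**127 - 1

def split_secret(secret, k, n, rng=secrets.randbelow):
    """M-of-N split: hide `secret` as the constant term of a random
    degree-(k-1) polynomial over GF(PRIME) and hand out n points on it.
    k=3 is the 'three points on the circumference' case from the comment."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in [0, PRIME)")
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n < PRIME")
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    # Share i is the point (x=i, f(i)); x=0 is never handed out, it holds the secret.
    return [(x, f(x)) for x in range(1, n + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x=0 over GF(PRIME). Correct only when at
    least k distinct shares are supplied; with fewer, the polynomial through
    them is unrelated to the real one, so the result tells an attacker nothing."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

if __name__ == "__main__":
    s = secrets.randbelow(PRIME)          # constructed sample secret
    shares = split_secret(s, 3, 5)        # 3-of-5
    print("any 3 shares recover:", recover_secret([shares[0], shares[2], shares[4]]) == s)
    print("only 2 shares recover:", recover_secret(shares[:2]) == s)
```

The second print is False for any two shares, which is the commenter’s point that one or two points on the circumference do not help.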