In my last article on EO 14028 I mentioned that I thought there were several parallels between what the EO was calling out and some of the concepts and technologies that I discussed in my interviews and articles over the last 6 years. I constructed this crosswalk to reflect these relationships. I also added a third column that reflects other news and resources you can look over that I believe are also relevant to what the EO is requiring. Let me know what you think and if there are other resources or news that I missed. Also let me know how your Cybersecurity Awareness Month is going.

Executive Order 14028 on Improving the Nation’s Cybersecurity | Relevant LLC Articles and Interviews | Recent Events, Responses, and Resources
“In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
Enabling Authenticity and Trust in the IoT Age Using Decentralized Systems
Authenticity-by-Design: Ensuring the Authenticity of Content and Identity
2020 – The Year of Insecurity of the Critical Infrastructure
Industry IoT Consortium has been busy recently producing a variety of white papers including several on software trustworthiness that are worth a look.
One of the more recent papers provides practical and actionable best practices for managing risk and ensuring trust in software across the life cycle, whether developed in house or acquired.
A trust framework paper is also available which is a good foundation for understanding the mechanisms needed to instill trust in software.
“The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).”
Trends and Challenges Shaping the Security Look of OT and IoT Systems
Measuring the Cyber Resiliency of OT and IT Systems
Active Cyber Surveys the Standards Landscape for OT and IoT Systems Security
Security Capabilities Needed for OT and IIoT Systems
Security Capabilities for OT and IIoT Systems – Part 2
Active Cyber Interviews Tony Sager – Chief Evangelist of the Center for Internet Security – on Emerging Technologies for Active Defenses
The Defense of United States Infrastructure Act, introduced by Sens. Angus King, I-Maine, co-chair of the Cyberspace Solarium Commission (CSC), Mike Rounds, R-S.D., and Ben Sasse, R-Neb., commissioner of the CSC, would provide funding, tools, and authority to protect critical infrastructure.
Specifically, the bill would establish a Bureau of Cyber Statistics, which would exist within the Department of Homeland Security, to collect and publish cybersecurity statistics to better understand cybersecurity threats facing the United States and how to address them.
“Sec. 2. Removing Barriers to Sharing Threat Information.
(a) The Federal Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems. These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on Federal Information Systems. At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies (agencies) that are responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC). (c) The recommended contract language and requirements described in subsection (b) of this section shall be designed to ensure that:
(i) service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies’ requirements;
(ii) service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies;
(iii) service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed; and
(iv) service providers share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.”
Interview with Dr. Eric Burger: the State of Cyber Threat Intelligence Research / STIX/TAXII
Intel-based Defenses
Mr. Robert Rahmer, Program Manager of IARPA’s CAUSE Program, Discusses Progress in Cyber Event Forecasting Research
Krystal Covey of DCISE Discusses the DoD-DIB Threat Information Sharing Program with Active Cyber
U.S. Department of Homeland Security (DHS) Cyber Information Sharing and Collaboration Program (CISCP) enables actionable, relevant, and timely unclassified information exchange through trusted public-private partnerships across all critical infrastructure (CI) sectors. CISCP fosters this collaboration by leveraging the depth and breadth of DHS cybersecurity capabilities within a focused operational context. Specific relevant DHS NCCIC services include –
· Monthly Analyst to Analyst Webinars: Learn the specific actions to take to protect against emerging threats and vulnerabilities.
· Analyst to Analyst Technical Exchanges: Receive and share threat actor tactics, techniques, and procedures (TTPs) as well as emerging trends and themes.
· Digital Malware Analysis: Use NCCIC malware analysis reports to understand and mitigate threats and attack vectors.
· Cross Industry Orchestration: Learn lessons and share expertise with peers across all 16 CI sectors.
· CISCP Analytical Products: Receive analysis delivered through an exclusive and trusted partner portal.
· Automated Indicator Sharing: Distribute cybersecurity information bi-directionally using STIX and TAXII.
· Operational Context: Collaborate and correlate threat intelligence and cybersecurity data to bring clarity.
· Forum Post: Share emerging threats, warnings, and indicators of compromise (IOCs) via a trusted venue.
DHS recently published the Critical Infrastructure Threat Information Sharing Framework, a guide for critical infrastructure owners and operators as well as other critical infrastructure security and resilience stakeholders. It describes how threat information is shared between the federal government and owners and operators. This framework includes descriptions and contact information for key threat information-sharing entities, as well as case studies that show how threat information sharing works in practice.
“Sec. 3. Modernizing Federal Government Cybersecurity.
(a) To keep pace with today’s dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government’s visibility into threats, while protecting privacy and civil liberties. The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.”
ActiveCyber’s Quest for the Holy Grail of Cyber ROI
Government-Industry Partnerships Enable Rapid Growth in Security Automation Advances and Adoption
AI and Mod-Sim Tools Create Insight for Better Cyber Investing
Learn How Cybersecurity Dynamics Lays The Foundation For Advanced Cybersecurity Defenses In This Active Cyber Interview with Professor Shouhuai Xu of UTSA
Run-time Cyber Economics – Applying Risk-Adaptive Defenses
ActiveCyber Interviews Scott Musman, MITRE, About Applying Gaming Techniques to Cyber Risk Estimation
Big tech companies promise funding and action to address EO requirements.
The Office of Management and Budget (OMB) and CISA are seeking public feedback on strategic and technical guidance documents meant to move the U.S. government towards a zero trust architecture.
OMB’s Federal Zero Trust Strategy
CISA’s Zero Trust Maturity Model
“c) As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents. To facilitate this approach, the migration to cloud technology shall adopt Zero Trust Architecture, as practicable.”
Agile Cloud Security
Waverley Labs Pioneers Open Source Version of CSA’s Software-Defined Perimeter Specification
CISA’s Cloud Security Technical Reference Architecture, a guide for agencies to leverage when migrating to the cloud securely. The document explains considerations for shared services, cloud migration, and cloud security posture management.
CISA has released a new framework – Risk Considerations for Managed Service Provider Customers – for government and private sector organizations on how to engage with managed security service providers (MSSPs) and managed service providers (MSPs) to minimize supply chain risk and improve their overall security.
The Cloud Security Alliance is going to announce a guidebook at their annual conference in October 2021 for implementing zero trust in cloud and hybrid environments. You can find more research about zero trust at the CSA web site as well.
“(iv) Within 90 days of the date of this order, the heads of FCEB Agencies, in consultation with the Secretary of Homeland Security acting through the Director of CISA, shall evaluate the types and sensitivity of their respective agency’s unclassified data, and shall provide to the Secretary of Homeland Security through the Director of CISA and to the Director of OMB a report based on such evaluation. The evaluation shall prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for those data.”
Learn How Yellowbrick Data Sets The Bar for High Performance Data Warehouse Solutions in This Interview with Active Cyber
Active Cyber Interviews Groupsense and Airgap Networks on Joint Offering for Ransomware Response Service
CISA has released the fact sheet Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches to address the increase in malicious cyber actors using ransomware to exfiltrate data and then threatening to sell or leak the exfiltrated data if the victim does not pay the ransom.
The U.S. Government’s official one-stop ransomware site consolidates resources from all federal government agencies so that ransomware can be tackled more effectively. It reduces the fragmentation of resources, which is especially detrimental for those who have become victims of an attack, by integrating federal ransomware resources into a single platform that includes clear guidance on how to report attacks, and the latest ransomware-related alerts and threats from all participating agencies.
“(d) Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
Voice Biometrics – Plugging the OPM Breach
Security Capabilities Needed for OT and IIoT Systems
CISA recently added the use of single-factor authentication to the official bad practices list. Using such authentication alone, a username and password, in other words, is bad for all businesses, CISA says, but particularly so for those systems that support critical infrastructure operations. The agency warns that doing so “is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety.”
A fact sheet on Multi-Factor Authentication (MFA) from CISA is available.
“(e) Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director of the FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs.”
Cloud Access Security Brokers – The New Frontier of Active Cyber Defenses
Security Orchestration: Looking Forward
CISA site for information sharing resources
CISA site for incident response
The Technical Reference Architecture will be a guide for agencies to leverage when migrating to the cloud securely. Additionally, the document explains considerations for shared services, cloud migration, and cloud security posture management.
“(i) establishing a training program to ensure agencies are effectively trained and equipped to manage FedRAMP requests, and providing access to training materials, including videos-on-demand;”
Cybrary’s Free and For Pay Training Offerings Helps to Turn Cyber Novices Into Professionals and Professionals Into Experts. Learn More In This Interview with Ralph Sita
JHUAPL Brings SOAR Technology to Universities As Part of Educational Outreach and Adoption Strategy
NIST, in collaboration with industry, is developing the Open Security Controls Assessment Language (OSCAL). OSCAL is a set of formats expressed in XML, JSON, and YAML. These formats provide machine-readable representations of control catalogs, control baselines, system security plans, and assessment plans and results. FedRAMP ATO is one of the early beneficiaries of OSCAL.
“Sec. 4. Enhancing Software Supply Chain Security.
(a) The security of software used by the Federal Government is vital to the Federal Government’s ability to perform its critical functions. The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors. There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended. The security and integrity of “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern. Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.”
Business and Technology Trends Impacting OT Systems Security
Learn How Code DX Simplifies Application Vulnerability Management, Security Testing, and Compliance In This Interview with Active Cyber
Learn How New Context Services Is Building Secure Attribution and Threat Detection Into ICS Security
Using MBSE and Digital Twins to Design and Evaluate Cyber Resilient Systems
The memorandum calls for establishing an initiative to create a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems. The primary objective of this Initiative is to defend the United States’ critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks.
NIST’s Cyber Supply Chain Risk Management provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate risks.
“Such guidance shall include standards, procedures, or criteria regarding:
(i) secure software development environments, including such actions as:
(A) using administratively separate build environments;
(B) auditing trust relationships;
(C) establishing multi-factor, risk-based authentication and conditional access across the enterprise;
(D) documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;
(E) employing encryption for data; and
(F) monitoring operations and alerts and responding to attempted and actual cyber incidents;
(ii) generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section;
(iii) employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;
(iv) employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;
(v) providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated;
(vi) maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;
(vii) providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
(viii) participating in a vulnerability disclosure program that includes a reporting and disclosure process;
(ix) attesting to conformity with secure software development practices; and
(x) ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.”
Business and Technology Trends Impacting OT Systems Security
Learn How Code DX Simplifies Application Vulnerability Management, Security Testing, and Compliance In This Interview with Active Cyber
Learn How New Context Services Is Building Secure Attribution and Threat Detection Into ICS Security
Cyber Risk Assessment Takes On An Actionable Approach In This Methodology by Dr. Charles Harry of UMD
Government-Industry Partnerships Enable Rapid Growth in Security Automation Advances and Adoption
Security Capabilities Needed for OT and IIoT Systems
What Roles Do Provenance and Reputation Play in “Authentic-By-Design” Approaches to Digital Content?
Scalable Network Technologies’ Mod-Sim Tools Enable LVC Training and Testing of Active Defenses Across Different Cyber Terrains
Start-up Rivetz Wants to Secure Internet Transactions Using Crypto Tokens that Provide Proof of Security
NTIA released minimum elements for software-bill-of-materials
White House orders compliance with “critical software” protection measures. The memo also starts a 60-day clock for agencies to report on their critical software inventories and a one-year timeline for implementing security measures as called for by NIST to safeguard critical software.
CISA Announces New Vulnerability Disclosure Policy Platform. CISA’s Vulnerability Disclosure Policy (VDP) Platform will support agencies with the option to use a centrally-managed system to intake vulnerability information from and collaborate with the public to improve the security of the agency’s internet-accessible systems.
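Items (vi) and (vii) of the quoted guidance, provenance of components and an SBOM per product, come down to one mechanism in practice: record what went into a build, with a digest for each component, and re-check the build inputs against that record. The following is an added example written for this crosswalk, not code from the EO, NTIA or NIST. It uses a deliberately simplified JSON manifest rather than the SPDX or CycloneDX SBOM formats, and the component names and bytes are constructed for the demonstration.

```python
"""Constructed example: pin component digests in a minimal SBOM-style
manifest and verify a build's inputs against it.

Simplified manifest, not SPDX or CycloneDX; component names and bytes
below are made up for the demonstration.
"""
import hashlib
import json

# Constructed "components" standing in for the bytes of third-party
# packages pulled into a build (assumption: components are
# content-addressed by SHA-256).
COMPONENTS = {
    "libparse-1.4.2.tar.gz": b"libparse source archive (constructed)",
    "netutil-0.9.0.whl": b"netutil wheel (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(components: dict, supplier: str) -> str:
    """Record name, supplier and SHA-256 digest for every component.

    Returns canonical JSON so the manifest can be signed or published
    alongside the product (the EO's 'publishing it on a public website'
    option)."""
    entries = [
        {"name": name, "supplier": supplier, "sha256": sha256_hex(data)}
        for name, data in sorted(components.items())
    ]
    return json.dumps({"components": entries}, sort_keys=True, indent=2)


def verify_components(manifest_json: str, components: dict) -> list:
    """Compare a build's components with the manifest.

    Returns a list of findings; an empty list means every listed
    component is present with the recorded digest and nothing unlisted
    slipped into the build."""
    manifest = json.loads(manifest_json)
    listed = {e["name"]: e["sha256"] for e in manifest["components"]}
    findings = []
    for name, digest in listed.items():
        if name not in components:
            findings.append(f"missing: {name}")
        elif sha256_hex(components[name]) != digest:
            findings.append(f"digest mismatch: {name}")
    for name in components:
        if name not in listed:
            findings.append(f"unlisted component: {name}")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(COMPONENTS, supplier="Example Vendor (constructed)")
    print(manifest)
    print("clean build:", verify_components(manifest, COMPONENTS))
    # Simulate a component swapped after the manifest was produced.
    tampered = dict(COMPONENTS)
    tampered["netutil-0.9.0.whl"] = b"netutil wheel with different contents"
    print("tampered build:", verify_components(manifest, tampered))
```

The verifier reports three distinct conditions (missing, modified, unlisted) because each points to a different control failure: a missing component usually means the manifest is stale, a digest mismatch means the artifact changed after it was recorded, and an unlisted component means something entered the build that the provenance controls never saw. A real SBOM would also carry version, license and upstream identifiers, and the manifest itself would be signed; the example stops at the digest check because that is the step the "attesting to integrity and provenance" language in item (x) relies on.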
“(i) Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Homeland Security acting through the Director of CISA and with the Director of OMB, shall publish guidance outlining security measures for critical software as defined in subsection (g) of this section, including applying practices of least privilege, network segmentation, and proper configuration.”
Learn How DARPA Is Leading Research In Developing Resilient and Cyber-Assured Embedded Systems In This Active Cyber Interview
Dr. Ron Ross of NIST Discusses New Multi-dimensional Cyber Protection Strategy In This Interview with Active Cyber
CISA provides recommended cybersecurity practices as the foundation for preliminary control system cybersecurity performance goals. Each of the nine goals includes specific objectives that support the deployment and operation of secure control systems that are further organized into baseline and enhanced objectives.
“(s) The Secretary of Commerce acting through the Director of NIST, in coordination with representatives of other agencies as the Director of NIST deems appropriate, shall initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs.”
Trends and Challenges Shaping the Security Look of OT and IoT Systems
Learn About Emerging Research in Autonomous Vehicle Safety and Security in This Active Cyber Interview With NIST’s Dr. Ed Griffor
ActiveCyber Interviews Professor Ehab Al-Shaer on Advanced Research in Autonomous Cyber Defenses
NIST’s web site for consumer labeling for cyber
Position papers can be found at this NIST site.
The current UL-SAE activity around UL 4600 could ultimately result in a “safety and even a security label” for AVs.
“Sec. 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.
(a) The cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting their systems vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies. Standardized response processes ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.”
Verodin Sets the Pace in the Emerging Security Instrumentation Market
Learn How D3 Security’s SOAR Platform Transforms SOC Operations In This Interview With
New Innovations Drive Active Cyber Defense
How CISA is supporting the EO
This article provides the status of meeting the playbook requirement contained in the EO.
“(g) To ensure a common understanding of cyber incidents and the cybersecurity status of an agency, the playbook shall define key terms and use such terms consistently with any statutory definitions of those terms, to the extent practicable, thereby providing a shared lexicon among agencies using the playbook.”
Learn how Demisto applies machine learning to facilitate collaborative investigations beyond playbook automation
Interview with Matt Barrett of NIST on the Cybersecurity Framework
This article provides the status of meeting the playbook requirement contained in the EO.
“(b) FCEB Agencies shall deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.”
Adaptive Endpoints
Adaptively Secure Smartphones
How Can Machine Learning Improve Your Cyber Posture? Learn how in this interview with Homer Strong of Cylance
This article provides the status of meeting the EDR requirement contained in the EO.
“…shall provide to the Director of OMB recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks. Such recommendations shall include the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs. Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention. Data shall be retained in a manner consistent with all applicable privacy laws and regulations.”
Active Cyber Interview with Rob Frazier – Certified Splunk Architect
Interview with Mike Brown, CTO of ISARA Corporation on Quantum Cryptography
Digital Forensics Pioneer Jim Christy Provides His Unique Insights In This Interview with Active Cyber™
This article provides the status of meeting the playbook requirement contained in the EO.
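The logging language quoted above asks for two things that are easy to conflate: logs protected "by cryptographic methods to ensure integrity once collected", and logs "periodically verified against the hashes" during retention. The following added example, written for this crosswalk and not taken from any agency or vendor implementation, shows one way to meet both with a hash chain over the records plus an HMAC seal over the chain head. The log lines, hosts, users and key are constructed; the assumption that the seal key is held by the verifier rather than the log host is an assumption of the example, not something the EO text specifies.

```python
"""Constructed example: a hash-chained log whose integrity can be
re-verified periodically, in the spirit of the EO's logging requirement.
Not an agency or vendor implementation; the log lines are made up."""
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample records (syslog-like; hosts, users, addresses fictional).
SAMPLE_LOG = [
    "2021-10-04T13:01:07Z host-a sshd[812]: Accepted publickey for svc-backup from 10.0.0.7",
    "2021-10-04T13:02:15Z host-a sudo: svc-backup : COMMAND=/usr/bin/rsync ...",
    "2021-10-04T13:05:40Z host-a sshd[990]: Failed password for root from 10.0.0.9",
]

GENESIS = b"\x00" * 32  # fixed starting point of the chain


def chain_digests(records: List[str]) -> List[bytes]:
    """One digest per record, each binding the record to everything
    before it: h_i = SHA-256(h_{i-1} || record_i)."""
    digests = []
    prev = GENESIS
    for rec in records:
        prev = hashlib.sha256(prev + rec.encode("utf-8")).digest()
        digests.append(prev)
    return digests


def seal(records: List[str], key: bytes) -> bytes:
    """HMAC over the chain head, computed at collection time.

    Assumption of this example: the key is held by the verifier, not the
    log host, so an intruder on the host cannot re-seal a rewritten chain."""
    head = chain_digests(records)[-1] if records else GENESIS
    return hmac.new(key, head, hashlib.sha256).digest()


def verify(records: List[str], stored_digests: List[bytes],
           sealed: bytes, key: bytes) -> Tuple[bool, Optional[int]]:
    """Periodic re-verification against the digests stored at collection.

    Returns (ok, index). index is the position of the first record whose
    digest no longer matches (a modification, deletion or insertion shifts
    every digest from that point on) or where the lengths diverge; it is
    None when all stored digests match, in which case ok reports whether
    the HMAC seal over the head still verifies."""
    recomputed = chain_digests(records)
    for i, (a, b) in enumerate(zip(recomputed, stored_digests)):
        if not hmac.compare_digest(a, b):
            return False, i
    if len(recomputed) != len(stored_digests):
        return False, min(len(recomputed), len(stored_digests))
    head = recomputed[-1] if recomputed else GENESIS
    expected = hmac.new(key, head, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sealed), None


if __name__ == "__main__":
    key = b"constructed-verifier-key"  # placeholder; a real key comes from a KMS/HSM
    digests = chain_digests(SAMPLE_LOG)
    sealed = seal(SAMPLE_LOG, key)
    print("intact:", verify(SAMPLE_LOG, digests, sealed, key))
    edited = list(SAMPLE_LOG)
    edited[2] = edited[2].replace("Failed", "Accepted")  # simulated tampering
    print("edited record:", verify(edited, digests, sealed, key))
    print("deleted record:", verify(SAMPLE_LOG[:1] + SAMPLE_LOG[2:], digests, sealed, key))
```

Storing the per-record digests alongside the chain gives the verifier a location, not just a yes/no: in the demonstration, rewriting the third line is reported at index 2 and deleting the second line at index 1, which is what an incident responder needs when deciding how much of a retained log can still be trusted. The HMAC seal covers the case where an attacker rewrites records and recomputes the whole chain, which a bare hash chain cannot detect on its own.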
Crosswalk of ActiveCyber to EO 14028

And thanks to my subscribers and visitors to my site for checking it out! Please give us your feedback because we’d love to know some topics you’d like to hear about in the area of active cyber defenses, authenticity, PQ cryptography, risk assessment and modeling, autonomous security, digital forensics, securing OT / IIoT and IoT systems, Augmented Reality, or other emerging technology topics. Also, email us if you’re interested in interviewing or advertising with us at Active Cyber™.