Cybersecurity Executive Order: Can automation fix the nation’s misconfiguration problem?

President Joe Biden signed and released an Executive Order (EO) from the White House on May 12th, addressing his plan to improve the nation’s cybersecurity and protect federal government networks. This order comes on the heels of the Colonial Pipeline Ransomware attack and the now infamous SolarWinds breach.

You can read the full text of the EO here.

The order addresses numerous cybersecurity issues, from incident handling, data sharing, and staffing. The reaction from my peers in the industry has been mostly positive. The EO is a positive step toward addressing security at the federal level.

However, there was a single word, repeated multiple times in the EO that caught my attention: automation.

The inclusion of automation as a key concept in this EO is a breakthrough in how the government views security. In the past, the federal government tended to focus strictly on data sharing, incident response, and staffing. This was the first time (as far as I can remember) where the government specifically addressed automation in the context of information security.

Breach after breach has taught us all the same lesson: misconfigurations are dangerous. When you entrust the configuration of a cloud environment or an application solely to people and processes, mistakes are bound to happen. This isn’t necessarily because those people are incompetent, but rather because they are human. In the rush to get applications to market, it’s easy for people to skip steps, overlook problems, or forget details.

Automation has the power to solve this problem. With automation, you get two critical things that directly reduce misconfigurations: standardization and consistency. Automation can build cloud environments quickly, to proven standardized specifications. This creates consistent enforcement of security controls and configurations across an environment. Standardization also makes it easier to identify misconfigurations and quickly repair them with automation. This in turn allows organizations to build and secure at scale, at speed, and without sacrificing good security practices – such as encryption at rest, zero-trust access rights, and comprehensive intrusion monitoring.

Automation eliminates (or reduces) the human element. When deployment code runs, it always runs the same way. Whether you deploy 1 or 10,000 systems, every single one will be identical. This means if a system gets hacked, it instantly stands out. It’s significantly easier to find a problem in a consistent, standardized environment than a cobbled together, manually built mess.

This EO also places automation squarely in the context of the Federal Risk and Authorization Management Program (FedRAMP). Anybody who has pursued FedRAMP knows how complex it is. Yet, it is that very complexity that is beneficial. Implementing FedRAMP controls forces an organization to be diligent, thorough, and consistent. Building out FedRAMP environments can be tedious and complex, when done manually.

This is why FedRAMP is ripe for automation, and this EO specifically directs resources to automate FedRAMP authorizations and continuous monitoring. This is music to Anitian’s ears. Automating complex cloud security controls is the basis of our pre-engineered Compliance Automation Platform. Uniting compliance and automation offers a real chance to take security (and FedRAMP) from an impediment that slows down companies, to an energizing force that allows the organization to move quickly, yet remain secure.

This EO is an encouraging step forward in how the government views not only security but the entire context of compliance and cloud. It will be interesting to see how this EO impacts federal contracting, as well as the FedRAMP PMO, Defense Information Systems Agency, and the emerging CMMC standards. At this point, it looks promising.

Leave a Reply