OMB official reviews progress six months after the cyber EO

A federal official tasked with overseeing the execution of the cybersecurity executive order the president signed six months ago said agencies have "come a long way" in meeting its aggressive deadlines and ambitious targets.

Steven McAndrews, director of federal civilian cybersecurity for the Office of Management and Budget (OMB), said his office was working closely with agencies and industry partners after laying out a vision through a series of guidelines to help stakeholders improve their cyber posture.

"Today is the 180-day mark of the cyber EO. We have come a long way in these six months," McAndrews said on Monday at ACT-IAC's Imagine Nation ELC 2021 conference. "We started establishing the policies that are going to get us to the end state that we're looking for."

The executive order required all federal agencies to adopt multi-factor authentication and encryption for data at rest and in transit by Monday, 180 days after President Joe Biden announced the sweeping directives.

OMB and its partners have meanwhile released a steady stream of guidance, including the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST), instructing agencies on how to meet the requirements outlined in the executive order. Those guidance documents include a federal zero trust strategy OMB released earlier this year, which sets key security outcomes for agencies in order to establish baseline cybersecurity requirements.

CISA has also launched multiple efforts to engage key stakeholders and ensure agencies were on track to meet deadlines, including a joint website with OMB covering zero trust implementation.

McAndrews said OMB was planning to soon release new policies and guidelines that further address critical cybersecurity needs, while working to produce "logical timelines, roadmaps and metrics" designed to create consistency across the federal government.

"The memos and the policies that we've put out tie directly to each of the sections laid out in the EO," he said. "There's copious amounts of deliverables throughout the [EO] and we've taken it piece-by-piece, one section at a time to make sure that we're addressing them and giving them our full attention and … setting up policies to be successful at every agency."

Even as McAndrews spoke, federal cyber officials were reacting to yet another major cyberattack, this one with links to China, in which a threat actor " successfully compromised at least nine global entities across the technology, defense, healthcare, energy and education industries," according to a report from the security firm Palo Alto Networks.