Executive Order 14028 "Improving the Nation's Cybersecurity": Streamline Compliance Using XQ's Zero Trust Data

Protecting Federal Agencies and their contractors from cyberattacks.

 

Executive Order 14028 Background and Relevance

Published two years ago on May 21, 2021, Executive Order 14028 guides Federal Agencies and their prime contractors to protect themselves from state-sponsored cyberattacks. The order pushes agencies to adopt zero trust cybersecurity principles and adjust their network architectures accordingly. The order directs federal agencies on advancing security measures that drastically reduce the risk of successful cyberattacks against the federal government's digital infrastructure.

Structure

The document is split into 11 sections, with the 9th, 10th, and 11th being administrative. Section 1 provides an introduction and motivation, while Section 2 highlights the importance of sharing threat information due to the evolving nature of cyberattacks on America. Section 3 introduces the concept of using Zero Trust to protect networks, application resources, and data. Section 4 presents the importance of protecting the software supply chain and tamper-proof processing. Section 5 requires Agencies to establish a Board to review the activities recommended. Section 6 focuses on developing strategies to identify and respond to attacks, while Section 7 focuses on identifying vulnerabilities that cyber attackers may utilize. Section 8 focuses on collecting cyberattack data to enable analysis, sharing, and criminal prosecution.

 

How XQ Can Streamline 14028 Compliance For Federal Agencies And Their Contractors

Since 14028 was published in May 2021, Federal agencies have made significant progress in vulnerability assessment and information sharing, but two areas require more attention: Zero Trust Data and Software Security. We’ll look at each one:

Section 3 introduces the concept of using a Zero Trust Architecture to protect application infrastructure, the networks that connect to it, and the data it processes. While many Federal agencies have implemented some form of Zero Trust access control to application infrastructure and partitioned their cloud environments, data protection needs to catch up.

The contributing factor is that the US Department of Defense published the reference architecture for Zero Trust Data in November of 2022 (17 months after 14028 was published).  

However, XQ’s Zero Trust Data solutions enable Federal Agencies using hybrid cloud environments to provision an XQ Zero Trust Gateway, which ensures that data traveling between application servers or virtual machines can only be accessed by authorized and authenticated software programs and identities, as a countermeasure to data exfiltration.

XQ protects data by generating a unique encryption key and unique label for every data object.  Thus, software programs must request encryption keys from a Zero Trust Policy Server, which, as the name implies, verifies the identity of the requesting software program.

Section 4 focuses on the importance of having a trusted software lifecycle from development to provisioning to operations and updates.

As one would expect, this is the most complex and challenging set of recommendations due to the global software developer ecosystem and utilization of open-source code. To enable Zero Trust Software, XQ has developed SDKs which enable software to encrypt data the moment it’s created within application code. XQ enables software developers to embed Zero Trust deep into their application code, thus providing an effective countermeasure to laterally moving malware by ensuring data cannot be read. XQ can also store and transmit software hashes to detect code tampering; conceptually, a Zero Trust software verification micro-service can be executed at runtime with minimal overhead. This will be especially beneficial for solution developers working in new technologies such as AI or 5G or enterprise software.

 

US Dept. of Defense New Data Policy

XQ is the first company to have a Zero Trust Data (ZTD) solution that has all seven components as defined by the DoD. XQ can meet the DoD’s ZTD framework via a patented solution that wraps encrypted data (conceptually a secure envelope). Using any solution that doesn't meet these standards for critical infrastructure or sensitive data handling is an investment in technical debt.

XQ’s Zero Trust email, file, and data transfer give solution providers supporting Federal agencies the first solution that supports all seven features as defined by the DoD in its November 2022 documents. Those requirements include data labeling & tagging and monitoring across the digital estate.

US Department of Defense Zero Trust Data Component

4.1 Data Catalog Risk Assessment

Multi-mission capability

XQ Implementation: Fully decentralized architecture enables policies to be matched to risk/clearance of project

4.2 DoD Enterprise Data Governance

Simplified operations

XQ Implementation: Real-time monitoring of creation-movement-access of protected data

4.3 Data Labeling & Tagging

Easier application support 

XQ Implementation: Every block of encrypted data is identified by the unique label which is generated using quantum entropy 

4.4 Data Monitoring & Sensing

Data exfiltration monitor

XQ Implementation: Agents track location of data as it is moved and report back to policy server 

4.5 Data Encryption & Management

Improved system performance

XQ Implementation: Crypto agile encryption enables different algorithms based on risk (post quantum) or data type (voice, video, data)

4.6 Data Loss Prevention (DLP)

Reduced data leakage

XQ Implementation: Content is scanned during encryption process to reduce risk of data leakage

4.7 Data Access Control

Coalition data sharing 

XQ Implementation: Access to protected data is only allowed after policy verification: identity, location, token, time, server type

Thus XQ’s portfolio of Zero Trust Data solutions for secure cloud computing and software execution provides solution developers with significant cost and risk reduction. XQ enables businesses to benefit from DoD’s Zero Trust Data (ZTD) security model to help meet the compliance requirements to sell to the DoD at a far lower cost than alternative solutions.  Small businesses also benefit by having a CMMC compliance solution that utilizes a security architecture defined by DoD; thus future-proofing the solution.

For municipalities and other government entities trying to comply with Executive Order 14028, XQ’s Cloud storage and transfer solutions provide out-of-the-box compliance solutions which future-proof networks and infrastructure.

 In summary, XQ provides a clear path towards accelerating compliance with Executive Order 14028 "Improving the Nation's Cybersecurity" in the most cost-effective, secure way possible.

Reach out to XQ to learn more. 

