Data Integrity Definition

Data integrity refers to the accuracy and consistency of data over its lifecycle. Without accurate information, companies are not able to use it in any way.

Data integrity can be compromised, so data must be checked for errors. Validation procedures are used to ensure the data is not changed during transfer or replication.


Protect Your Organization from Cybersecurity Threats

SecurityStudio helps information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.


Process and State Of Data Integrity

Data integrity can mean one of two things: either the state that a data set is in, or it refers to processes used for accuracy. Error checking and validation methods are an example of this.

Why is Data Integrity Important

Maintaining data integrity is important because it ensures that the company can recover and search for information, trace it to its origin, and connect it with other databases without errors or mistakes. It also stabilizes performance while improving reusability and maintainability.

Data is increasingly important in the workplace, but it needs to be changed and processed before it can be useful.

Data integrity can be compromised in a variety of ways, making it crucial to have data integrity practices. Data may be corrupted through:

  • Human error, whether it’s intentional or not.
  • The most common mistakes when transferring data are unintentional alterations that compromise the integrity of that information.
  • Computer viruses, hacking, and other cyber threats are a major concern for many companies.
  • When a device or disk crashes, the data is compromised.
  • Physical compromise to devices

In order to ensure data integrity, it is critical that there be backup and duplication. Input validation is also important so that invalid data cannot enter the system. Error-detection and data-validation methods help identify errors in the transmission of information, and security measures such as encryption protect it.

Data Integrity in Computer Database

Data integrity refers to the health and maintenance of any digital information. For many, it’s related only to database management. There are four types of data integrity for databases.

  • Entity integrity: a database is made up of columns and rows. For the data to be accurate and free of mistakes, every entry must be distinct from the others and none of them can be null.
  • Referential integrity: foreign keys are a way to relate data in different tables. For example, employees can share the same role or work in the same department.
  • Domain integrity means that all of the categories and values in a database are set, including nulls (e.g., NA). It covers the common ways this information is entered or read. For example, if there is monetary data in dollars and cents, three decimal places will not be allowed.
  • User-defined integrity: there are sets of data not automatically classified as entity, referential or domain integrity. If an employer creates a column to input corrective actions for employees, this would be considered “user-defined.”
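To show the four integrity types above as actual database constraints, here is an added example (not from the page) using Python's built-in sqlite3 module. The employee schema and sample rows are constructed for the demo; each check reports whether the database accepted or rejected the row.

```python
import sqlite3

# Constructed schema (not from the page). Each table illustrates one integrity type:
#   entity      -> PRIMARY KEY / NOT NULL (every row uniquely identified, never null)
#   referential -> FOREIGN KEY (employee.dept_id must exist in department)
#   domain      -> CHECK on allowed values and precision (dollars and cents only)
#   user-defined-> CHECK encoding a business rule for corrective actions
SCHEMA = """
CREATE TABLE department (
    dept_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE
);
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id INTEGER NOT NULL REFERENCES department(dept_id),
    salary  REAL NOT NULL
        CHECK (salary >= 0 AND salary = ROUND(salary, 2)),      -- no third decimal place
    status  TEXT NOT NULL DEFAULT 'active'
        CHECK (status IN ('active', 'on_leave', 'terminated'))  -- fixed set of values
);
CREATE TABLE corrective_action (
    action_id INTEGER PRIMARY KEY,
    emp_id    INTEGER NOT NULL REFERENCES employee(emp_id),
    severity  INTEGER NOT NULL CHECK (severity BETWEEN 1 AND 5),
    note      TEXT NOT NULL CHECK (length(note) >= 10)          -- user-defined rule
);
"""


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the schema and one valid department/employee."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless this is set
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO department VALUES (1, 'Sales')")
    conn.execute("INSERT INTO employee VALUES (100, 'Alice', 1, 52000.00, 'active')")
    conn.commit()
    return conn


def try_insert(conn: sqlite3.Connection, sql: str, params=()) -> bool:
    """Return True if the row was accepted, False if a constraint rejected it."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def run_checks(conn: sqlite3.Connection) -> dict:
    """Attempt one violation per integrity type plus one valid row; map name -> accepted?"""
    return {
        # entity integrity: duplicate primary key and a null name
        "duplicate_pk": try_insert(conn, "INSERT INTO employee VALUES (100,'Bob',1,1000.00,'active')"),
        "null_name": try_insert(conn, "INSERT INTO employee VALUES (101,NULL,1,1000.00,'active')"),
        # referential integrity: department 9 does not exist
        "bad_fk": try_insert(conn, "INSERT INTO employee VALUES (102,'Cara',9,1000.00,'active')"),
        # domain integrity: three decimal places, and a status outside the allowed set
        "three_decimals": try_insert(conn, "INSERT INTO employee VALUES (103,'Dan',1,1000.005,'active')"),
        "bad_status": try_insert(conn, "INSERT INTO employee VALUES (104,'Eve',1,1000.00,'fired')"),
        # user-defined integrity: corrective-action note too short to be meaningful
        "short_note": try_insert(conn, "INSERT INTO corrective_action VALUES (1,100,3,'late')"),
        # a well-formed row passes every constraint
        "valid_row": try_insert(conn, "INSERT INTO employee VALUES (105,'Fay',1,61000.50,'on_leave')"),
    }


if __name__ == "__main__":
    for name, accepted in run_checks(open_db()).items():
        print(f"{name:15s} -> {'accepted' if accepted else 'rejected'}")
```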

Difference Between Data Security and Data Integrity

Data integrity and data security are both important in the workplace. Data security is necessary to ensure that no one can access or change the information without authorization, while data integrity means that it’s accurate.

Data security is not the same as data integrity. Data integrity refers to whether or not there are errors in your data, like if it’s valid and accurate.

Data integrity is essential for businesses. It’s a central focus of many data security programs, achieved through backup and replication, database constraints, validation processes – all manageable by enterprises today.




What is Endpoint Detection & Response?

In this post, you’ll learn what endpoint detection and response is all about: its definition, processes, importance and capabilities.

EDR definition

Gartner’s Anton Chuvakin coined the term Endpoint Threat Detection and Response (ETDR) in July 2013 to define “the tools primarily focused on detecting suspicious activities.” This is a relatively new category of solutions, sometimes compared to Advanced Threat Protection (ATP), that has more security capabilities than other endpoint protection providers.

EDR is an emerging technology that helps companies monitor their networks for threats. It could be argued that endpoint detection and response is a form of advanced threat protection.




How EDR Works

EDR tools work by monitoring endpoint events, storing the information in a central database for further analysis. The software agent installed on the host system is key to this process.

These tools are used to make sure that companies have a better understanding of all the threats they’re facing.

One endpoint detection and response tool might work better than another depending on what your company needs. Some of them are more focused on the agent, while others focus more on backend management through a console.

All endpoint detection and response tools have the same goal: to be able to identify, detect, and prevent advanced threats.

EDR Tools and capabilities

Some tools offer multiple different types of security capabilities, such as endpoint detection and response in addition to application control, data encryption, device control and encryption or network access controls.

Endpoint detection and response tools provide a multitude of use cases. One category is tools that offer EDR as part of a broader set of capabilities, which can be used in many different situations. Across tools, there are three broad categories of endpoint visibility:

  • Data search and investigations
  • Suspicious activity detection
  • Data exploration

A lot of EDR tools can identify patterns or anomalies in processes that are flagged based on comparisons to baselines. These alerts may be automated, but some require further investigation.
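The baseline comparison described above, as an added example that is not from the page or any EDR product: a learned baseline of parent/child process pairs per host, with new events flagged when the pair falls below the host's normal frequency, and a disposition that separates automated triage from alerts needing an analyst. The telemetry records are constructed.

```python
from collections import Counter

# Constructed baseline telemetry (not real data): one record per process start,
# as an endpoint agent would report it. Two hosts, 150 observations in total.
BASELINE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe"},
    {"host": "ws01", "parent": "outlook.exe", "image": "winword.exe"},
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe"},
] * 25 + [
    {"host": "ws02", "parent": "explorer.exe", "image": "excel.exe"},
    {"host": "ws02", "parent": "services.exe", "image": "svchost.exe"},
] * 25

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "chrome.exe"},      # routine on ws01
    {"host": "ws01", "parent": "winword.exe", "image": "powershell.exe"},   # never seen anywhere
    {"host": "ws01", "parent": "explorer.exe", "image": "excel.exe"},       # new on ws01, common on ws02
    {"host": "ws01", "parent": "services.exe", "image": "svchost.exe"},     # routine on ws01
]


def build_baseline(events: list) -> dict:
    """Learn 'normal' as observed counts of (parent -> child) pairs, per host and fleet-wide."""
    return {
        "per_host": Counter((e["host"], e["parent"], e["image"]) for e in events),
        "fleet": Counter((e["parent"], e["image"]) for e in events),
        "host_totals": Counter(e["host"] for e in events),
        "n": len(events),
    }


def score_events(baseline: dict, events: list, min_freq: float = 0.01) -> list:
    """Flag events whose parent/child pair is rare or unseen for that host.

    Disposition: 'auto-triage' when the pair is normal elsewhere in the fleet
    (an automated check can close or downgrade it), 'investigate' when it is novel
    fleet-wide and needs an analyst.
    """
    alerts = []
    for e in events:
        host_key = (e["host"], e["parent"], e["image"])
        pair = (e["parent"], e["image"])
        host_total = baseline["host_totals"].get(e["host"], 0) or 1   # avoid division by zero
        host_freq = baseline["per_host"][host_key] / host_total
        fleet_freq = baseline["fleet"][pair] / baseline["n"]
        if host_freq >= min_freq:
            continue  # within this host's own baseline: nothing to raise
        alerts.append({
            **e,
            "host_freq": round(host_freq, 3),
            "fleet_freq": round(fleet_freq, 3),
            "disposition": "auto-triage" if fleet_freq >= min_freq else "investigate",
        })
    return alerts


if __name__ == "__main__":
    for alert in score_events(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert)
```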

Importance of EDR

The field of endpoint detection and response is still relatively new, but it’s quickly becoming an essential element in the enterprise security solution. Organizations should consider EDR capabilities when looking for a company to provide them with their most advanced security system.

If you want to buy a security solution, make sure it has these features.

  • False positives are easy to filter out, but alert fatigue can happen because of the many alerts that come in. This leads to a higher chance for real threats slipping through unnoticed.
  • A good security solution will block threats the moment they are detected and throughout their lifetime.
  • A data leak prevention solution can help prevent a full-blown breach if it includes threat hunting and incident response capabilities. Threat hunting is the process of looking for malicious activity that may lead to an attack, while incident response involves taking action in case one has already occurred.
  • Multiple Threat Protection: It’s important to have a security solution that can handle multiple types of threats at the same time, such as ransomware and malware.

When it comes to advanced threats, a lot of companies are in need of endpoint detection and response.

What is Endpoint Detection And Response

Endpoint detection and response (EDR) is a type of endpoint security solution. It combines real-time continuous monitoring with rules-based automated responses.

Sales of EDR solutions are expected to increase significantly over the next few years.


The number of endpoints attached to networks has increased, as has the sophistication of cyber attacks. Attackers often target endpoints because it is easier than infiltrating a network.




Least Privilege Definition

Let’s start off by answering, “what is the principle of least privilege?”

The principle of least privilege is the idea that any user, program or process should have only the minimum privileges necessary to do its job. For example, a salesperson account created for pulling records from a database doesn’t need admin rights, and an employee who regularly updates old code lines doesn’t need access to financial records; that is what the principle means.




Least Privilege Access

The principle of least privilege means giving employees only the access they need to do their job. In an IT environment, it reduces risk by preventing attackers from gaining access to sensitive systems or data.

Least Privilege Policy

The principle of least privilege access can be applied to everything in an IT environment. It applies both to end-users and the system itself, as well as all other facets.

  • With the principle of least privilege, an employee who only needs to enter information into a database should be granted as few privileges as possible. If malware infects that employee’s computer or if he or she clicks on a link in a phishing email, it will limit the malicious attack to making entries into that particular system and not others.
  • If a MySQL account is made to only have sorting privileges, and not the ability to delete records, then an attacker will be limited in what they can do if they exploit an input form backed by that account.
  • With Just in Time Least Privilege, when someone only needs to use root privileges occasionally they should work with the least amount of access possible. The user can retrieve credentials for the root account from a password vault as needed. This increases traceability and security.
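The limited-database-account case from the list above, as an added example (not from the page; it uses SQLite's authorizer hook rather than MySQL grants, since it runs offline): an application connection that is allowed to SELECT but is refused any DELETE, UPDATE or DROP before the statement even runs. The table and rows are constructed.

```python
import os
import sqlite3
import tempfile


def create_demo_db() -> str:
    """Create a temporary database with a few constructed rows; return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    admin = sqlite3.connect(path)
    admin.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, note TEXT);
        INSERT INTO records VALUES (1, 'alice', 'q1 report'), (2, 'bob', 'q2 report');
    """)
    admin.close()
    return path


def open_read_only(path: str) -> sqlite3.Connection:
    """Connection that behaves like a SELECT-only account.

    SQLite consults the authorizer while compiling each statement, so a denied
    action fails at prepare time: the write never executes, whatever the query text.
    """
    conn = sqlite3.connect(path)

    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        allowed = (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ, sqlite3.SQLITE_FUNCTION)
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY

    conn.set_authorizer(authorizer)
    return conn


def run(conn: sqlite3.Connection, sql: str, params=()):
    """Execute one statement; return ('ok', rows) or ('denied', message)."""
    try:
        rows = conn.execute(sql, params).fetchall()
        conn.commit()
        return "ok", rows
    except sqlite3.DatabaseError as exc:   # 'not authorized' arrives as a DatabaseError
        conn.rollback()
        return "denied", str(exc)


def demo() -> dict:
    """Show what the limited account can and cannot do, then confirm the data survived."""
    path = create_demo_db()
    limited = open_read_only(path)
    admin = sqlite3.connect(path)
    try:
        results = {
            "limited_select": run(limited, "SELECT owner FROM records WHERE id = ?", (1,)),
            "limited_delete": run(limited, "DELETE FROM records"),
            "limited_update": run(limited, "UPDATE records SET note = 'x' WHERE id = 1"),
            "limited_drop": run(limited, "DROP TABLE records"),
        }
        results["rows_left"] = run(admin, "SELECT count(*) FROM records")[1][0][0]
    finally:
        limited.close()
        admin.close()
        os.remove(path)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15s} -> {outcome}")
```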

Least Privilege Example Failures

Implementing the principle of least privilege helps keep organizations from being hacked.

  • Edward Snowden was able to leak millions of NSA files because he had admin privileges, though his highest-level task was creating database backups. The principle of least privilege has been in place since the Snowden leaks; 90% of employees no longer have higher-level access.
  • Target exposed themselves to hackers by not following the principle of least privilege. They had a very wide attack surface because they gave too many people access.
  • Malware that is limited to just one part of the system can be contained by limiting its privileges.
  • The principle of least privilege also helps system stability by limiting the effects changes can have on other parts of a computer.
  • When a system is built on least privilege, the scope of its audit can be reduced. It also makes compliance easier because many regulations call for POLP implementation.

Best Practices for Least Privilege (How to Implement POLP)

  • Make sure that all accounts, processes, and programs have only the permissions they need to do their jobs.
  • You should start with the least privilege possible, and only add higher-level privileges as you need them.
  • Make sure you separate admin accounts from standard ones, and also make sure to divide system functions into at least two groups.
  • Give people just enough privileges to get the job done, but don’t give them more than they need. If you do have to grant someone higher-level access on one occasion, make sure it’s revoked afterward.
  • One way to limit the damage is by having individual actions trackable. This can be done with a user ID, one-time passwords, or monitoring.
  • Make it a routine. Regularly checking for old permissions, accounts, and processes can prevent one from accumulating privileges they no longer need.



Encrypted Email Meaning

To define encrypted email simply: email encryption is protecting an email. An email message can be protected by giving it a password so that it cannot be read by anyone other than the intended recipient. When this is done, we can say the email is encrypted.

As PC World points out, it’s not just those who may email sensitive information that need to encrypt their emails. Hackers can gain unauthorized access and even hijack your entire account if they get ahold of any personal data you send in an email.

You can’t be too careful about email. Even if you send it over a secure network, someone may intercept your login credentials.




What Should be Encrypted: Email Encryption

PC World recommends three things to encrypt:

  • The email provider that you use
  • Your actual email messages
  • Your old email messages

Encrypting the connection prevents unauthorized users on your network from intercepting and capturing login credentials or email messages as they travel around the Internet.

Encrypting email messages before they’re sent means that even if a hacker should intercept your emails, the message is unreadable and useless.

If you have a Microsoft Outlook account, hackers can still gain access to your emails even if they are encrypted.

What Does it Mean to Encrypt an Email

The Symantec 2019 Internet Security Threat Report says that smaller companies are being targeted more often by malicious emails, with one in 323 of them a target.

Both SSL and TLS are application-layer protocols that allow the communication channel between two computers to be encrypted. The protocol encrypts a computer’s information.

Basically, to send and receive emails, you need a client that can make contact with the server. This is done through TCP or Transmission Control Protocol.

The handshake is when the email client tries to communicate with an email server so they can start sending emails. SSL and TLS are kind of interchangeable, but the only difference between them is which version you’re using.

Once they’ve “shaken hands,” the server will verify the client’s identity by sending a certificate to them verifying their authenticity. This also verifies that it is trusted by your software.

This also helps make sure that the emails are going to who they’re supposed to, and it allows two people from different companies to exchange encryption keys for email correspondence.

TLS and SSL are application layer protocols, so both the sender and recipient need to know that they’re being used in order for it to work.

How Secure is Encrypted Email?

What does email encryption do?

A personal email certificate is one way to protect your emails from spam. Personal certificates sign all of the messages you send, which lets recipients know if they were really sent by you.

Email encryption usually relies on a Public Key Infrastructure (PKI). A public key is used to encrypt messages, and only the person with the corresponding private key can decrypt them.

Encrypting only the emails containing sensitive information is a bad idea because it points hackers to exactly what they are looking for.

When you encrypt all email messages as a standard practice, hackers wishing to access your personal information have a more difficult time gaining it. Decrypting just one message is an arduous task that even the most dedicated hacker may not see as worth their trouble.




What is NIST Compliance?

The National Institute of Standards and Technology (NIST) is a key resource for technological advancement. As such, compliance with NIST standards has become a top priority in many high tech industries today.

A Definition of NIST Compliance

What are NIST security standards? The National Institute of Standards and Technology is a government agency that helps other federal agencies with security guidelines.

NIST develops Federal Information Processing Standards (FIPS) in conjunction with the Department of Commerce. The Secretary of Commerce approves FIPS, which federal agencies must use – they cannot waive these standards.




NIST Compliance at a Glance

NIST, the National Institute of Standards and Technology, is an organization that provides guidelines to federal agencies. The NIST Cybersecurity Framework was created by using best practices from several security documents.

One way to meet many regulations is by following NIST laws and guidelines. For example, the nine steps toward FISMA compliance outlined in their Guidelines for Managing and Securing IT Systems can be very helpful.

  • Make sure you know what data and information need to be protected.
  • Establish at least baseline security controls.
  • Conduct risk assessments to make sure your controls are doing what they’re supposed to do.
  • Write down your baseline security controls in a written plan.
  • Implement security controls to your IT systems
  • Once a security policy is in place, watch to see if it’s effective.
  • Determine the risk of a company based on its security controls.
  • Authorize the system to process the information.
  • Keep a close eye on the security of your company.

NIST Compliance Benefits

NIST compliance is good because it helps to ensure your company’s infrastructure is secure. It also lays the foundation for what you should do when complying with specific regulations like HIPAA or FISMA.

But NIST isn’t a complete assurance that your data will be safe, which means you need to inventory all of your cyber assets using a value-based approach in order to find out where most sensitive data lies and focus protection efforts on those areas.

NIST SP 800-Series Compliance

NIST 800-series guidelines, such as NIST SP 800-53 and NIST SP 800-37, help government agencies identify their cyber assets and monitor them in a way that allows for quick responses to potential vulnerabilities.

NIST Guidelines

The new NIST guidelines say that you should use at least 8 characters, including a lowercase letter and an uppercase letter, as well as numbers or symbols.

1. Complex

Conventional wisdom says that a complex password is more secure. But in reality, the length of your password should be much more important to you.

2. Periodic password resets

Many companies ask their users to reset passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. But frequent changes actually make security worse.

If an attacker already knows a user’s previous password, they won’t have any trouble hacking the new one. The NIST guidelines state that periodic password changes should be removed for this reason.

3. Check passwords against breached and common password lists

The new NIST password guidelines require that every new password be checked against a “blacklist” of words and patterns. This will ensure the passwords are not easy to guess by cybercriminals.

4. Don’t rely on password hints or personal questions

Some companies offer hints or personal questions so users can remember passwords.

But it has been found that, with the constant dissemination of personal information on social media or through social engineering, attackers are able to find this information easily. This is why the NIST guidelines forbid password hints and knowledge-based questions.
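The blocklist and length guidance from this section, as an added example (not from the page or from NIST): a password-acceptance check that enforces the 8-character minimum the page cites, rejects anything on a breached/common list, rejects repetitive or sequential strings, and rejects passwords containing context words such as the user or company name. The blocklist is a small constructed stand-in for a real breach corpus.

```python
import hashlib

MIN_LENGTH = 8   # the minimum length the page cites

# Constructed blocklist standing in for a breached/common-password corpus. It is kept
# as SHA-1 digests, the form in which breach corpora are typically distributed, so the
# check never needs the plaintext list at hand.
_BLOCKLIST_PLAINTEXT = ("password", "123456", "qwerty", "letmein", "Summer2023!", "welcome1")
BLOCKLIST_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _BLOCKLIST_PLAINTEXT}


def _is_repetitive_or_sequential(candidate: str) -> bool:
    """True for strings like 'aaaaaaaa', '12345678' or 'hgfedcba'."""
    s = candidate.lower()
    if len(s) >= 2 and len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def evaluate_password(candidate: str, context_words=()) -> list:
    """Return the list of reasons a password is unacceptable (empty list means accepted).

    No composition rule (upper/lower/digit/symbol) is enforced: the checks are length,
    a breached/common-password lookup, obvious patterns, and context words.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    if digest in BLOCKLIST_SHA1:
        problems.append("appears in breached/common-password list")
    if _is_repetitive_or_sequential(candidate):
        problems.append("repetitive or sequential pattern")
    lowered = candidate.lower()
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains context word '{word}'")
    return problems


if __name__ == "__main__":
    for pw in ("password", "12345678", "Summer2023!", "Acme!Winter2024", "correct horse battery staple"):
        print(f"{pw!r}: {evaluate_password(pw, context_words=('acme', 'alice')) or 'accepted'}")
```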




The State’s Need for the KISS Principle

SecurityStudio is dedicated to serving state and local government.

In our work, we’ve witnessed firsthand the incredible challenges facing state cybersecurity [1] personnel. State Chief Information Security Officers (CISOs) are tasked with the mission of securing state information assets, but the challenge is nearly impossible. The challenge is hopeless with limited political/management support, obstructed visibility, inadequate resources, and constant distraction.

We must put state CISOs in the best position to succeed.

Specific cybersecurity challenges are different in each state, but there are common themes like:

  1. Technology Adoption – We continue to adopt technology faster than our ability to secure it.
  2. Personnel Support – Cybersecurity personnel are asked to do more than they’re capable of.
  3. Fundamentals – The fundamentals are fundamentals; it doesn’t matter where they’re applied.
  4. Complexity – This is always the worst enemy of information security.

The CISO’s mission may be “nearly” impossible, but we believe the mission can become reality. The path forward (now or later) is the KISS Principle (or something similar).

Introduction to the State KISS Principle

In our context, K.I.S.S. stands for “Keep Information Security Simple [2]”.

Complexity is the worst enemy of security. This is logical. It’s easier to secure three systems versus three hundred. A small organization is easier to secure than a large one, like a state. If complexity is our worst enemy, is it safe to say that “simplicity is our best ally”? We think so.

Simplicity is the key to achieving information security success in state government. Speaking of “success”, this is the first phase of the KISS Principle. There are six simple (not easy) phases to the KISS Principle.

Phase 1: Define Information Security Success

Try this, ask someone to define information security success for you. From the governor, legislators, CIO, agency heads, and citizens, the answers will be different. This is not necessarily a bad thing; this is a great opportunity to lead and unify.

At SecurityStudio we define information security success as “managing information security risk well”. This by itself is too vague without elaboration.

  • This is managing information security risk, NOT eliminating information security risk. Eliminating risk is impossible. Managing risk requires understanding risk (assessment), making responsible risk decisions, and acting on the decisions that were made. Just one more thing…

Measurement. We can’t manage what we can’t measure. SecurityStudio’s S2 platform is a risk measurement and management platform that will help.

  • Information security encompasses three domains, operational (or administrative) [3], physical [4], and technical. Information security is NOT an IT issue, it’s everyone’s issue.
  • Risk is the likelihood of something bad happening and the impact if it did. Likelihood and impact are dependent upon threats and vulnerabilities (or weaknesses). The goal is to minimize the likelihood and/or impact of compromise in line with what we deem “acceptable”.

Assuming success in all the above, the word “well” is defined by our decisions and resulting measurement (or score). This is information security success!

Summary

An example:

Information security success in (INSERT_STATE) is attained by achieving and maintaining an overall S2Score of 660 (or higher) while also maintaining S2Scores of 660 (or higher) across operational, physical, and technical security domains.

This definition of success is easily understood, objective, measurable, and comprehensive. Defining success isn’t all that difficult, making success reality is the hard part.

Socialize the definition of success so people can 1) understand it, 2) buy into it, and 3) hold each other accountable for it.

Phase 2: Simple Structures

Securing a complex organization (like a state) can be overwhelming. In some states, the CISO is responsible for controlling (or influencing) information security across agencies, departments, counties, municipalities, education, and much more. Without proper structure and simplification, this is an impossible proposition.



We can’t boil the ocean, and we can’t tackle the state as a single mammoth entity either. A complex organization, like a state, is made up of many smaller, simple structures (or “entities”). There are three main entity types, aligned with our definition of information security:

  • Administrative Entity – maintains its own administrative authority over information security, meaning its own management structure, policies, or way of doing things. Typically, counties, education institutions, municipalities, and larger agencies.
  • Physical Entity – maintains its own physical control authority (building security and/or facilities personnel).
  • Technical Entity – maintains its own technical control authority. Typically, an entity with its own IT department or function (including “ghost” IT).

Some entities fit nicely into a single type; other entities are combinations of types. Defining entities can be a tedious task, but it must be done and it’s well worth the effort.

Phase 2 Tasks

Answer the following questions:

  • What are the entities under the purview of the state? Some are under the authority of the state, and some are supported (or influenced). Give each entity a name.
  • Define who’s responsible for each entity. We call these people “Risk Owners”.
  • Define the Risk Owner role, inform Risk Owners and provide basic training.

Risk Owners

Keep this simple. Risk Owners commonly have three responsibilities:

  1. Obtain quality risk information (assessments) for their entity.
  2. Make risk decisions on behalf of their entity.
  3. Ensure that risk decisions are carried out.

It’s common for a Risk Owner to not know they are a Risk Owner, and it’s also common for Risk Owners to not know what they’re responsible for. This role must be documented and communicated properly. If you need any assistance, SecurityStudio can offer many free resources (including templates).

Phase 3: Same Language

Not everybody speaks “information security” the same way. It’s important for every entity to use the same methodology and terminology when managing risk. Risk assessments must be done using the same (or similar) tool for consistent context and scoring throughout the state (between entities).

S2Org

S2Org was built to be the simple information security language.


Benefits of using the same language include:

  • It’s educational. Most people don’t appreciate the many facets of information security. Improved education leads to more buy-in.
  • Measurements are consistent. Consistent measurements allow for rollups, dashboards, and apples-to-apples comparisons. This puts risk into context.
  • It becomes cultural. The language becomes part of the culture and people participate more.

Phase 3 Tasks

The S2 platform makes all these tasks simple (and easy).

  • Choose your language. At this point, only the Risk Owners need to speak the language.
  • Conduct risk assessments. Completed by Risk Owners or delegated by the Risk Owner.
  • Compile results on a single dashboard or screen for context.
  • Report the results to all interested parties. The language is taught to others throughout this process and buy-in slowly starts.

IMPORTANT: Many people overthink this part of the process, we suggest you don’t.

Phase 4: Baselines

There are certain risks that are unacceptable to the entire organization, from top to bottom. Determining these risks will help establish the global baseline by which all entities should abide. Local baselines are set by the Risk Owners, where they decide the following:

  • What is the risk decision? There are only four options: accept, mitigate, transfer, or avoid. Undecided risks become accepted ones by default.
  • Who will enact the risk decision? Someone must be accountable, or it won’t get done.
  • When will the risk decision be enacted?
  • How much will it cost? This is the objective and justified budget we all covet.

The local baselines become road maps.


Budget

Risk Owners have weighed in, deciding which risks are acceptable and which are not. All decisions were made using objective criteria and all budget items are tied to specific risks. Getting budget approval is more likely when decisions are quantified, distributed, and put into context. The classic “what will this money get us?” is an easy discussion.

There will be multiple budgets affected, depending on how things break down fiscally.

Ultimately, budget approvers/stakeholders (usually the legislature) can begin to understand:

  1. The current state of the state’s information security program.
  2. The future/planned state of the state’s information security program.
  3. When the state can expect to reach the future/planned state.
  4. How much the future/planned state will cost.

Some expenditures will be state expenditures, and some will be local. Costs can be distributed, and resources can be pooled, saving money in the end. In addition to the four important metrics (above), we can communicate what our most significant risk is now.

Phase 4 Tasks

Four simple, but certainly NOT easy tasks in Phase 4:

  • Establish global, or universal standards of what’s acceptable and what’s not.
  • Coach Risk Owners to make good risk decisions, then let them.
  • Finalize roadmaps with Risk Owners.
  • Establish and obtain budget.

At this point, distributed risk management will start becoming operationalized and people will begin to see the vision.

Phase 5: Progress

This is all about execution. Joint, coordinated progress is made in building the state’s information security program together. All entities have roadmaps, and execution continues until the end of each roadmap.

Many things will happen at once during this phase (CISOs are used to this anyway). Every entity should be busy managing to their roadmap, and the CISO has visibility into it all. As things are completed, scores (S2Scores on S2) change. Current status can be provided to any/all interested parties.

Phase 5 Tasks

Manage the roadmap process, ensuring that people complete what they agreed to complete. If/when roadmap projects and tasks don’t get completed, the Risk Owner should be held accountable.

Phase 6: Improvement

This phase is about review and improvement before beginning the cycle again. Review the successes and challenges in the first cycle, Phase 1 through Phase 5. Adjust and run the entire process again. The second, and each successive time through the cycle gets easier because the processes become operationalized and cultural.

In each cycle, risk assessments are completed in Phase 3. These assessments are stakes in the ground from which the state (and its entities) measure themselves. On each pass, the stake is set again with newer, more relevant risk data.

Phase 6 Tasks

There are only two tasks in Phase 6:

  • Conduct a formal review of the entire KISS Principle as it was applied. In the review, focus on simplification and resist the urge to add more things.
  • Suggest and make improvements, as necessary.

That’s it. Start at Phase 1 again. Those are the six phases of the State KISS Principle. At each phase, complex concepts were simplified. The work was not easy, but nobody said it would be. What was removed (even if just a little) was confusion and complexity.

Conclusion

SecurityStudio is here to help those who serve in our state governments. We focus on our mission, to fix the broken information security industry, before all else. Our mission forces us to look at things from the perspective of those who are served (usually individual people) and those who serve (our information security compatriots).

The truth is complexity in state government has never been greater, and state cybersecurity personnel are asked to do more than they’re capable of.

These things are the purpose behind SecurityStudio’s S2 platform.


Contact us to see a demonstration, register trial accounts, and/or arrange for a proof of concept (POC).


We are always here to serve. SecurityStudio CEO Evan Francen, email: efrancen@securitystudio.com.

To learn more about SecurityStudio, our tools, or our #MissionBeforeMoney, visit us online at https://securitystudio.com.



Once again, we are seeing K-12 schools shut down due to ransomware attacks. The FBI and the Department of Homeland Security have repeatedly warned that K-12 is a soft target for cybercriminals. Why?

K-12 schools are particularly vulnerable because many school administrators simply do not know how to prepare for a ransomware attack. That is not acceptable, because an attack is a matter of when, not if.

So what should school administrators with limited time and budget focus on? The answer is always the fundamentals: the simple, basic steps you can take to prepare for, respond to, and recover from a ransomware attack. Sadly, the fundamentals are often overlooked or poorly implemented.

What are the top five fundamental things every K-12 school should be doing to prepare for ransomware attacks?

#1 Know what you have in your environment

You cannot protect what you cannot see. Perform an asset inventory starting with the most critical systems, networks, applications, and data. Then expand your scope to less critical assets, systems, applications, and data.

Performing asset inventory is an ongoing activity, and updates should be made at least annually.

#2 Know your risk level

Perform a comprehensive risk assessment like S2School to get a measure of your current security posture. Quantifying your risks helps to identify high risks, and enables you to create a prioritized roadmap so that your resources can be spent on fixes that will have the biggest impact on securing your environment. Without a risk assessment, it is very hard to know where to start.

Like asset inventory, risk assessments should be updated at least annually.

#3 Air gap your system and data backups

This is the most important precaution that can be taken to ensure a school is able to recover from a ransomware attack quickly and at minimum cost. The latest trend is for cybercriminals to go after backups before attempting to ransom the system. They know that backups can help you avoid paying the ransom. 

Keeping the backups encrypted and physically offline (disconnected from the network and from any account an attacker could compromise) means an intruder who has taken over the network cannot reach, alter, or delete them, so they are ready for when you need them most. Keep the decryption keys somewhere other than the systems being backed up; an encrypted backup whose only key sat on the ransomed file server is no backup at all.

Test your backups with an actual restore before you encrypt them and take them offline, and repeat the test on a schedule. A backup that has never been restored is an assumption, not a safeguard.
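One way to make the "test your backups" step mechanical, as an added example that is not part of the original post: build a SHA-256 manifest of the backup set when it is sealed, keep the manifest with the offline copy, and verify the set against it before relying on it. The backup files below are constructed samples written to a temporary directory; the directory layout, file names and the manifest format are assumptions for the illustration.

```python
"""Added example (not from the original post): build a SHA-256 manifest of a
backup set and verify the set against it, so that silent corruption or
tampering is caught before the copy is encrypted and taken offline, and again
before a restore. The backup files are constructed samples in a temp dir."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file in the set (POSIX-style relative path) to its digest."""
    return {
        path.relative_to(backup_dir).as_posix(): sha256_file(path)
        for path in sorted(backup_dir.rglob("*"))
        if path.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> list:
    """Compare the on-disk set with the manifest; an empty list means it matches."""
    current = build_manifest(backup_dir)
    problems = []
    for name, expected in manifest.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != expected:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in current if name not in manifest)
    return problems


def demo() -> tuple:
    """Verify a constructed backup set, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "sis").mkdir(parents=True)
        (backup / "sis" / "students.db").write_bytes(b"constructed sample rows\n" * 100)
        (backup / "config.yaml").write_text("retention_days: 30\n")

        manifest = build_manifest(backup)
        # In practice the manifest travels with the offline copy (or is signed
        # separately): an attacker who can rewrite a backup can also rewrite a
        # manifest stored next to the live data. The demo writes it to the temp
        # directory only to show the JSON round trip.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        clean = verify_backup(backup, manifest)                        # expect []
        (backup / "sis" / "students.db").write_bytes(b"\x00" * 16)    # simulate corruption
        (backup / "config.yaml").unlink()                              # simulate a lost file
        damaged = verify_backup(backup, json.loads(manifest_path.read_text()))
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("sealed set:", before or "OK")
    print("damaged set:", after)
```

The manifest only proves the files are the ones you sealed; it does not prove they restore into a working system, so it complements a periodic restore drill rather than replacing one.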

#4 Implement Multi-Factor Authentication (MFA)

This extra step makes it much harder for cybercriminals to get access to your systems and data. With MFA in place, a password captured by a phishing link or malicious website is not enough on its own to log in, so stolen credentials are far less likely to turn into a compromise.

#5 Have a response plan

This is no different from the response plans that schools already have in place for other emergencies. A ransomware response plan enables quick action by reducing the confusion, hesitation, and on-the-spot decision-making that an emergency otherwise demands. Like any other response plan, it must be tested regularly to confirm it works as designed.


Introduction

Each year, the National Association of State Chief Information Officers (NASCIO) conducts a survey of state Chief Information Officers (CIOs). In the survey, state CIOs are asked to identify and prioritize the top policy and technology issues facing state government.

The top priority for state CIOs in 2021 is “Cybersecurity and Risk Management”.

This is great news because the SecurityStudio (S2) platform was specifically built for cybersecurity and risk management in state government. S2 wasn’t just built as a solution for this issue, it was built to be the best solution for this issue.

SecurityStudio is the best solution for tackling cybersecurity and risk management in state and local government.

In this short paper, we’ll demonstrate why SecurityStudio is the best platform to solve 2021’s top state CIO priority.

NASCIO Survey Results

Since 2014, eight years in a row, “Security”, “Security and Risk Management”, or “Cybersecurity and Risk Management” have been the top priority for state CIOs. Under the heading of “Cybersecurity and Risk Management” are the following topics:

  • Authority and executive support
  • Budget and resource requirements
  • Data protection
  • Determining what constitutes “due care” or “reasonable”.
  • Governance
  • Insider threats
  • Risk assessment
  • Security frameworks
  • Third party security practices as outsourcing increases
  • Training and awareness

The topics supporting the top CIO priority for the past eight years are all fundamental information security concepts.


The SecurityStudio (S2) platform was developed to simplify cybersecurity risk management fundamentals for everyone. Simplify does not mean we’ve taken shortcuts, in fact, our platform is the most comprehensive platform on the market. Simplify means we’ve taken unnecessary complexity out of the equation. The truth is complexity is the worst enemy of security.

There are four integrated tools on S2:

  • S2Org – The organizational risk management tool for measuring risk across administrative, physical, and technical controls. The ability to “nest entities” makes S2Org flexible and scalable for any application.
  • S2Vendor – The third-party information security risk management tool leveraging integration with competitive tools and S2Org.
  • S2Team – The personnel information security risk management tool leveraging personal habits measured through S2Me.
  • S2Me – The FREE personal information security risk management tool for people at home. States are using S2Me as a community education initiative too.

NOTE: We’ve also developed S2School, a K12-specific version of S2Org.


Knowing that you can’t manage what you can’t measure, S2 uses the S2Score risk management metric throughout. To date, more than 5,000 organizations in public and private sectors use S2 and the S2Score to objectively measure cybersecurity risk.

SecurityStudio to Solve the Top State CIO Priority

There were ten (10) topics mentioned in NASCIO’s publication, and here’s how S2 addresses each one.


Authority and executive support

Executive management (CIO, legislature, Governor, etc.) isn’t likely to read a lengthy report full of technical jargon, but they will actively embrace concise scorecards and easily understood metrics. They want the assurance of knowing scorecards and metrics are justified by loads of technical detail, but they want to be spared the detail. Obtaining executive support with S2 is simple.

Budget and resource requirements

Budgets justified by risk decisions and objective metrics are much more likely to be approved, giving state CIOs and CISOs the confidence to deliver. It’s a great feeling to have an answer to the question, “What will we get for our money?”


Data protection

Information security is the management of risk of unauthorized data disclosure, modification, and destruction. Data protection risks are built into S2, and using the program correctly will lead the state to the best data protection investments.

Determining what constitutes “due care” or “reasonable”.

According to ALM’s Legal Dictionary, the term “due care” is defined as:

the conduct that a reasonable man or woman will exercise in a particular situation, in looking out for the safety of others. If one uses due care then an injured party cannot prove negligence.

There is no better way to demonstrate due care than by prudently managing information security risk throughout the state. Using objective metrics, automated processes, and full accountability within S2, demonstrating “due care” couldn’t be any simpler. Risk management is reasonable, risk ignorance is probably less so.

Governance

Everyone has a role in information security, from the Governor to citizens, from the CISO to the System Administrator, and from the legislator to the common worker. Good governance must be established for a functional cybersecurity “program” and S2 (leading with risk) is the perfect guide.


The CISO should never be left to do it all. S2 is designed with distributed accountability as its core, allowing a CISO to distribute common assessments to various agencies, facilities personnel, etc. Once the assessments are completed, the CISO can make effective risk decisions and hold people accountable for making all necessary positive changes throughout state government.


Insider threats

Every organization deals with insider threats and there is no easy solution. The only legitimate approach is a holistic one driven by good governance and solid processes. S2 accounts for protecting against insider threats by measuring the state’s adherence to good practice.


Risk Assessment

We can’t manage risk unless we’ve assessed it first. Risk assessments form the basis by which we make sound risk decisions and measure meaningful mitigation (or similar) progress.


Security Frameworks

If there’s one thing our industry has, it’s frameworks (and standards)! The challenge isn’t in understanding the framework(s), but it’s in implementing and managing against it/them. S2’s content was derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and mapped to several others.


Third party security practices as outsourcing increases

Third party information security risk management is handled by the built-in S2Vendor tool and integrated into the state’s S2Org for a full accounting of information security risk. Using S2Vendor is flexible, allowing for roles such as Vendor Relationship Manager, Vendor Risk Manager, and others.


Training and awareness

The world was flipped on its side (or maybe upside down) when COVID-19 hit in early 2020, and some people say things will never be the same. When it comes to information security training and awareness, S2 was already ahead of the curve before the pandemic.


People are creatures of habit and they follow the same habits regardless of where they are, at home or in the office. S2Team takes aggregated and anonymous data from S2Me (our free personal information security risk management tool) and gives state CISOs unprecedented insight into true employee behavior. S2Me has the added benefit of motivating personnel to adopt better cybersecurity habits for themselves while the state benefits in the process.

Why SecurityStudio is Best

SecurityStudio is the best tool for tackling the top state CIO priority bar none. The S2 platform was built with simplicity, scalability, distributed accountability, and countless other features to revolutionize the way states manage information security.

Contact your representative to see a demonstration, register trial accounts, and/or arrange for a proof of concept (POC) today!


We are always here to serve.

Evan Francen, email: efrancen@securitystudio.com

To learn more about SecurityStudio, our tools, or our #MissionBeforeMoney, visit us online at https://securitystudio.com


Summary and opinions on President Biden’s Executive Order (EO) 14028

Table of contents

  1. Introduction
  2. Summary
  3. Section 1. Policy
  4. Section 2. Removing Barriers to Sharing Threat Information – Summary
  5. Section 3. Modernizing Federal Government Cybersecurity – Summary
  6. Zero Trust Architecture (ZTA)
  7. Movement to secure cloud services
  8. Section 4. Enhancing Software Supply Chain Security – Summary
  9. Section 5. Establishing a Cyber Safety Review Board – Summary
  10. Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents – Summary
  11. Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks – Summary
  12. Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities – Summary
  13. Section 9. National Security Systems – Summary
  14. Section 10. Definitions – Summary
  15. Section 11. General Provisions – Summary
  16. Conclusion

Introduction

On May 12, 2021, President Biden issued Executive Order (EO) 14028. The EO was published in the Federal Register on May 17, 2021 and can be referenced online here: https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity


This document is a summary interpretation of the EO and our unbiased opinion, section by section.

Summary

There are eleven sections in the EO, each with a subset of topics, deadlines, and responsible parties:

  • Section 1. Policy
  • Section 2. Removing Barriers to Sharing Threat Information
  • Section 3. Modernizing Federal Government Cybersecurity
  • Section 4. Enhancing Software Supply Chain Security
  • Section 5. Establishing a Cyber Safety Review Board
  • Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities
  • Section 9. National Security Systems
  • Section 10. Definitions
  • Section 11. General Provisions

The titles are good indicators of each section’s contents; however, there are some interesting, and maybe concerning, “hidden gems” in the details. Zero Trust Architecture and Endpoint Detection and Response are specifically called out, and these could turn out to be disastrous if they’re not done right or are done for the wrong reasons. Few would argue that the Federal Government doesn’t need to do a better job protecting its assets. This EO could be exactly what the country needs.


On the other hand, an EO with poorly written requirements and/or ulterior motives could be worse than no EO at all.


If you only read the titles of each section, you might be very supportive of this EO. If you read the details within each section, which we did, you might find some things you don’t feel completely comfortable with. We encourage everyone to read the President’s EO in detail and form your own opinions, then share them with us.


We promise to respect your opinions, and we hope you will reciprocate.

Section 1. Policy – Summary

A standard opening and the Biden Administration’s justification for the EO.

The policy statement is:

It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.

The scope of the EO is:

All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.

Section 1 also contains admissions that the Federal Government must improve “cybersecurity”, must partner with the private sector, must make “bold changes and significant investments”, and must “bring to bear the full scope of its authorities and resources”.

Section 1. Policy – Opinion

Section one sounds good. The right words are used in the right places, and the right justifications are used to support the EO.

There should be little doubt our country needs to do “cybersecurity” better, but we can’t help feeling some level of distrust based on track record and political motivations.

Information security is logical and should never be political.

Maybe our feelings are just run of the mill paranoia, or maybe our feelings are justified by witnessing our Federal Government operate with a less than stellar track record:

  • There’s no objection to partnering with the private sector; however, the government has a reputation of only working with the powerful people in the private sector.
  • There’s no objection to making “bold changes and significant investments”; however, the government has a reputation of making bold changes with ulterior motives and making HUGE investments on bad things.
  • Anytime our Federal Government says it “must bring to bear the full scope of its authorities and resources” (or something similar), the hairs rise on the back of our collective necks and we cringe a little.

If the goal is to secure the government (and the country better), then let’s look at the rest of this EO with this lens. Let’s NOT look at this EO with a political or emotional lens.

Section 2. Removing Barriers to Sharing Threat Information – Summary

This section is mostly related to establishing better “cyber incident” reporting between contracted IT and OT service providers and the Federal Government.

Topics covered in this section include:

  • Review existing reporting requirements and procedures.
  • Recommend updates to the Federal Acquisition Regulation (FAR).
  • Update the FAR.
  • Enforce IT/OT provider compliance.
  • Centralize reporting.
  • Provide budget for this section.

The timelines are aggressive, and several deadlines are mentioned, the latest being October 9, 2021.

Section 2. Removing Barriers to Sharing Threat Information – Opinion

One of the best sections in the EO, setting proper expectations for incident information sharing. We’re very interested to see the specific requirements once they’ve been vetted and communicated. The requirements in this section should go a long way toward ensuring incident information is shared properly and promptly between concerned parties. A quick and coordinated response should significantly limit the impact of future incidents.

Section 3. Modernizing Federal Government Cybersecurity – Summary

The main purpose for this section is to force wider adoption of cloud technologies, a Zero Trust Architecture (ZTA), and multi-factor authentication (MFA).

According to this section, the Federal Government must:

  1. Adopt security best practices.
  2. Advance toward Zero Trust Architecture
  3. Accelerate movement to secure cloud services.
  4. Adopt multi-factor authentication.
  5. Encrypt data at rest and in transit.
  6. Centralize and streamline access to cybersecurity data.
  7. Invest in both technology and personnel to match the modernization goals.

The timelines for the requirements in this section are also aggressive, for instance, the plan to implement a Zero Trust Architecture is due within 60 days (7/11/21).

Section 3. Modernizing Federal Government Cybersecurity – Opinion

This is a weighty section with many requirements, and the timelines are VERY ambitious. On the surface, everything in this section seems good, until we consider reality.

Security best practices are good, adopting multi-factor authentication is good, encrypting data at rest and in transit seems good (although it could disrupt some things), and centralizing and streamlining access should be good depending upon the implementation.

To be blunt, pushing Zero Trust Architecture (ZTA) on this scale seems premature. There are many steps toward ZTA that could be taken without going all the way this quickly. Taking those steps is doable and effective, but pushing ZTA the way this EO does seems unrealistic and more marketing than substance. Many people in our industry see “ZTA” as a marketing label on what has always been regarded as best practice.

Accelerating movement/migration to the cloud also gives us an uneasy feeling. Is the cloud more secure than on premise? Maybe, but that’s almost like saying Apple is more secure than Linux. It sort of depends, doesn’t it? One could make the argument that the cloud is not inherently more secure, so why are we accelerating the migration to the cloud on this scale? Feels more about money than security, but the EO doesn’t give all the justification either.

Zero Trust Architecture (ZTA)

ZTA is generally good and conceptually sound. Despite all the marketing BS by vendors trying to make a buck (at our expense), ZTA draws upon information security concepts we’ve been preaching for many years; things like default deny, network isolation, least privilege, inventory management, etc. Despite the good things about ZTA, its inclusion in the EO is premature and almost impractical.

Figure 1: 2020 Federal Information Technology Acquisition Reform Act (FITARA) Scorecard.

ZTA is VERY difficult to implement in large, complex environments. We swear it’s easier and more effective to start over in some/most cases. Here are just some of the challenges with mandating ZTA wholesale like this EO appears to:

  • Most people don’t know what a Zero Trust Architecture is.
  • We already have a talent shortage problem (allegedly), this is going to take many knowledgeable people to implement.
  • ZTA adds complexity, adding a Policy Engine (PE), a Policy Administrator (PA), Policy Enforcement Points (PEP), a Continuous Diagnostics and Mitigation (CDM) system, an industry compliance system, and (a lot) more.
  • Deciding which variation of ZTA is the right one is no trivial task. There’s ZTA using enhanced identity governance, ZTA using micro-segmentation, ZTA using network infrastructure and software defined perimeters, device agent/gateway-based deployments, enclave deployments, resource portal-based deployments, device application sandboxing, and various combinations in between. If that’s not enough, there’s variations in trust algorithms too.
  • From NIST SP 800-207, “Gaps that Prevent Immediate Move to ZTA”:
    • Lack of Common Terms for ZTA Design, Planning, and Procurement
    • Perception that ZTA Conflicts with Existing Federal Cybersecurity Policies
  • From NIST SP 800-207, “Systemic Gaps that Impact ZTA”:
    • Standardization of Interfaces Between Components
    • Emerging Standards that Address Overreliance on Proprietary APIs
  • From NIST SP 800-207, “Knowledge Gaps in ZTA and Future Areas of Research”:
    • Attacker Response to ZTA
    • User Experience in a ZTA Environment
    • Resilience of ZTA to Enterprise and Network Disruption
  • And many, many, many other challenges.

We can’t help but wonder if FCEB agencies and the Federal Government are ready for ZTA? Judging from last year’s FITARA scorecard (See: Figure 1 above), there’s still plenty of work to do on the fundamentals.

Let’s give the benefit of the doubt and just go for it, right? Here’s what we must do to get ZTA going in the Federal Government…

After preparing for the long, arduous ZTA journey, step one in the migration “requires an organization to have detailed knowledge of its assets (physical and virtual), subjects (including user privileges), and business processes” (NIST Special Publication 800-207, “Zero Trust Architecture”). ZTA or not, every organization should have detailed knowledge of its assets.

How can you possibly protect the things you don’t know you have?

Start with an inventory of every single piece of hardware (firewalls, routers, switches, server chassis, workstations, laptops, mobile devices, and all other), then an inventory of every single piece of software (operating systems, client/server applications, cloud systems/applications, host applications, databases, and all other), then figure out where your data is and where it goes (data flows).

Got it? OK, now map your business processes. If you’ve got all that figured out, you might want to consider throwing half of it away. You probably don’t “need” some of it, or you aren’t using it correctly anyway.

Step two, risk assessment and policy development. Step three is deployment, four is operations, then cycle back through continuously.

Vendors LOVE ZTA because it sells things, lots of things. The market is flooded with vendors who claim to sell ZTA solutions, but most of them are not ZTA solutions and most buyers won’t know the difference. Other vendors love ZTA because you’ll probably need software to do some/all of this. At a minimum, you’ll need a public key infrastructure (PKI), ID management system, and a security information and event management (SIEM) system.

All this adds more complexity to the environment, and complexity is the worst enemy of security. We sincerely hope ZTA isn’t in the EO for marketing to increase vendor sales (for companies with close ties).
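To make the Policy Engine / Policy Enforcement Point split concrete, here is an added example of a minimal per-request access decision. It is our own illustration, not code from the EO, from NIST SP 800-207, or from any vendor product. The subject, device and resource attributes, and the rules themselves, are assumptions about what an organization’s identity provider and asset inventory could supply; the users, devices and resource are constructed samples.

```python
"""Added example (not from the EO or NIST SP 800-207): the smallest useful
shape of a zero-trust access decision. A Policy Engine decides, a Policy
Enforcement Point applies the decision on every request, and nothing is
allowed that the engine did not explicitly approve. Subjects, devices and
resources are constructed samples; the attributes checked are assumptions
about what the identity provider and asset inventory can supply."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    roles: frozenset
    mfa_verified: bool      # assumed to come from the identity provider for this session


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # present in the asset inventory (step one of the ZTA journey)
    patched: bool           # current posture, assumed to come from an endpoint/CDM feed


@dataclass(frozen=True)
class Resource:
    name: str
    required_role: str
    sensitive: bool


class PolicyEngine:
    """Evaluates one request at a time. Default deny: the only path to True is
    through every check. Each denial carries a reason for the audit log."""

    def decide(self, subject: Subject, device: Device, resource: Resource, action: str) -> tuple:
        if resource.required_role not in subject.roles:
            return False, "subject lacks required role"
        if not device.managed:
            return False, "device not in inventory"
        if resource.sensitive and not subject.mfa_verified:
            return False, "sensitive resource requires MFA"
        if resource.sensitive and not device.patched:
            return False, "sensitive resource requires patched device"
        if action == "write" and resource.sensitive and "admin" not in subject.roles:
            return False, "write to sensitive resource requires admin role"
        return True, "allowed"


class EnforcementPoint:
    """Sits in front of the resource. It asks the engine on every request and
    keeps no cached trust, so a device that drifts out of compliance is denied
    on its next request rather than for the remainder of a session."""

    def __init__(self, engine: PolicyEngine):
        self.engine = engine
        self.audit = []

    def handle(self, subject: Subject, device: Device, resource: Resource, action: str) -> bool:
        allowed, reason = self.engine.decide(subject, device, resource, action)
        self.audit.append((subject.user, device.device_id, resource.name, action, allowed, reason))
        return allowed


def demo() -> list:
    """Run constructed requests through one PEP; return (allowed, reason) per request."""
    pep = EnforcementPoint(PolicyEngine())
    gradebook = Resource("gradebook", required_role="teacher", sensitive=True)
    alice = Subject("alice", frozenset({"teacher"}), mfa_verified=True)
    alice_no_mfa = Subject("alice", frozenset({"teacher"}), mfa_verified=False)
    bob = Subject("bob", frozenset({"student"}), mfa_verified=True)
    school_laptop = Device("lt-0042", managed=True, patched=True)
    home_pc = Device("unknown", managed=False, patched=False)

    attempts = [
        (alice, school_laptop, gradebook, "read"),        # everything checks out
        (alice, home_pc, gradebook, "read"),              # right person, unknown device
        (alice_no_mfa, school_laptop, gradebook, "read"), # right person and device, no MFA
        (bob, school_laptop, gradebook, "read"),          # wrong role
        (alice, school_laptop, gradebook, "write"),       # least privilege on the action
    ]
    for attempt in attempts:
        pep.handle(*attempt)
    return [(allowed, reason) for (*_, allowed, reason) in pep.audit]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Even this toy shows where the cost lands: every check the engine makes depends on an inventory or identity signal that must already exist and be trustworthy, which is the point made above about knowing what you have before starting on ZTA.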

Movement to secure cloud services

Certainly, cloud service providers like Microsoft, Amazon and others love seeing this in the EO. Sure, there are security benefits in using cloud services, but there are also drawbacks. It all comes down to “how” you use as much (or more than) “what” you use. In our opinion about ZTA (above), we mentioned that you cannot secure the things you don’t know you have. The follow-up is you can’t secure things you can’t control. When you move to the cloud, it’s not that you lose control, it’s that you have less control.

There’s also a concern that you’re giving attackers one (or a few) big juicy target(s) versus distributed ones. So, why accelerate movement to the cloud for better security? We’ll keep the rest of our thoughts to ourselves right now. This doesn’t sit 100% well with us.

Section 4. Enhancing Software Supply Chain Security – Summary

This section of the EO covers topics and requirements to:

  • Develop standards, tools, and best practices for secure software development.
  • Enforce secure software development practices.
  • Define and enforce a “Software Bill of Materials (SBOM)”.
  • Define “critical software” and its protection requirements.
  • Consumer labeling programs for IoT and software.

This section contains two new topics and concepts that we haven’t seen before; the Software Bill of Materials (SBOM) and the consumer labeling programs.

Section 4. Enhancing Software Supply Chain Security – Opinion

If the requirements in this section are developed and implemented well, they could be great for information security. One of our long-standing concerns is the insecure methods software developers follow and how we allow this to persist. The secure software development requirements and the transparency described in this section of the EO are very intriguing.

We think the SBOM is a double-edged sword. On one side, it allows consumers (the government, organizations, people, etc.) to know where software comes from, how it’s made, and how to secure it better. On the flip side, this could be great intel for an adversary to build a better attack. We’ll have to see how this fleshes out.
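To show what “knowing where software comes from” looks like on the consumer side, here is an added example that is not part of the original paper: reading a minimal CycloneDX-style SBOM and sorting its components into the questions a consumer can actually answer from it. The SBOM document, the package names, versions and hash values, and the approved-version list are all constructed placeholders, not real releases, real digests, or anyone’s real policy.

```python
"""Added example (not from the EO): what a consumer can pull out of a
Software Bill of Materials. The SBOM below is a constructed CycloneDX-style
JSON document and APPROVED is a constructed local policy; package names,
versions and hash values are placeholders, not real releases or digests."""
import json

SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "name": "grades-portal", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.3.1",
         "purl": "pkg:pypi/acme-http@2.3.1",
         "hashes": [{"alg": "SHA-256", "content": "aa" * 32}]},   # placeholder digest
        {"type": "library", "name": "acme-ui", "version": "4.1.0",
         "purl": "pkg:npm/acme-ui@4.1.0"},                         # pinned, but nothing to verify
        {"type": "library", "name": "legacy-helper"},              # neither version nor purl
        {"type": "library", "name": "acme-db", "version": "1.0.9",
         "purl": "pkg:pypi/acme-db@1.0.9",
         "hashes": [{"alg": "SHA-256", "content": "bb" * 32}]},   # placeholder digest
    ],
})

# Constructed local policy: the exact package versions this organization has reviewed.
APPROVED = {"pkg:pypi/acme-http@2.3.1", "pkg:npm/acme-ui@4.1.0", "pkg:pypi/acme-db@1.1.0"}


def load_components(sbom_json: str) -> list:
    """Parse the document and return its component list, refusing unknown formats."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return doc.get("components", [])


def review(components: list, approved: set) -> dict:
    """Three questions per component: is it pinned (purl and version), can the
    artifact be checked (a SHA-256 hash), and is this exact version one we
    have reviewed? Unpinned entries cannot be checked or approved at all."""
    findings = {"unpinned": [], "unhashed": [], "not_approved": []}
    for comp in components:
        label = f"{comp.get('name')}@{comp.get('version', '?')}"
        purl = comp.get("purl")
        if not purl or "version" not in comp:
            findings["unpinned"].append(label)
            continue
        if not any(h.get("alg") == "SHA-256" for h in comp.get("hashes", [])):
            findings["unhashed"].append(label)
        if purl not in approved:
            findings["not_approved"].append(label)
    return findings


def demo() -> dict:
    return review(load_components(SAMPLE_SBOM), APPROVED)


if __name__ == "__main__":
    for question, items in demo().items():
        print(f"{question}: {items or 'none'}")
```

The same three lists are what an adversary would read first, which is the other edge of the sword: an SBOM with unpinned or unhashed entries tells an attacker exactly where a substituted component would go unnoticed.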

Consumer labeling for IoT devices and software (and hardware) is long overdue. Granted, many people won’t read the labels, but for those who do, this is a great move.

All-in-all, there’s a lot of good stuff in this section of the EO. Let’s hope it all gets implemented well.

Section 5. Establishing a Cyber Safety Review Board – Summary

This section outlines requirements for a new “Cyber Safety Review Board”. All the requirements in this section are for the Secretary of Homeland Security and the (yet to be established) Cyber Safety Review Board (“board”).

This section contains high-level information about the board, when the board is convened, how the board is convened, who’s on the board, and what the board needs to do. Most of the responsibilities for the board are related to “cyber incidents”. The board reports to the Secretary of Homeland Security and, by proxy, the President.

Section 5. Establishing a Cyber Safety Review Board – Opinion

There’s not enough detail to know what the board will do exactly. There is no charter or other detail provided; however, one of the board’s responsibilities is to create a charter. There is mention of membership, which we thought was interesting:

  • Federal officials.
    • Representatives of the Department of Defense
    • Representatives of the Department of Justice
    • Representatives of CISA
    • Representatives of the NSA
    • Representatives of the FBI
  • Representatives from private-sector entities and/or “appropriate” private-sector cybersecurity or software suppliers as determined by the Secretary of Homeland Security. 

Seems like the right government agencies are represented. We’ll have to see what the “appropriate” private-sector members will be. Let’s hope there’s no pay to play here!

Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents – Summary

This section is about the creation of a standard set of cybersecurity and incident response procedures (or “playbook”).

The playbook:

  • Will incorporate all appropriate NIST standards.
  • Will be used by all Federal Civilian Executive Branch (FCEB) Agencies.
  • Will articulate progress and completion through all phases of an incident response.
  • Will allow flexibility so it may be used in support of various response activities.
  • Will establish a requirement that the Director of CISA reviews and validates FCEB Agencies’ incident response and remediation results upon an agency’s completion of its incident response.
  • Will define key terms and use such terms consistently with any statutory definitions.

Essentially, one “cyber incident” response plan to rule them all.

Section 6. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents – Opinion

Getting all the FCEB Agencies to work from the same (or similar) playbook seems like a step in the right direction. The government will need to be careful that the playbook is kept confidential if/when it outlines details (which it likely will).

We’re sort of disappointed such a thing didn’t already exist. By the way, are we still sure we’re ready for ZTA?

Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks – Summary

This section puts a lot of power in the hands of the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA).

Major topics covered in this section of the EO include:

  • The adoption of a Federal Government-wide Endpoint Detection and Response (EDR) initiative.
  • CISA threat hunting on FCEB networks and systems without agency authorization.
  • Information sharing between the Department of Defense and the Department of Homeland Security

The timeline is aggressive, with EDR requirements mandated to be issued no later than September 9th, 2021.

Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks – Opinion

We’re not against EDR as much as we are against adding more complexity to technology environments, especially when the environment is likely to contain tools that are not used well as it is. Adding more tools to an environment that already uses tools poorly just adds to the insanity.

Maybe the agencies are ready for EDR, but it’s hard to ignore that there’s going to be a HUGE payday for one or more vendors here. Which vendor or vendors? We’ll have to wait and see. Obviously, EDR only does what EDR does and there are some clear differentiators amongst the players in the market.

CISA doing threat hunting on FCEB networks without prior agency authorization should be interesting to watch. There need to be strict rules of engagement and strong oversight for such things. CISA will obviously need to hire many, many new employees, between this and all the other EO requirements. These will be employees that won’t be available to the private sector.

Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities – Summary

This section of the EO is all about network logging, system logging, and information sharing requirements.

FCEB Agencies and IT service providers will need to comply with (details TBD) requirements for logging events and retaining other relevant data within an agency’s systems and networks, including:

  • Types of logs to be maintained.
  • Time periods to retain the logs and other relevant data.
  • Time periods for agencies to enable recommended logging and security requirements.
  • How to protect logs (logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention).
  • Data shall be retained in a manner consistent with all applicable privacy laws and regulations.
  • Ensure that, upon request, agencies provide logs to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.
  • Permit agencies to share log information, as needed and appropriate, with other Federal agencies for cyber risks or incidents.

Once the requirements are set, enforcement will follow.
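The log-protection requirement above (protect collected logs with cryptographic methods, then periodically re-verify them against the stored hashes) is the one piece of this section that maps directly onto code. The following is an added illustration, not code from the EO, from CISA, or from SecurityStudio. It chains a keyed digest (HMAC-SHA256) over each collected log line so that any edit, deletion, truncation, or append after collection is detected on re-verification, and it reports where the chain first breaks. The key, the sample log lines, and the function names are all constructed for the example; the EO itself only says "cryptographic methods" and "hashes", so using a keyed digest rather than a bare hash is this example's own choice.

```python
import hashlib
import hmac

# Constructed sample log lines for the example; not taken from any real system.
SAMPLE_LOG = [
    "2021-05-12T10:00:01Z sshd[1201]: Accepted publickey for analyst from 10.0.0.5",
    "2021-05-12T10:00:07Z sudo: analyst : TTY=pts/0 ; COMMAND=/usr/bin/journalctl",
    "2021-05-12T10:01:15Z kernel: audit: type=1400 apparmor=\"DENIED\" profile=\"nginx\"",
]

# Constructed demo key. In practice the key lives with the log collector (or an
# HSM), never on the host whose logs are being sealed.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def seal_log(lines, key):
    """Seal collected log lines.

    Each line's digest is HMAC-SHA256(key, previous_digest || line), so every
    digest commits to the whole prefix of the log. Returns the list of per-line
    hex digests (the "manifest") and the final anchor digest, which can be stored
    or reported separately from the log itself.
    """
    prev = GENESIS
    manifest = []
    for line in lines:
        mac = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        manifest.append(mac.hex())
        prev = mac
    return manifest, prev.hex()


def verify_log(lines, manifest, anchor, key):
    """Periodic re-verification of retained log lines against the manifest.

    Returns (True, None) when every line and the final anchor match, otherwise
    (False, index) where index is the first line that fails, or the position at
    which the log was truncated or extended.
    """
    if len(lines) != len(manifest):
        # Truncation (lines missing) or appended lines beyond the sealed manifest.
        return False, min(len(lines), len(manifest))
    prev = GENESIS
    for i, (line, expected) in enumerate(zip(lines, manifest)):
        mac = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(mac.hex(), expected):
            return False, i
        prev = mac
    if not hmac.compare_digest(prev.hex(), anchor):
        # Manifest lines match but the separately stored anchor does not:
        # the manifest itself was altered consistently with the log.
        return False, len(lines)
    return True, None


if __name__ == "__main__":
    manifest, anchor = seal_log(SAMPLE_LOG, DEMO_KEY)
    print("sealed", len(manifest), "lines; anchor", anchor[:16], "...")
    print("clean copy:", verify_log(SAMPLE_LOG, manifest, anchor, DEMO_KEY))
    edited = list(SAMPLE_LOG)
    edited[1] = edited[1].replace("analyst", "root")
    print("edited line:", verify_log(edited, manifest, anchor, DEMO_KEY))
    print("truncated:", verify_log(SAMPLE_LOG[:2], manifest, anchor, DEMO_KEY))
```

Two design points worth noting. A plain, unkeyed hash chain lets anyone who can write to both the log and the manifest recompute everything consistently; keeping the key off the logging host, or publishing the anchor to a separate party (in the EO's framing, CISA), is what turns "verified against the hashes" into a check an insider cannot quietly satisfy. Second, the chain only covers what was collected: lines lost before collection never enter it, which is why the EO pairs this with requirements on which logs to enable in the first place.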

Section 8. Improving the Federal Government’s Investigative and Remediation Capabilities – Opinion

Standardized logging is a good thing, and it too has been a best practice for years. There are numerous sources for good logging configuration guidance, most notably CIS and the STIGs. It’s important to point out that logs can (and often do) contain sensitive information. Sharing log files and other data can certainly help expedite and improve the quality of an incident response, but logs can also be used by attackers to enhance the effectiveness of their attacks.

Share, but don’t.

Section 9. National Security Systems – Summary

Within 60 days, the Secretary of Defense must adopt National Security Systems requirements that are equivalent or exceed the requirements in the EO.

Section 9. National Security Systems – Opinion

This is a very short section and there isn’t much to comment on.

Section 10. Definitions – Summary

Eleven definitions are provided for words and/or terms used in the EO. There are useful definitions for “cyber incident”, “Federal Civilian Executive Branch Information Systems”, “Software Bill of Materials”, and “Zero Trust Architecture”.

Section 10. Definitions – Opinion

They are definitions and definitions are good for clarity. Interesting how the definition of “Zero Trust Architecture” is 227 words long. I like simple, so our simple definition is only two words long, “default deny”.

Section 11. General Provisions – Summary

Looks like some legal stuff. No information security requirements cited in this section.

Section 11. General Provisions – Opinion

No opinion on this section.

Conclusion

There’s plenty to unpack in this Executive Order. Most of the requirements in the EO were reasonable and should result in a net positive in terms of better cybersecurity protection. Requirements that are a little concerning are the Zero Trust Architecture (ZTA) requirements (which we think are premature), prioritized movement to cloud services (which we think could be unjustified from a security standpoint), quick adoption of an endpoint detection and response (EDR) initiative (adding more to manage to environments that are already complex), and unauthorized (by the FCEB Agency) threat hunting.

Other points to consider:

  • Would this prevent or mitigate some of our current attacks? This is a longer discussion.
  • The timeline is extremely aggressive.
  • The requirements are very expensive.
  • Those who benefit the most include the Federal Government itself, (big) cloud service providers, ZTA solution providers, and EDR software makers.
  • Those who benefit less are private sector organizations, state and local governments, education (K12 and higher ed), small to mid-sized businesses, and people at home.

This EO is essentially law; therefore, like it or not, (our) compliance is mandatory.
