4(g): Government cybersecurity leaders publish a definition for “critical software” that addresses topics such as level of privilege or access required, integration and dependencies, and potential for harm if compromised.
7(g): NSA submits recommendations for improving detection of cyber incidents affecting National Security Systems, including EDR approaches and how they will operate.
3(b): Agencies share updated plans for adoption and use of cloud technology and implementation plans for zero trust architecture. 3(c-iii): DHS/CISA issue a cloud service governance framework for FCEB agencies. 3(c-i): Agencies provide progress reports about multifactor authentication and data encryption; new reports are required every 60 days until full adoption is achieved. 3(f): GSA/OMB/Agencies start modernizing FedRAMP by establishing training, improving communication, incorporating automation, digitizing and streamlining documentation, and identifying relevant compliance frameworks and mapping them onto requirements.
4(r): Commerce/NIST/DoD/NSA release guidelines for minimum standards for vendors’ testing of software source code, including manual and automated testing.
7(j-i): DoD/DHS establish procedures for immediate sharing of incident response orders, emergency directives, and binding operational directives about their information networks.
4(h): DHS/CISA/Commerce/NIST identify and make available to agencies a list of software categories and products in use or in the acquisition process that meet definition of critical software.
7(j-i): Agencies establish or update their Memoranda of Agreement (MOA) for the CDM Program to ensure object-level data are available and accessible to CISA.
3(c-ii): OMB/DHS/CISA/GSA/FedRAMP release a Federal cloud security strategy and guidance for agencies, to include guidance to help agencies move closer to zero trust.
3(c-ii): DHS/CISA/OMB/GSA/FedRAMP issue cloud security technical reference architecture documentation with recommendations on cloud migration and data protection for FCEB agencies.
3(c-iv): Agencies provide reports to DHS/CISA/OMB evaluating types and sensitivity of their unclassified data, including prioritization and appropriate processing and storage.
3(6): DHS/CISA/AG/FBI/GSA/FedRAMP establish framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology.
7(h): DoD/ODNI/CNSS establish policies that effectuate NSA’s recommendations for improving detection of cyber incidents affecting National Security Systems.
7(i): CISA reports to OMB/APNSA on how authorities granted to conduct threat hunting on FCEB networks without agency authorization are being implemented and makes recommendations for ensuring mission-critical systems are not disrupted.
7(d): OMB/DHS issue requirements for FCEB agencies to adopt the federal government-wide EDR approaches to engage in cyber hunt, detection, and response activities.
3(d): Agencies adopt multifactor authentication and encryption for data at rest and in transit; those unable to comply, provide a written rationale to DHS/CISA/OMB/APNSA.
4(k): OMB takes appropriate steps to require that agencies comply with secure software guidelines with respect to software procured after May 12, 2021.
4(n): DHS/DoD/AG/OMB recommend contract language to FAR Council requiring suppliers of software available for purchase by agencies to comply with critical software security requirements.
4(w): NIST reviews the effectiveness of Section 4’s pilot programs, determines improvements that can be made, and submits a report to APNSA.
4(x): Commerce/Agencies provide the President with a progress report and outline additional steps needed to secure the software supply chain.
