Improve software supply chain security by establishing baseline security standards

• Remove barriers to sharing information on cyber threats and incidents on Federal systems.
• Increase collaboration between service providers and Federal agencies during investigation of incidents or potential incidents.
• Maintain greater visibility into their software and make security data publicly available.

Modernize and implement stronger cybersecurity standards 

• Cloud service governance framework for secure cloud services. 
• Implement zero trust architecture.
• Mandate deployment of multifactor authentication and encryption of data at rest and transit.

Improve the Federal Government’s investigative and remediation capabilities

• Threat information sharing between the government and the private sector.
• Standard playbook for responding to cyber incidents.
• Cybersecurity Safety Review Board, co-chaired by the government and private sector leads.
• Endpoint Detection and Response (EDR) deployment.

• Develop effective policies and procedures for usage of third-party applications, cloud services, and personal devices.
• Audit ‘Shadow IT’ infrastructure to mitigate ‘Shadow IT’ risks.
• Identify, establish, assess, and manage Software Supply Chain Risk Management processes. Leverage contract clauses to ensure that software suppliers implement appropriate safeguards to meet the objectives of an organization’s cyber program.
• Establish solid third party governance by creating effective policies and procedures for supplier on boarding, classification and profiling, supplier assessment, relationship monitoring, and relation severance.
• Develop processes and methodologies for continuously monitoring third parties based on risks, leveraging technology solutions.

Modernize and Implement stronger cybesecurity standards

• Establish a cloud service governance framework for securing cloud services covering the cloud operation center, protection of information during transit and rest, protection of cloud infrastructure and applications, and the implementation of secure identity and access management.
• Conduct Threat Modelling based on the known vulnerabilities pulled from authoritative sources, understanding business needs, security operations, and the various compliance requirements. 
• Conduct Security Architecture Assessment covering security operations layer, data management layer, application layer, information transfer layer.
• Enforce Multi-factor authentication using advanced secure, password-less authentication services implemented across the organization for secure access of data that’s stored and processed on cloud. 
• Discover and classify data, implement DLP, anonymize data where possible, encrypt data, implement strong data governance frameworks, monitor and manage data.
• Implement Zero Trust Architecture using Continuous Adaptive Risk Assessment.
• Develop strategies to enhance the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on cyber resources​.
• Build secure software update processes as part of SDLC by adopting a builder and breaker strategy. Consider runtime application self-protection (RASP) and other client-side protection tools.