Executive Order on Improving the Nation's Cybersecurity from the White House (Chinese-English parallel text)

2022-12-11 19:57:29   |  1338 views

Executive Order on Improving the Nation's Cybersecurity

May 12, 2021

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1.  Policy.  The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people's security and privacy.  The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors.  The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned.  But cybersecurity requires more than government action.  Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector.  The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.  In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.

Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.  The Federal Government must bring to bear the full scope of its authorities and resources to protect and secure its computer systems, whether they are cloud-based, on-premises, or hybrid.  The scope of protection and security must include systems that process data (information technology (IT)) and those that run the vital machinery that ensures our safety (operational technology (OT)).

It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.

Sec. 2.  Removing Barriers to Sharing Threat Information.

     (a)  The Federal Government contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems.  These service providers, including cloud service providers, have unique access to and insight into cyber threat and incident information on Federal Information Systems.  At the same time, current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies (agencies) that are responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC).  Removing these contractual barriers and increasing the sharing of information about such threats, incidents, and risks are necessary steps to accelerating incident deterrence, prevention, and response efforts and to enabling more effective defense of agencies' systems and of information collected, processed, and maintained by or for the Federal Government.

     (b)  Within 60 days of the date of this order, the Director of the Office of Management and Budget (OMB), in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, shall review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement contract requirements and language for contracting with IT and OT service providers and recommend updates to such requirements and language to the FAR Council and other appropriate agencies.  The recommendations shall include descriptions of contractors to be covered by the proposed contract language.

     (c)  The recommended contract language and requirements described in subsection (b) of this section shall be designed to ensure that:

          (i)    service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies' requirements;

          (ii)   service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies;

          (iii)  service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed; and

          (iv)   service providers share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.

     (d)  Within 90 days of receipt of the recommendations described in subsection (b) of this section, the FAR Council shall review the proposed contract language and conditions and, as appropriate, shall publish for public comment proposed updates to the FAR.

     (e)  Within 120 days of the date of this order, the Secretary of Homeland Security and the Director of OMB shall take appropriate steps to ensure to the greatest extent possible that service providers share data with agencies, CISA, and the FBI as may be necessary for the Federal Government to respond to cyber threats, incidents, and risks.

     (f)  It is the policy of the Federal Government that:

          (i)    information and communications technology (ICT) service providers entering into contracts with agencies must promptly report to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies;

          (ii)   ICT service providers must also directly report to CISA whenever they report under subsection (f)(i) of this section to Federal Civilian Executive Branch (FCEB) Agencies, and CISA must centrally collect and manage such information; and

          (iii)  reports pertaining to National Security Systems, as defined in section 10(h) of this order, must be received and managed by the appropriate agency as to be determined under subsection (g)(i)(E) of this section.

     (g)  To implement the policy set forth in subsection (f) of this section:

          (i) Within 45 days of the date of this order, the Secretary of Homeland Security, in consultation with the Secretary of Defense acting through the Director of the National Security Agency (NSA), the Attorney General, and the Director of OMB, shall recommend to the FAR Council contract language that identifies:

              (A)  the nature of cyber incidents that require reporting;

              (B)  the types of information regarding cyber incidents that require reporting to facilitate effective cyber incident response and remediation;

              (C)  appropriate and effective protections for privacy and civil liberties;

              (D)  the time periods within which contractors must report cyber incidents based on a graduated scale of severity, with reporting on the most severe cyber incidents not to exceed 3 days after initial detection;

              (E)  National Security Systems reporting requirements; and

              (F)  the type of contractors and associated service providers to be covered by the proposed contract language.

          (ii)   Within 90 days of receipt of the recommendations described in subsection (g)(i) of this section, the FAR Council shall review the recommendations and publish for public comment proposed updates to the FAR.

          (iii)  Within 90 days of the date of this order, the Secretary of Defense acting through the Director of the NSA, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence shall jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies.

     (h)  Current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cloud-service cybersecurity requirements.  Standardizing common cybersecurity contractual requirements across agencies will streamline and improve compliance for vendors and the Federal Government.

     (i)  Within 60 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Secretary of Defense acting through the Director of the NSA, the Director of OMB, and the Administrator of General Services, shall review agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements.  Such recommendations shall include consideration of the scope of contractors and associated service providers to be covered by the proposed contract language.

     (j)  Within 60 days of receiving the recommended contract language developed pursuant to subsection (i) of this section, the FAR Council shall review the recommended contract language and publish for public comment proposed updates to the FAR.

     (k)  Following any updates to the FAR made by the FAR Council after the public comment period described in subsection (j) of this section, agencies shall update their agency-specific cybersecurity requirements to remove any requirements that are duplicative of such FAR updates.

     (l)  The Director of OMB shall incorporate into the annual budget process a cost analysis of all recommendations developed under this section.

Sec. 3.  Modernizing Federal Government Cybersecurity.

     (a)  To keep pace with today's dynamic and increasingly sophisticated cyber threat environment, the Federal Government must take decisive steps to modernize its approach to cybersecurity, including by increasing the Federal Government's visibility into threats, while protecting privacy and civil liberties.  The Federal Government must adopt security best practices; advance toward Zero Trust Architecture; accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and invest in both technology and personnel to match these modernization goals.

     (b)  Within 60 days of the date of this order, the head of each agency shall:

          (i)    update existing agency plans to prioritize resources for the adoption and use of cloud technology as outlined in relevant OMB guidance;

          (ii)   develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance, describe any such steps that have already been completed, identify activities that will have the most immediate security impact, and include a schedule to implement them; and

          (iii)  provide a report to the Director of OMB and the Assistant to the President and National Security Advisor (APNSA) discussing the plans required pursuant to subsection (b)(i) and (ii) of this section.

     (c)  As agencies continue to use cloud technology, they shall do so in a coordinated, deliberate way that allows the Federal Government to prevent, detect, assess, and remediate cyber incidents.  To facilitate this approach, the migration to cloud technology shall adopt Zero Trust Architecture, as practicable.  The CISA shall modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with Zero Trust Architecture.  The Secretary of Homeland Security acting through the Director of CISA, in consultation with the Administrator of General Services acting through the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration, shall develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts.  To facilitate this work:

          (i)    Within 90 days of the date of this order, the Director of OMB, in consultation with the Secretary of Homeland Security acting through the Director of CISA, and the Administrator of General Services acting through FedRAMP, shall develop a Federal cloud-security strategy and provide guidance to agencies accordingly.  Such guidance shall seek to ensure that risks to the FCEB from using cloud-based services are broadly understood and effectively addressed, and that FCEB Agencies move closer to Zero Trust Architecture.

          (ii)   Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Director of OMB and the Administrator of General Services acting through FedRAMP, shall develop and issue, for the FCEB, cloud-security technical reference architecture documentation that illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting.

          (iii)  Within 60 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA shall develop and issue, for FCEB Agencies, a cloud-service governance framework.  That framework shall identify a range of services and protections available to agencies based on incident severity.  That framework shall also identify data and processing activities associated with those services and protections.

          (iv)   Within 90 days of the date of this order, the heads of FCEB Agencies, in consultation with the Secretary of Homeland Security acting through the Director of CISA, shall evaluate the types and sensitivity of their respective agency's unclassified data, and shall provide to the Secretary of Homeland Security through the Director of CISA and to the Director of OMB a report based on such evaluation.  The evaluation shall prioritize identification of the unclassified data considered by the agency to be the most sensitive and under the greatest threat, and appropriate processing and storage solutions for those data.

     (d)  Within 180 days of the date of this order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.  To that end:

          (i)    Heads of FCEB Agencies shall provide reports to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA on their respective agency's progress in adopting multifactor authentication and encryption of data at rest and in transit.  Such agencies shall provide such reports every 60 days after the date of this order until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption.

          (ii)   Based on identified gaps in agency implementation, CISA shall take all appropriate steps to maximize adoption by FCEB Agencies of technologies and processes to implement multifactor authentication and encryption for data at rest and in transit.

          (iii)  Heads of FCEB Agencies that are unable to fully adopt multi-factor authentication and data encryption within 180 days of the date of this order shall, at the end of the 180-day period, provide a written rationale to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA.

     (e)  Within 90 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Attorney General, the Director of the FBI, and the Administrator of General Services acting through the Director of FedRAMP, shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, in order to ensure effective information sharing among agencies and between agencies and CSPs.

     (f)  Within 60 days of the date of this order, the Administrator of General Services, in consultation with the Director of OMB and the heads of other agencies as the Administrator of General Services deems appropriate, shall begin modernizing FedRAMP by:

          (i)    establishing a training program to ensure agencies are effectively trained and equipped to manage FedRAMP requests, and providing access to training materials, including videos-on-demand;

          (ii)   improving communication with CSPs through automation and standardization of messages at each stage of authorization.  These communications may include status updates, requirements to complete a vendor's current stage, next steps, and points of contact for questions;

          (iii)  incorporating automation throughout the lifecycle of FedRAMP, including assessment, authorization, continuous monitoring, and compliance;

          (iv)   digitizing and streamlining documentation that vendors are required to complete, including through online accessibility and pre-populated forms; and

          (v)    identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process, as appropriate.

Sec. 4.  Enhancing Software Supply Chain Security.

     (a)  The security of software used by the Federal Government is vital to the Federal Government's ability to perform its critical functions.  The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.  There is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.  The security and integrity of “critical software” — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern.  Accordingly, the Federal Government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software.

     (b)  Within 30 days of the date of this order, the Secretary of Commerce acting through the Director of NIST shall solicit input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria in subsection (e) of this section.  The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.

     (c)  Within 180 days of the date of this order, the Director of NIST shall publish preliminary guidelines, based on the consultations described in subsection (b) of this section and drawing on existing documents as practicable, for enhancing software supply chain security and meeting the requirements of this section.

     (d)  Within 360 days of the date of this order, the Director of NIST shall publish additional guidelines that include procedures for periodic review and updating of the guidelines described in subsection (c) of this section.

     (e)  Within 90 days of publication of the preliminary guidelines pursuant to subsection (c) of this section, the Secretary of Commerce acting through the Director of NIST, in consultation with the heads of such agencies as the Director of NIST deems appropriate, shall issue guidance identifying practices that enhance the security of the software supply chain.  Such guidance may incorporate the guidelines published pursuant to subsections (c) and (i) of this section.  Such guidance shall include standards, procedures, or criteria regarding:

          (i)     secure software development environments, including such actions as:

              (A)  using administratively separate build environments;

              (B)  auditing trust relationships;

              (C)  establishing multi-factor, risk-based authentication and conditional access across the enterprise;

              (D)  documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software;

              (E)  employing encryption for data; and

              (F)  monitoring operations and alerts and responding to attempted and actual cyber incidents;

          (ii)    generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the processes set forth in subsection (e)(i) of this section;

          (iii)   employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code;

          (iv)    employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;

          (v)     providing, when requested by a purchaser, artifacts of the execution of the tools and processes described in subsection (e)(iii) and (iv) of this section, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated;

          (vi)    maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis;

          (vii)   providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;

          (viii)  participating in a vulnerability disclosure program that includes a reporting and disclosure process;

          (ix)    attesting to conformity with secure software development practices; and

          (x)     ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.

     (f)  Within 60 days of the date of this order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and Information and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for an SBOM.

     (g)  Within 45 days of the date of this order, the Secretary of Commerce, acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, the Secretary of Homeland Security acting through the Director of CISA, the Director of OMB, and the Director of National Intelligence, shall publish a definition of the term “critical software” for inclusion in the guidance issued pursuant to subsection (e) of this section.  That definition shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.

     (h)  Within 30 days of the publication of the definition required by subsection (g) of this section, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Secretary of Commerce acting through the Director of NIST, shall identify and make available to agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software issued pursuant to subsection (g) of this section.

     (i)  Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Homeland Security acting through the Director of CISA and with the Director of OMB, shall publish guidance outlining security measures for critical software as defined in subsection (g) of this section, including applying practices of least privilege, network segmentation, and proper configuration.

     (j)  Within 30 days of the issuance of the guidance described in subsection (i) of this section, the Director of OMB acting through the Administrator of the Office of Electronic Government within OMB shall take appropriate steps to require that agencies comply with such guidance.

     (k)  Within 30 days of issuance of the guidance described in subsection (e) of this section, the Director of OMB acting through the Administrator of the Office of Electronic Government within OMB shall take appropriate steps to require that agencies comply with such guidelines with respect to software procured after the date of this order.

     (l)  Agencies may request an extension for complying with any requirements issued pursuant to subsection (k) of this section.  Any such request shall be considered by the Director of OMB on a case-by-case basis, and only if accompanied by a plan for meeting the underlying requirements.  The Director of OMB shall on a quarterly basis provide a report to the APNSA identifying and explaining all extensions granted.

     (m)  Agencies may request a waiver as to any requirements issued pursuant to subsection (k) of this section.  Waivers shall be considered by the Director of OMB, in consultation with the APNSA, on a case-by-case basis, and shall be granted only in exceptional circumstances and for limited duration, and only if there is an accompanying plan for mitigating any potential risks.

     (n)  Within 1 year of the date of this order, the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Attorney General, the Director of OMB, and the Administrator of the Office of Electronic Government within OMB, shall recommend to the FAR Council contract language requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements issued pursuant to subsections (g) through (k) of this section.

     (o)  After receiving the recommendations described in subsection (n) of this section, the FAR Council shall review the recommendations and, as appropriate and consistent with applicable law, amend the FAR.

     (p)  Following the issuance of any final rule amending the FAR as described in subsection (o) of this section, agencies shall, as appropriate and consistent with applicable law, remove software products that do not meet the requirements of the amended FAR from all indefinite delivery indefinite quantity contracts; Federal Supply Schedules; Federal Government-wide Acquisition Contracts; Blanket Purchase Agreements; and Multiple Award Contracts.

     (q)  The Director of OMB, acting through the Administrator of the Office of Electronic Government within OMB, shall require  agencies employing software developed and procured prior to the date of this order (legacy software) either to comply with any requirements issued pursuant to subsection (k) of this section or to provide a plan outlining actions to remediate or meet those requirements, and shall further require agencies seeking renewals of software contracts, including legacy software, to comply with any requirements issued pursuant to subsection (k) of this section, unless an extension or waiver is granted in accordance with subsection (l) or (m) of this section.

     (r)  Within 60 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in consultation with the Secretary of Defense acting through the Director of the NSA, shall publish guidelines recommending minimum standards for vendors' testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).

     (s)  The Secretary of Commerce acting through the Director of NIST, in coordination with representatives of other agencies as the Director of NIST deems appropriate, shall initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs.

     (t)  Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the Federal Trade Commission (FTC) and representatives of other agencies as the Director of NIST deems appropriate, shall identify IoT cybersecurity criteria for a consumer labeling program, and shall consider whether such a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law.  The criteria shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone, and shall use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products.  The Director of NIST shall examine all relevant information, labeling, and incentive programs and employ best practices.  This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize manufacturer participation.

     (u)  Within 270 days of the date of this order, the Secretary of Commerce acting through the Director of NIST, in coordination with the Chair of the FTC and representatives from other agencies as the Director of NIST deems appropriate, shall identify secure software development practices or criteria for a consumer software labeling program, and shall consider whether such a consumer software labeling program may be operated in conjunction with or modeled after any similar existing government programs, consistent with applicable law.  The criteria shall reflect a baseline level of secure practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone.  The Director of NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system.  This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation.

     (v)  These pilot programs shall be conducted in a manner consistent with OMB Circular A-119 and NIST Special Publication 2000-02 (Conformity Assessment Considerations for Federal Agencies).

     (w)  Within 1 year of the date of this order, the Director of NIST shall conduct a review of the pilot programs, consult with the private sector and relevant agencies to assess the effectiveness of the programs, determine what improvements can be made going forward, and submit a summary report to the APNSA.

     (x)  Within 1 year of the date of this order, the Secretary of Commerce, in consultation with the heads of other agencies as the Secretary of Commerce deems appropriate, shall provide to the President, through the APNSA, a report that reviews the progress made under this section and outlines additional steps needed to secure the software supply chain.

Sec. 5.  Establishing a Cyber Safety Review Board.

     (a)  The Secretary of Homeland Security, in consultation with the Attorney General, shall establish the Cyber Safety Review Board (Board), pursuant to section 871 of the Homeland Security Act of 2002 (6 U.S.C. 451).

     (b)  The Board shall review and assess, with respect to significant cyber incidents (as defined under Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination) (PPD 41)) affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses.

     (c)  The Secretary of Homeland Security shall convene the Board following a significant cyber incident triggering the establishment of a Cyber Unified Coordination Group (UCG) as provided by section V(B)(2) of PPD-41; at any time as directed by the President acting through the APNSA; or at any time the Secretary of Homeland Security deems necessary.

     (d)  The Board's initial review shall relate to the cyber activities that prompted the establishment of a UCG in December 2020, and the Board shall, within 90 days of the Board's establishment, provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices, as outlined in subsection (i) of this section.

     (e)  The Board's membership shall include Federal officials and representatives from private-sector entities.  The Board shall comprise representatives of the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI, as well as representatives from appropriate private-sector cybersecurity or software suppliers as determined by the Secretary of Homeland Security.  A representative from OMB shall participate in Board activities when an incident under review involves FCEB Information Systems, as determined by the Secretary of Homeland Security.  The Secretary of Homeland Security may invite the participation of others on a case-by-case basis depending on the nature of the incident under review.

     (f)  The Secretary of Homeland Security shall biennially designate a Chair and Deputy Chair of the Board from among the members of the Board, to include one Federal and one private-sector member.

     (g)  The Board shall protect sensitive law enforcement, operational, business, and other confidential information that has been shared with it, consistent with applicable law.  

     (h)  The Secretary of Homeland Security shall provide to the President through the APNSA any advice, information, or recommendations of the Board for improving cybersecurity and incident response practices and policy upon completion of its review of an applicable incident.

     (i)  Within 30 days of completion of the initial review described in subsection (d) of this section, the Secretary of Homeland Security shall provide to the President through the APNSA the recommendations of the Board based on the initial review.  These recommendations shall describe:

           (i)     identified gaps in, and options for, the Board's composition or authorities;

           (ii)    the Board's proposed mission, scope, and responsibilities;

          (iii)   membership eligibility criteria for private sector representatives;

          (iv)    Board governance structure including interaction with the executive branch and the Executive Office of the President;

          (v)     thresholds and criteria for the types of cyber incidents to be evaluated;

          (vi)    sources of information that should be made available to the Board, consistent with applicable law and policy;

           (vii)   an approach for protecting the information provided to the Board and securing the cooperation of affected United States individuals and entities for the purpose of the Board's review of incidents; and

          (viii)  administrative and budgetary considerations required for operation of the Board.

     (j)  The Secretary of Homeland Security, in consultation with the Attorney General and the APNSA, shall review the recommendations provided to the President through the APNSA pursuant to subsection (i) of this section and take steps to implement them as appropriate.

    (k)  Unless otherwise directed by the President, the Secretary of Homeland Security shall extend the life of the Board every 2 years as the Secretary of Homeland Security deems appropriate, pursuant to section 871 of the Homeland Security Act of 2002.

Sec. 6.  Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents.

     (a)  The cybersecurity vulnerability and incident response procedures currently used to identify, remediate, and recover from vulnerabilities and incidents affecting their systems vary across agencies, hindering the ability of lead agencies to analyze vulnerabilities and incidents more comprehensively across agencies.  Standardized response processes ensure a more coordinated and centralized cataloging of incidents and tracking of agencies' progress toward successful responses.

     (b)  Within 120 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Director of OMB, the Federal Chief Information Officers Council, and the Federal Chief Information Security Council, and in coordination with the Secretary of Defense acting through the Director of the NSA, the Attorney General, and the Director of National Intelligence, shall develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems.  The playbook shall:

          (i)    incorporate all appropriate NIST standards;

          (ii)   be used by FCEB Agencies; and

          (ii)FCEB 机构使用;

 

          (iii)  articulate progress and completion through all phases of an incident response, while allowing flexibility so it may be used in support of various response activities.

     (c)  The Director of OMB shall issue guidance on agency use of the playbook.

     (d)  Agencies with cybersecurity vulnerability or incident response procedures that deviate from the playbook may use such procedures only after consulting with the Director of OMB and the APNSA and demonstrating that these procedures meet or exceed the standards proposed in the playbook.

    (e)  The Director of CISA, in consultation with the Director of the NSA, shall review and update the playbook annually, and provide information to the Director of OMB for incorporation in guidance updates.

    (f)  To ensure comprehensiveness of incident response activities and build confidence that unauthorized cyber actors no longer have access to FCEB Information Systems, the playbook shall establish, consistent with applicable law, a requirement that the Director of CISA review and validate FCEB Agencies' incident response and remediation results upon an agency's completion of its incident response.  The Director of CISA may recommend use of another agency or a third-party incident response team as appropriate.

    (g)  To ensure a common understanding of cyber incidents and the cybersecurity status of an agency, the playbook shall define key terms and use such terms consistently with any statutory definitions of those terms, to the extent practicable, thereby providing a shared lexicon among agencies using the playbook.

Sec. 7.  Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks.  

     (a)  The Federal Government shall employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.  This approach shall include increasing the Federal Government's visibility into and detection of cybersecurity vulnerabilities and threats to agency networks in order to bolster the Federal Government's cybersecurity efforts.

     (b)  FCEB Agencies shall deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents within Federal Government infrastructure, active cyber hunting, containment and remediation, and incident response.

     (c)  Within 30 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA shall provide to the Director of OMB recommendations on options for implementing an EDR initiative, centrally located to support host-level visibility, attribution, and response regarding FCEB Information Systems.

     (d)  Within 90 days of receiving the recommendations described in subsection (c) of this section, the Director of OMB, in consultation with the Secretary of Homeland Security, shall issue requirements for FCEB Agencies to adopt Federal Government-wide EDR approaches.  Those requirements shall support a capability of the Secretary of Homeland Security, acting through the Director of CISA, to engage in cyber hunt, detection, and response activities.

     (e)  The Director of OMB shall work with the Secretary of Homeland Security and agency heads to ensure that agencies have adequate resources to comply with the requirements issued pursuant to subsection (d) of this section.

     (f)  Defending FCEB Information Systems requires that the Secretary of Homeland Security acting through the Director of CISA have access to agency data that are relevant to a threat and vulnerability analysis, as well as for assessment and threat-hunting purposes.  Within 75 days of the date of this order, agencies shall establish or update Memoranda of Agreement (MOA) with CISA for the Continuous Diagnostics and Mitigation Program to ensure object level data, as defined in the MOA, are available and accessible to CISA, consistent with applicable law.

     (f)FCEB 信息系统辩护,要求国土安全部部长通过中国国际安全情报局(CISA)局长获得与威胁和脆弱性分析相关的机构数据,以及用于评估和威胁搜寻目的的数据。在本命令发布之日起75天内,各机构应与 CISA 建立或更新持续诊断和缓解计划的协议备忘录(MOA) ,以确保根据适用法律,CISA 能够获得和访问 MOA 定义的目标级数据。

 

     (g)  Within 45 days of the date of this order, the Director of the NSA as the National Manager for National Security Systems (National Manager) shall recommend to the Secretary of Defense, the Director of National Intelligence, and the Committee on National Security Systems (CNSS) appropriate actions for improving detection of cyber incidents affecting National Security Systems, to the extent permitted by applicable law, including recommendations concerning EDR approaches and whether such measures should be operated by agencies or through a centralized service of common concern provided by the National Manager.

     (h)  Within 90 days of the date of this order, the Secretary of Defense, the Director of National Intelligence, and the CNSS shall review the recommendations submitted under subsection (g) of this section and, as appropriate, establish policies that effectuate those recommendations, consistent with applicable law.

     (i)  Within 90 days of the date of this order, the Director of CISA shall provide to the Director of OMB and the APNSA a report describing how authorities granted under section 1705 of Public Law 116-283, to conduct threat-hunting activities on FCEB networks without prior authorization from agencies, are being implemented.  This report shall also recommend procedures to ensure that mission-critical systems are not disrupted, procedures for notifying system owners of vulnerable government systems, and the range of techniques that can be used during testing of FCEB Information Systems.  The Director of CISA shall provide quarterly reports to the APNSA and the Director of OMB regarding actions taken under section 1705 of Public Law 116-283.

     (j)  To ensure alignment between Department of Defense Information Network (DODIN) directives and FCEB Information Systems directives, the Secretary of Defense and the Secretary of Homeland Security, in consultation with the Director of OMB, shall:

          (i)    within 60 days of the date of this order, establish procedures for the Department of Defense and the Department of Homeland Security to immediately share with each other Department of Defense Incident Response Orders or Department of Homeland Security Emergency Directives and Binding Operational Directives applying to their respective information networks;

          (ii)   evaluate whether to adopt any guidance contained in an Order or Directive issued by the other Department, consistent with regulations concerning sharing of classified information; and

          (iii)  within 7 days of receiving notice of an Order or Directive issued pursuant to the procedures established under subsection (j)(i) of this section, notify the APNSA and Administrator of the Office of Electronic Government within OMB of the evaluation described in subsection (j)(ii) of this section, including a determination whether to adopt guidance issued by the other Department, the rationale for that determination, and a timeline for application of the directive, if applicable.

Sec. 8.  Improving the Federal Government's Investigative and Remediation Capabilities.

    (a)  Information from network and system logs on Federal Information Systems (for both on-premises systems and connections hosted by third parties, such as CSPs) is invaluable for both investigation and remediation purposes.  It is essential that agencies and their IT service providers collect and maintain such data and, when necessary to address a cyber incident on FCEB Information Systems, provide them upon request to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.

    (b)  Within 14 days of the date of this order, the Secretary of Homeland Security, in consultation with the Attorney General and the Administrator of the Office of Electronic Government within OMB, shall provide to the Director of OMB recommendations on requirements for logging events and retaining other relevant data within an agency's systems and networks.  Such recommendations shall include the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs.  Logs shall be protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes throughout their retention.  Data shall be retained in a manner consistent with all applicable privacy laws and regulations.  Such recommendations shall also be considered by the FAR Council when promulgating rules pursuant to section 2 of this order.
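What "protected by cryptographic methods to ensure integrity once collected and periodically verified against the hashes" can look like in practice, as an added illustration that is not part of the order or of any OMB or CISA guidance: each collected entry is sealed with a keyed hash (HMAC-SHA256) that also covers the previous entry's digest, and a verifier later recomputes the whole chain. The HMAC key, the head-of-chain checkpoint, the sample log lines and every name below are constructed assumptions for the demonstration.

```python
"""Hash-chained, keyed log sealing with periodic verification.

Added illustration of the Sec. 8(b) requirement; not code from the order,
OMB or CISA.  Assumes a collector holding an HMAC key kept off the log host,
and a head-of-chain digest checkpointed somewhere the log host cannot write
(for example, reported to the agency SOC at collection time).
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64
# Constructed demo key; a real deployment fetches this from a KMS or HSM.
SEAL_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample log lines (syslog-style), standing in for collected events.
SAMPLE_LINES = [
    "2021-05-12T10:00:01Z host1 sshd[1201]: Accepted publickey for svc-backup from 10.0.4.7",
    "2021-05-12T10:00:07Z host1 sudo: svc-backup : COMMAND=/usr/bin/rsync -a /srv /mnt/bk",
    "2021-05-12T10:02:19Z host1 sshd[1290]: Failed password for root from 10.0.9.21",
    "2021-05-12T10:02:20Z host1 sshd[1290]: Connection closed by 10.0.9.21",
]

Record = Dict[str, str]
Verdict = Tuple[bool, Optional[int], str]


def _mac(prev: str, line: str, key: bytes) -> str:
    # The MAC binds each entry to its predecessor, so deleting or reordering
    # entries breaks the chain even if every individual MAC still validates.
    return hmac.new(key, prev.encode() + b"\n" + line.encode(), hashlib.sha256).hexdigest()


def seal_log(lines: List[str], key: bytes = SEAL_KEY) -> List[Record]:
    """Seal lines in collection order; each record carries the previous record's MAC."""
    chain: List[Record] = []
    prev = GENESIS
    for line in lines:
        mac = _mac(prev, line, key)
        chain.append({"prev": prev, "line": line, "mac": mac})
        prev = mac
    return chain


def head_digest(chain: List[Record]) -> str:
    """Digest to checkpoint off-host; it commits to the entire chain."""
    return chain[-1]["mac"] if chain else GENESIS


def verify_chain(chain: List[Record], expected_head: Optional[str] = None,
                 key: bytes = SEAL_KEY) -> Verdict:
    """Periodic check: recompute every MAC and walk the links.

    Returns (ok, index of the first bad record or None, reason).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return False, i, "chain link broken (record removed or reordered)"
        if not hmac.compare_digest(_mac(rec["prev"], rec["line"], key), rec["mac"]):
            return False, i, "record content altered"
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain), "chain truncated (head digest does not match the stored checkpoint)"
    return True, None, "ok"


def tamper_demo() -> Dict[str, Verdict]:
    """Exercise the failure modes a periodic verification must catch."""
    sealed = seal_log(SAMPLE_LINES)
    checkpoint = head_digest(sealed)
    altered = seal_log(SAMPLE_LINES)
    altered[2]["line"] = altered[2]["line"].replace("Failed", "Accepted")
    removed = seal_log(SAMPLE_LINES)
    del removed[1]
    truncated = seal_log(SAMPLE_LINES)[:-1]  # newest entry silently dropped
    return {
        "intact": verify_chain(sealed, checkpoint),
        "altered": verify_chain(altered, checkpoint),
        "removed": verify_chain(removed, checkpoint),
        "truncated_no_checkpoint": verify_chain(truncated),
        "truncated": verify_chain(truncated, checkpoint),
    }


if __name__ == "__main__":
    for name, verdict in tamper_demo().items():
        print(f"{name:24s} -> {verdict}")
```

The chain alone catches altered, removed and reordered entries. Dropping the newest entries is invisible to a verifier that only has the chain, which is why the checkpoint digest has to be recorded at collection time in a place the log host cannot overwrite; the `truncated_no_checkpoint` case in `tamper_demo()` shows the gap that external anchoring closes.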

    (c)  Within 90 days of receiving the recommendations described in subsection (b) of this section, the Director of OMB, in consultation with the Secretary of Commerce and the Secretary of Homeland Security, shall formulate policies for agencies to establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency.  

    (d)  The Director of OMB shall work with agency heads to ensure that agencies have adequate resources to comply with the requirements identified in subsection (c) of this section.

    (e)  To address cyber risks or incidents, including potential cyber risks or incidents, the proposed recommendations issued pursuant to subsection (b) of this section shall include requirements to ensure that, upon request, agencies provide logs to the Secretary of Homeland Security through the Director of CISA and to the FBI, consistent with applicable law.  These requirements should be designed to permit agencies to share log information, as needed and appropriate, with other Federal agencies for cyber risks or incidents.

Sec. 9.  National Security Systems.

    (a)  Within 60 days of the date of this order, the Secretary of Defense acting through the National Manager, in coordination with the Director of National Intelligence and the CNSS, and in consultation with the APNSA, shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements may provide for exceptions in circumstances necessitated by unique mission needs.  Such requirements shall be codified in a National Security Memorandum (NSM).  Until such time as that NSM is issued, programs, standards, or requirements established pursuant to this order shall not apply with respect to National Security Systems.

    (b)  Nothing in this order shall alter the authority of the National Manager with respect to National Security Systems as defined in National Security Directive 42 of July 5, 1990 (National Policy for the Security of National Security Telecommunications and Information Systems) (NSD-42).  The FCEB network shall continue to be within the authority of the Secretary of Homeland Security acting through the Director of CISA.

Sec. 10.  Definitions.  For purposes of this order:

    (a)  the term "agency" has the meaning ascribed to it under 44 U.S.C. 3502.

    (b)  the term "auditing trust relationship" means an agreed-upon relationship between two or more system elements that is governed by criteria for secure interaction, behavior, and outcomes relative to the protection of assets.

    (c)  the term "cyber incident" has the meaning ascribed to an "incident" under 44 U.S.C. 3552(b)(2).

    (d)  the term "Federal Civilian Executive Branch Agencies" or "FCEB Agencies" includes all agencies except for the Department of Defense and agencies in the Intelligence Community.

    (e)  the term "Federal Civilian Executive Branch Information Systems" or "FCEB Information Systems" means those information systems operated by Federal Civilian Executive Branch Agencies, but excludes National Security Systems.

    (f)  the term "Federal Information Systems" means an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency, including FCEB Information Systems and National Security Systems.

    (g)  the term "Intelligence Community" or "IC" has the meaning ascribed to it under 50 U.S.C. 3003(4).

    (h)  the term "National Security Systems" means information systems as defined in 44 U.S.C. 3552(b)(6), 3553(e)(2), and 3553(e)(3).

    (i)  the term “logs” means records of the events occurring within an organization’s systems and networks.  Logs are composed of log entries, and each entry contains information related to a specific event that has occurred within a system or network.

    (j)  the term “Software Bill of Materials” or “SBOM” means a formal record containing the details and supply chain relationships of various components used in building software.  Software developers and vendors often create products by assembling existing open source and commercial software components.  The SBOM enumerates these components in a product.  It is analogous to a list of ingredients on food packaging.  An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software.  Developers often use available open source and third-party software components to create a product; an SBOM allows the builder to make sure those components are up to date and to respond quickly to new vulnerabilities.  Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product.  Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.  A widely used, machine-readable SBOM format allows for greater benefits through automation and tool integration.  The SBOMs gain greater value when collectively stored in a repository that can be easily queried by other applications and systems.  Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
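
The definition above describes what an SBOM records and how operators use it against known vulnerabilities. The following is an added example, not part of the Executive Order and not any agency's or vendor's tooling: it parses a constructed SBOM in the shape of a CycloneDX JSON document (one widely used machine-readable format), checks each listed component against a constructed advisory list, and walks the recorded supply chain relationships to show which other components are exposed through a vulnerable one. All package names, versions and advisory identifiers are placeholders.

```python
"""Added example (not the Executive Order's text or any agency's tooling):
cross-reference a minimal, machine-readable SBOM against an advisory list to
find components with known vulnerabilities and see who depends on them.
The SBOM document, package names, versions and advisory identifiers are
constructed for illustration."""
import json
from typing import Dict, List, Tuple

# Constructed SBOM in the shape of a CycloneDX JSON document. "components"
# enumerates what the product is built from; "dependencies" records the
# supply chain relationships between those components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-http",   "version": "2.4.1",
     "purl": "pkg:pypi/example-http@2.4.1"},
    {"type": "library", "name": "example-yaml",   "version": "5.1",
     "purl": "pkg:pypi/example-yaml@5.1"},
    {"type": "library", "name": "example-crypto", "version": "41.0.3",
     "purl": "pkg:pypi/example-crypto@41.0.3"}
  ],
  "dependencies": [
    {"ref": "pkg:pypi/example-http@2.4.1",
     "dependsOn": ["pkg:pypi/example-crypto@41.0.3"]},
    {"ref": "pkg:pypi/example-yaml@5.1", "dependsOn": []}
  ]
}
"""

# Constructed advisory feed: (package name, first fixed version, placeholder id).
# Real feeds carry explicit affected ranges; here "any version below the fixed
# version is affected" is assumed to keep the matching logic short.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("example-yaml",   "5.4",    "ADV-PLACEHOLDER-0001"),
    ("example-crypto", "41.0.3", "ADV-PLACEHOLDER-0002"),  # installed version is the fix
    ("example-http",   "2.5.0",  "ADV-PLACEHOLDER-0003"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple of ints (e.g. "2.4.1" -> (2, 4, 1))."""
    return tuple(int(part) for part in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; shorter tuples are zero-padded so
    that "5.1" compares as "5.1.0"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def load_components(sbom_text: str) -> Dict[str, Tuple[str, str]]:
    """Map each component's purl to (name, version); reject non-CycloneDX input."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return {c["purl"]: (c["name"], c["version"]) for c in doc["components"]}


def find_affected(sbom_text: str,
                  advisories: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """purl -> advisory ids for every component older than an advisory's fix."""
    hits: Dict[str, List[str]] = {}
    for purl, (name, version) in load_components(sbom_text).items():
        for adv_name, fixed_in, adv_id in advisories:
            if adv_name == name and version_lt(version, fixed_in):
                hits.setdefault(purl, []).append(adv_id)
    return hits


def dependents_of(sbom_text: str, purl: str) -> List[str]:
    """Components that pull in `purl`, i.e. the reverse of the dependency graph,
    which tells an operator what else is exposed through a vulnerable component."""
    doc = json.loads(sbom_text)
    return sorted(d["ref"] for d in doc.get("dependencies", [])
                  if purl in d.get("dependsOn", []))


if __name__ == "__main__":
    for purl, ids in sorted(find_affected(SBOM_JSON, ADVISORIES).items()):
        print(f"{purl}: {', '.join(ids)}; pulled in by {dependents_of(SBOM_JSON, purl)}")
```

Running it reports the two components that are older than their advisory's fixed version and, for each, which other component depends on it; the component already at its fixed version is not reported. Against a real feed the version logic would have to honour the feed's own affected-range semantics rather than the simplified "below the fix" rule assumed here.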

    (k)  the term “Zero Trust Architecture” means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.  The Zero Trust security model eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.  In essence, a Zero Trust Architecture allows users full access but only to the bare minimum they need to perform their jobs.  If a device is compromised, zero trust can ensure that the damage is contained.  The Zero Trust Architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.  Zero Trust Architecture embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment.  This data-centric security model allows the concept of least-privileged access to be applied for every access decision, where the answers to the questions of who, what, when, where, and how are critical for appropriately allowing or denying access to resources based on the combination of sever.
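
The definition above describes access decisions that are made per request, default to deny, and combine answers to who, what, when, where and how. The following is an added example, not part of the Executive Order and not any agency's or vendor's policy engine: a small decision function that evaluates every request against constructed signals (MFA state from an identity source, device posture, explicit least-privilege grants, resource sensitivity, time and client), so that the same user is denied from a device that failed its posture check and is denied anything outside the grants the job requires. All identities, devices, resources and grants are constructed.

```python
"""Added example (not the Executive Order's text or any agency's policy engine):
a default-deny, per-request access decision in the style the Zero Trust
definition describes. Every request is evaluated against signals for who,
what, when, where and how; being 'inside the network' grants nothing.
All identities, devices, resources and grants below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: str      # who is asking
    resource: str     # what is being accessed
    action: str       # what is being done to it ("read" / "write")
    hour_utc: int     # when (0-23)
    device_id: str    # where it comes from: the requesting device
    client: str       # how: the software making the request


@dataclass
class Signals:
    """Constructed stand-in for 'real-time information from multiple sources'."""
    mfa_verified: Dict[str, bool]                           # identity provider
    device_healthy: Dict[str, bool]                         # endpoint posture service
    subject_roles: Dict[str, str]
    role_grants: Dict[str, FrozenSet[Tuple[str, str]]]      # least-privilege grants
    resource_sensitivity: Dict[str, str]                    # "low" / "high"


APPROVED_HOURS = range(6, 22)                      # when a "high" resource may be touched
APPROVED_CLIENTS = frozenset({"managed-browser"})  # how a "high" resource may be touched


def decide(req: AccessRequest, sig: Signals) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). Any failed check denies; there is no
    implicit trust to fall back on, so a missing grant means deny."""
    reasons: List[str] = []
    # who: identity must be freshly verified, not assumed from the session
    if not sig.mfa_verified.get(req.subject, False):
        reasons.append("subject identity not MFA-verified")
    # what: the role must hold an explicit grant for this resource and action
    role = sig.subject_roles.get(req.subject)
    if (req.resource, req.action) not in sig.role_grants.get(role, frozenset()):
        reasons.append(f"no grant for {req.action} on {req.resource}")
    # where: the device must currently pass posture checks
    if not sig.device_healthy.get(req.device_id, False):
        reasons.append("device posture check failed")
    # when / how: tighter constraints for high-sensitivity resources
    if sig.resource_sensitivity.get(req.resource) == "high":
        if req.hour_utc not in APPROVED_HOURS:
            reasons.append("outside approved hours for a high-sensitivity resource")
        if req.client not in APPROVED_CLIENTS:
            reasons.append("client not approved for a high-sensitivity resource")
    return (not reasons, reasons)


# Constructed signal snapshot used by the scenarios below.
SIGNALS = Signals(
    mfa_verified={"alice": True, "bob": True},
    device_healthy={"laptop-01": True, "laptop-02": False},   # laptop-02 failed posture
    subject_roles={"alice": "analyst", "bob": "payroll-admin"},
    role_grants={
        "analyst": frozenset({("reports", "read")}),
        "payroll-admin": frozenset({("payroll", "read"), ("payroll", "write")}),
    },
    resource_sensitivity={"reports": "low", "payroll": "high"},
)


def scenario_routine_read() -> Tuple[bool, List[str]]:
    return decide(AccessRequest("alice", "reports", "read", 10, "laptop-01", "managed-browser"), SIGNALS)


def scenario_compromised_device() -> Tuple[bool, List[str]]:
    # Same user, same request, but from a device that failed its posture check.
    return decide(AccessRequest("alice", "reports", "read", 10, "laptop-02", "managed-browser"), SIGNALS)


def scenario_beyond_least_privilege() -> Tuple[bool, List[str]]:
    # A verified user on a healthy device asking for more than the job needs.
    return decide(AccessRequest("alice", "payroll", "read", 10, "laptop-01", "managed-browser"), SIGNALS)


def scenario_admin_off_hours_script() -> Tuple[bool, List[str]]:
    # Legitimate grant, but wrong time and an unapproved client for "high" data.
    return decide(AccessRequest("bob", "payroll", "write", 23, "laptop-01", "curl"), SIGNALS)


if __name__ == "__main__":
    for name, fn in [("routine read", scenario_routine_read),
                     ("compromised device", scenario_compromised_device),
                     ("beyond least privilege", scenario_beyond_least_privilege),
                     ("admin off-hours script", scenario_admin_off_hours_script)]:
        allowed, why = fn()
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The returned reasons are what a monitoring pipeline would log: a denial for "device posture check failed" on an otherwise normal request is exactly the signal that lets a compromised device be contained, and a run of "no grant" denials for one subject is the anomalous activity the definition says the model looks for. In a deployment the signal dictionaries would be replaced by live queries to the identity provider and posture service rather than a static snapshot.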

Sec. 11.  General Provisions.  

    (a)  Upon the appointment of the National Cyber Director (NCD) and the establishment of the related Office within the Executive Office of the President, pursuant to section 1752 of Public Law 116-283, portions of this order may be modified to enable the NCD to fully execute its duties and responsibilities.

    (b)  Nothing in this order shall be construed to impair or otherwise affect:

        (i)   the authority granted by law to an executive department or agency, or the head thereof; or

        (ii)  the functions of the Director of the Office of Management and Budget relating to budgetary, administrative, or legislative proposals.

    (c)  This order shall be implemented in a manner consistent with applicable law and subject to the availability of appropriations.

    (d)  This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

    (e)  Nothing in this order confers authority to interfere with or to direct a criminal or national security investigation, arrest, search, seizure, or disruption operation or to alter a legal restriction that requires an agency to protect information learned in the course of a criminal or national security investigation.

JOSEPH R. BIDEN JR.

THE WHITE HOUSE,

 May 12, 2021.

