operator working surrounded by displays showing relevant data

How the government is prioritizing cybersecurity

Cyber threats are increasing quickly; organizations must improve their cyber posture and can utilize the recent government cyber initiatives.

In brief

  • Understanding legislation will help government agencies improve their cyber positioning.
  • States need to know what legislation is coming, how to plan for it and how it will impact cyber spending.
  • Efforts are underway to bring public and private entities together to coordinate cyber activities.

An update on recent cybersecurity government guidance

With cyber threats increasing at an alarming rate, there has been a whirlwind of government activity related to cybersecurity. This includes the Cyber Executive Order (EO) from the Biden Administration; the Investment Infrastructure and Jobs Act (IIJA), which includes extensive cyber initiatives; and several government-issued frameworks and models to help organizations improve their cyber posture.

1. Cyber Executive Order from the Biden Administration

The Biden Administration’s EO 14028 on cybersecurity was issued in May 2021 and is focused primarily on modernization and information sharing between the US government and the private sector. There are seven core elements to the EO that include agency-specific actions to strengthen and protect federal government networks. The EO impacts both commercial and government entities, requiring them to adapt to the continuously changing threat environment. Each target audience below benefits from planning, managing and tracking actions against EO policies, standards and playbooks.

EO tracker

The tracker lists actions specific for federal agencies to implement as stated in the Executive Order and is meant to provide federal agencies with a single view of all the actions to be performed. The tracker also provides agencies means to track the implementation status of the actions to be performed to meet the objectives of the EO.

Download the full article: Executive order on improving the nation’s cybersecurity

Next steps for government agencies

  • Federal agencies should consider their approach to the EO and plan a strategic path forward. They are feeling the increasingly public and widespread cyber-attacks that have created malicious data breaches. These fully illustrate the vulnerability, exposure, ramifications and need to take immediate action. Read more about President Biden’s Executive Order.
  • US government contractors need to proactively and strategically manage their cybersecurity. They must consider how they will be affected by the EO, examining their software supply chain security and third-party risk management.
  • US government agencies have submitted recommendations on how to strengthen the US supply chain to assure continuous production of critical goods. View a 60-minute webcast with  global trade, supply chain and policy professionals focused on the Executive Orders' effects on multinational corporations’ supply chains.
  • Organizations should look at the cybersecurity EO as more than a check-the-box mandate. New guidelines and processes based on the order are expected within the year and will likely become new industry standards with global ramifications.

2. Cyber impact of IIJA on state and local governments

In November 2021, Congress passed the IIJA legislation that provides $973b over five years, including $550b in new investments across transportation, water, power and energy; environmental remediation; public lands; broadband; and multiple approaches to improving resilience. The investment affords the opportunity to make improvements at state, city and county levels. Realizing these benefits requires thoughtful strategy and engaged management of funding to prioritize, allocate and monitor.

IIJA designates over $2b in funding for cybersecurity resiliency and innovation. The bill includes funds to reduce cyber vulnerabilities in public water systems and drinking/clean water technology. Additionally, the bill allocates state and local funding via grant programs for cyber functions to include detecting and recovering from cyber threats and emergencies. The law requires states to create cybersecurity plans in order to receive grants.

IIJA cybersecurity allocation
in funding for cybersecurity resiliency and innovation.

The specific funding allotment (as per Sect. 70612) follows a formula grant, which requires state matching funds starting at 10% and growing to 40% over four years; 1% will go to each state, 0.25% will go to all four US territories, and another 3% will go to tribal governments with the following authorized annual appropriations: FY22 – $200m, FY23 – $400m, FY24 – $300m, FY25 – $100m. The rest of the funding will be split between states based on population size and rural population statistics.

There also been new guidance at the state and local level within the education space with the signing of the K-12 Cybersecurity Act in October 2021.  The law requires the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) to evaluate cyber needs for the K-12 sector in order to provide tools and guidance.  Additional proposals, such as the Enhancing K-12 Cybersecurity Act, call for additional funding for a K-12 Cybersecurity Technology Improvement Program.

IIJA: Reframing the future of infrastructure

The IIJA’s historic investment – from clean energy to broadband – would significantly reframe the future of infrastructure in the US. Click here for the EY update on the legislation.

3. Additional cyber guidance from the government

In addition to the EO and the IIJA legislation, multiple government agencies have been issuing cyber guidance to help organizations improve their cyber posture by providing frameworks, architectures, maturity models and strategy documents to provide support.

For example, DHS CISA issued the Zero Trust Maturity Model for agencies to reference as they transition toward a Zero Trust architecture. In addition, DHS issued the Cloud Security Technical Reference Architecture to illustrate recommended approaches to cloud migration and data protection (as outlined in Section 3(c)(ii) of EO 14028). Furthermore, the Office of Management and Budget (OMB) published the Federal Zero Trust Strategy designed to move the US government toward a Zero Trust architecture.

EY professionals have worked with organizations like the Information Technology Industry Council (ITI) to provide recommendations about the new guidance. View the ITI Summary and ITI Full Whitepaper.

In addition to published guidance, DHS established the Joint Cyber Defense Collaborative (JCDC) in July 2021 to bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of these plans.

Zero trust architecture

The US government is adopting Zero Trust architecture across federal agencies, with recommendations that the firm supports.


Viewing cybersecurity government guidance through many lenses will help agencies strengthen their cybersecurity efforts – enabling the strategies, architectural models and investments to move forward..

About this article