Cybersecurity Baselines Retrospective Briefing — December 10, 2021
Zero trust architectures, federal emergency directives, and collaborative defence bodies launched in 2020–2021 now anchor enterprise cybersecurity baselines, demanding sustained investment in identity, telemetry, and vulnerability governance.
Executive briefing: The 2020–2021 threat cycle reshaped baseline expectations for enterprise cybersecurity. NIST formalised zero trust architecture (ZTA) guidance, CISA issued emergency directives following the SolarWinds compromise, Executive Order 14028 mandated software assurance and logging requirements, DHS stood up the Cyber Safety Review Board (CSRB), and CISA created the Joint Cyber Defense Collaborative (JCDC) while issuing Binding Operational Directive 22-01 to enforce vulnerability remediation timelines. [1][2][3][4][5][6] These actions collectively define the control stack that boards, regulators, and customers expect heading into 2022.
Timeline of foundational actions
September 2020 — NIST SP 800-207 Zero Trust Architecture. NIST codified principles for identity-centric access, continuous verification, policy decision points, and microsegmentation, providing reference deployment models for agencies and critical infrastructure. [1] The document emphasises strong identity governance, device health telemetry, and dynamic access policies.
December 2020 — CISA Emergency Directive 21-01. In response to the SolarWinds Orion supply-chain compromise, CISA ordered federal civilian agencies to disconnect affected systems, collect forensic images, and report indicators within days, signalling regulators’ expectations for rapid incident response. [2]
May 2021 — Executive Order 14028. The order requires federal agencies and suppliers to adopt zero trust strategies, deliver software bills of materials (SBOMs), enable logging and event retention, and improve incident reporting. [3] It directed NIST and other agencies to publish ZTA reference architectures and secure software development criteria.
July 2021 — DHS establishes the CSRB. DHS operationalised EO 14028 Section 5 by chartering the CSRB to review significant cyber incidents, coordinate lessons learned, and recommend systemic improvements. [4]
August 2021 — CISA launches the JCDC. The collaborative unites federal agencies, cloud providers, and critical infrastructure operators to conduct joint cyber defence planning, share real-time telemetry, and release coordinated advisories. [5]
November 2021 — CISA Binding Operational Directive 22-01. BOD 22-01 created the Known Exploited Vulnerabilities (KEV) catalogue with enforceable remediation deadlines for federal agencies, raising the bar for vulnerability management across industries. [6]
Strategic implications for enterprises
These actions cemented identity-centric security, rapid incident response, and collaborative defence as baseline expectations. Boards should integrate zero trust roadmaps into strategic plans, allocate funding for identity and access management (IAM), endpoint detection and response (EDR), and logging infrastructure, and ensure supply chain risk management aligns with EO 14028 requirements. [1][3]
Public-private collaboration through the JCDC and CSRB indicates regulators expect transparent information sharing and continuous improvement after major incidents. [4][5] Organisations that participate in such initiatives can influence guidance, access threat intelligence, and demonstrate maturity to regulators and customers.
Control priorities
- Zero trust adoption. Map current network and identity architectures to NIST SP 800-207 components: policy enforcement points, policy engines, continuous diagnostics, and session protection. Implement least-privilege access, multi-factor authentication, device posture checks, and microsegmentation. [1][3]
- Incident response readiness. Align response plans with CISA emergency directive expectations—capable of disconnecting systems, capturing forensic images, and providing rapid situational reports. Maintain pre-approved maintenance windows and executive communication protocols. [2]
- Software supply chain security. Build SBOM generation into development pipelines, adopt secure software development frameworks, and require vendors to attest to EO 14028-aligned practices, including vulnerability disclosure programs. [3]
- Collaborative defence. Establish points of contact for JCDC-style information sharing, subscribe to KEV catalogue updates, and participate in industry ISAC/ISAO activities to enhance situational awareness. [5][6]
- Vulnerability governance. Implement risk-based patch management aligned with KEV deadlines (e.g., 2-week remediation for critical federal vulnerabilities). Track exceptions, compensating controls, and executive sign-off. [6]
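The vulnerability governance bullet above describes a tracking loop that is easy to get wrong in practice: KEV entries carry a hard due date, exceptions with compensating controls expire, and the board metric that matters is the count of overdue items including lapsed exceptions. The following is an added example written for this briefing, not CISA tooling or Zeph Tech code. It assumes the catalogue is shaped like the CISA KEV JSON feed (per-entry fields cveID, vendorProject, product and dueDate); the catalogue, asset inventory and exception register below are constructed sample data, and the CVE identifiers are placeholders.

```python
"""Overdue-KEV tracker: joins a KEV-shaped catalogue to an asset inventory
and an exception register, then produces board-level counts.

Added example; assumes KEV entries expose cveID, vendorProject, product and
dueDate (ISO 8601). All data below is constructed; CVE ids are placeholders.
"""
from dataclasses import dataclass
from datetime import date

# Constructed catalogue in the assumed KEV feed shape.
SAMPLE_KEV = {
    "vulnerabilities": [
        {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "ExampleCo",
         "product": "Monitoring Platform", "dueDate": "2021-11-17"},
        {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "ExampleCo",
         "product": "Database Server", "dueDate": "2021-12-24"},
        {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "LegacyCorp",
         "product": "Legacy ERP", "dueDate": "2021-11-17"},
        {"cveID": "CVE-EXAMPLE-0004", "vendorProject": "LegacyCorp",
         "product": "Legacy HR", "dueDate": "2021-10-15"},
        {"cveID": "CVE-EXAMPLE-0005", "vendorProject": "OtherCo",
         "product": "Not Deployed Here", "dueDate": "2021-11-17"},
    ]
}

# Constructed inventory: hostname -> CVEs a scanner still reports present.
SAMPLE_INVENTORY = {
    "web-01": ["CVE-EXAMPLE-0001"],
    "db-01": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-9999"],  # 9999 is not in KEV
    "legacy-01": ["CVE-EXAMPLE-0003"],
    "legacy-02": ["CVE-EXAMPLE-0004"],
}

# Constructed exception register: (host, cve) -> compensating control,
# approver and expiry. An expired exception must not hide an overdue item.
SAMPLE_EXCEPTIONS = {
    ("legacy-01", "CVE-EXAMPLE-0003"): {
        "control": "isolated VLAN, no inbound from user segment",
        "approved_by": "CISO", "expires": "2022-01-31"},
    ("legacy-02", "CVE-EXAMPLE-0004"): {
        "control": "WAF rule", "approved_by": "CISO", "expires": "2021-11-30"},
}

AS_OF = date(2021, 12, 10)  # briefing date, used as the reporting cut-off


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    due: date
    status: str        # "open", "overdue", "excepted", "exception_expired"
    days_overdue: int  # 0 while the due date has not passed


def load_due_dates(kev: dict) -> dict:
    """Map cveID -> dueDate for every catalogue entry."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in kev["vulnerabilities"]}


def evaluate(kev: dict, inventory: dict, exceptions: dict, as_of: date) -> list:
    """One Finding per (host, KEV CVE) still present on the estate.

    CVEs absent from KEV are skipped here: they still need risk-based
    triage, but they carry no BOD 22-01 deadline.
    """
    due_dates = load_due_dates(kev)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            due = due_dates.get(cve)
            if due is None:
                continue
            past_due = (as_of - due).days if as_of > due else 0
            exc = exceptions.get((host, cve))
            if exc is not None:
                expires = date.fromisoformat(exc["expires"])
                status = "excepted" if expires >= as_of else "exception_expired"
            else:
                status = "overdue" if past_due > 0 else "open"
            findings.append(Finding(host, cve, due, status, past_due))
    # Most overdue first, so the top of the report is the escalation list.
    return sorted(findings, key=lambda f: (-f.days_overdue, f.host))


def kri_summary(findings: list) -> dict:
    """Counts for the dashboard; lapsed exceptions are reported as overdue."""
    summary = {"open": 0, "overdue": 0, "excepted": 0, "exception_expired": 0}
    for f in findings:
        summary[f.status] += 1
    summary["overdue_total"] = summary["overdue"] + summary["exception_expired"]
    return summary


if __name__ == "__main__":
    results = evaluate(SAMPLE_KEV, SAMPLE_INVENTORY, SAMPLE_EXCEPTIONS, AS_OF)
    for f in results:
        print(f"{f.host:10} {f.cve:18} due {f.due} {f.status:17} {f.days_overdue:>3}d")
    print(kri_summary(results))
```

Run against the real feed by replacing SAMPLE_KEV with the parsed JSON and SAMPLE_INVENTORY with scanner output; the separation of "overdue" from "exception_expired" in the summary is deliberate, so that the executive sign-off trail for each lapsed exception can be re-opened rather than silently folded into the patch queue.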
Implementation roadmap
- Assessment. Perform a maturity assessment against zero trust, incident response, and vulnerability management baselines. Use NIST’s ZTA maturity models and EO 14028 guidance to identify capability gaps.
- Strategic planning. Develop a multi-year zero trust roadmap covering identity, device, network, application, and data pillars. Align capital expenditure and operational budgets with planned capabilities.
- Process refinement. Update incident response playbooks, vulnerability triage workflows, and vendor risk assessments to reflect KEV timelines and emergency directive scenarios.
- Technology deployment. Implement identity federation, privileged access management, microsegmentation, and continuous monitoring tools. Integrate logging into centralised SIEM platforms with long-term retention.
- Training and exercises. Conduct tabletop exercises simulating SolarWinds-style supply-chain attacks, run zero trust pilot rollouts, and practice KEV-driven patch sprints with cross-functional teams.
- Metrics and reporting. Establish dashboards that track zero trust adoption milestones, incident response readiness scores, and KEV remediation progress for board oversight.
Metrics and assurance
- Key risk indicators. Monitor the percentage of high-value assets lacking multi-factor authentication, time to isolate compromised systems during exercises, and count of overdue KEV vulnerabilities.
- Key performance indicators. Track completion of zero trust capabilities (e.g., identity federation coverage, microsegmented workloads), mean time to patch critical vulnerabilities, and SBOM generation rates.
- Assurance activities. Align internal audit with EO 14028 requirements, test controls using red/blue team exercises, and document remediation of findings from CSRB reviews or JCDC advisories.
- Stakeholder reporting. Provide quarterly board updates summarising zero trust progress, incident simulations, and vulnerability metrics. Include lessons from JCDC intelligence or CSRB reports.
Sector-specific emphasis
- Financial services. Align zero trust and KEV remediation with FFIEC guidance, ensuring resilience for real-time payment and trading systems.
- Healthcare. Integrate zero trust controls into clinical networks without disrupting patient care; coordinate with HHS for incident reporting stemming from supply-chain attacks.
- Energy. Coordinate with DOE and sector coordinating councils on JCDC initiatives addressing pipeline and grid threats; implement segmentation between IT and OT environments.
- Technology vendors. Embed secure development practices mandated by EO 14028 and provide customer attestations covering SBOMs, logging, and incident notification commitments.
Programme risks and mitigations
- Legacy systems. Mitigation: implement segmentation, application gateways, and identity overlays to extend zero trust principles without disrupting legacy operations.
- Resource constraints. Mitigation: prioritise high-value assets, leverage managed services (MDR, MSSP) for monitoring, and seek cyber grants or shared services when available.
- Change fatigue. Mitigation: sequence initiatives, communicate business benefits, and align zero trust adoption with user experience improvements (single sign-on, adaptive access).
- Vendor dependencies. Mitigation: embed zero trust and KEV requirements into contracts, demand SBOMs, and maintain alternative suppliers where feasible.
Forward look
EO 14028 and BOD 22-01 have triggered cascading guidance: OMB issued memoranda requiring federal agencies to implement zero trust by FY 2024, while CISA continues to expand the KEV catalogue. [3][6] Organisations should expect regulators and customers to demand evidence of zero trust progress, SBOM availability, and rapid vulnerability remediation. Participation in CSRB reviews and JCDC planning will shape future best practices, so investing in collaborative defence capabilities offers both compliance and resilience dividends.
Sources
- [1] NIST Special Publication 800-207: Zero Trust Architecture.
- [2] CISA Emergency Directive 21-01.
- [3] Executive Order 14028: Improving the Nation’s Cybersecurity.
- [4] DHS determination establishing the Cyber Safety Review Board.
- [5] CISA press release launching the Joint Cyber Defense Collaborative.
- [6] CISA Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.
Zeph Tech aligns cybersecurity programmes with zero trust, incident response, and vulnerability governance expectations emerging from 2020–2021 federal actions.