On May 12, 2021, President Biden issued an Executive Order aimed at improving the cybersecurity of the federal government, with assistance from the private sector. The 18-page Executive Order does not set forth specific requirements, but rather sets deadlines for named agencies to develop requirements, standards, or guidelines in specific cybersecurity areas. The Executive Order also states that “All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.” Any company subject to either the Federal Acquisition Regulation (FAR) or the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements may see substantial changes in the future.
Some of the areas covered by the Executive Order include:
Sharing Threat Information
The Executive Order states that IT service providers (including cloud service providers) have contract terms that may prevent the sharing of cyber threat information concerning federal information systems. Therefore, within 60 days of the date of the Executive Order (July 11), the Office of Management and Budget, in consultation with other named federal agencies, will make recommendations for contract language changes, including:
- descriptions of contractors to be covered by the proposed contract language;
- service providers collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies’ requirements;
- service providers share such data, information, and reporting, as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations, and policies;
- service providers collaborate with Federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed.
Proposed changes to the FAR will be published within 120 days after receipt of the recommendations (November 8).
Cyber Incident Reporting
A government contractor that provides software or services would be required to report cyber incidents to the relevant federal agencies based upon a sliding scale of risk assessment, with the highest risk requiring notice within 3 days of discovery. The Executive Order incorporates the definition of incident from 44 U.S.C. § 3552(b)(2):
(2) The term “incident” means an occurrence that—
(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
Within 45 days (June 28), Homeland Security, in consultation with other named federal agencies, is directed to recommend changes to the FAR including the nature of the cyber incidents that would require reporting, the government contractors and service providers that would be covered, the time periods for reporting based on “a graduated scale of severity,” and “appropriate and effective protections for privacy and civil liberties.” Within 90 days of the recommendations (September 27), the FAR Council will publish the proposed FAR updates for public comment. (With respect to cybersecurity requirements for unclassified systems contracts, the timeline is a bit different, commencing 60 days after the date of the Order (July 11), but the FAR Council would have only 60 days (September 9) to review and publish the recommended changes for public comment.)
Enhancing Software Supply Chain Security
Within 30 days of the Order (June 11), NIST, in consultation with other named federal agencies, is directed to solicit “input from the Federal Government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria.” Within 180 days of the Order (November 8), NIST is directed to publish preliminary guidelines for enhancing software supply chain security. The guidance must include standards, procedures, or criteria, including multi-factor authentication, encryption for data, “employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release;” “providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;” and “participating in a vulnerability disclosure program that includes a reporting and disclosure process.”
The Executive Order includes several other topics, including modernizing federal government cybersecurity, establishing a Cyber Safety Review Board, standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents, improving detection of cybersecurity vulnerabilities and incidents on federal government networks, and improving the federal government’s investigative and remediation capabilities.
The Executive Order also states: “This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.”
The Executive Order is an important step in the Biden administration’s efforts to enhance cybersecurity at the federal government level, including standardizing cybersecurity requirements and policies among agencies, and strengthening collaboration and cybersecurity information sharing with government contractors. Note that the agencies charged with rulemaking will have to act quickly to meet near-term deadlines and flesh out the specific requirements and details needed to achieve the policy directives.