GOVERNMENT CONTRACTING INSIGHTS CYBERSECURITY
Biden Signs Order to Bolster Cybersecurity
On May 12, 2021, President Joe Biden issued the “Executive Order on Improving the Nation’s Cybersecurity” (Executive Order 14028).
The directive aims to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.
Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.
The directive covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.
It seeks to remove obstacles to sharing threat information between the private sector and federal agencies; mandates that software purchased by the federal government meet new cybersecurity standards; and discusses securing cloud-based systems, including the information-technology systems that process data and the operational-technology systems that run vital machinery and infrastructure.
It also aims to impose new cyber incident reporting requirements on certain IT and OT providers and software product and service vendors, and establishes a cyber safety review board to evaluate and assess such cyber incidents and other cyber events; and addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of internet-of-things devices.
The order acknowledges that the federal government regularly contracts with IT and OT service providers who have “unique access to and insight into cyber threat and incident information” on “federal information systems.” However, it notes that “contract terms” can restrict the ability of those companies to share threat or incident information with federal agencies. It therefore requires a review of the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for these providers, with recommended updates to remove those barriers and improve incident and threat reporting.
The directive addresses the modernization of federal systems, including investment in technology and personnel, increasing the adoption of secure cloud services, evaluation of the types and sensitivity of unclassified information on federal networks, the use of multi-factor authentication and encryption of data at rest and in transit, and other issues. It mandates that the director of the Office of Management and Budget develop a federal cloud security strategy, enhance the FedRAMP program authorization and compliance requirements, and develop a plan for implementing zero-trust architectures.
The directive aims to “implement more rigorous and predictable mechanisms” for evaluating the security of commercial software used by the federal government. After seeking input from the private sector, academics, and others, the secretary of commerce — through the National Institute of Standards and Technology — must develop guidelines for evaluating the security of commercial software. Importantly, these guidelines will include providing the purchaser a Software Bill of Materials for each product in accordance with minimum elements published by NIST.
After these guidelines are published, the order requires agencies to ensure that procured software meets the guidelines. It will also require software suppliers to self-certify in their contractual agreements with federal civilian agencies that they have met the guidelines.
Additionally, the secretary of homeland security must establish a cyber safety review board to assess significant cyber incidents affecting federal civilian agency systems or non-federal systems. The board’s membership will include representatives from the Departments of Defense and Justice, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the FBI, and private-sector cybersecurity or software suppliers.
The directive seeks to standardize the federal government’s response to cyber incidents by requiring the secretary of homeland security to develop a standard set of procedures, or “playbook,” to be used for planning and conducting cyber incident response. It requires CISA to review and update the playbook annually.
To improve early detection of cyber vulnerabilities and incidents, the order directs all federal civilian agencies to deploy an endpoint detection and response (EDR) initiative. OMB will set government-wide requirements for the initiative, and agencies will be required to coordinate their efforts with CISA.
To enhance the ability of the federal government to investigate and remediate cyber incidents, the order requires the secretary of homeland security to provide the director of OMB recommendations for logging events and preserving data within agencies’ systems. Agencies are directed to protect logs by cryptographic methods (for example, hashing the collected logs and periodically verifying those hashes) so that their integrity can be demonstrated for forensic purposes; encryption alone protects the confidentiality of the logs but does not by itself reveal tampering. It also directs federal civilian agencies to share these logs with CISA and the FBI upon request, consistent with applicable law.
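The log-integrity requirement above is the one place in the order where a concrete control is implied rather than a process. The following is an added illustration, not code from the order or from the authors, of what “protected by cryptographic methods to ensure integrity” looks like in practice: each collected log line is hash-chained to the previous one and the head of the chain is sealed with an HMAC under a collector key. The sample log lines and the `SIGNING_KEY` are constructed for the example; a real deployment would keep the key in an HSM or KMS rather than on the collector.

```python
import hashlib
import hmac
import json

# Constructed sample log lines for the example (not from any real system).
SAMPLE_LOGS = [
    '2021-05-12T10:00:01Z host=web01 user=svc_deploy event=login result=success src=10.0.0.5',
    '2021-05-12T10:00:07Z host=web01 user=svc_deploy event=sudo cmd="cat /etc/shadow"',
    '2021-05-12T10:00:09Z host=web01 user=svc_deploy event=logout',
]

# Hypothetical collector signing key. In production this must live in an
# HSM/KMS and never alongside the logs it protects.
SIGNING_KEY = b"example-collector-key-do-not-use"

GENESIS = hashlib.sha256(b"genesis").hexdigest()


def seal_logs(lines, key):
    """Return (records, seal).

    Each record's digest is SHA-256 over the previous digest plus the line, so
    editing, inserting, deleting or reordering any line changes every later
    digest. The final digest is HMAC-sealed with the collector key, so an
    attacker who rewrites the chain consistently still cannot forge the seal.
    """
    records = []
    prev = GENESIS
    for seq, line in enumerate(lines):
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        records.append({"seq": seq, "line": line, "prev": prev, "digest": digest})
        prev = digest
    seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return records, seal


def verify_logs(records, seal, key):
    """Recompute the chain and the seal.

    Returns (ok, first_bad_seq); first_bad_seq is None when the chain and seal
    verify, the index of the first inconsistent record otherwise, or
    len(records) when only the seal fails.
    """
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, expected_seq  # record dropped, reordered or relinked
        digest = hashlib.sha256((prev + "\n" + rec["line"]).encode()).hexdigest()
        if not hmac.compare_digest(digest, rec["digest"]):
            return False, expected_seq  # line content altered in place
        prev = digest
    expected_seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_seal, seal):
        return False, len(records)  # chain rebuilt without the collector key
    return True, None


def tamper_demo():
    """Exercise the three failure modes a verifier has to catch."""
    records, seal = seal_logs(SAMPLE_LOGS, SIGNING_KEY)
    assert verify_logs(records, seal, SIGNING_KEY) == (True, None)

    # 1. Edit the incriminating line in place; its digest no longer matches.
    edited = json.loads(json.dumps(records))
    edited[1]["line"] = edited[1]["line"].replace("/etc/shadow", "/etc/motd")
    r_edit = verify_logs(edited, seal, SIGNING_KEY)

    # 2. Delete the line and renumber; the prev-link of the next record breaks.
    deleted = [records[0], dict(records[2], seq=1)]
    r_delete = verify_logs(deleted, seal, SIGNING_KEY)

    # 3. Rebuild a consistent chain without the line, but with the wrong key;
    #    the chain verifies yet the seal does not.
    rebuilt, bogus_seal = seal_logs([records[0]["line"], records[2]["line"]], b"wrong-key")
    r_rebuild = verify_logs(rebuilt, bogus_seal, SIGNING_KEY)
    return r_edit, r_delete, r_rebuild


if __name__ == "__main__":
    print(tamper_demo())
```

The design point for an agency or contractor implementing this: the chain digests can be stored next to the logs, but the seal (or an equivalent signature) must be anchored somewhere the attacker who controls the log store cannot reach, such as a separate key service or a periodic hand-off of the chain head to CISA or a SIEM in a different trust domain. Hashing without an anchored seal only detects accidental corruption, since an intruder with write access can recompute the whole chain.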
Within 60 days of the order, the secretary of defense shall adopt requirements for “national security systems” that “are equivalent to or exceed the cybersecurity requirements set forth in this order,” that are not otherwise already applicable to such systems. The directive allows for exceptions to such requirements “in circumstances necessitated by unique mission needs” and mandates that the requirements be codified in a “national security memorandum.”
The order is an important step on what undoubtedly will be a collaborative effort across numerous federal agencies to improve government cybersecurity, and private stakeholders will have an important role to play to help the government achieve these goals.
Susan B. Cassidy, Trisha Anderson and Micaela McMurrough are partners, Robert Huffman is senior of counsel, and Tyler Holbrook is an associate at Covington & Burling LLP.