On May 12, President Biden signed an executive order (EO) that seeks to improve the federal government’s cybersecurity. This comes in the wake of sweeping cyber incidents, such as the SolarWinds incident. The EO calls on both the federal government and the private sector to work collaboratively to identify, deter, detect, and respond to cyber incidents, stating that “bold changes and significant investments” are needed to defend the nation’s computer systems from attack.
Of note, the EO:
- Creates New IT Security Rules for Certain Contractors. The EO requires revisions to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). IT and operational technology contractors may be required to preserve and share data with federal agencies about cyber threats, incidents, and risks and may be required to work with federal agencies in investigating and in responding to such incidents. These additional obligations — which will likely be implemented via FAR and DFARS provisions not yet drafted — are in addition to those already established at FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, and the soon-to-be implemented requirements obtaining a Cybersecurity Maturity Model Certification (CMMC), DFARS Case 2019-D041 (interim rule effective as of November 30, 2020 and subject to congressional review).
- Requires Federal Agencies to Update and Modernize Their Cybersecurity Standards. The EO directs federal agencies to adopt security best practices, including moving to secure cloud services, adopting a “zero trust architecture,” developing secure data storage solutions, evaluating and classifying the types and sensitivity of data, adopting multifactor authentication and data encryption to the maximum extent possible, and establishing training programs.
- Sets Baseline Security Standards for the Federal Government’s Software Supply Chain Security. The EO requires software developers to now provide greater visibility into their products and will be required to provide federal agencies with a “software bill of materials” for each software product.
- Establishes a National Review Board. The EO creates a cybersecurity safety review board that is under the purview of the secretary of homeland security and tasked with reviewing and assessing cyber incidents that affect the federal civilian executive branch information systems or nonfederal systems.
- Instructs Federal Agencies to Develop an Incident Response Playbook. The EO instructs the Department of Homeland Security to collaborate and coordinate with DOD, OMB, DOJ, and NSA, among others to create a standardized incident response plan (or playbook) for the government. The playbook will outline the agencies’ plan to incorporate all appropriate NIST standards and to respond to incidents.
As evidenced by this EO, we can expect the Biden administration to continue to focus on cybersecurity and related laws and regulations. And regardless of whether you are a government contractor or vendor, this EO should remind all companies that they should assess their information security program and practices to ensure they are continuing to update, modernize, and adopt, at a minimum, the security best practices now required for all federal agencies.