On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.”  The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.  The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.  Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.

In particular, and among other things, the Order:

  • seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
  • mandates that software purchased by the federal government meet new cybersecurity standards;
  • discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
  • seeks to impose new cyber incident[i] reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents, and;
  • addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.

The Order contains eight substantive sections, which are listed here, and discussed in more detail below:

  • Section 2 – Removing Barriers to Sharing Threat Information
  • Section 3 – Modernizing Federal Government Cybersecurity
  • Section 4 – Enhancing Software Supply Chain Security
  • Section 5 – Establishing a Cyber Safety Review Board
  • Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
  • Section 9 – National Security Systems

The summaries below discuss highlights from these sections, and the full text of the Order can be found here.

Section 2 – Removing Barriers to Sharing Threat Information

The Order acknowledges that the Federal Government regularly contracts with IT and OT service providers, who have “unique access to and insight into cyber threat and incident information” on “Federal Information Systems”.[ii]  Notwithstanding that special knowledge, the Order notes that “contract terms” can restrict the ability of those companies to share threat or incident information with federal agencies.  (It is unclear from the Order whether such “contract terms” are limited to those in federal government prime and subcontracts, or whether the Government is also focusing on commercial terms and conditions that contractors use in their non-government contracts work.) The Order requires the Director of the Office of Management and Budget (OMB) to review the current regulations for contracting with IT and OT service providers and recommend updates to improve the ability of those providers to preserve and report data relevant to cyber incident prevention and remediation. The Order also requires that regulations be adopted to require information and communications technology (ICT) service providers entering into contracts with agencies to report cyber incidents involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.

Additionally, the Order requires the Secretary of Homeland Security to recommend contract language requiring incident reporting, including the kinds of incidents that must be reported, the types of information that must be reported, the time period for reporting, and other issues.

Section 3 – Modernizing Federal Government Cybersecurity

This section discusses the modernization of federal systems, including investment in technology and personnel, increasing the adoption and use security of cloud services provided to the government systems, the evaluation of the types and sensitivity of unclassified information on federal networks, the use of multi-factor authentication (MFA) and encryption, and other issues.  Among other things, this section mandates the Director of OMB to develop a federal cloud security strategy, enhance the FedRAMP program authorization and compliance requirements, and develop a plan for implementing Zero Trust Architecture (an approach to network security that focuses on user authentication and limiting access on a need-to-know basis).

Section 4 – Enhancing Software Supply Chain Security

This section seeks to “implement more rigorous and predictable mechanisms” for evaluating the security of commercial software used by the Federal Government.  After seeking input from the private sector, academics, and others, the Order directs the Secretary of Commerce (through the National Institute of Standards and Technology, “NIST”) to develop guidelines for evaluating the security of commercial software.  These guidelines will include, among other things, standards for secure software development environments, authenticating and auditing user access, encrypting data, monitoring and alerting of cyber incidents, remediating vulnerabilities, authenticating the origin of software code, and disclosure of vulnerabilities and of conformity with secure development practices. Importantly, these guidelines will include providing the purchaser a Software Bill of Materials (SBOM)[iii] for each product in accordance with minimum elements published by NIST.

After these guidelines are published, the Order requires agencies to ensure that procured software meets the guidelines.  The Order will also require software suppliers to self-certify in their contractual agreements with federal civilian agencies that they have met the guidelines, will impose requirements on providers to submit documentation of compliance when asked, and orders agencies to remove software products that do not provide this certification from federal procurement lists.

This section also directs the Secretary of Commerce, through NIST, to create pilot programs to educate the public on the security capabilities of IoT devices and software through consumer labeling programs, and to create incentives to encourage manufacturers and developers to participate in these pilot programs.

Section 5 – Establishing a Cyber Safety Review Board

This section requires the Secretary of Homeland Security to establish a Cyber Safety Review Board to assess significant cyber incidents affecting federal civilian agency systems or non-Federal systems.  The Board’s membership will include representatives from the Department of Defense, the Department of Justice, the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI, and representatives from private sector cybersecurity or software suppliers.

The Board will begin by conducting an initial review related to the SolarWinds hack that resulted in the creation of a Cyber Unified Coordination Group in December 2020.  This initial review will also consider the Board’s mission, scope, and responsibilities, create the Board governance structure, and set thresholds and criteria for the types of cyber incidents it will evaluate.  The Board will then be convened in response to significant cyber incidents or at the direction of the President.

Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

This section seeks to standardize the Federal Government’s response to cyber incidents by requiring the Secretary of Homeland Security to develop a standard set of procedures (a “playbook”) to be used for planning and conducting cyber incident response. The playbook will incorporate all appropriate NIST standards and should be used by all federal civilian agencies.  The playbook will define key terms and use those terms consistently to provide federal civilian agencies with a common vocabulary for incident response. This section also requires CISA to review and update the playbook annually.

The playbook must include a process for CISA to review and validate federal civilian agencies’ incident response and remediation results upon completion of incident response, either directly or with the assistance of another agency or third-party incident response team.

Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

To improve early detection of cyber vulnerabilities and incidents, the Order directs all federal civilian agencies to deploy an Endpoint Detection and Response (EDR) initiative.  Agencies are required to coordinate their EDR initiatives with CISA.  This section directs OMB to set government-wide requirements for EDR initiatives and to ensure that agencies have adequate resources to meet those requirements.

This section also directs CISA to evaluate threat-hunting activities on federal civilian agency networks to ensure those activities do not disrupt mission-critical systems and that system owners are notified of vulnerabilities.

Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities

In order to improve the ability of the Federal Government to investigate and remediate cyber incidents, this section requires the Secretary of Homeland Security to provide the Director of OMB recommendations for logging events and preserving data within an agency’s systems, including the time period for logging, and recommended logging and security requirements.  It directs agencies to protect logs via encryption to ensure forensic integrity.

This section also directs OMB to provide agencies with adequate resources to meet these requirements, and directs federal civilian agencies to share these logs with CISA and the FBI upon request, consistent with applicable law.

Section 9 – National Security Systems

This section specifies that, within 60 days of the Order, the Secretary of Defense shall adopt requirements for “National Security Systems” “that are equivalent to or exceed the cybersecurity requirements set forth in this order,” that are not otherwise already applicable to such systems.  The Order allows for exceptions to such requirements “in circumstances necessitated by unique mission needs” and mandates that the requirements be codified in a “National Security Memorandum.”

  

[i] The Order defines an “incident” according to the definition in 44 U.S.C. 3552(b)(2):

The term “incident” means an occurrence that-

(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or

(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

[ii] The Order defines a “Federal Information System” as “an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency, including Federal Civilian Executive Branch Information Systems and National Security Systems.”

[iii] A Software Bill of Materials is a formal record containing the details and supply chain relationships of various components used in building software.  The Order provides a full definition of a SBOM in section 10(j).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Robert Huffman Robert Huffman

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance…

Bob Huffman represents defense, health care, and other companies in contract matters and in disputes with the federal government and other contractors. He focuses his practice on False Claims Act qui tam investigations and litigation, cybersecurity and supply chain security counseling and compliance, contract claims and disputes, and intellectual property (IP) matters related to U.S. government contracts.

Bob has leading expertise advising companies that are defending against investigations, prosecutions, and civil suits alleging procurement fraud and false claims. He has represented clients in more than a dozen False Claims Act qui tam suits. He also represents clients in connection with parallel criminal proceedings and suspension and debarment.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including cybersecurity, the Buy American Act/Trade Agreements Act (BAA/TAA), and counterfeit parts requirements. He also has extensive experience litigating contract and related issues before the Court of Federal Claims, the Armed Services Board of Contract Appeals, federal district courts, the Federal Circuit, and other federal appellate courts.

In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial items and services. He handles IP matters involving government contracts, grants, Cooperative Research and Development Agreements (CRADAs), and Other Transaction Agreements (OTAs).

Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international…

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Photo of Susan B. Cassidy Susan B. Cassidy

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government…

Ms. Cassidy represents clients in the defense, intelligence, and information technologies sectors.  She works with clients to navigate the complex rules and regulations that govern federal procurement and her practice includes both counseling and litigation components.  Ms. Cassidy conducts internal investigations for government contractors and represents her clients before the Defense Contract Audit Agency (DCAA), Inspectors General (IG), and the Department of Justice with regard to those investigations.  From 2008 to 2012, Ms. Cassidy served as in-house counsel at Northrop Grumman Corporation, one of the world’s largest defense contractors, supporting both defense and intelligence programs. Previously, Ms. Cassidy held an in-house position with Motorola Inc., leading a team of lawyers supporting sales of commercial communications products and services to US government defense and civilian agencies. Prior to going in-house, Ms. Cassidy was a litigation and government contracts partner in an international law firm headquartered in Washington, DC.