On May 12, 2021, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.” The Order seeks to strengthen the federal government’s ability to prevent and respond to cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures across the federal government, and creating government-wide plans for incident response. The Order covers a wide array of issues and processes, sets numerous deadlines for recommendations and actions by federal agencies, and focuses on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely. Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.
In particular, and among other things, the Order:
- seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
- mandates that software purchased by the federal government meet new cybersecurity standards;
- discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
- seeks to impose new cyber incident[i] reporting requirements on certain IT and OT providers and software product and service vendors, and establishes a Cyber Safety Review Board to review and assess significant cyber incidents; and
- addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.
The Order contains eight substantive sections, which are listed here, and discussed in more detail below:
- Section 2 – Removing Barriers to Sharing Threat Information
- Section 3 – Modernizing Federal Government Cybersecurity
- Section 4 – Enhancing Software Supply Chain Security
- Section 5 – Establishing a Cyber Safety Review Board
- Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
- Section 9 – National Security Systems
The summaries below discuss highlights from these sections.
Section 2 – Removing Barriers to Sharing Threat Information
The Order acknowledges that the Federal Government regularly contracts with IT and OT service providers, which have “unique access to and insight into cyber threat and incident information” on “Federal Information Systems.”[ii] Notwithstanding that special knowledge, the Order notes that “contract terms” can restrict the ability of those companies to share threat or incident information with federal agencies. (It is unclear from the Order whether such “contract terms” are limited to those in federal government prime contracts and subcontracts, or whether the Government is also focusing on the commercial terms and conditions that contractors use in their non-government work.) The Order requires the Director of the Office of Management and Budget (OMB) to review the current regulations for contracting with IT and OT service providers and to recommend updates that improve the ability of those providers to collect, preserve, and report data relevant to cyber incident prevention, detection, and remediation. The Order also requires that regulations be adopted requiring information and communications technology (ICT) service providers entering into contracts with agencies to report cyber incidents involving a software product or service provided to such agencies, or involving a support system for such a product or service.
Additionally, the Order requires the Secretary of Homeland Security to recommend contract language requiring incident reporting, including the kinds of incidents that must be reported, the types of information that must be reported, the time period for reporting, and other issues.
Section 3 – Modernizing Federal Government Cybersecurity
This section discusses the modernization of federal systems, including investment in technology and personnel, increasing the adoption of secure cloud services by government systems, the evaluation of the types and sensitivity of unclassified information on federal networks, the use of multi-factor authentication (MFA) and encryption of data at rest and in transit, and other issues. Among other things, this section directs the Director of OMB to develop a federal cloud security strategy, to modernize the FedRAMP program’s authorization and compliance requirements, and to develop a plan for implementing a Zero Trust Architecture (a security model that grants no implicit trust based on network location, continuously verifies users and devices before granting access, and limits each access to the minimum needed to perform a task).
Section 4 – Enhancing Software Supply Chain Security
This section seeks to “implement more rigorous and predictable mechanisms” for evaluating the security of commercial software used by the Federal Government. After seeking input from the private sector, academics, and others, the Order directs the Secretary of Commerce (through the National Institute of Standards and Technology, “NIST”) to develop guidelines for evaluating the security of commercial software. These guidelines will include, among other things, standards for secure software development environments, authenticating and auditing user access, encrypting data, monitoring and alerting of cyber incidents, remediating vulnerabilities, authenticating the origin of software code, and disclosure of vulnerabilities and of conformity with secure development practices. Importantly, these guidelines will include providing the purchaser a Software Bill of Materials (SBOM)[iii] for each product in accordance with minimum elements published by NIST.
After these guidelines are published, the Order requires agencies to ensure that procured software meets the guidelines. The Order will also require software suppliers to self-certify in their contractual agreements with federal civilian agencies that they have met the guidelines, will impose requirements on providers to submit documentation of compliance when asked, and orders agencies to remove software products that do not provide this certification from federal procurement lists.
This section also directs the Secretary of Commerce, through NIST, to create pilot programs to educate the public on the security capabilities of IoT devices and software through consumer labeling programs, and to create incentives to encourage manufacturers and developers to participate in these pilot programs.
Section 5 – Establishing a Cyber Safety Review Board
This section requires the Secretary of Homeland Security to establish a Cyber Safety Review Board to assess significant cyber incidents affecting federal civilian agency systems or non-Federal systems. The Board’s membership will include representatives from the Department of Defense, the Department of Justice, the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI, and representatives from private sector cybersecurity or software suppliers.
The Board will begin by conducting an initial review related to the SolarWinds hack that resulted in the creation of a Cyber Unified Coordination Group in December 2020. This initial review will also consider the Board’s mission, scope, and responsibilities, create the Board governance structure, and set thresholds and criteria for the types of cyber incidents it will evaluate. The Board will then be convened in response to significant cyber incidents or at the direction of the President.
Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
This section seeks to standardize the Federal Government’s response to cyber incidents by requiring the Secretary of Homeland Security to develop a standard set of procedures (a “playbook”) to be used for planning and conducting cyber incident response. The playbook will incorporate all appropriate NIST standards and should be used by all federal civilian agencies. The playbook will define key terms and use those terms consistently to provide federal civilian agencies with a common vocabulary for incident response. This section also requires CISA to review and update the playbook annually.
The playbook must include a process for CISA to review and validate federal civilian agencies’ incident response and remediation results upon completion of incident response, either directly or with the assistance of another agency or third-party incident response team.
Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
To improve early detection of cyber vulnerabilities and incidents, the Order directs all federal civilian agencies to deploy an Endpoint Detection and Response (EDR) initiative. Agencies are required to coordinate their EDR initiatives with CISA. This section directs OMB to set government-wide requirements for EDR initiatives and to ensure that agencies have adequate resources to meet those requirements.
This section also directs CISA to evaluate threat-hunting activities on federal civilian agency networks to ensure those activities do not disrupt mission-critical systems and that system owners are notified of vulnerabilities.
Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
In order to improve the ability of the Federal Government to investigate and remediate cyber incidents, this section requires the Secretary of Homeland Security to provide the Director of OMB with recommendations for logging events and retaining data within an agency’s systems, including the types of logs to be maintained, the retention period for logs and related data, the time periods within which agencies must enable the recommended logging and security requirements, and how logs are to be protected. Once collected, logs must be protected by cryptographic methods that ensure their integrity (for example, hashes that are periodically re-verified throughout the retention period), so that the record can be relied on for forensic purposes; confidentiality protection through encryption is a separate matter and is not what the Order’s integrity requirement addresses.
This section also directs OMB to provide agencies with adequate resources to meet these requirements, and directs federal civilian agencies to share these logs with CISA and the FBI upon request, consistent with applicable law.
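The following is an added illustration of the kind of cryptographic integrity protection the Order’s Section 8 calls for; it is not code from the Order, from any agency, or from the authors of this summary, and the Order does not prescribe a particular scheme. It seals a constructed set of log lines into an HMAC-SHA256 chain, records a periodic checkpoint (entry count plus head tag) that would be stored away from the log host, and then shows which tamperings the chain alone catches and which require the checkpoint. The key name, sample log lines, and checkpoint format are assumptions made for the example.

```python
"""Tamper-evident log chain: an added illustration, not code from the Order."""
import copy
import hashlib
import hmac

# Constructed sample log lines for the demonstration (not from any agency system).
SAMPLE_LOG = [
    "2021-05-12T10:00:01Z sshd[1042]: Accepted publickey for admin from 10.0.0.7",
    "2021-05-12T10:00:09Z sudo: admin : COMMAND=/usr/bin/systemctl stop auditd",
    "2021-05-12T10:01:30Z sshd[1042]: session closed for user admin",
]

# Assumption: the MAC key is held by the collector/verifier (e.g. an agency SOC
# or CISA), not on the host that produces the logs, so an intruder who roots the
# host cannot re-seal edited entries. The value here is a placeholder.
KEY = b"placeholder-key-held-off-host"

GENESIS = bytes(32)  # fixed starting value for the first link in the chain


def seal_log(lines, key=KEY):
    """Seal lines into a chain: tag_i = HMAC(key, tag_{i-1} || line_i)."""
    prev = GENESIS
    sealed = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        sealed.append({"line": line, "tag": tag.hex()})
        prev = tag
    return sealed


def checkpoint(sealed):
    """Record (entry count, head tag); stored separately from the log and
    refreshed periodically. This is what catches silent truncation."""
    head = sealed[-1]["tag"] if sealed else GENESIS.hex()
    return {"count": len(sealed), "head": head}


def verify_log(sealed, key=KEY, cp=None):
    """Recompute the chain. Returns (ok, reason): reason is None on success,
    'entry <i>' for a modified, reordered, inserted or removed-in-the-middle
    entry, or 'checkpoint' if the chain is internally consistent but does not
    match the stored checkpoint (entries removed from the end)."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        expected = hmac.new(key, prev + entry["line"].encode("utf-8"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return False, f"entry {i}"
        prev = expected
    if cp is not None and (cp["count"] != len(sealed) or cp["head"] != prev.hex()):
        return False, "checkpoint"
    return True, None


def tamper_scenarios():
    """Run the sealed sample through several conditions and return the verdicts."""
    sealed = seal_log(SAMPLE_LOG)
    cp = checkpoint(sealed)
    results = {"intact": verify_log(sealed, cp=cp)}

    # An intruder rewrites the sudo line to hide that auditd was stopped.
    edited = copy.deepcopy(sealed)
    edited[1]["line"] = edited[1]["line"].replace("stop auditd", "status auditd")
    results["edited"] = verify_log(edited, cp=cp)

    # The incriminating line is deleted outright; the next link no longer matches.
    deleted = copy.deepcopy(sealed)
    del deleted[1]
    results["deleted_middle"] = verify_log(deleted, cp=cp)

    # The tail of the log is dropped: the chain itself still verifies, and only
    # the off-host checkpoint reveals that entries are missing.
    truncated = sealed[:-1]
    results["truncated_no_checkpoint"] = verify_log(truncated)
    results["truncated_with_checkpoint"] = verify_log(truncated, cp=cp)

    # Verification with a key the intruder guessed fails at the first entry.
    results["wrong_key"] = verify_log(sealed, key=b"attacker-guess", cp=cp)
    return results


if __name__ == "__main__":
    for name, verdict in tamper_scenarios().items():
        print(f"{name:>26}: {verdict}")
```

The design choice worth noting is the checkpoint: a hash chain proves that nothing inside it was altered, but an attacker who can write to the log store can simply discard the newest entries and leave a shorter, still-valid chain. Periodically recording the head tag and entry count somewhere the log host cannot reach, and re-verifying against it during retention, is what turns the chain into a record that can be trusted for forensics.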
Section 9 – National Security Systems
This section specifies that, within 60 days of the Order, the Secretary of Defense shall adopt requirements for “National Security Systems” “that are equivalent to or exceed the cybersecurity requirements set forth in this order,” that are not otherwise already applicable to such systems. The Order allows for exceptions to such requirements “in circumstances necessitated by unique mission needs” and mandates that the requirements be codified in a “National Security Memorandum.”
[i] The Order defines an “incident” according to the definition in 44 U.S.C. 3552(b)(2):
The term “incident” means an occurrence that-
(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
[ii] The Order defines a “Federal Information System” as “an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency, including Federal Civilian Executive Branch Information Systems and National Security Systems.”
[iii] A Software Bill of Materials is a formal record containing the details and supply chain relationships of various components used in building software. The Order provides a full definition of a SBOM in section 10(j).