This is the twenty-fifth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”). The first blog summarized the Cyber EO’s key provisions and timelines, and the subsequent blogs described the actions taken by various government agencies to implement the Cyber EO from June 2021 through April 2023. This blog describes key actions taken to implement the Cyber EO, as well as the U.S. National Cybersecurity Strategy, during May 2023.
White House Releases U.S. National Standards Strategy for Critical and Emerging Technology
At the beginning of the month, the White House released a new U.S. Government National Standards Strategy for Critical and Emerging Technology (“CET”) to “prioritize efforts for standards development for a subset of CET that are essential for U.S. competitiveness and national security.” The Standards Strategy identifies several critical areas related to cybersecurity as areas of focus for standards development, including communication and network technologies, artificial intelligence and machine learning, and quantum information technologies, among others. The Standards Strategy is aligned around four objectives:
- Investment – bolstering “support for R&D in CET and further increas[ing] investment in pre-standardization research.”
- Participation – working “closely with the private sector and academia to minimize gaps in coverage within [Standards Developing Organizations], work[ing] collectively to address challenges to accelerate standards development in CET, bolster[ing] private-sector participation, and ensur[ing] that the government plays an active – but appropriate – role in the private sector-led system.”
- Workforce – investing “in educating and training a cadre of professionals that can effectively contribute to and drive technical standards development.”
- Integrity & Inclusivity – harnessing “the support of like-minded allies and partners to promote the integrity of the international standards system and work[ing] to ensure that international standards are established on the basis of technical merit and fair-processes.”
As noted in the White House’s fact sheet, the Standards Strategy aligns with the principles set forth in the National Cybersecurity Strategy to protect the integrity of standards development and promote U.S. innovation.
Proposed Rules on Standardizing Cybersecurity Requirements Across the Executive Branch and Cyber Incident Reporting in Last Stage of Review
In the most recent Open Federal Acquisition Regulation (“FAR”) Cases Agenda, the Federal Acquisition Regulatory Council noted that two important FAR rules in the cybersecurity area were in their last stage of review. Both of these are in response to sections 2(i) and 8(b) of the Cyber EO, and both are expected to be issued as proposed rules. According to the FAR Agenda, on May 11, 2023, the draft rule was sent to the Office of Management and Budget’s (“OMB”) Office of Information and Regulatory Affairs (“OIRA”) for final review.
The first rule would amend the FAR to standardize common cybersecurity contractual requirements across all Executive agencies for unclassified information systems. It is expected that the security controls in NIST Special Publication (“SP”) 800-171 (which currently applies to DoD procurements involving covered defense information) will be applied across the Executive Branch. On May 10, NIST released a draft revision 3 of NIST SP 800-171 for comment. According to NIST, the changes include the following:
- updates to reflect changes in NIST SP 800-53, Revision 5 and the NIST SP 800-53B moderate control baseline, including new supply chain controls;
- updates to tailoring criteria;
- more specificity on how to implement security requirements;
- addition of organization-defined parameters in selected security requirements to increase flexibility and help organizations better manage risk; and
- a prototype CUI overlay.
The second rule proposes to amend the FAR to increase the sharing of cyber threat and incident information between the Government and certain providers in accordance with section 8(b) of the Cyber EO. In addition, the rule would require certain contractors to report cyber incidents to the Federal Government to facilitate effective cyber incident response and remediation, pursuant to Department of Homeland Security recommendations in accordance with section 2(g)(i) of the Cyber EO.