On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.” The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response. The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely. Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.
In particular, and among other things, the Order:
- seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
- mandates that software purchased by the federal government meet new cybersecurity standards;
- discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
- seeks to impose new cyber incident[i] reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents, and;
- addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.
The Order contains eight substantive sections, which are listed here, and discussed in more detail below:
- Section 2 – Removing Barriers to Sharing Threat Information
- Section 3 – Modernizing Federal Government Cybersecurity
- Section 4 – Enhancing Software Supply Chain Security
- Section 5 – Establishing a Cyber Safety Review Board
- Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
- Section 9 – National Security Systems
The summaries below discuss highlights from these sections, and the full text of the Order can be found here.