On May 12, 2021, President Biden signed an executive order (EO) mandating that the federal government significantly improve cybersecurity within its networks and modernize federal cyber defenses. The EO acknowledges that the United States "faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people's security and privacy." This move follows a series of sweeping cyberattacks on private companies and federal government networks over the past year, including a recent incident that resulted in gasoline shortages across the U.S. East Coast.

In the past year, two major hacks targeted U.S. government agencies and corporations, both believed to have been sponsored by China and Russia. In one of the largest breaches in U.S. history, government contractor SolarWinds was hacked in December 2020, which compromised the cybersecurity of various federal agencies and thousands of private companies. In March 2021, Microsoft announced that its email service, Microsoft Exchange, had been compromised in an aggressive hacking campaign that affected businesses and government agencies in the United States.

As noted in a White House fact sheet, this EO aims to "make a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States' ability to respond to incidents when they occur." The EO includes seven substantive sections, described in detail below, that impose standards and requirements for federal information systems. The standards will require federal contractors to review and potentially upgrade their cybersecurity systems and policies. Federal contractors should take note of possible key changes to:

  • increase cybersecurity incident intelligence-sharing with federal agencies and reporting requirements;
  • standardize cybersecurity requirements with the possibility of expanded NIST 800-171 compliance requirements;
  • implement zero-trust architecture requirements;
  • require multifactor authentication and encryption for data at rest and in transit across all federal information systems;
  • increase usage of secure cloud services and an accelerated shift away from on-premises software and data storage for certain federal agencies;
  • re-evaluate and change FedRAMP cloud security requirements; and
  • increase reporting and compliance requirements related to logging events and retaining other relevant data within an agency's systems and networks.

The EO is certain to have many significant impacts on federal contractors and across the private sector at large, and the White House fact sheet describes the EO as "the first of many ambitious steps the Administration is taking to modernize national cyber defenses." The broad and ambitious scope of the EO directives requires several agencies to implement new regulations and engage in significant rule-making activity. Federal contractors should expect federal agencies to release interim final rules and subsequently seek public comment on an accelerated basis, given the aggressive timelines in the EO. Please contact the authors for more information about rule-making timelines and for assistance providing public comment.

Contractor Requirements to Share Threat Information With the Government

Section 2 of the EO addresses contractual barriers to sharing cybersecurity threat information between the U.S. government and the private sector. An issue many companies face related to cyber-incident reporting is certain contractual provisions that restrict government contractors from sharing information with federal agencies, outside of the contracting agency, when those agencies have experienced a cybersecurity event.

First, this section of the EO creates broad cyber-incident reporting requirements for federal contractors who are "information and communications technology (ICT) service providers." To that end, ICT service providers who are federal contractors "must promptly report to such agencies when they discover a cyber incident." In 45 days, the secretary of the U.S. Department of Homeland Security, in consultation with various agencies, must recommend contract language that identifies requirements for federal contractors to share breach information that could impact government networks to the Federal Acquisition Regulatory Council (FAR Council). In turn, the FAR Council must, within 90 days, publish for public comment proposed updates to the Federal Acquisition Regulations (FAR). Federal contractors should note the aggressive timelines imposed throughout the EO and closely track rule-making activity by various federal agencies that has been triggered by the EO. This rule-making will have an outsized impact on certain federal contractors because the EO does not define the term "service provider," and the EO directs the FAR Council to determine which "contractors and associated service providers [will] be covered by the proposed contract language."

Next, this section of the EO requires federal contractors who are "IT and OT service providers" to share information with the government related to cybersecurity events. Currently, there is a voluntary information-sharing regime, which both industry participants and governmental entities have criticized. The EO requires covered government service providers to "collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control." These reporting obligations created by the EO will include measures to ensure, to the greatest extent possible, that service providers share data with federal law enforcement agencies and the U.S. intelligence community. This section also creates centralized reporting to the Cybersecurity and Infrastructure Security Agency (CISA) whenever contractors report to any federal civilian executive branch agency (FCEB), and specific reporting for national security systems.

Finally, this section of the EO also directs the creation of "standardized contract language for appropriate cybersecurity requirements" for federal contractors. Currently, federal agencies use agency-specific cybersecurity requirements, with some federal agencies implementing requirements significantly less stringent than NIST 800-171. Standardized cybersecurity obligations may result in more burdensome compliance duties for certain federal contractors.

Implementing Stronger Cybersecurity Standards in the Federal Government

Section 3 of the EO orders the implementation of stronger cybersecurity standards within the federal government. The main component of these stronger cybersecurity standards is the advancement toward zero-trust architecture, within 60 days of the issuance of this EO. The main concept behind zero-trust architecture is that devices or user accounts should not be trusted by default, even if they are connected to a managed network or were previously verified. In August 2020, the National Institute of Standards and Technology (NIST) issued a special publication, NIST 800-207, which defines and provides deployment models and use cases for zero-trust architecture within federal information systems. Consistent with zero-trust architecture, the EO mandates multifactor authentication and encryption within 180 days of the issuance of this EO. In addition, Section 3 requires the federal government to facilitate access to cybersecurity data and analytics to provide intelligence for identifying and managing cybersecurity risks.

This section of the EO also requires federal agencies to "accelerate movement" toward secure cloud services, as opposed to relying on commercial, off-the-shelf software solutions and on-premises data storage. To that end, the EO orders the re-evaluation of the Federal Risk and Authorization Management Program (FedRAMP) standards, including the development of new "security principles" for cloud service providers and "approaches to cloud migration and data protection." The EO requires the CISA to develop governance frameworks for cloud-based activities for both service providers and federal agencies to standardize intelligence data collection and reporting related to cybersecurity and incident response.

The EO requires FCEBs to identify and determine the sensitivity of unclassified data and evaluate appropriate processing and storage solutions for such data. This evaluation process may require extensive mapping of federal information, including data residing in cloud-based platforms and legacy systems.

Improving Software Supply Chain and Security

Section 4 of the EO addresses supply chain issues and seeks to standardize and stabilize the marketplace for certain software and related devices. To that end, the EO instructs federal agencies to "take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software." These requirements develop baseline security standards, "security by design," to be embedded in all phases of software development sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. Initially, these requirements will be limited to the security of what NIST deems "critical software," but it appears clear that the government is concerned with establishing a baseline security standard for software security. At a minimum, required security measures for critical software will include least privilege, network segmentation and proper configuration standards.

Federal contractors should note that within 30 days, NIST must solicit input from federal government agencies, the private sector, academia and other appropriate actors "to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria" within the EO. The standards will include criteria that can be used to evaluate software security and the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.

Federal contractors should expect significant regulatory changes related to this requirement, and the EO requires, within a year of the EO, the removal of all software that does not comply with these new regulations from all indefinite delivery indefinite quantity contracts (IDIQ), federal supply schedules, federal government-wide acquisition contracts (GWACs), blanket purchase agreements (BPAs) and multiple award contracts (GSA Schedules).

This section of the EO also creates as a pilot program a long-anticipated, industrywide cybersecurity rating scale for software companies. The EO requires NIST to develop "pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs." The White House fact sheet further explains that the goal of this pilot program is to create an "energy star type of label" that will inform government agencies and public consumers of the software vulnerabilities included in IoT devices and software.

Establishing a Cybersecurity Safety Review Board

Section 5 of the EO creates a Cybersecurity Safety Review Board (CSRB), modeled after the National Transportation Safety Board, which will review significant cybersecurity incidents to analyze the event and make recommendations for improved security. Government and private sector leads will co-chair the CSRB, and the secretary of the U.S. Department of Homeland Security will convene the CSRB following a significant cyber incident triggering the establishment of a Cyber Unified Coordination Group.

The CSRB will comprise representatives from the U.S. Department of Defense, U.S. Department of Justice, Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency and the Federal Bureau of Investigation, as well as representatives from appropriate private-sector cybersecurity or software suppliers as determined by the secretary of the U.S. Department of Homeland Security. The CSRB will report directly to the assistant to the president and national security adviser regarding recommendations for improving federal information systems cyber defenses and incident response policies.

Responding to Cyber Incidents

Section 6 of the EO requires the creation of a uniform response to cyber incidents. This section mandates the creation and implementation of a "playbook" that incorporates all NIST standards, for cyber incident response by federal departments and agencies. The EO instructs that "[w]ithin 120 days of the date of this order, the Secretary of Homeland Security acting through the Director of CISA, in consultation with the Director of OMB, the Federal Chief Information Officers Council, and the Federal Chief Information Security Council, and in coordination with the Secretary of Defense acting through the Director of the NSA, the Attorney General, and the Director of National Intelligence, shall develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting FCEB Information Systems." The goal of a standardized playbook is to coordinate and centralize incident response to facilitate more successful government responses. Deviation from the playbook is permitted only upon consultation with the director of the Office of Management and Budget (OMB) and the assistant to the president and national security adviser (APNSA), and a finding that the alternative response procedures meet or exceed the standards in the playbook.

Improving Detection of Incidents on Federal Networks

Section 7 of the EO seeks to improve detection of cybersecurity incidents on federal government networks by enabling a government-wide endpoint detection and response system and improved information-sharing within the federal government. This section also empowers CISA to engage in cyber-hunt, detection and response activities through increased access to federal networks.

Improving Investigative and Remediation Capabilities

Section 8 of the EO creates cybersecurity event log requirements for federal departments and agencies, with the goal of improving the investigative and remediation capabilities of the federal government. This section of the EO requires the secretary of the U.S. Department of Homeland Security, working in consultation with the attorney general and the OMB, to recommend requirements for logging events and retaining other relevant data within an agency's systems and networks, within 14 days of the date of the EO. Federal contractors should note that the FAR Council must consider these recommendations within 90 days of receipt and promulgate rules related to federal contractor reporting requirements.

This extensive EO will trigger wide-reaching changes for federal contractors and private sector industry participants. The EO seeks to mandate dramatically increased cybersecurity standards for the federal government to aggressively amend the cyber-defense policy for the government and private sector.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.