On Wednesday, May 12, 2021, President Biden issued an ambitious and sweeping Executive Order focused on combating digital threats to US networks and infrastructure. The Executive Order on Improving the Nation’s Cybersecurity (Cybersecurity EO) sets out to improve cybersecurity, particularly for federal government systems, and follows several significant cyber incidents affecting the nation’s critical infrastructure. By directing agencies to develop, and ultimately to impose through federal procurement, a variety of new cybersecurity mandates, the Biden Administration leverages the federal government’s significant purchasing power to raise cybersecurity requirements across the federal government and a range of critical industries.
Although many of the specific requirements of the Cybersecurity EO will be developed by agencies over the next year, the order also includes several sweeping mandates that may require immediate and complex engineering efforts. For example, the Cybersecurity EO mandates that, within 180 days, federal agencies adopt multifactor authentication and encryption for data at rest and in transit. Such a task, particularly encrypting data at rest across existing agency systems and networks, may be challenging to accomplish within six months. Additionally, while the Cybersecurity EO is ambitious in scope, it does not identify the source of the funding and engineering resources needed to carry out the directive.
For companies that supply information technology (IT) systems and software to the federal government, the many guidelines to be developed pursuant to the Cybersecurity EO will have a significant impact on how those systems are developed and delivered. Affected companies will need to monitor the implementation guidelines closely to prepare for the potential impacts. Agencies (and the companies supporting them) may require significant private sector assistance to bring their systems into compliance with the Cybersecurity EO, which may present contracting opportunities for companies in the cybersecurity industry.
The Cybersecurity EO outlines a complex set of requirements. Key provisions are outlined here:
- Information Sharing Between Government and Private Sector. The Cybersecurity EO directs the Office of Management and Budget (OMB) Director to initiate updates to standard contract language in the Federal Acquisition Regulation (FAR) to remove contractual barriers to sharing threat information between IT and operational technology (OT) service providers and federal agencies. Specifically, the Cybersecurity EO contemplates standard contract clauses designed to require contractors to, among other things, collect and preserve data relevant to cybersecurity event prevention, detection, response and investigation, share such data with the agencies with which they contract, report cyber incidents to those agencies promptly, and collaborate with federal cybersecurity and investigative agencies in their investigation of and response to incidents.
- Federal Government Cybersecurity Standards. The Cybersecurity EO requires federal agencies to prioritize adoption of cloud technology and to migrate toward a Zero Trust Architecture, a model in which no user, device or network location is trusted by default and access to each resource is granted only as needed, on a least-privilege basis, after verification. It also requires the implementation of multifactor authentication and encryption for data at rest and in transit. The Cybersecurity and Infrastructure Security Agency (CISA) must issue guidance related to cloud security and incident response, among other guidance. Each agency must report its progress to CISA, OMB and the National Security Council staff every 60 days until it has fully adopted multifactor authentication and data encryption; an agency that cannot do so within 180 days must provide a written rationale to the Secretary of Homeland Security and the same entities.
Finally, the Cybersecurity EO mandates a modernization of the Federal Risk and Authorization Management Program (FedRAMP), which prescribes standards for security authorizations of cloud service offerings, by establishing training, automating and standardizing communications with cloud service providers (CSPs), and streamlining the required documentation, among other enhancements.
- Supply Chain Security. The Cybersecurity EO will require baseline security standards for software developed for or licensed to the government. The baseline security standards are intended to, among other things, require developers to maintain greater visibility into the provenance of their software and its components, and to make summary information about their vulnerability testing publicly available. For example, contractors will be required to provide purchasing agencies with a Software Bill of Materials (SBOM), analogous to the list of ingredients on food packaging, for each software product, either directly or by publishing it on a public website.
The Cybersecurity EO also calls for a pilot program to create an “Energy Star” type of label so that the government, and the public, can quickly determine whether software was developed securely.
- Cyber Safety Review Board. The Secretary of Homeland Security is required to establish a Cyber Safety Review Board (the Board) to review and assess significant incidents affecting Federal Civilian Executive Branch (FCEB) Information Systems or non-federal systems, including the threat activity, vulnerabilities, mitigation activities and agency responses involved. The Board, which will be comprised of government and private sector representatives, appears to be modeled on the National Transportation Safety Board, which conducts after-the-fact reviews of major transportation incidents. After its initial review, which will cover the cyber activity that prompted the establishment of a Unified Coordination Group in December 2020, the Board will provide recommendations to further build out its composition, membership, mission and approach.
- Standard Incident Response Playbook. Within 120 days, the Department of Homeland Security, acting through CISA and in consultation with OMB and other federal agencies, will be required to develop a standard set of operational procedures (or a playbook) to be used in planning and conducting cybersecurity vulnerability and incident response activities with respect to FCEB Information Systems. According to the Cybersecurity EO, the playbook must (i) incorporate all appropriate NIST standards, (ii) be used by FCEB agencies, (iii) define key terms and use them consistently, and (iv) articulate progress and completion through all phases of an incident response. According to the White House’s Cybersecurity EO Fact Sheet, the playbook is intended to “ensure all Federal agencies meet a certain threshold and are prepared to take uniform steps to identify and mitigate a threat. The playbook will also provide the private sector with a template for its response efforts.”
- Detection of Cybersecurity Incidents on Federal Government Networks. The Cybersecurity EO is also focused on early detection of incidents, and it requires agencies to deploy an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response. The specific requirements will follow from a two-step process: within 30 days CISA must provide OMB with recommendations on options for implementing EDR, and within 90 days OMB must issue the resulting requirements to agencies.
- Investigative and Remediation Capabilities. Finally, the Cybersecurity EO calls for the Secretary of Homeland Security, acting through CISA and in consultation with other federal agencies, to develop standardized requirements for event logging and data retention on federal agency systems and networks. The requirements are to address the types of logs to be maintained, the time periods for retaining the logs and other relevant data, the time periods for agencies to enable the recommended logging, and how to protect the logs, including protecting them by cryptographic methods so that their integrity can be verified after collection. These requirements are also intended to establish standards for ensuring centralized access and visibility for the highest-level security operations center of each agency.
The Cybersecurity EO imposes ambitious timelines and goals; it remains to be seen whether all are achievable in the timeline laid out across the entirety of the US government and its wide variety of federal systems, software and missions. The guidelines required to be issued over the next few months will have a significant impact on how this Cybersecurity EO is implemented and on companies providing technology to the US government. Given the government’s purchasing power, the Cybersecurity EO’s requirements may have downstream effects in improving private sector cybersecurity as contractors work to meet heightened standards.