In response to recent highly publicized cybersecurity incidents, President Biden signed an Executive Order on May 12, 2021, that contains eight key initiatives aimed at modernizing the federal government’s response to cyberattacks.
Although the initiatives outlined in the Executive Order only apply to federal contractors (many of which already comply with agency-specific cybersecurity rules), all companies and organizations should pay attention to them, as they could be used as models for other laws and as the “baseline” for what security measures businesses will be expected to implement.
Removing Barriers to Sharing Threat Information / National Security Systems
Overview: The Executive Order calls for updates to federal information technology and operational technology service contract terms to allow federal contractors to share threat intelligence and information about cybersecurity incidents with different federal agencies. Specifically, the Executive Order is asking that such contracts be designed to ensure that these contractors “collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies.”
The Executive Order also calls for a review of existing agency-specific cybersecurity requirements and the creation of standardized contract language for cybersecurity requirements. To ensure consistency across the federal government, it further calls for the creation of National Security Systems requirements “that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems.”
Potential Impact on Business: The changes to contractual terms may impose new requirements on government contractors related to data collection practices, incident response plans and incident notification procedures. It is also possible that the revised contractual terms and cybersecurity requirements could be adopted by the private sector and would require companies to update their business practices accordingly.
Modernizing Federal Government Cybersecurity
Overview: To put the federal government in a better position to address increasingly sophisticated cyber threats, the Executive Order requires that federal agencies take steps to modernize their approach to cybersecurity. These steps include:
- Adopting security best practices.
- Advancing toward Zero Trust Architecture.
- Accelerating movement to cloud services, including software as a service, infrastructure as a service and platform as a service.
- Centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks.
- Investing in both technology and personnel to meet these modernization goals.
The Executive Order’s own text on National Security Systems, quoted here, reads:
(a) Within 60 days of the date of this order, the Secretary of Defense acting through the National Manager, in coordination with the Director of National Intelligence and the CNSS, and in consultation with the APNSA, shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. Such requirements may provide for exceptions in circumstances necessitated by unique mission needs. Such requirements shall be codified in a National Security Memorandum (NSM). Until such time as that NSM is issued, programs, standards, or requirements established pursuant to this order shall not apply with respect to National Security Systems.
(b) Nothing in this order shall alter the authority of the National Manager with respect to National Security Systems as defined in National Security Directive 42 of July 5, 1990 (National Policy for the Security of National Security Telecommunications and Information Systems) (NSD-42). The FCEB network shall continue to be within the authority of the Secretary of Homeland Security acting through the Director of CISA.
Potential Impact on Business: These requirements are in line with what many companies in the private sector are already doing to address the evolving cyber-risk landscape and can serve as a road map for organizations that are in the process of making improvements to their cybersecurity posture.
Enhancing Software Supply Chain Security
Overview: Following the widely publicized SolarWinds vulnerability incident, there has been heightened concern surrounding the security of software used by the federal government. The Executive Order calls for the creation of baseline security standards for the development of software sold to the government, including requiring developers to be more transparent and to make security data related to their software publicly available. The Executive Order creates a pilot program to create an “Energy Star”-type label so the government and consumers can quickly determine whether software was developed securely.
Potential Impact on Business: This initiative has the potential to help companies make more-informed decisions related to their software acquisition strategies. However, federal contractors should also keep this pilot program in mind as they enter into contracts with software providers now, as there is the potential that their government contracts could require that they only use technologies with the “approved” label. If a federal contractor’s software does not meet the new standard, the contractor may need to migrate to another software solution, which could present contractual issues.
Establishing a Cybersecurity Safety Review Board
Overview: The Executive Order establishes a Cybersecurity Safety Review Board, consisting of stakeholders from the federal government and the private sector, that would convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity. This board is modeled after the National Transportation Safety Board, which investigates civil transportation accidents.
Potential Impact on Business: It will be interesting to see what role this new board will play in responding to cybersecurity incidents and what involvement companies that experience such incidents will have in its reviews. Depending on how the board is utilized, it might inspire states to create their own boards to evaluate cybersecurity incidents that have a significant impact on their states.
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
Overview: Under the Executive Order, the Commerce Department’s National Institute of Standards and Technology (NIST) is tasked with publishing guidelines for software supply chain security. The guidance will include recommendations on how to check for vulnerabilities, how to find evidence of flaws and how to ensure up-to-date provenance of source code, as well as instructions for using automated tools to validate trusted code. NIST must also define “critical software” and require federal agencies to adopt security measures for such software.
Potential Impact on Business: Companies, regardless of whether they are federal contractors, should pay attention to NIST’s forthcoming guidelines. As we have seen with other NIST guidance, it is very common for the private sector to adopt NIST guidelines as the standards with which vendors and other contractors must comply. NIST guidance can also be used as a road map for an organization’s cybersecurity planning process.
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Overview: The Executive Order calls for the deployment of a government-wide endpoint detection and response (EDR) system to better detect malicious cyber activity on federal networks and to improve information sharing among federal agencies.
Potential Impact on Business: This initiative is in line with the increased deployment of endpoint monitoring solutions in the private sector and should encourage those companies “on the fence” about EDR to move forward with implementation.
Improving the Federal Government’s Investigative and Remediation Capabilities
Overview: To help improve investigative and remediation efforts, the Executive Order announced that the federal government will be establishing policies for logging, log retention and log management.
Potential Impact on Business: Once these policies are publicized, companies should review them to see whether they align with their logging procedures and protocols and consider making revisions as needed.