The Biden administration issued a lengthy Executive Order, “Improving the Nation’s Cybersecurity,” on May 12, which it described as the “first of many ambitious steps” toward modernizing U.S. cybersecurity defenses. The White House simultaneously issued an explanatory fact sheet and background press call.
Pursuant to the Order, government agencies will be required to deploy multifactor authentication, encryption, endpoint detection response, and logging and operate under the principle of a “zero-trust” environment. A clear purpose of the Order is to improve the security of commercial software, including by establishing baseline security requirements based on industry best practices. As the White House press briefer stated, the Order will impose “the power of federal procurement to say, ‘If you’re doing business with us, we need you to practice really good — really good cybersecurity. And, most importantly, we really need you to focus on secure software development.’”
While reportedly in the works for some time, the release of the Order this week is particularly well timed, as the nation’s attention is focused on another large-scale cyberincident, the Colonial Pipeline ransomware attack. The Order, however, is focused on steps to be taken to harden the federal government’s cyber-defenses, and President Biden has publicly acknowledged the limits on forcing changes in the private sector through the Executive Order process. The Order notes opportunities for the Federal Government to partner with the private sector and urges the private sector to adapt to the changing threat environment.
The Order announces the administration’s intention to make “bold changes and significant investments” to defend the nation’s computer infrastructure and “vital institutions that underpin the American way of life.” It details a host of new requirements that will apply to federal departments and agencies as well as private entities that do business with the federal government, particularly software suppliers, including the following.
- Requiring Federal Contractors to Share Information Regarding Security Incidents. Federal contractors that process data or provide other operational technology for the federal government, including cloud service providers, will be contractually required to share more information about data security incidents with their federal agency customers as well as other federal agencies responsible for investigating or remediating cyberincidents, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The Order directs the Office of Management and Budget (OMB) to coordinate rulemaking efforts to amend federal contract requirements to mandate new reporting and data-sharing obligations around cybersecurity incidents, including a 72-hour notification requirement for the most severe incidents. The Order also mandates that, once reported, information about cyberincidents be shared among relevant agencies. These rules will standardize cybersecurity contractual requirements across agencies, removing agency-specific policies and procedures and streamlining compliance for vendors and the government.
- Modernizing and Strengthening Federal Cybersecurity Controls. The Order includes a roadmap to accelerate the movement of the federal government to secure cloud services, including by implementing “zero trust” architecture informed by National Institute of Standards and Technology (NIST) guidance, and developing a uniform set of security principles governing all cloud service providers that serve the federal government. CISA will be required to issue a cloud-service governance framework applicable to all federal civilian agencies, and each agency will need to conduct an initial risk assessment of its unclassified data and work to address security gaps. All civilian agencies will be required to adopt multifactor authentication and encrypt data at rest and in transit, with target implementation by mid-November 2021 and rolling 60-day status reports. Cybersecurity training will also be required.
- Improving and Incentivizing Software Supply Chain Security. To address what the Order describes as the “long-standing” and “well-known problem” of vulnerability-riddled software, the administration aims to use the power of the federal government to incentivize a push toward secure software development. The Order requires software sold to the federal government to meet baseline security standards and will require developers to make security data publicly available. The Order also creates a pilot program to create an Energy Star-type label so the government and the public can easily determine whether software was securely developed.
- Establishing Cybersecurity Safety Review Board. Borrowing from the National Transportation Safety Board model, the Order will create a new Cybersecurity Safety Review Board (Board) to review and assess significant cyberincidents in the public and private sectors and provide recommendations for improved cybersecurity and incident response. The Board will include government representatives as well as representatives from private-sector cybersecurity or software suppliers and will be co-chaired by a representative from each. It will convene following a significant security incident as defined under previous Presidential Policy Directives and already has its first assignment: review of last year’s SolarWinds incident. The Order requires the Board to protect sensitive law enforcement, operational, business, and other confidential information shared with it.
- Standardizing Federal Government Incident Response. The Order requires the creation of a standard incident response playbook for federal departments and agencies, much like incident response plans in the private sector. The playbook is to be based on NIST standards and be updated annually by CISA and the National Security Agency. Currently, incident response plans vary across agencies, and that variability has hindered the government’s ability to efficiently coordinate its response to and analysis of security incidents.
- Stronger Cybersecurity Detection Systems. The Order mandates the use of technical safeguards to protect against intrusions. Federal departments and agencies will be required to deploy an endpoint detection and response initiative based on recommendations by CISA and to institute cybersecurity event logging requirements.
The Order did not place prime responsibility or accountability on any one official, though the President’s National Security Advisor, Secretary of Homeland Security, and Director of OMB appear to have particularly salient roles among the vast number of agencies mentioned in the Order. The new National Cyber Director recommended by the Cyberspace Solarium Commission and mandated by Congress in the National Defense Authorization Act is relegated to an afterthought: “Upon the appointment of the National Cyber Director (NCD) and the establishment of the related Office within the Executive Office of the President, pursuant to section 1752 of Public Law 116-283, portions of this order may be modified to enable the NCD to fully execute its duties and responsibilities.”
The Order also does not mention the very substantial cybersecurity information-sharing authorities and protections already enacted into law in the Cybersecurity Information Sharing Act of 2015, or the joint guidance issued thereunder in 2016 by the Departments of Homeland Security and Justice. Companies should be aware of the “notwithstanding any other provision of law” immunities in the act as well as “no waiver” of legal privilege and restrictions on further use and sharing of cyberthreat information provided to the government (e.g., “shall not be used by any Federal, State, tribal, or local government to regulate, including an enforcement action …”).
The Order also does not address any new government efforts or commitment to investigate, apprehend, and deter cybercriminals or impose sanctions on foreign governments that commission or coddle such cybercrime.