In response to recommendations contained in the Solarium Commission report and the Solar Winds cybersecurity incident, President Biden issued an Executive Order on May 12, 2021 (EO), outlining new requirements for information technology (IT) providers that do business with the federal government. The purpose of the requirements is to protect federal networks from malicious cyber-attacks and to improve information-sharing between the U.S. government and the private sector on cyber issues, thereby strengthening the United States’ ability to respond to incidents when they occur. The EO is available here.
This much-anticipated and lengthy EO is intended to make bold changes to the way the federal government approaches cybersecurity, identifying a new policy of prevention, detection, assessment, and remediation of cyber incidents as a top priority which is essential to national and economic security. The EO is intended to quickly identify and respond to threats from both foreign and domestic adversaries.
The Solarium Commission and Government Cyber Security experts recognized that there are certain vulnerabilities inherent in the current supply chain. Accordingly, there is a need to further enhance partnerships with private sector companies that control critical infrastructure, such as internet service providers or software development. The EO includes emphasis on partnering with those private sector companies that are current federal government contractors.
The EO further builds upon direction contained in prior Presidential Policy Directives to use the federal government’s purchasing power to direct economic policy around cyber security executive branch agencies and departments are instructed to review internal policies and standard contractual language with an eye toward removing contractual barriers and increasing the sharing of information about threats, incidents, and risks to allow for accelerated incident deterrence, prevention, and response. Agencies are also required to provide recommendations and revised contractual language to the Federal Acquisition Regulation (FAR) Council by mid-July. This revised language must address the nature and type of cyber incidents that will need to be reported and timelines for reporting them, as well as protections for privacy and civil liberties. The EO provides agencies with short timeframes for submitting these deliverables.
The EO also tasks the heads of several national security-related and defense-related agencies with joint development of cyber incident report sharing procedures, so federal agencies will be made aware of incidents sooner and can quickly take steps to mitigate the impact of the incident. A Cyber Safety Review Board will be established with the Secretary of Homeland Security at the helm.
The EO sets goals for modernizing the federal government’s approach to cybersecurity, which includes adopting security best practices; moving toward Zero Trust Architecture and better secure cloud services; centralized and streamlined access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and investment in both technology and personnel to match these modernization goals. The EO identified certain measures that will soon be required across executive agencies, such as multi-factor authentication and data encryption.
In terms of the commercial supply chain, the EO directs broad regulatory changes. One notable change is establishing baseline security standards for the development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. Another is the creation of a pilot program – similar to the Energy Star program used in consumer product labeling – so the government and private consumers can quickly determine whether certain software was developed securely.
Federal agencies will be busy in the coming weeks and months developing the new policies to address these heightened cybersecurity needs. Then comes the rulemaking process to create new regulations or amend existing regulations to address the new policies. Government contractors, specifically those that are IT providers, need to be prepared to implement any new requirements.
If you have questions regarding the EO, contact the authors or Graham Hill or Clayton Heil of Taft's Public Affairs Strategies Group.