In a lengthy Executive Order issued on May 12, 2021 (the “Order”), the Biden Administration has taken steps “to make bold changes and significant investments” in both public and private sector cybersecurity “in order to defend the vital institutions that underpin the American way of life.” The full scope of the Order remains to be seen. Much will depend on the recommendations and rules issued by various agencies over the coming months. Nonetheless, the Order itself signals several areas where significant changes can be expected.
Expect Increased Reporting Obligations For Government Contractors
Under Section 2 of the Order, the Administration’s goal is to remove “contractual barriers” that may limit sharing threat or incident information with the Cybersecurity and Infrastructure Security Agency (“CISA”), the Federal Bureau of Investigation (“FBI”), and other elements of the Intelligence Community (“IC”). In order to accelerate incident deterrence, prevention, and response efforts and to enable more effective defense of agencies’ systems and of information collected, processed, and maintained by or for the Federal Government, the Order requires, among other things, a review of the Federal Acquisition Regulations and recommendations for updates to such requirements and language. These recommendations must include, however, new provisions for contractors to share threat and incident information with any agency they have contracted with, as well as any other agency deemed appropriate by the Office of Management and Budget, the Secretary of Defense, the Attorney General, and other stakeholders. While the specifics are to be determined (including what would constitute an incident that must be reported), the government is to “ensure to the greatest extent possible that service providers share data with agencies, CISA, and the FBI.”
Importantly, we do not yet know the full scope of contractors who will be subject to these new reporting requirements. Yet, the scope of reporting obligations will cover not only the systems used by the federal customer but “all information systems over which [the contractors] have control, including systems operated on behalf of agencies, consistent with agencies’ requirements.” The recommendations must also require the contractors to collaborate with federal investigators in government investigations of and responses to incidents or potential incidents on Federal Information Systems.
Expect An Expanded Role for CISA In Collecting And Managing Incident Reporting Information
The Order requires contractors to promptly report to the agencies they contract with when they discover a cyber incident involving a software product or service provided to such agencies, or involving a support system for such a software product or service. It also requires that contractors report directly to CISA, and that CISA centrally collect and manage such information. The specifics of what must be reported are still unknown, but the forthcoming requirements will detail:
• Information needed to “facilitate effective cyber incident response and remediation”;
• Appropriate and effective protections for privacy and civil liberties;
• The time periods within which contractors must report cyber incidents; and
• The type of contractors and associated service providers to be covered by the proposed contract language.
Expect Standardized Common Cybersecurity Contractual Requirements Across Agencies
The Defense Industrial Base has already seen the push for standardized cybersecurity contractual requirements through the Cybersecurity Maturity Model Certification program, and there has been industry speculation that similar standards could be rolled out across the federal government. The Order indicates that some level of standardized cybersecurity contracting requirements will be forthcoming to all agencies.
Expect New Private Sector Recommendations For Supply Chain Security
The Order requires new NIST guidelines for evaluating software security, including criteria to evaluate the security practices of the developers and suppliers themselves, and identifying innovative tools or methods to demonstrate conformance with secure practices. The guidance shall include standards, procedures, or criteria for several aspects of the development process including:
• Secure software development environments;
• Generating artifacts that demonstrate conformance to the new NIST guidelines;
• Maintaining trusted source code supply chains;
• Checking for known and potential vulnerabilities and remediating them;
• Making publicly available summary information on the completion of the vulnerability analyses, to include a summary description of the risks assessed and mitigated;
• Participating in a vulnerability disclosure program that includes a reporting and disclosure process; and
• Attesting to conformity with secure software development practices.
The Order also requires the government to define what constitutes “critical software,” to identify and make available to agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software, to publish guidance outlining security measures for critical software, and to require that agencies comply with such guidance. For any software procured prior to the date of the Order, agencies must either comply with these requirements or must provide a plan outlining actions to remediate or meet those requirements.
Expect Other Significant Organizational Changes To Cybersecurity Response and Management In The Federal Government
Among other things, the Order requires establishing a cyber safety review board comprised of private and public sector stakeholders, standardizing the government’s playbook for responding to cybersecurity vulnerabilities and incidents, modernizing federal government cybersecurity, improving detection on federal government networks, and improving the government’s investigative and remediation capabilities.