On May 12, 2021, President Biden issued a lengthy Executive Order on Improving the Nation’s Cybersecurity (the “Executive Order”). The senior administration official providing a background press call that evening explained that the Executive Order:
- makes “a down payment towards modernizing our cyber defenses”
- reflects “a fundamental shift in our mindset – from incident response to prevention, from talking about security to doing security”
- sets “aggressive but achievable goals to make the federal government a leader in cybersecurity, and improve software security and incident response”
- uses “the power of federal procurement to jumpstart this market because everything we buy has to be built securely, beginning in the – beginning in a short timeframe”
- “push[es] the authority as far as we could” and
- is “the first of many ambitious steps”
There is much more to this Executive Order. Its directives are wide-ranging, cover the entire federal government, and demand coordinated action on exceptionally tight timelines.
On its face, the Executive Order directs action only by government officials. Nevertheless, the herculean lift commanded will immediately impact federal contractors performing agency technical or executive support roles (e.g. data collection and processing, preparing recommendations, drafting reports). Involvement by the remainder of the government contracting community should be triggered no later than August, by which time the FAR Council has been directed to consider new cybersecurity requirements in federal contracts and to open public comment periods. Other parts of the Executive Order direct agencies to solicit input from the private sector by June 11, 2021.
The actions directed by this Executive Order may swiftly and profoundly alter the government’s expectations of federal contractors on numerous fronts and give rise to new certification requirements, disclosure obligations, and supply chain diligence mandates.
Those in the defense contracting community who followed DoD’s long march towards the CMMC (“Cybersecurity Maturity Model Certification”) framework will have a particular appreciation for how ambitious the Executive Order is. Ward & Berry prepared the following high-level summary of the Executive Order’s many mandates and associated deadlines to assist contractors in preparing for the changes to come. We hope you find it helpful; and we look forward to representing many of you as you navigate this time of rapid change.
I. Sharing Cybersecurity Threat Information
The Executive Order seeks to (1) remove any contractual barriers to threat information sharing between government and the private sector and (2) require information and communications technology (“ICT”) providers to share breach information that could impact government networks.
By June 11, 2021, the Office of Management and Budget (“OMB”) will review the current Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) to recommended new requirements concerning contract language. Within 90 days of receiving those recommendations, the FAR Council will review the proposed contract language, and post their recommendations on the FAR for public comment.
By June 11, 2021, the Secretary of Homeland Security will review the agency-specific requirements that currently exist with respect to cybersecurity, and will make recommendations to the FAR Council regarding new contract language. Within 60 days of receiving those recommendations, the FAR Council will publish their recommended contract language to the FAR for public comment. After the public comments period has ended, agencies need to update their requirements.
By June 26, 2021, the Secretary of Homeland Security and the Secretary of Defense will recommend contract language to the FAR to implement policies regarding sharing data with agencies. Within 90 days of receiving those recommendations, the FAR Council will review the proposed contract language, and post their recommendations on the FAR for public comment.
By August 10, 2021, the Secretary of Defense will develop procedures to ensure the cyber security incident reports are being shared in accordance with these new policies.
By September 9, 2021, the Secretary of Homeland Security and the Director of OMB will take steps to ensure that service providers are sharing data with agencies, the Cybersecurity and Infrastructure Security Agency (“CISA”), and the Federal Bureau of Investigations (“FBI”) as necessary “to respond to cyber threats, incidents, and risks.” This includes:
- ICT service providers promptly reporting cyber incidents upon discovery.
- ICT service providers must also report any cyber incidents to CISA that it reports to the Federal Civilian Executive Branch (“FCEB”) Agencies so that the CISA can centrally collect and manage the information.
- Any reports pertaining to National Security Systems.
II. Modernizing Cybersecurity
The Executive Order seeks to swiftly move the government to secure cloud services and a zero-trust architecture. It seeks to ‘lead the way’ and rapidly adopt security best practices, including deploying foundational security tools such as multifactor authentication and encryption, and to invest in technology and personnel training.
By June 11, 2021, the Administrator of General Services will begin modernizing FedRAMP by:
- Establishing a training program;
- Improving communication with Cloud Service Providers (“CSPs”) through automation and standardization of messages;
- Incorporating automating throughout FedRAMP, including assessment, authorization, continuous monitoring, and compliance;
- Digitizing and streamlining documentation that vendors are required to complete, including online accessibility and pre-populated forms; and
- Identifying relevant compliance frameworks, mapping those frameworks onto requirements in the FedRAMP authorization process, and allowing those frameworks to be used as a substitute for the relevant portion of the authorization process.
By June 11, 2021, the head of each agency must:
- Update existing plans to prioritize resources for the use of cloud technology as outlined in OMB guidance in a coordinated, deliberate manner;
- By June 11, 2021, the Secretary of Homeland Security will develop and issue a cloud-service governance framework for agencies to follow.
- By August 10, 2021, the Director of the OMB will develop a Federal cloud-security strategy, and will provide guidance to agencies. The Secretary of Homeland Security will develop and issue a cloud-security technical reference architecture documentation showing recommended approaches to implementing the cloud system. The heads of federal civilian executive branch (“FCEB”) agencies will evaluate the types and sensitivity of their agency’s unclassified data and will create a report prioritizing data that is “most sensitive and under the greatest threat.”
- Develop a plan to implement Zero Trust Architecture in accordance with migration steps outlined by the National Institute of Standards and Technology (“NIST”);
- Provide a report to the Director of OMB and the Assistant to the President and National Security Advisor (“APNSA”) discussing their plans to comply with the requirements.
By August 10, 2021, the Secretary of Homeland Security will establish a framework for cybersecurity and incident response activities related to FCEB cloud technology to ensure proper sharing of information.
By November 8, 2021, agencies must adopt multi-factor authentication and encryption for data at rest and in transit. To that end, the following must happen.
- Heads of FCEB Agencies must provide reports every 60 days to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA on their respective agency’s progress in adopting multifactor authentication and encryption of data at rest and in transit. These reports must continue until the agency has fully adopted the multi-factor authentication and data encryption.
- If heads of FCEB Agencies cannot fully adopt multi-factor authentication and encryption by November 8, 2021, they must provide a written rationale (by that date) to the Secretary of Homeland Security through the Director of CISA, the Director of OMB, and the APNSA.
III. Enhancing Software Supply Chain Security
The Executive Order pursues improved security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It will stand up public-private processes to create new approaches to software development and use federal procurement to incentivize change in the commercial market. It will also create a pilot program for an “energy start” type of label for secure software development.
By June 11, 2021, the Secretary of Commerce will solicit input from the federal government, the private sector, academia, etc. to identify existing or develop new standards, tools, and best practices for complying with the new standards and procedures set forth below.
By June 26, 2021, the Secretary of Commerce must publish a definition of the term “critical software.” Within 30 days of that publication, the Secretary of Homeland Security must identify and make available a list of categories of software and products that meet the definition.
By July 11, 2021, the Secretary of Commerce must publish minimum elements for a Software Bill of Materials (“SBOM”).
By July 11, 2021, the Secretary of Commerce must publish guidelines outlining security measures for critical software. Within 30 days of that publication, the Director of OMB must take steps to require agencies compliance, including software products that are procured after the date of the Executive Order. For products procured after the Executive Order issued, agencies must request an extension from the Director of the OMB who will consider the requests on a case-by-case basis.
By November 8, 2021, the Director of NIST must publish preliminary guidelines to follow. By May 7, 2022, the Director of NIST must publish additional guidelines that include procedures for periodic reviews.
- Within 90 days of the original publication, the Secretary of Commerce must issue guidance identifying practices that enhance the security of the software supply chain.
By February 6, 2022, the Secretary of Commerce must identify IoT cybersecurity criteria for a consumer labeling program and must consider whether it will be operated in conjunction with or modeled after any similar already-existing program. The Secretary of Commerce must also identify secure software development practices or criteria for a consumer software labeling program. The Director of the NIST will examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or rating system.
By May 12, 2022, the Secretary of Homeland Security must recommend to the FAR Council contract language that requires software suppliers to comply with, and attest to their compliance, the requirements stated in subsections (g) through (k) of section 4 of the Executive Order. After receiving the recommendations, the FAR Council shall review and amend the FAR. Following any new rules, agencies must remove software products that do not meet the new requirements from all indefinite delivery indefinite quantity contracts, Federal Supply Schedules, Federal Government-wide Acquisition Contracts, Blanket Purchase Agreements, and Multiple Award Contracts.
- The Director of OMB must require agencies to comply with the requirements set forth in this Executive Order even for software developed prior to May 12, 2021. If compliance is not applicable, the agency must provide a plan outlining actions to remediate or meet the requirements.
By May 12, 2022, the Director of the NIST must conduct a review of the pilot programs. The Secretary of Commerce must provide a report to the President that reviews the progress made.
IV. Cyber Safety Review Board
The Secretary of Homeland Security will establish a Cyber Safety Review Board (the “Board”), which will review and asses “significant” cybersecurity incidents. The Board will consist of Federal officials and private-sector representatives. The Secretary of Homeland Security will convene the board after a significant event, which will trigger the establishment of a Cyber Unified Coordination Group (“UCG”). Within 90 days of the Board’s establishment, it must provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices. Within 30 days of the initial review, the Secretary of Homeland Security will provide the President with the recommendations of the Board.
V. Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Incidents
The Executive Order will create a ‘standardized playbook’ and set of definitions for cyber incident response by federal departments and agencies. It endeavors to have all federal agencies meet a certain threshold and be prepared to take uniform steps to identify and mitigate threats. The ‘playbook’ will also provide the private sector with a template for response efforts.
By September 9, 2021, the Secretary of Homeland Security must develop a standard set of operational procedures – a playbook – to use when planning and conducting a cybersecurity vulnerability and incident response activity. The Director of OMB must issue guidance on an agency’s use of the playbook. The Director of CISA will review and update the playbook annually. The playbook will define key terms and allow for a standard use of terms across agencies.
VI. Improving Detection of Cybersecurity Vulnerabilities and Incidents
The Executive Order seeks to improve the ability of the government to detect malicious cyber activity on federal networks. To comply, all FCEB Agencies must deploy an Endpoint Detection and Response (“EDR”) initiative to support proactive detection of cybersecurity incidents within the Federal Government’s infrastructure.
By June 11, 2021, the Secretary of Homeland Security must provide the Director of OMB recommendations on how to implement the EDR initiative. Within 90 days of receiving the recommendations, the Director of OMB must issue requirements for FCEB Agencies to adopt Federal Government-wide EDR approaches. The Director of OMB and the Secretary of Homeland Security must help agencies to ensure they have adequate resources to comply with the requirements.
By June 26, 2021, the Director of the NSA must recommend to the Secretary of Defense, the Director of National Intelligence, and the Committee on National Security Systems (“CNSS”) appropriate actions for improving detection of cyber incidents affecting National Security Systems, including recommendations for EDR approaches. By August 10, 2021, the Secretary of Defense, the Director of National Intelligence, and the CNSS must review the recommendations submitted and establish policies that effectuate those recommendations.
To ensure alignment between the Department of Defense Information Network (“DODIN”) directives and FCEB Information Systems directives, the Secretary of Defense and Secretary of Homeland Security must:
- By July 11, 2021, establish procedures for the DoD and Department of Homeland Security to immediately share incident response orders or emergency directives and binding operational directives;
- Evaluate whether to adopt any guidance; and
- Within 7 days of receiving notice of an Order or Directive, notify the APNSA and Administrator of the Office of Electronic Government within the OMB of the evaluation.
By July 26, 2021, agencies must establish or update the Memoranda of Agreement (“MOA”) with CISA for the Continuous Diagnostic and Mitigation Program to ensure object level data is available and accessible to CISA.
By August 10, 2021, the Director of CISA must provide the Director of OMB and the APNSA a report describing how authorities granted under section 1705 of Public Law 116-283 are being implemented.
VII. Improving the Federal Government’s Investigative and Remediation Capabilities
The Executive Order creates cybersecurity event log requirements for federal departments and agencies. When a cybersecurity incident occurs, this information must be provided to the Secretary of Homeland Security through the Director of CISA and to the FBI.
By May 26, 2021, the Secretary of Homeland Security must provide recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks to the Director of OMB. Within 90 days of receiving the recommendations, the Director of OMB must formulate policies for agencies to establish requirements for logging, log retention, and log management. The Director of OMB must work with agency heads to ensure they have the proper resources to comply.
VIII. National Security Systems
By July 11, 2021, the Secretary of Defense, in coordination with the Director of National Intelligence and the CNSS, and in consultation with the APNSA, must adopt National Security Systems requirements equivalent to or exceeding the cybersecurity requirements set forth in the Executive Order.