On May 12, President Biden signed an Executive Order (EO) aimed at improving the federal government’s cybersecurity. It responds to widespread cyber incidents such as the SolarWinds compromise. The EO urges the federal government and the private sector to work together to identify, deter, detect and respond to cyber incidents, stating that “bold changes and significant investments” are required to protect the country’s computer systems from attack.
Notably, the EO:
- Creates new IT security rules for specific contractors. The EO calls for revisions to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). IT and operational technology contractors may need to retain and share data about cyber threats, incidents, and risks with federal agencies and work with federal agencies to investigate and respond to such incidents. These additional obligations – which are likely to be implemented through FAR and DFARS provisions that have not yet been drafted – come on top of those already in FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, and the requirements, to be implemented shortly, for obtaining a Cybersecurity Maturity Model Certification (CMMC), DFARS Case 2019-D041 (interim rule, effective November 30, 2020 and subject to congressional review).
- Urges federal agencies to update and modernize their cybersecurity standards. The EO instructs federal authorities to implement best security practices, including the move to secure cloud services, the adoption of a “zero trust architecture”, the development of secure data storage solutions, the assessment and classification of the types and sensitivity of data, the introduction of multifactor authentication and data encryption to the greatest extent possible, and the establishment of training programs.
- Defines basic security standards for the federal government’s software supply chain. The EO requires software developers to have greater visibility into their products and to provide federal authorities with a “software bill of materials” (SBOM) for each software product.
- Establishes a National Review Board. The EO sets up a cybersecurity review body that reports to the Secretary of Homeland Security and is charged with reviewing and assessing cyber incidents that affect the information systems of the federal civilian executive branch or non-federal systems.
- Instructs federal agencies to develop an incident response playbook. The EO instructs the Department of Homeland Security to work and coordinate with DOD, OMB, DOJ, and NSA, among others, to create a standardized incident response plan (or playbook) for the government. The playbook will outline the agencies’ plan to incorporate any appropriate NIST standards and respond to incidents.
As this EO indicates, we can expect the Biden administration to continue to focus on cybersecurity and related laws and regulations. Whether you are a government contractor or a provider, this EO should remind all companies to evaluate their information security program and practices, to keep updating and modernizing them, and, at a minimum, to adopt now the security best practices that the EO requires of all federal agencies.