Issue in Brief: President Biden signed an executive order aimed at improving federal cybersecurity, with the order coming on the heels of multiple major and damaging cyber attacks.

Key Takeaway: The goal of the executive order is to modernize cybersecurity defenses by protecting federal networks and improving information-sharing between the government and private entities on cyber matters.

On the Horizon: As a result of the executive order, federal contractors should expect heightened federal oversight and new standards related to cybersecurity, while the private sector should expect that these standards and practices will set a new baseline for cybersecurity defense and response.

On May 12, 2021, President Biden signed the "Executive Order on Improving the Nation's Cybersecurity" ("EO"). The EO was developed in response to the SolarWinds incident and comes in the immediate wake of the recent ransomware attack that caused a vital U.S. pipeline to shut down, leading to significant fuel shortages.

A Step in the Right Direction:

The EO is the "first of many ambitious steps" to "make a significant contribution toward modernizing cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States' ability to respond to incidents when they occur." While the EO's practices generally apply to federal government agencies, networks, and contractors, the administration expects "private sector companies to follow the Federal government's lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents to Companies will need to be more cooperative and transparent with the federal government on cybersecurity to comply with new guidelines."

New Requirements:

The EO includes the following key initiatives:

  • Requires information technology (IT) service providers that do business with the government to share breach information that could impact government networks.
  • Accelerates movement of the federal government to secure cloud services and mandates deployment of multifactor authentication and encryption.
  • Establishes baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.
  • Creates a pilot program to create a federally sponsored labeling program, similar to "energy star," so that the government and public at large can easily see whether software was developed securely.
  • Establishes a Cybersecurity Safety Review Board, co-chaired by government and private sector leads. The Board, modeled after the National Transportation Safety Board, may convene after significant cyber incidents to analyze causes and make specific recommendations.
  • Creates a standard playbook and set of definitions for cyber incident response by federal departments and agencies to ensure that all federal agencies are prepared to take uniform steps to identify and mitigate threats and provide the private sector with a template for its response efforts.
  • Enables a government-wide endpoint detection and response system ("EDR") and improved information sharing within the federal government.
  • Creates cybersecurity event log requirements for federal departments and agencies.

Within four months of the EO, the government will publish standardized contract language for cybersecurity requirements across government agencies. Separately, the Commerce Department has six months to publish preliminary guidelines for software security in the federal supply chain, and one year to publish final guidelines. Unlike past administrations' efforts to address cybersecurity in this area, the E.O. requires significant cooperation from the private sector and more transparency between the federal government and private companies.

How the Private Sector Should Respond:

In the coming months, both federal contractors and other private sector companies should consider taking the following steps in response to the EO:

  • Evaluate current cybersecurity practices for opportunities for improvement. The first step to understanding how to comply with any new guidelines or best practices is to do a baseline assessment of current practices and understand where any weaknesses are.
  • Comment on proposed software security guidelines once available.  If given the opportunity to comment on new guidelines, it is critical to provide feedback on any concerns regarding real-world implementation.
  • Create systems to implement any new guidelines.  Once new guidelines or best practices are released, it is important to create internal systems to track whether and how any new requirements or best practices will be implemented.
  • Keep channels of communication open with federal agencies regarding cybersecurity.  An overarching theme of the EO is increased communication and transparency between the federal government and the private sector regarding cybersecurity practices and incidents in the procurement chain and more broadly. If an incident should occur, it will be easier to facilitate an effective incident response if channels of communication with relevant agencies are already open.

The EO is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.