On 12 May 2021, President Biden issued an Executive Order (EO) on Improving the Nation’s Cybersecurity aimed at strengthening U.S. federal cyber protections. The EO, which has undergone development for months, lands amid mounting public concern due to a wave of recent high-profile cyberattacks. These include:
- Last week’s ransomware attack on the Colonial Pipeline;
- Microsoft Exchange server intrusion uncovered in March; and
- SolarWinds hack that compromised nine federal agencies late last year.
Indeed, the EO follows multiple lawmaker calls for tighter federal rules and guidance to secure ICT supply chains and critical infrastructure. Just last week, both the House and Senate held hearings on the state of federal cybersecurity and increasing digital attacks.
Part of a promised “whole of government response” by the Biden Administration, the EO requests an overhaul of the federal government’s approach to cybersecurity, in addition to a re-evaluation of agency software acquisitions and existing measures to block cyber threats. Importantly, it targets federal networks, rather than critical infrastructure operated by private entities––such as the Colonial Pipeline. As such, there will most certainly be additional federal and congressional activity to close domestic infrastructure vulnerabilities. Key provisions of the EO, which outline preventive actions for both the federal government and private sector, include:
- Accelerating federal agency efforts to secure cloud services, including updating existing plans to prioritize resources for adoption and use of cloud technology;
- Requiring agencies to deploy multi-factor authentication and encryption, as well as endpoint detection and response software;
- Logging requirements for agencies to retain cyber event and other relevant data on their networks to improve federal investigations and remediation; and
- New cyber threat incident reporting requirements for ICT service providers who have contracts with the federal government;
The EO also authorizes a line-up of new interagency initiatives to remove barriers to sharing threat information, modernize federal cybersecurity standards, improve software supply chain security, and create a standard federal playbook for responding to cyber threats:
- The Office of Management and Budget (OBM), Cybersecurity and Infrastructure Security Agency (CISA), and government-wide Federal Risk and Authorization Management Program (FedRAMP) will develop a federal cloud-security strategy to provide guidance, including new policies for restricting agency usage of old, unsupported software;
- CISA and FedRAMP will also develop principles based on Zero Trust Architecture to govern cloud service provider users in agency modernization efforts;
- OMB, the Pentagon, the Departments of Justice and Homeland Security, and the Office of the Director of National Intelligence (ODNI) will review and update the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) and implement new standardized cybersecurity contractual requirements;
- OMB and the General Services Administration (GSA) will modernize FedRAMP to ensure agencies are able to manage FedRAMP requests, improve communication with cloud service providers, and incorporate review automation, among others;
- The National Institute of Standards and Technology (NIST) will develop guidance and standards to enhance software supply chain security regarding secure development environments, software bill of materials (SBOM), and participation in vulnerability disclosure programs, among others;
- NIST will work with the National Security Agency (NSA) to develop minimum-standard guidelines for vendor testing of software source code;
- With the Federal Trade Commission (FTC), NIST will also determine the need for a consumer software labeling program or tiered software security rating system;
- Secretary of Homeland Security Alejandro Mayorkas will lead a new Cyber Safety Review Board––comprising federal officials and representatives from private-sector cybersecurity or software entities––to review and assess significant cyber incidents, threat activity, vulnerabilities, mitigation efforts, and agency responses;
- Finally, Secretary Mayorkas will lead an interagency task force to develop a standard set of operational procedures to be used in planning and conducting a cybersecurity vulnerability and incident response.
The EO represents the most significant attempt yet by the Biden Administration to close large cybersecurity gaps that have been exploited in the last year. The order includes both new requirements for agencies and higher standards for vendors. Importantly, it sets the stage for requiring federal contracts to report data breaches and meet new software security requirements. The directive also emphasizes the need for public-private cooperation in developing new cybersecurity standards and processes, as well as mitigating and resolving future attacks.
What Companies Should Do
Cybersecurity companies, companies in designated critical infrastructure sectors, and federal ICT contractors should:
- Engage with the federal entities identified in the EO to provide feedback on draft processes and procedures;
- Monitor open and ongoing policy processes to update federal procurement and vendor security rules to ensure that private-sector involvement––critical for rapid threat identification, response, and mitigation––is optimized;
- Educate policymakers in Congress and the Executive branch about what your company is doing to respond to evolving cybersecurity threat actors and government guidance; and
- Seek business development opportunities with the US government to reduce cybersecurity vulnerabilities.