Biden’s Executive Order Strengthens Government’s Cybersecurity Practices

The Legal Intelligencer

On May 12, President Joseph Biden signed the executive order on improving the nation’s cybersecurity (the order) in the wake of cybersecurity incidents affecting SolarWinds Corp., on-premises Microsoft Exchange Servers, Colonial Pipelines and JBS. In the SolarWinds attack, Russian hackers exploited a routine software update to install malicious code, allowing the hackers to infiltrate nine federal agencies and about 100 companies. Microsoft Exchange’s server vulnerabilities are estimated to have affected about 60,000 organizations. The May 6, ransomware attack on Colonial Pipeline shut down the largest oil pipeline in the United States and disrupted supplies of gasoline and fuel to the East Coast. In June, JBS, America’s largest processor of beef, poultry, and pork, paid $11 million ransom in a cyberattack that affected one-fifth of the nation’s meat supply.

The order outlines several initiatives that will be rolled out on an aggressive timetable this year intended to enhance the federal government’s cybersecurity practices, particularly with respect to the software supply chain, and to contractually obligate government contractors to align with such enhanced security practices. The order directly impacts government contractors, including cloud service providers and software developers.

The order:

  • Removes Barriers to Threat Information Sharing between the Government and the Private Sector. The order removes certain contractual barriers that prevent contractors who provide data processing systems—information technology (IT)—and those who “run the vital machinery that ensures our safety”—operational technology (OT)—from sharing information about cyber incidents with government agencies, and requires the covered contractors to promptly notify such agencies of a cyber incident involving their software and support-related products or services. The order requires the Federal Acquisition Regulation (FAR) Council to update the FAR and the Defense Federal Acquisition Regulation Supplement (DFARS) in conformity with this focus. 

Within 45 days of the order—late June—designated agencies will recommend to the FAR Council contract language providing details on what type of information must be reported, and when it must be reported. The government will recommend updates for IT and OT contractors within 60 days of the order—mid-July—and the FAR Council will publish proposed changes within 90 days of receipt of those recommendations—mid-October. A new cyber incident reporting rule on how covered contractors should share cyber incident data with the government is expected to be published by the FAR Council this September. We expect that these proposed changes will look similar to current requirements, such as DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.

The order also requires IT service providers to cooperate with federal agencies to investigate and respond to incidents on federal information systems. Department of Defense (DoD) contractors are already subject to similar cyber reporting and cooperation requirements through the Cybersecurity Maturity Model Certification (CMMC), which is the current cybersecurity certification process requiring varying levels of cyber hygiene consistent with the sensitivity of procurement. The lack of reference to the CMMC in the order may indicate the U.S. government’s intent to replace the CMMC with a new federal-wide set of standards extending to civilian agency contracts.

  • Modernizes and Implements Stronger Cybersecurity Standards in the Federal Government. The order mandates government agencies to move to secure cloud services and a “Zero-Trust Architecture,” which refers to strict access limitations requiring authentication and authorization before access to an enterprise resource is established, regardless of the location of the user or device used for access. Government agencies must develop a Zero-Trust plan by July 11, and the director of the Office of Management and Budget (OMB) is expected to provide guidance by Aug. 10. The Cybersecurity and Infrastructure Security Agency (CISA) is tasked with the development of cloud adoption practices and guidelines within 90 days of the order. 

The order further mandates deployment of multifactor authentication, encryption, and data classification for data at rest and in transit for all Federal Civilian Executive Branch (FCEB) entities within 180 days of the date of the order (Nov. 8). The entire cycle of the federal government’s main security authorization program for cloud services, FedRAMP, will also be modernized under the order. 

  • Improves Software Supply Chain Security. The order requires all software purchased by the federal government to meet, within 180 days of the order (Nov. 8), a series of new baseline security standards. The order seeks to amend the FAR/DFARS to include language requiring government software suppliers to attest to complying with the new security standards, and further establishes a pilot certification program so that the government and general public can quickly determine whether software was developed securely. The order directs the Secretary of Commerce, through the National Institute of Standards and Technology (NIST), to consult with federal agencies, the private sector, academia, and other stakeholders in identifying standards, tools, best practices, and other guidelines to enhance software supply chain security. NIST  hosted a virtual workshop on June 2 and 3 to share and discuss NIST’s plans to develop software-related standards and guidelines called for by the order and define categories of “critical software” that will be subject to additional security standards. NIST is expected to provide a definition of “critical software” by June 26 and publish guidance outlining software security measures by July 11.
  • Establishes Cybersecurity Safety Review Board. The order establishes a Cybersecurity Safety Review Board (CSRB), modeled after the National Transportation Safety Board, which will be comprised of government official and private-sector representatives to review and assess significant cyber incidents and provide cybersecurity recommendations. “Significant cyber incidents” are defined as any event occurring on or conducted through a computer network that jeopardizes the integrity, confidentiality, or availability of virtual networks or information systems to such an extent that is likely to result in demonstratable harm to the United States or its people. The first incident to be reviewed by CSRB is the SolarWinds attack.
  • Creates Standard Playbook for Responding to Cyber Incidents. The order creates a standardized playbook of operating procedures and definitions for cyber incident response by federal departments and agencies that incorporates NIST standards. This will allow agencies to identify and respond to cyber incident threats more efficiently across federal departments and provide the private sector with a template for its response efforts.

Within 60 days of the executive order—mid-July—designated agencies will recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. Within 60 days of receiving these recommendations, the FAR Council will propose updates to the FAR implementing these changes.

  • Improves Detection of Cybersecurity Incidents on Federal Government Networks. The order requires initiatives to identify deployment options for a government-wide endpoint detection and response system, and enable improved information sharing and malicious cyber activity detection within the federal government.
  • Improves Investigative and Remediation Capabilities. The order creates cybersecurity event log requirements, specifically relating to the collection and maintenance of information from network and system logs, for federal departments and agencies. 
  • Adopts National Security Systems. The order requires the DoD to adopt equivalent standards at a minimum for “National Security Systems” not otherwise provided for within the order as a catch-all provision. 

Following the order, on June 2, the deputy assistant to the president and deputy national security advisor for cyber and emerging technology issued a letter addressed to executives and business leaders, recommending best practices for immediate adoption, including: implementing the order’s best practices (e.g., multifactor authentication, endpoint detection, encryption); backing up data and other information with regular testing and offline storage;  promptly updating and patching systems; testing incident response plan(s); using a third-party penetration tester to test the security of systems; and segmenting networks. Also, on June 6, the National Telecommunications and Information Administration (NTIA) issued a request for public comments on NTIA’s approach to developing a software bill of materials to comply with the order. Comments were due June 17. The Department of Justice’s (DOJ) recently established Ransomware and Digital Extortion Task Force further announced it had seized 63.7 Bitcoins, valued at the time of seizure at approximately $2.3 million, allegedly representing proceeds of the Colonial Pipeline ransomware attack.

Some federal agencies are moving ahead of the order’s compliance schedules. For example, the Transportation Security Administration (TSA) released a security directive, effective May 28, ordering private-sector pipeline companies to report actual or potential cybersecurity incidents to CISA within 12 hours of discovery. The report must include details on the potential impact of the incident and, in the case of a ransomware attack, information on the malicious software, domains, and IP addresses being used by attackers. 

Implementation of the order requires cooperation from the private sector and seeks to establish a partnership between the federal government and the private sector and incentivizes private-sector contractors to comply with regulations. Contractors who can demonstrate compliance with the order and other cybersecurity initiatives will be more competitive than their noncompliant counterparts. With the Biden administration’s push toward strengthening data privacy and cybersecurity, the private sector and government contractors should closely monitor new guidelines and federal laws, and ensure compliance with existing cybersecurity requirements, such as applicable NIST standards. For a more detailed timeline on the initiatives to be taken under the order, please see our previous article, A Gov’t Contractor’s Road Map To Biden Cybersecurity Order (Law360, June 11, 2021). 

“Biden’s Executive Order Strengthens Government’s Cybersecurity Practices,” by Sharon R. Klein, Jennifer J. Daniels, Alex C. Nisenbaum, and Karen H. Shin* was published in the Cybersecurity special supplement of The Legal Intelligencer on July 12, 2021.

Reprinted with permission from the July 12, 2021, edition of The Legal Intelligencer © 2021 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited.

*The authors would like to thank Justin A. Chiarodo, partner and chair of Blank Rome’s government contracts practice group, and his government contracts team for their assistance in the writing of this article.