President Biden issued the Executive Order on Improving the Nation’s Cybersecurity (“Cyber EO”) on May 12, 2021. The Cyber EO is ambitious in scope and sets aggressive timelines for its implementation. It seeks to both strengthen the cybersecurity of the federal government and push the private sector to further strengthen its approach to cybersecurity. Indeed, the Cyber EO appears designed to have broad impact on the private sector, not just on companies that do business with the government. As a result, companies across the economy will be well-served to understand the Cyber EO and its potential implications for their businesses going forward. In addition, the policies emphasized in the Cyber EO may serve as a roadmap for Congressional cybersecurity legislation that could apply to most, if not all, of the private sector.
The Cyber EO addresses four general topics across eight operative sections: (a) increasing information sharing from the private sector to the federal government (Section 2); (b) enhancing the security of software purchased by federal agencies (Section 4); (c) establishing a Cyber Safety Review Board (Section 5); and (d) improving the cybersecurity posture of the federal government (Section 3 and Sections 6-9). The Cyber EO generally does not address the security of consumer products, with one exception: security labeling programs for Internet of Things (“IoT”) devices and consumer software.
The Cyber EO leverages the government’s procurement power to accomplish many of its goals. Because an executive order binds the executive branch rather than private parties, the Cyber EO does not directly dictate changes in private sector behavior for businesses that are not contractors or suppliers to federal agencies. However, the Cyber EO appears crafted with the goal of substantially changing private sector behavior. In a press release accompanying the Cyber EO, for example, the White House calls on companies to “follow the federal government’s lead and take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”1 The Cyber EO also addresses the “development of commercial software” used by the federal government, asserting that it “often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.” Companies should expect the Administration to bring this view that the private sector should do more to secure systems and software both to its implementation of the Cyber EO and to its cybersecurity policies more broadly.
Companies that provide information technology (“IT”) or operational technology (“OT”) software or cloud services to the government are likely to experience the most immediate impact of the Cyber EO, particularly as new requirements are implemented by contract. However, all sectors of the economy likely will be affected by the Cyber EO. New guidance on software supply chain security is likely to be relevant to any company that develops software, even for its internal use, and the Cyber Safety Review Board may play a significant role in drawing post-incident lessons learned that will guide public and private sector activities going forward. Moreover, the Cyber EO’s focus on both IT and OT means that the ripple effects of the Cyber EO across the economy are likely to reach manufacturers and operators of industrial systems, not just enterprise systems.
Increasing Information Sharing from the Private Sector to the Federal Government
The Cyber EO seeks to advance the longstanding prioritization of cybersecurity information sharing, building on the Cybersecurity Information Sharing Act of 2015. The Cyber EO draws on the federal government’s procurement power with the goal of expanding information sharing from the private sector to the federal government.
The Cyber EO states that information sharing has been limited by existing contractual language that restricts the manner in which, and the extent to which, private vendors of IT and OT systems can share information on threats or incidents with federal agencies, including the Federal Bureau of Investigation (“FBI”) and the Cybersecurity and Infrastructure Security Agency (“CISA”). To address this issue, the Cyber EO tasks the Director of the Office of Management and Budget (“OMB”), in consultation with the leadership of other agencies, with recommending changes to ensure that the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement require IT and OT service providers to collect, preserve, and share information with federal agencies, and with specifying which contractors would be covered by these requirements. Specifically, covered contractors and suppliers will be required to: (i) collect and preserve data relevant to cybersecurity events, including “event prevention” information; (ii) share such data directly with the federal agencies with which they have contracted, and with any other agency designated by OMB, when the data relates to a cyber incident or potential incident; (iii) collaborate with federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents; and (iv) share cyber threat and incident information with federal agencies. The FAR Council has responsibility for reviewing the proposed contract language and conditions and publishing proposed updates to the FAR for public comment.
The Department of Homeland Security (“DHS”) and OMB are tasked with ensuring that service providers “to the greatest extent possible” share all data necessary for federal agencies to “respond to cyber threats, incidents, and risks.” For information and communications technology (“ICT”) service providers contracting with federal agencies, the information sharing section of the Cyber EO also directs the development of reporting procedures by the Director of the National Security Agency (“NSA”), the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence. These reporting procedures, which will be developed within 90 days of the Cyber EO, must ensure ICT providers “promptly” report incidents involving a software product or service provided to federal agencies, with a maximum three-day deadline for the “most severe” incidents. As above, the FAR Council has responsibility for issuing any updates to the FAR for public comment. (Likewise, while straying somewhat from information sharing, this section of the Cyber EO directs agencies to undertake work to standardize common cybersecurity contractual requirements more generally, which will lead to the FAR Council publishing proposed updates to the FAR for public comment.)
The Cyber EO’s information sharing requirements apply to federal contractors and suppliers. However, other companies will likely benefit from evaluating whether these changes will raise the expectations they face for sharing cyber incident information with federal agencies. In particular, businesses may benefit from tracking guidance and expectations regarding what information to share and when: forthcoming guidance may help companies decide how to manage information sharing, which can be time-consuming at the very moment that resources are stretched by the response to a cyber incident. Notably, while mentioning privacy considerations (which have typically featured very prominently in debates over information sharing), the Cyber EO clearly expects that increased sharing can occur while adhering to privacy laws, regulations, and policies.
Enhancing the Security of Software Purchased by Federal Agencies
The Cyber EO aims to “use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.”2 To achieve this goal, the Cyber EO sets out several new initiatives that will establish secure development guidelines for software sold to the federal government, prioritize “critical software,” and create pilot consumer labeling programs for IoT devices and secure software development practices. In practice, these initiatives—and the rapid and significant changes they contemplate—likely will serve as important benchmarks for software developers and their customers outside the federal government.
With regard to establishing security standards for software development, the Cyber EO directs the Director of the National Institute of Standards and Technology (“NIST”), in conjunction with appropriate federal agencies, to solicit input, including from the private sector and academia, and then to issue preliminary guidelines followed by final guidance on practices to enhance software supply chain security. That guidance must include standards, procedures, or criteria regarding: secure software development environments; demonstrating conformance with those environments; employing automated tools to maintain trusted source code supply chains and to check for and remediate known and potential vulnerabilities; providing, upon request, artifacts of the execution of the tools and processes described above; maintaining accurate and up-to-date data and controls on internal and third-party software components, tools, and services present in software development processes; providing a Software Bill of Materials (“SBOM”) for each product (separately, the Cyber EO directs the Secretary of Commerce to publish the “minimum elements of an SBOM”); participating in a vulnerability disclosure program; attesting to conformity with secure software development practices; and ensuring and attesting, as practicable, to the integrity and provenance of open source software used within any portion of a product. The Director of OMB is directed to take appropriate steps to require agencies to comply with this guidance with respect to software they procure.
The Cyber EO prioritizes the security of “critical software”—which the Cyber EO describes as “software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources).” Within 45 days of the Cyber EO, the Director of NIST, in consultation with designated agency heads, must publish a definition of the term “critical software.” Subsequently, within 30 days of publication of that definition, the Director of CISA, in consultation with the Director of NIST, is tasked with identifying and making available to federal agencies a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software. In addition, within 60 days of the Cyber EO, the Director of NIST will publish “guidance outlining security measures for critical software.” The Director of OMB is tasked with taking “appropriate steps to require that agencies comply with such guidance” within 30 days of its issuance.
The Cyber EO provides for the imposition of the requirements described above by contract. The Secretary of DHS has primary responsibility for recommending appropriate changes, within one year of the Cyber EO, and the FAR Council has responsibility for making appropriate changes to the FAR. Such final rule amending the FAR will be the basis for removal of non-conforming software products from contract categories enumerated in the Cyber EO. (Beyond these contractual requirements, the Director of OMB has responsibility for implementing provisions relating to legacy software under the Cyber EO and the Director of NIST is responsible for issuing guidelines recommending minimum standards for vendors’ testing of their software source code.)
Section 4 of the Cyber EO also sets out a consumer labeling program focused on “ease of use for consumers” and intended to “maximize participation by manufacturers.” The Director of NIST, acting in coordination with appropriate federal agencies, will create pilot consumer-labeling programs for IoT devices and secure software development. Criteria or practices for these pilot programs will be developed in conjunction with the Federal Trade Commission (“FTC”) and appropriate federal agencies. The White House described this initiative as similar to the “energy star” label, with the intent to inform both the federal government and the public on whether the software was developed in compliance with security requirements. Notably, proposals for such labeling programs have been considered in the past but were not included in the IoT cybersecurity legislation passed into law last year (“Internet of Things Cybersecurity Improvement Act of 2020”).3 Advocates for such labeling programs have argued that they will provide simple, readily understandable tools to inform consumer decision-making. Concerns have been raised, however, that labeling programs do not translate readily to the cybersecurity context, in part because of the lack of objective measures of a device or software’s cybersecurity and concerns that the programs could encourage a checklist-based approach to cybersecurity that distracts from appropriate risk-based approaches. Relevant companies accordingly will likely benefit from monitoring and engaging with the federal government’s forthcoming work in this field.
Establishing a Cyber Safety Review Board
The Cyber EO establishes a Cyber Safety Review Board to review “threat activity, vulnerabilities, mitigation activities, and agency responses” after “significant cyber incidents,” a term the Cyber EO takes from Presidential Policy Directive 41 of July 26, 2016. Within 90 days of its establishment, the board will also “provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices.” The Cyber Safety Review Board will include members from multiple federal government agencies as well as from the private sector, and the Secretary of Homeland Security will designate a Chair and Deputy Chair from among the members, one federal and one from the private sector. It appears to be generally modeled after the National Transportation Safety Board (“NTSB”), which investigates and evaluates lessons learned after major transportation accidents. However, the Cyber Safety Review Board is not established as an independent agency in the manner of the NTSB (which would require action by Congress). Still, the Cyber Safety Review Board appears likely to be an important source of lessons learned, and of recommended technical, administrative, and policy changes, after major cyber incidents in the future. Thus, the Cyber Safety Review Board’s future findings and recommendations are likely to influence companies across the economy.
Improving the Security Posture of the Federal Government
Five sections of the Cyber EO focus on improving the security posture of the federal government: Section 3, Modernizing Federal Government Cybersecurity; Section 6, Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents; Section 7, Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks; Section 8, Improving the Federal Government’s Investigative and Remediation Capabilities; and Section 9, National Security Systems. While these sections are less directly relevant to the private sector, they still may have significant implications for federal contractors or suppliers, as well as provide guideposts for future cybersecurity policy or best practices.
Modernizing Federal Government Cybersecurity
The Cyber EO sets forth several measures for federal agencies to adopt to enhance the cybersecurity resilience of the federal government. The measures include adopting security best practices, advancing toward “Zero Trust Architecture,” accelerating movement to cloud services, centralizing and streamlining access to cybersecurity data, and investing in technology and personnel to match modernization goals. With regard to cybersecurity best practices, for example, there is a 180-day deadline for all Federal Civilian Executive Branch (“FCEB”) agencies to adopt multi-factor authentication and data encryption practices (for data at rest and in transit), and they will owe progress reports to CISA throughout this process.
Cloud security is a notable focus of this section, and the federal government’s approach could inform broadly applicable best practices in this field. The Cyber EO tasks CISA with ensuring that its current cybersecurity programs, services, and capabilities are fully functional with cloud-computing environments with Zero Trust Architecture. In addition, the Cyber EO directs various federal agencies to develop strategies and governance frameworks related to the use of cloud services.
Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
With regard to the federal government’s incident response preparedness, the Cyber EO seeks to address a lack of uniformity among federal government agency incident response playbooks by directing the Director of CISA, in consultation with other federal agencies, to develop “a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity.” The playbook will incorporate NIST standards, and federal agencies will only be allowed to use an alternative playbook if the agency demonstrates that it meets or exceeds the standards of the uniform playbook. For the federal government, the uniform playbook is intended to help coordinate incident response. For the private sector, the standardized playbook will be a potentially valuable reference point as companies evaluate their own incident response policies and procedures.
Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Organizations often face challenges in detecting and remediating incidents because of limited logging and the lack of real-time endpoint visibility that Endpoint Detection and Response (“EDR”) tools provide. To address these challenges, the Cyber EO requires federal agencies to deploy an EDR tool to support proactive detection of cyber incidents within federal government infrastructure, active cyber threat-hunting, containment and remediation, and incident response. The Cyber EO also requires federal agencies to establish or update their Memoranda of Agreement with CISA to ensure that CISA has access to relevant agency data through the Continuous Diagnostics and Mitigation Program.
Improving the Federal Government’s Investigative and Remediation Capabilities
The Cyber EO directs the Secretary of DHS to provide recommendations to the Director of OMB on logging requirements. The Director of OMB, in consultation with the Secretary of Commerce and the Secretary of DHS, will then formulate logging, log retention, and log management policies for federal agencies and work with federal agencies on resourcing and implementation.
National Security Systems
Many provisions of the Cyber EO focus on systems operated by FCEB agencies rather than on National Security Systems. To close any resulting gap, the Secretary of Defense, in coordination with the Director of National Intelligence and the Committee on National Security Systems (“CNSS”), is directed to adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in the Cyber EO that are otherwise not applicable to National Security Systems.