Strengthening the nation’s cybersecurity has been a top priority for the Biden administration, as reflected in its collaboration with industry, regulatory actions, and the legislation it has supported in Congress, including the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Executive action has been a key tool in the Biden administration’s cyber policymaking toolkit. Today marks the one-year anniversary of President Biden’s ambitious and wide-ranging Executive Order on Improving the Nation’s Cybersecurity (“Cyber EO”) (which we discussed in a May 17, 2021, Legal Update).
The Biden administration has undertaken numerous initiatives under the Cyber EO, many of which have important implications for private sector entities with respect to their contracts with the government, incident reporting and response, software security, and more. Below, we provide a high-level summary of key actions taken pursuant to the Cyber EO in the past year, as well as key actions directed by the Cyber EO that remain forthcoming. While the details of these various initiatives merit close attention by potentially affected companies, we hope that this summary provides a useful reference as companies continue to track cyber policy developments that may affect their businesses.
Enhancing Cyber Information Sharing (Sec. 2)
Section 2 of the Cyber EO focused on increasing information sharing from the private sector to the federal government through updates to federal contracting language. This includes updates to Federal Acquisition Regulation (“FAR”) and Defense Federal Acquisition Regulation Supplement (“DFARS”) contract requirements and language for contracting with Information Technology and Operational Technology service providers, cyber incident reporting, and a review of existing agency cybersecurity requirements. While the FAR Council has added to its agenda two separate rules relating to the proposal stage of these contractual provisions of the Cyber EO (as well as certain provisions from Section 8), these rules are behind schedule and are still being drafted by Defense Acquisition Regulations staff as of May 6, 2022.1 Notably, these rules would add to the reporting and disclosure requirements contemplated by, respectively, the recently passed Cyber Incident Reporting for Critical Infrastructure Act (discussed in our March 16, 2022, Legal Update) and the proposed rule issued by the Securities and Exchange Commission regarding disclosure of material cyber incidents (discussed in our March 14, 2022, Legal Update).
Enhancing Software Supply Chain Security (Sec. 4)
Section 4 of the Cyber EO directed a number of federal government actions related to enhancing the security of software purchased by federal agencies, including actions related to critical software and minimum security guidelines and requirements, source code testing and verification, and cybersecurity labeling for consumers. Although currently applicable only to federal agencies, these developments have been paired with external outreach by the National Institute of Standards and Technology (“NIST”) and are likely to serve as guides for cybersecurity best practices. Actions taken pursuant to Section 4 include the following, many of which have been updated since their initial release:
- In July 2021, NIST issued guidance defining “EO-critical software” and outlining “fundamental security measures for EO-critical software use.”2
- In July 2021, the Department of Commerce published a white paper, “Minimum Elements For a Software Bill of Materials (SBOM),” outlining and describing the contents of an SBOM as well as other future options, as directed by Section 4(e) of the Cyber EO.3
- In August 2021, the Office of Management and Budget (“OMB”) issued a memorandum to the heads of executive departments and agencies, “Protecting Critical Software Through Enhanced Security Measures,” detailing measures for agencies to take in securing critical software.4
- In October 2021, NIST issued an updated white paper addressing Section 4(g) and defining “critical software,” clarifying how the term “critical software” is used in different contexts, and providing a preliminary list of covered software categories (with a final list of categories pursuant to Section 4(h) to be issued by the Cybersecurity and Infrastructure Security Agency (“CISA”)). This white paper defined “EO-critical software” as “any software that has, or has direct software dependencies upon, one or more components with at least one of these attributes:
  - is designed to run with elevated privilege or manage privileges;
  - has direct or privileged access to networking or computing resources;
  - is designed to control access to data or operational technology;
  - performs a function critical to trust; or,
  - operates outside of normal trust boundaries with privileged access.”5
- In October 2021, NIST issued “Guidelines on Minimum Standards for Developer Verification of Software,” pursuant to Section 4(e) of the Cyber EO, recommending minimum source code testing for federal government software vendors.6
- In February 2022, NIST issued multiple documents associated with requirements articulated in the Cyber EO. These included:
  - An updated “Secure Software Development Framework (SSDF) Version 1.1,” detailing secure software development best practices, in line with Section 4 of the Cyber EO.7
  - An updated Supply Chain Security Guidance pursuant to Section 4(e) of the Cyber EO, which includes recommendations for federal agencies for software procurement and for open-source software and agency-developed software.8
  - “Recommended Criteria for Cybersecurity Labeling of Consumer Software,” which recommends criteria for a consumer software labeling pilot program, as envisioned by Section 4(s) of the Cyber EO.9
  - “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products,” which provides recommendations for IoT labeling criteria, as directed by Section 4(u) of the Cyber EO.10
    - Notably, there has already been legislative action in California building on this product-labeling work: Assembly Bill 2392, which allows IoT devices that conform to NIST’s consumer cybersecurity labeling guidance for IoT devices (as demonstrated by bearing a label from a NIST-conforming labeling scheme) to be considered to meet existing California law relating to device security requirements.11
- In March 2022, OMB issued the “Implementation of Software Supply Chain Security Guidance under Executive Order (EO) 14028 Section 4(k),” directing federal agencies to begin incorporating NIST’s Software Supply Chain Security Guidance into software maintenance and acquisition.12 OMB also issued a statement directing federal agencies to begin adopting NIST’s Secure Software Development framework and related Software Supply Chain Security Guidance.13
- In May 2022, NIST issued an updated “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations,” setting forth guidance on how to identify, assess, and mitigate cybersecurity risks in an organization’s supply chain.14
A number of the Cyber EO’s directives under Section 4 remain outstanding. These include amendments to the FAR, as contemplated by Section 4(o) of the Cyber EO, relating to certain software requirements as contemplated by Section 4(g)-(k) of the Cyber EO. Additionally, NIST remains in consultation on pilot programs for IoT labeling but is expected to issue a report later today.15 It is also highly likely that the already-issued guidance will continue to be updated.
Cyber Safety Review Board (Sec. 5)
Section 5 of the Cyber EO directed the establishment of a Cyber Safety Review Board (the “Board”) to review “threat activity, vulnerabilities, mitigation activities, and agency responses” after “significant cyber incidents.” The Board was established by the Department of Homeland Security on February 3, 2022, and is composed of federal government and private sector leaders.16 The Board’s first task, anticipated this summer, will focus on the widespread Log4j vulnerabilities. It will include conducting a review and assessment of Log4j vulnerabilities, issuing recommendations for addressing ongoing vulnerabilities and threat activity, and providing recommendations for the improvement of cybersecurity and incident response practices.
Federal Government Cybersecurity (Secs. 3, 6-9)
Sections 3, 6, 7, 8, and 9 of the Cyber EO directed a series of actions intended to improve the cybersecurity posture of the federal government. While not immediately relevant to businesses, the actions taken under these sections may serve as helpful guides for cybersecurity best practices and potential future cybersecurity-related actions that may be undertaken by the federal government. Key, publicly available actions include:
- In June 2021, CISA released a pre-decisional “Zero Trust Maturity Model,” pursuant to Section 3(b)(ii) of the Cyber EO, to serve as a roadmap for the federal government’s transition to a zero-trust architecture.17
- On August 27, 2021, OMB issued a memorandum to the heads of executive departments and agencies on “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents,” addressing logging, log retention, and log management requirements set forth in Section 8 of the Cyber EO and establishing agency cyber incident information sharing requirements.18
- In November 2021, CISA issued “Cybersecurity Incident & Vulnerability Response Playbooks” pursuant to Section 6(a) of the Cyber EO and targeted at developing standard procedures for civilian federal agencies.19
- On January 26, 2022, OMB issued a memorandum, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles,” that outlined measures to move the federal government to a zero-trust architecture framework.20
- On January 19, 2022, President Biden issued National Security Memorandum-8, “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems,” addressing the Cyber EO’s Section 9 directives related to National Security Systems, independent of civilian systems.
- On March 7, 2022, CISA issued a white paper titled “Applying Zero Trust Principles to Enterprise Mobility,” providing guidance for government agencies to apply zero-trust principles to enterprise security on mobile devices, pursuant to Section 3 of the Cyber EO.21