On May 12, 2021, the US president issued an “Executive Order on Improving the Nation’s Cybersecurity.” The EO follows on the heels of the Colonial Pipeline ransomware attack, along with the Codecov and SolarWinds supply-chain attacks. While the EO focuses primarily on internal-government actions, the presidential order expresses hope that private sector companies will follow the US government’s lead and take “ambitious measures to augment and align cybersecurity investments” to reduce the number, frequency and intensity of future cybersecurity incidents.
The EO imposes well over 40 reporting or action requirements on various US government agencies with immediate effect. It seeks to achieve several goals, such as:
- eliminating barriers (real or perceived) to information sharing between the federal government and the private sector
- modernizing applicable cybersecurity standards to the federal government and implementing those standards
- improving software supply chain security
- establishing a cybersecurity safety review, co-chaired by both the federal government and private sector
- improving cyber event detection capabilities on federal government networks
- improving the federal government’s investigation and remediation of cyber events
Sec. 2 focuses on information sharing. The EO imposes (after federal agency review) specific contract requirements on information technology and operational technology providers to the government. Sec. 2’s goal is to remove barriers (real or perceived) to information sharing that arise from the current contracting process. Further, Sec. 2 seeks to increase (i) the federal government’s collaboration with the private sector and (ii) the sharing of intelligence across federal agencies. Sec. 2(b) mandates that, within 60 days of the EO, the US Office of Management and Budget (in consultation with other agencies) report on proposed revisions to contract provisions. Any such revisions will require federal government service providers to collect and preserve information related to cybersecurity events, share such information with relevant agencies and collaborate in cyber-event investigations.
Further, Sec. 2 focuses on responding to and mandatory reporting of cyber incidents. Sec. 2(e) requires the US Department of Homeland Security and OMB, within 120 days of the EO’s date, to “take appropriate steps to ensure to the greatest extent possible that service providers share data with agencies, [Cybersecurity and Infrastructure Security Agency (“CISA”)], and the FBI as may be necessary for the Federal Government to respond to cyber threats, incidents, and risks.” Within 45 days of the date of the EO, DHS, in consultation with NSA, the attorney general and OMB, must recommend FAR contract language addressing various topics, including the nature of cyber incidents experienced by information and communications technology service providers, the types of information to be reported, protections of privacy and civil liberties, time periods for reporting, and entities to be covered by the proposed contract language. In addition to the above requirements, the federal government must propose procedures for sharing cyber incident reports among agencies and recommend standardized contract language for specifying cybersecurity requirements.
Sec. 2 will likely have some of the most direct effects on private sector entities by imposing new contractual obligations that did not exist in the past. In particular, the cyber incident reporting requirements will likely cause a ripple effect through multiple levels of the supply chain.
Sec. 3 focuses on cybersecurity modernization. To accomplish this goal, federal agency leaders must, within 60 days of the EO, develop a zero trust architecture plan, update existing plans for prioritizing and implementing cloud technology and report on such plans.
Sec. 3 mandates the development of a federal cloud-security strategy and associated guidance for agencies. In conjunction with the cloud-security strategy, each agency will analyze its unclassified data to determine what is sensitive and to specify appropriate processing requirements.
In perhaps one of the most impactful near-term requirements, Sec. 3(d) mandates, within 180 days of the EO, the adoption of multifactor authentication and encryption of both data-at-rest and data-in-motion “to the maximum extent consistent with…applicable laws.” If an agency cannot meet such requirements, it must provide a written rationale explaining why it cannot do so. Additional requirements on the government in this section include (i) mandated collaboration on cybersecurity and incident response and (ii) modernization of FedRAMP through training, improved communications, automation, digitizing documentation and identifying compliance frameworks.
Supply chain security
Sec. 4 focuses on software supply chain security. First, there is a requirement in Sec. 4(g) to “publish a definition for the term ‘critical software’” that builds on the short description of critical software in the EO as software that performs functions critical to trust. In addition, the EO outlines a two-phase process for publishing guidelines to enhance software supply chain security. One, under Sec. 4(c) the director of NIST must, within 180 days of the EO, publish preliminary guidelines on supply chain security. Two, within 360 days of the EO, Sec. 4(d) requires the director of NIST to publish additional guidelines for updating and reviewing the preliminary guidelines.
Within 90 days of the publication of the preliminary guidelines, additional guidance to agencies will be required from the Secretary of Commerce and NIST under Sec. 4(e) that would cover a variety of topics, including separate build environments for production and any other software, auditing of relationships with trusted entities, implementation of multifactor authentication, encryption of data, monitoring of alerts, responding to incidents, use of automated tools for vulnerability scanning, providing a software bill-of-materials, and participating in vulnerability disclosure programs.
Additionally, the EO requires the federal government to produce a list of categories of software that meet the definition of critical software and guidance regarding security measures for critical software (specifically including application of least privilege, network segmentation and proper configuration).
Importantly for suppliers of software to the federal government, Sec. 4(n) establishes a one-year window within which DHS, the Secretary of Defense, the attorney general and OMB must recommend contract language that requires software suppliers to comply with the software supply chain security requirements and attest to such compliance. Federal agencies would be required, after final rule issuance, to remove noncompliant software from any indefinite delivery indefinite quantity contracts, federal supply schedules, federal government-wide acquisition contracts, blanket purchase agreements and multiple award contracts. Legacy software will be required to comply as well. In addition, testing of vendor source code will be subject to minimum standards to be described under guidelines that Sec. 4(r) requires Commerce, NIST and other agencies to publish within 60 days of the EO.
The provisions of Sec. 4(s) through Sec. 4(w) describe certain aspects of consumer labeling of IoT devices and software development practices. These include labeling requirements, incentives to manufacturers and developers to engage in such programs, and conduct of pilot programs for such consumer labeling. A report after one year will be required from participating agencies.
Cyber Safety Review Board
Sec. 5 focuses on creating a Cyber Safety Review Board by DHS that will assess “significant cyber incidents” as defined by PPD 41 that affect either federal or non-federal systems. This will include evaluating threat activity, vulnerabilities, mitigation and response by affected agencies. The board will operate similarly to an incident response team, convening after any significant cyber incident, when directed by the president, or at any time deemed necessary by DHS’ director.
The board will be composed of both federal officials and representatives from private sector entities, including members from DoD, DoJ, CISA, NSA and FBI, along with representatives from cybersecurity or software suppliers. Various other subsections under Sec. 5 cover designation of the chair and deputy chair of the board, protection of information shared with the board, provision of advice to the EOP, recommendations of parameters under which the board will operate and a variety of other considerations.
Playbook for vulnerability and incident response
Sec. 6 focuses on standardizing the federal government’s incident response (IR) procedures. Sec. 6(b) requires CISA, in consultation with a number of other governmental entities, to develop a standard set of procedures for IR activity across federal civilian systems. The procedures will be based on NIST standards.
Vulnerability and incident detection
Sec. 7 focuses on vulnerability and incident detection. To address this issue, the EO proposes an Endpoint Detection and Response initiative. Sec. 7(b) describes EDR activities to support detection of cyber incidents within federal government networks, “active cyber hunting,” containment of incidents followed by appropriate remediation, and incident response. Other parts of Sec. 7 require information sharing with CISA related to threats and vulnerabilities within federal civilian systems, improvement of detection of cyber incidents through various potential operating models and a report to be generated describing how authorities for sanctioning threat hunting activities without prior authorization are being implemented. In addition, Sec. 7(j) seeks to align DoD Information Network directives and directives applicable to the Federal Civilian Executive Branch Information Systems by mandating procedures for sharing information between the two.
National Security Systems
For National Security Systems that are outside the FCEB systems, Sec. 9 requires adoption of requirements, equivalent to or exceeding those in the EO, on those National Security Systems. Exceptions would be made for mission needs, but the goal would be to improve National Security Systems as well.
The EO wraps up in Sec. 10 with a number of important definitions, including for a software bill-of-materials and zero trust architecture, and in Sec. 11 with a set of general provisions.
Stakeholders have long sought a comprehensive set of federal cybersecurity requirements. Various cyberattacks, data breaches and general network disruptions have created an environment where a significant number of stakeholders agree that change is needed across a number of different policy, process and technology areas. The EO addresses many of those areas with a focus primarily on government systems because of jurisdictional limitations. However, for private entities in the federal government’s supply chain, due to the federal agencies’ obligation to flow down contractual requirements, the impact on such entities could be significant.