Biden Cybersecurity Executive Order Raises the Bar on Contractor Data Safeguarding, Incident Reporting & Software Securing Requirements
Days after the Colonial Pipeline ransomware attack and just a few months after discovery of the SolarWinds cyber-attack, the Biden Administration issued a detailed Executive Order on Improving the Nation’s Cybersecurity on May 12, 2021. This comprehensive directive tasks numerous federal agencies to overhaul the way the federal government safeguards against and responds to online threats. The primary focus of the Order is on improving supply chain security, making cybersecurity information sharing easier and more effective and raising the bar on incident response practices. A senior White House official speaking about the Order’s background summarized its goal as making a “down payment towards modernizing our cyber-defenses and safeguarding many of the services” used by the government and the private sector.
While the Order aims many of its directives at agencies’ internal policies and procedures, it also leverages the Executive Branch’s procurement authority to direct the Federal Acquisition Regulations (FAR) Council to propose new cybersecurity-related rules for government contractors. Beyond the requirements for government and contractor cybersecurity, the Order is likely to also trickle down greater focus on security issues in the non-governmental procurement space as new standards and practices take hold.
The Order has numerous directives, including three that government contractors should monitor:
Sharing Cyber-Threat Information on IT/OT Contracts
Driven by the urgency from increased threats to industrial control systems connected to the internet, the Order requires designated government agencies to recommend updates to the FAR and Defense Federal Acquisition Regulation Supplement (DFARS) for contracts that involve information technology (IT) and operational technology (OT). Previously, contractors objected to sharing cyber-attack information with federal agencies charged with investigating federal cybersecurity incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), by claiming that FAR clause terms prohibited these contractors from sharing such information. The Order removes that barrier and requires IT/OT contractors to share threat information. By mid-July 2021, the Order requires the Director of the Office of Management and Budget (OMB) to recommend FAR clause updates designed to ensure that IT and OT contractors collect and preserve data relevant to cybersecurity event prevention, detection, response and investigation; share this data with their government customers and other agencies involved in cybersecurity; and collaborate with Federal cybersecurity or investigative agencies. With that recommendation, the FAR Council will publish proposed updates for public comment by October 2021. Collecting and sharing threat information is a complex undertaking, so preparing for it now makes sense regardless of the Order’s forthcoming requirement.
New Cyber-Incident Reporting & Safeguarding Requirement for Information Communications Technology Contractors
The Order also seeks to establish a new reporting obligation for information communications technology (ICT) contractors and new data and network safeguarding standards. Civilian agencies have trailed behind the Department of Defense (DoD) in enhancing cybersecurity requirements through procurement.
Compare FAR 52.204-21 Basic Safeguarding rule to DFARS 252.204-7012 Safeguarding and Cyber Incident Reporting requirements. This Order appears to borrow a few pages from the DoD’s book. For example, the Order seeks to require ICT contractors to “promptly report” to their customer agencies “when they discover a cyber-incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.” Like the existing DFARS 72-hour reporting requirement, the Order notes that the time period for ICT contractor reporting for “the most severe cyber-incidents” cannot “exceed 3 days after initial detection.” The Order directs the FAR Council to propose incident response requirements under the FAR for public comment by October 2021.
Similarly, the Order directs the Secretary of Homeland Security to recommend cybersecurity safeguarding requirements by mid-July 2021 that the FAR Council must then propose in updates to the FAR by September 2021.
Fortifying Supply Chain Security for “Critical Software”
In response to the SolarWinds and other supply chain compromises, the Order also aims to harden the security and integrity of “critical software” sold to and used by the federal government. This directive focuses on securing “software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources)”. By August, the Secretary of Commerce acting through the Director of the National Institute of Standards and Technology (NIST) shall solicit input from the government and industry to develop new standards, tools and best practices for securing critical software that government contractors sell to and maintain (and sometimes operate) for the federal government.
By November, the Order requires the Director of NIST to publish preliminary guidelines for securing the software supply chain by instructing IT/OT contractors to adopt practices such as:
- Using administratively separate build environments;
- Auditing trust relationships;
- Establishing multi-factor, risk-based authentication and conditional access across the enterprise;
- Documenting and minimizing dependencies on enterprise products that are part of the environment used to develop, build and edit software;
- Employing encryption for data; and
- Monitoring operations and alerts and responding to attempted and actual cyber-incidents.
These guidelines will also address IT/OT contractors’ controls on the software they incorporate into their systems. Specifically, the Order directs NIST to include in its preliminary guidelines standards and procedures for maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components; controls on internal and third-party software components, tools and services present in software development processes; and performing audits and enforcement of these controls on a recurring basis. It also aims to instruct contractors to maintain a “Software Bill of Materials” for each product. The Order directs NIST to issue this guidance by February 2021.
Connect with Ice Miller for More Details
As various agencies begin preparing to issue detailed requirements, there will be opportunities to provide comments and help to steer the discussion. Our team at Ice Miller can assist contractors or other interested parties in finding openings to express your views and concerns. We expect legislative hearings to continue this year on cybersecurity in the U.S. Senate and the U.S. House of Representatives, which our team will continue to track and engage as appropriate.
This comprehensive and ambitious Order will likely come with numerous developments and directives in the coming year. If you have questions concerning the Order or other federal government cybersecurity requirements, Ice Miller has extensive experience assisting companies to comply with cybersecurity requirements under the FAR and DFARS. Our team includes:
- Guillermo Christensen, Office Managing Partner, Washington DC, and a former CIA officer with national security experience in the intelligence community and internationally with the U.S. Department of State;
- Reena Bajowala, a partner in Ice Miller’s Data Security & Privacy practice who is experienced with cybersecurity requirements related to software and vendor management practices;
- Tim Day, Principal at Ice Miller Strategies with federal and state data privacy policy experience; and
- Christian Robertson, a former U.S. Air Force intelligence officer who regularly advises clients on FAR/DFARS compliance and government contracting.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.