On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.”  The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.  The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.  Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.

In particular, and among other things, the Order:

  • seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
  • mandates that software purchased by the federal government meet new cybersecurity standards;
  • discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
  • seeks to impose new cyber incident[i] reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents, and;
  • addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.

The Order contains eight substantive sections, which are listed here, and discussed in more detail below:

  • Section 2 – Removing Barriers to Sharing Threat Information
  • Section 3 – Modernizing Federal Government Cybersecurity
  • Section 4 – Enhancing Software Supply Chain Security
  • Section 5 – Establishing a Cyber Safety Review Board
  • Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
  • Section 9 – National Security Systems

The summaries below discuss highlights from these sections, and the full text of the Order can be found here.

Section 2 – Removing Barriers to Sharing Threat Information

The Order acknowledges that the Federal Government regularly contracts with IT and OT service providers, who have “unique access to and insight into cyber threat and incident information” on “Federal Information Systems”.[ii]  Notwithstanding that special knowledge, the Order notes that “contract terms” can restrict the ability of those companies to share threat or incident information with federal agencies.  (It is unclear from the Order whether such “contract terms” are limited to those in federal government prime and subcontracts, or whether the Government is also focusing on commercial terms and conditions that contractors use in their non-government contracts work.) The Order requires the Director of the Office of Management and Budget (OMB) to review the current regulations for contracting with IT and OT service providers and recommend updates to improve the ability of those providers to preserve and report data relevant to cyber incident prevention and remediation. The Order also requires that regulations be adopted to require information and communications technology (ICT) service providers entering into contracts with agencies to report cyber incidents involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.

Additionally, the Order requires the Secretary of Homeland Security to recommend contract language requiring incident reporting, including the kinds of incidents that must be reported, the types of information that must be reported, the time period for reporting, and other issues.

Section 3 – Modernizing Federal Government Cybersecurity

This section discusses the modernization of federal systems, including investment in technology and personnel, increasing the adoption and use security of cloud services provided to the government systems, the evaluation of the types and sensitivity of unclassified information on federal networks, the use of multi-factor authentication (MFA) and encryption, and other issues.  Among other things, this section mandates the Director of OMB to develop a federal cloud security strategy, enhance the FedRAMP program authorization and compliance requirements, and develop a plan for implementing Zero Trust Architecture (an approach to network security that focuses on user authentication and limiting access on a need-to-know basis).

Section 4 – Enhancing Software Supply Chain Security

This section seeks to “implement more rigorous and predictable mechanisms” for evaluating the security of commercial software used by the Federal Government.  After seeking input from the private sector, academics, and others, the Order directs the Secretary of Commerce (through the National Institute of Standards and Technology, “NIST”) to develop guidelines for evaluating the security of commercial software.  These guidelines will include, among other things, standards for secure software development environments, authenticating and auditing user access, encrypting data, monitoring and alerting of cyber incidents, remediating vulnerabilities, authenticating the origin of software code, and disclosure of vulnerabilities and of conformity with secure development practices. Importantly, these guidelines will include providing the purchaser a Software Bill of Materials (SBOM)[iii] for each product in accordance with minimum elements published by NIST.

After these guidelines are published, the Order requires agencies to ensure that procured software meets the guidelines.  The Order will also require software suppliers to self-certify in their contractual agreements with federal civilian agencies that they have met the guidelines, will impose requirements on providers to submit documentation of compliance when asked, and orders agencies to remove software products that do not provide this certification from federal procurement lists.

This section also directs the Secretary of Commerce, through NIST, to create pilot programs to educate the public on the security capabilities of IoT devices and software through consumer labeling programs, and to create incentives to encourage manufacturers and developers to participate in these pilot programs.

Section 5 – Establishing a Cyber Safety Review Board

This section requires the Secretary of Homeland Security to establish a Cyber Safety Review Board to assess significant cyber incidents affecting federal civilian agency systems or non-Federal systems.  The Board’s membership will include representatives from the Department of Defense, the Department of Justice, the Cybersecurity and Infrastructure Security Agency (CISA), the NSA, and the FBI, and representatives from private sector cybersecurity or software suppliers.

The Board will begin by conducting an initial review related to the SolarWinds hack that resulted in the creation of a Cyber Unified Coordination Group in December 2020.  This initial review will also consider the Board’s mission, scope, and responsibilities, create the Board governance structure, and set thresholds and criteria for the types of cyber incidents it will evaluate.  The Board will then be convened in response to significant cyber incidents or at the direction of the President.

Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

This section seeks to standardize the Federal Government’s response to cyber incidents by requiring the Secretary of Homeland Security to develop a standard set of procedures (a “playbook”) to be used for planning and conducting cyber incident response. The playbook will incorporate all appropriate NIST standards and should be used by all federal civilian agencies.  The playbook will define key terms and use those terms consistently to provide federal civilian agencies with a common vocabulary for incident response. This section also requires CISA to review and update the playbook annually.

 

The playbook must include a process for CISA to review and validate federal civilian agencies’ incident response and remediation results upon completion of incident response, either directly or with the assistance of another agency or third-party incident response team.

Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

To improve early detection of cyber vulnerabilities and incidents, the Order directs all federal civilian agencies to deploy an Endpoint Detection and Response (EDR) initiative.  Agencies are required to coordinate their EDR initiatives with CISA.  This section directs OMB to set government-wide requirements for EDR initiatives and to ensure that agencies have adequate resources to meet those requirements.

This section also directs CISA to evaluate threat-hunting activities on federal civilian agency networks to ensure those activities do not disrupt mission-critical systems and that system owners are notified of vulnerabilities.

Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities

In order to improve the ability of the Federal Government to investigate and remediate cyber incidents, this section requires the Secretary of Homeland Security to provide the Director of OMB recommendations for logging events and preserving data within an agency’s systems, including the time period for logging, and recommended logging and security requirements.  It directs agencies to protect logs via encryption to ensure forensic integrity.

This section also directs OMB to provide agencies with adequate resources to meet these requirements, and directs federal civilian agencies to share these logs with CISA and the FBI upon request, consistent with applicable law.

Section 9 – National Security Systems

This section specifies that, within 60 days of the Order, the Secretary of Defense shall adopt requirements for “National Security Systems” “that are equivalent to or exceed the cybersecurity requirements set forth in this order,” that are not otherwise already applicable to such systems.  The Order allows for exceptions to such requirements “in circumstances necessitated by unique mission needs” and mandates that the requirements be codified in a “National Security Memorandum.”

  

[i] The Order defines an “incident” according to the definition in 44 U.S.C. 3552(b)(2):

The term “incident” means an occurrence that-

(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or

(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.

[ii] The Order defines a “Federal Information System” as “an information system used or operated by an agency or by a contractor of an agency or by another organization on behalf of an agency, including Federal Civilian Executive Branch Information Systems and National Security Systems.”

[iii] A Software Bill of Materials is a formal record containing the details and supply chain relationships of various components used in building software.  The Order provides a full definition of a SBOM in section 10(j).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Micaela McMurrough Micaela McMurrough

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other…

Micaela McMurrough serves as co-chair of Covington’s global and multi-disciplinary Technology Group, as co-chair of the Artificial Intelligence and Internet of Things (IoT) initiative. In her practice, she has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and she regularly represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Photo of Robert Huffman Robert Huffman

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing…

Bob Huffman counsels government contractors on emerging technology issues, including artificial intelligence (AI), cybersecurity, and software supply chain security, that are currently affecting federal and state procurement. His areas of expertise include the Department of Defense (DOD) and other agency acquisition regulations governing information security and the reporting of cyber incidents, the Cybersecurity Maturity Model Certification (CMMC) program, the requirements for secure software development self-attestations and bills of materials (SBOMs) emanating from the May 2021 Executive Order on Cybersecurity, and the various requirements for responsible AI procurement, safety, and testing currently being implemented under the October 2023 AI Executive Order. 

Bob also represents contractors in False Claims Act (FCA) litigation and investigations involving cybersecurity and other technology compliance issues, as well more traditional government contracting costs, quality, and regulatory compliance issues. These investigations include significant parallel civil/criminal proceedings growing out of the Department of Justice’s Cyber Fraud Initiative. They also include investigations resulting from False Claims Act qui tam lawsuits and other enforcement proceedings. Bob has represented clients in over a dozen FCA qui tam suits.

Bob also regularly counsels clients on government contracting supply chain compliance issues, including those arising under the Buy American Act/Trade Agreements Act and Section 889 of the FY2019 National Defense Authorization Act. In addition, Bob advises government contractors on rules relating to IP, including government patent rights, technical data rights, rights in computer software, and the rules applicable to IP in the acquisition of commercial products, services, and software. He focuses this aspect of his practice on the overlap of these traditional government contracts IP rules with the IP issues associated with the acquisition of AI services and the data needed to train the large learning models on which those services are based. 

Bob is ranked by Chambers USA for his work in government contracts and he writes extensively in the areas of procurement-related AI, cybersecurity, software security, and supply chain regulation. He also teaches a course at Georgetown Law School that focuses on the technology, supply chain, and national security issues associated with energy and climate change.

Photo of Susan B. Cassidy Susan B. Cassidy

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors…

Susan is co-chair of the firm’s Aerospace and Defense Industry Group and is a partner in the firm’s Government Contracts and Cybersecurity Practice Groups. She previously served as in-house counsel for two major defense contractors and advises a broad range of government contractors on compliance with FAR and DFARS requirements, with a special expertise in supply chain, cybersecurity and FedRAMP requirements. She has an active investigations practice and advises contractors when faced with cyber incidents involving government information, as well as representing contractors facing allegations of cyber fraud under the False Claims Act. Susan relies on her expertise and experience with the Defense Department and the Intelligence Community to help her clients navigate the complex regulatory intersection of cybersecurity, national security, and government contracts. She is Chambers rated in both Government Contracts and Government Contracts Cybersecurity. In 2023, Chambers USA quoted sources stating that “Susan’s in-house experience coupled with her deep understanding of the regulatory requirements is the perfect balance to navigate legal and commercial matters.”

Her clients range from new entrants into the federal procurement market to well established defense contractors and she provides compliance advices across a broad spectrum of procurement issues. Susan consistently remains at the forefront of legislative and regulatory changes in the procurement area, and in 2018, the National Law Review selected her as a “Go-to Thought Leader” on the topic of Cybersecurity for Government Contractors.

In her work with global, national, and start-up contractors, Susan advises companies on all aspects of government supply chain issues including:

  • Government cybersecurity requirements, including the Cybersecurity Maturity Model Certification (CMMC), DFARS 7012, and NIST SP 800-171 requirements,
  • Evolving sourcing issues such as Section 889, counterfeit part requirements, Section 5949 and limitations on sourcing from China
  • Federal Acquisition Security Council (FASC) regulations and product exclusions,
  • Controlled unclassified information (CUI) obligations, and
  • M&A government cybersecurity due diligence.

Susan has an active internal investigations practice that assists clients when allegations of non-compliance arise with procurement requirements, such as in the following areas:

  • Procurement fraud and FAR mandatory disclosure requirements,
  • Cyber incidents and data spills involving sensitive government information,
  • Allegations of violations of national security requirements, and
  • Compliance with MIL-SPEC requirements, the Qualified Products List, and other sourcing obligations.

In addition to her counseling and investigatory practice, Susan has considerable litigation experience and has represented clients in bid protests, prime-subcontractor disputes, Administrative Procedure Act cases, and product liability litigation before federal courts, state courts, and administrative agencies.

Susan is a former Public Contract Law Procurement Division Co-Chair, former Co-Chair and current Vice-Chair of the ABA PCL Cybersecurity, Privacy and Emerging Technology Committee.

Prior to joining Covington, Susan served as in-house senior counsel at Northrop Grumman Corporation and Motorola Incorporated.