On May 12, 2021, President Biden signed a landmark Executive Order to improve and modernize the federal government’s cybersecurity infrastructure. The Executive Order comes in the wake of numerous cyber incidents targeting the United States, including the so-called SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents. The Executive Order will directly affect government contractors, including companies that sell software to the government or provide IT services. More broadly, but less directly, the Executive Order is likely to influence the informal, and eventually formal, development of cybersecurity standards for software and hardware makers and providers of online services generally, even when the government is not a customer.

President Biden’s Executive Order takes the following steps:

  • Removing barriers to sharing threat information
    • The Executive Order helps facilitate the sharing of cyber threat and incident information between IT service providers and federal government agencies by (1) removing contractual barriers to such exchanges and (2) requiring the reporting of information about cyber incidents to federal agencies.
  • Strengthening federal government cybersecurity
    • The Executive Order requires the federal government to adopt cybersecurity best practices including “advance[ing] toward Zero Trust Architecture; accelerat[ing] movement to secure cloud services…central[izing] and streamlin[ing] access to cybersecurity data to drive analytics for identifying and managing cybersecurity threats; and invest[ing] in both technology and personnel to match these modernization goals.” As part of these efforts, federal agencies are ordered to “adopt multi-factor authentication and encryption for data at rest and in transit, to the maximum extent consistent with Federal records laws and other applicable laws.”
  • Enhancing software supply chain security
    • The Executive Order mandates the establishment of minimum-security standards for software sold to the federal government. In particular, the standards must address:
      • “Secure software development environments;
      • “Generating and, when requested by a purchaser, providing artifacts [e.g. data] that demonstrate conformance to the processes” implemented to ensure secure software development environments”;
      • “Employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code”;
      • “Employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release”;
      • “Providing, when requested by a purchaser, artifacts of the execution of the tools and processes described [in the prior two bullets] and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated”;
      • “Maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis”;
      • “Providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website”;
      • “Participating in a vulnerability disclosure program that includes a reporting and disclosure process”;
      • “Attesting to conformity with secure software development practices”;
      • “Ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product.”
    • The Executive Order also directs development of a pilot program to create a labeling system which would allow the government (and the public) to determine whether software was developed securely.
  • Establishing a Cybersecurity Safety Review Board
    • The Board, which is to be led by individuals from the government and the private sector, will convene following major cybersecurity incidents to review and assess such incidents, mitigation, and response efforts. This idea has been likened to the National Transportation Safety Board (NTSB) for transportation incidents.
  • Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
    • The Executive Order promotes the implementation of “standardized response processes [to] ensure a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.” Various federal agencies are required to coordinate to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity respecting [Federal Civilian Executive Branch] Information Systems.”
  • Improving detection of cybersecurity vulnerabilities and incidents on federal government networks
    • The Executive Order requires the federal government to “employ all appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.” Such measures must “include increasing the Federal Government’s visibility into and detection of cybersecurity vulnerabilities and threats to agency networks in order to bolster the Federal Government’s cybersecurity efforts.”
  • Enhancing the federal government’s investigative and remediation capabilities
    • The Executive Order requires the formulation of “policies for agencies to establish requirements for logging, log retention, and log management.”
  • Introducing National Security System Requirements
    • The Executive Order mandates the application of the requirements set forth in the Order to National Security Systems (i.e., non-civilian systems).

The Executive Order constitutes a major step forward in strengthening cyber defenses against the sorts of attacks that have bedeviled government agencies and private companies for decades now. Government contractors will need to comply with the new requirements that will result from the Executive Order. But even more broadly, the Executive Order and the rules that flow from it will have an impact on all companies by creating new expectations for threat and incident reporting and new standards (whether informal or formal) for cybersecurity.