President Biden's Cybersecurity Executive Order Leans on Private Contractors to Bolster the Nation's Cyberdefenses
Litigation Alert
On May 12, 2021, the Biden administration released the expansive Executive Order on Improving the Nation's Cybersecurity (the Order) with potentially far-reaching consequences for private industry, the "first of many ambitious steps" the administration says it is taking to modernize the nation's cyber defenses. Issued in response to the "persistent and increasingly sophisticated" cybersecurity attacks on the United States, the Order launches a range of ambitious initiatives aimed primarily at federal government contractors, commercial service providers, and software developers. Those initiatives are detailed in the Order's eight substantive sections:
- Section 2. Removing Barriers to Sharing Threat Information
- Section 3. Modernizing Federal Government Cybersecurity
- Section 4. Enhancing Software Supply Chain Security
- Section 5. Establishing a Cyber Safety Review Board
- Section 6. Standardizing the Federal Government's Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Section 7. Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Section 8. Improving the Federal Government's Investigative and Remediation Capabilities
- Section 9. National Security Systems
Below we discuss the key elements of the Order, focusing on the three sections that are likely to have the greatest impact on U.S. government contractors and subcontractors—Section 2 (Removing Barriers to Sharing Threat Information), Section 3 (Modernizing Federal Government Cybersecurity), and Section 4 (Enhancing Software Supply Chain Security).
Section 2: Removing Barriers to Sharing Threat Information
Current cyber-incident reporting requirements vary widely across the federal government and are largely dictated by agency-specific regulations and contract terms. For example, many Department of Defense (DoD) contractors already are familiar with mandatory incident reporting requirements in clauses such as Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. In contrast, contractors who work exclusively with civilian agencies may only be required to implement certain basic information safeguarding requirements (e.g., (Federal Acquisition Regulation) FAR 52.204-21), but are not currently obligated to make incident reports to the government.
The Biden executive order looks to drive a more consistent reporting approach by removing contractual and legal "barriers" that may prevent timely disclosure and information sharing regarding cyber threats, incidents, and risks. According to the Order, removing such barriers will accelerate "incident deterrence, prevention, and response efforts" and enable "more effective defense of agencies' systems and of information collected, processed, and maintained by or for the Federal Government." In this regard, the Order sets the stage for regulations that could impose potentially extensive data preservation and cyber incident reporting requirements on contractors and others in private industry. To achieve these stated goals, the administration directs various actions by a host of federal entities, including requirements to initiate proposed rulemaking aimed at federal government contractors. Specifically, the Order instructs the heads of federal agencies to:
- Review FAR and DFARS contract requirements and language with respect to contracting with information technology (IT) and operational technology (OT) providers. Make recommendations to the FAR Council on ways to ensure that service providers (1) collect and preserve date relevant to cybersecurity event prevention, detection, response, and investigation, (2) share such data with relevant agencies, and (3) collaborate with the federal government on cybersecurity incident investigations.
- Make recommendations to the FAR Council to ensure contract language identifies (1) the nature of cyber incidents that require reporting, (2) the type of information that needs to be reported, (3) reporting timelines, with severe incidents reported no later than 3 days after detection, and (4) National Security Systems reporting requirements for information and communications technology (ICT) providers.
- Review agency-specific cybersecurity requirements currently in place and recommend to the FAR Council standardized contractual language for appropriate cybersecurity requirements.
The Order is noticeably silent on whether the government will extend liability protections to private entities that could be sued for sharing information that may be protected under privacy, consumer protection, or other civil laws. The Order also does not define the term "service provider," nor does it specify the types of contracts or subcontracts that will be subject to these forthcoming regulations. Given the Order's overall reach, however, a shift towards universal mandatory reporting now seems more likely than ever, including for previously exempt categories of contracts and subcontracts, such as those for Commercial-Off-The-Shelf (COTS) items. Like other aspects of the Order, such a shift would immediately produce winners and losers, with DoD contractors perhaps being in the best position to tweak existing reporting procedures, as opposed to developing such procedures from scratch. Contractors and service providers should expect to see proposed incident-reporting regulations within the next six to12 months.
Section 3: Modernizing Federal Government Cybersecurity
In a March 2021 report, the Government Accountability Office (GAO) identified the nation's collective cybersecurity as a high-risk area due to notable regressions since 2019. The Biden executive order looks to address the specific vulnerabilities identified by GAO through modernization, proclaiming that "decisive steps" are needed to advance federal cybersecurity. The Order specifies the need to adopt best practices, favoring Zero Trust Architecture and accelerating the migration of the government to secure cloud services, such as Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS). To accomplish these lofty goals, the Administration details the following directives for the relevant agency heads:
- Modernize the Federal Risk and Authorization Management Program (FedRAMP) by (1) increasing agency training on FedRAMP use, (2) improving communications with cloud service providers (CSPs), (3) incorporating automation into the FedRAMP lifecycle, and (4) streamlining documentation and requirements in the authorization process.
- Develop (1) updated policies to prioritize adoption and use of cloud technology and (2) plans to implement Zero Trust Architecture.
- For Federal Civilian Executive Branch Agencies (FCEB), develop and issue (1) a cloud-security technical reference architecture documentation that illustrates recommended approaches to cloud migration and data protection for agency data collection and reporting, (2) a cloud-service governance framework that identifies a range of services and protections available to agencies based on incident severity, (3) a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology, and (4) a federal cloud security strategy.
- Adopt the use of multi-factor authentication and encryption to the maximum extent practicable.
Already a significant source of public spending, the Biden administration's push to increase the use of secured cloud services should produce even more federal contracting opportunities for cloud service providers (CSPs). The focus on modernizing FedRAMP also signals to CSPs that the government could place even greater emphasis on obtaining FedRAMP authorization (e.g., as a source selection criteria). Similarly, contractors with products that are compatible with a Zero Trust Architecture model may soon enjoy a competitive advantage over peers who design their products to fit traditional open systems architecture. The basic business question for each company is straightforward—what will it take for my products to compete in a world where cybersecurity is a key differentiator for the U.S. government?
Section 4: Enhancing Software Supply Chain Security
The bold changes promised in the Biden executive order are perhaps most evident in Section 4, which seeks to overhaul software supply chains through the establishment of uniform software development standards. According to the Order, current commercial software development practices lack transparency and do not consistently prioritize cybersecurity. The security and integrity of "critical software" — software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) — is a particular concern to the administration. This concern likely is attributable to the SolarWinds attack, which impacted numerous federal agencies and was accomplished by gaining access to SolarWinds' software environment and then pushing a seemingly routine, but malware-infected, software update to end-users. To address these concerns, the Order calls for the creation of new software development standards that will prioritize:
- Securing software development environments, including: (1) using administratively separate build environments; (2) auditing trust relationships; (3) establishing multi-factor, risk-based authentication and conditional access across the enterprise; (4) documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software; (5) employing encryption for data; and (6) monitoring operations and alerts and responding to attempted and actual cyber incidents
- Generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to accepted processes for ensuring a secure development environment
- Employing automated tools, or comparable processes, to maintain trusted source code supply chains, thereby ensuring the integrity of the code
- Employing automated tools, or comparable processes, that check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version, or update release
- Providing, when requested by a purchaser, artifacts of the execution of such automated tools and processes, and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated
- Maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools, and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis
- Providing a Software Bill of Materials (SBOM) to purchasers for each product directly or by publishing it on a public website
- Participating in a vulnerability disclosure program that includes a reporting and disclosure process
- Attesting to conformity with secure software development practices
- Ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product
Notably, the Order makes no mention of whether these standards will apply to COTS software, which is developed and priced based largely on commercial practices—not practices dictated by the federal government. Further, while it will take time before this guidance is implemented, contractors that offer and sell commercial software to the United States should already circle May 12, 2022 on their calendars. That is the date by which the Department of Homeland Security must recommended contract language to the FAR Council to implement the foregoing software standards, procedures, and criteria. Thereafter, the FAR Council "shall review the recommendations and . . . amend the FAR." This, in turn, will trigger a series of potentially significant changes in the federal marketplace for computer software providers. Specifically, after the FAR Council amends the FAR to codify the new software development standards, the Order requires federal agencies:
- To remove all "non-compliant software" from existing contracting vehicles, including Indefinite Delivery, Indefinite Quantity contracts, Federal Supply Schedules, Federal Government-wide Acquisition Contracts, Blanket Purchase Agreements, and Multiple Award Contracts.
- To mandate providers of "legacy software" update their practices to meet the new development standards.
In addition to these potentially significant changes, contractors also should expect the government to launch pilot programs aimed at educating the public on the security capabilities of Internet-of-Things (IOT) devices and software development practices. These pilots will be "informed by existing consumer labeling programs," such as the ENERGY STAR® program. If nothing else, the investment in these pilot programs demonstrates the Administration's willingness to pursue paradigm-shifting ideas to shore up the nation's cyber-defenses.
Section 4 leaves several important questions unanswered, most notably how the term "critical software" will be defined. It also does not explain the extent to which forthcoming FAR and DFARS rules on software cybersecurity will supplement (or supplant) other cybersecurity compliance frameworks, such as DoD's Cybersecurity Maturity Model Certification (CMMC). At a minimum, however, software providers with federal business should immediately start to determine the feasibility and cost of addressing known vulnerabilities in their products and supply chains. Though the forthcoming regulatory changes may now seem distant, the time and investment required to fix vulnerable software could be significant and put contractors in a race against the clock to avoid termination of their existing contracts.
The Order's Other Key Initiatives
The Order's other sections outline additional initiatives that the administration will employ to support an aggressive posture on cybersecurity. Specifically, the Order mandates:
- The creation of a Cyber Safety Review Board that will review significant cybersecurity attacks, beginning with the SolarWinds attack that prompted the establishment of a Cyber Unified Coordination Group in December 2020. The Board also will provide advise the [president for improving cybersecurity practices based on those reviews
- The creation of a government-wide "playbook" consisting of standardized cybersecurity definitions and response protocols
- The implementation of a government-wide Endpoint Detection and Response initiative that will help FCEB agencies detect suspicious activity or incidents occurring at any connection point to a network
- The adoption of network and system log requirements that will be integrated into the proposed regulations for removing barriers to information sharing
Conclusion
The Biden cybersecurity executive order represents what is arguably the most ambitious cybersecurity initiative in the history of the U.S. government. Though many details remain to be seen, the Order already promises to produce seismic shifts in incident reporting, security infrastructure, and commercial software development. As is often the case, government contractors will shoulder the heaviest burden in this evolving landscape, but only time will tell which companies emerge in the strongest competitive position. If you have questions about how the Order may impact your company, please contact one of the Miller & Chevalier attorneys listed below.
Alex L. Sarria, asarria@milchev.com, 202-626-5822
Jason N. Workmaster, jworkmaster@milchev.com, 202-656-5893
Sarah Barney* and Connor Farrell, Miller & Chevalier law clerks, contributed to this client alert.
*Former Miller & Chevalier attorney
The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.
This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.