Akin to the exasperations of the newly minted “homeschool teachers” the pandemic has created, the Biden administration’s recent Executive Order on Improving the Nation’s Cybersecurity (Order) is a mix of sound logic and utter frustration. The lengthy and sweeping Order is resoundingly one of the most comprehensive national cybersecurity overhauls to date and ushers the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) into a forward-leaning position of leadership that has been missing since its inception. In addition to requiring significant improvements to the cybersecurity posture of the Federal Civilian Executive Branch (FCEB) agencies, the Order also prescribes (i) the implementation of cyber incident sharing requirements between the Government and private industry; (ii) the necessary demands of security on software development; and (iii) the inclusion of software bills of materials, operational technology (e.g., industrial machining), and the internet of things in the fabric of cybersecurity regulations. Set against the backdrop of an ambitious timeline that calls for drastic changes before the end of this fiscal year—i.e., September 30, 2021—the Order requires that the Federal government scale administrative mountains at breakneck speed while simultaneously working with the industry and developing new regulations with which contractors will have to comply in short order. While a brief summary of the Order is provided below, the size and magnitude of the Order call for a larger analysis. Accordingly, we have prepared a user-friendly Analysis of the Order that includes considerations for manufacturers and government contractors. Additionally, to better explain the compliance timeline associated with the Order, a listing of the EO Key Dates is provided for convenience.
Section 1 – Policy
The Federal government must better its ability to detect, identify, deter, protect against, and respond to cyber threats and will need to partner with private industry in order to do it.
Section 2 – Removing Barriers to Sharing Threat Information
Contracts with providers of federal information technology, operational technology, and cloud services will need to be altered to better allow for sharing of cyber threat information. This effort will result in changes to existing contracts and the development of new and/or revised FAR clauses.
Section 3 – Modernizing Federal Government Cybersecurity
The Government will adopt Zero Trust Architecture in its systems and demand it from those upon which it relies (i.e., cloud service providers) as part of its modernization. This effort essentially means that systems will treat all users as potential threats and require additional authentication. Cloud service providers should expect to see activity here as CISA and the Federal Risk and Authorization Management Program cultivate an enhanced federal cloud-security strategy to provide implementation guidance to FCEB agencies.
Section 4 – Enhancing Software Supply Chain Security
The Government is demanding that software manufacturers address build-transparency deficiencies and implement security by design, especially for products that will be identified as or deemed “critical software.” The Order specifically calls for industry assistance in better understanding the implications of the Order and demands that a Software Bill of Materials be provided. NIST guidance will be issued over the coming months to distill the Government’s expected procedures for software supply chain security. A new FAR clause is also anticipated.
Section 5 – Establishing a Cyber Safety Review Board
Establishes a Cyber Safety Review Board, presently consisting of members from DHS, DoD, DoJ, CISA, FBI, NSA, and private-sector cybersecurity or software suppliers chosen by the Secretary of Homeland Security. The intent of the board is to examine and assess “significant cyber incidents” that occur in federal and nonfederal systems to better understand and evaluate threat activity, vulnerabilities, mitigation activities, and agency responses. The timeline of the board’s establishment is not nearly as clear as the timelines in the Order’s other sections. It is somewhat surprising that the board lacks representation from the Department of Energy and NIST.
Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
This effort is intended to standardize vulnerability and incident response processes across the FCEB to provide for a more coordinated and centralized cataloging of incidents and tracking of agencies’ progress toward successful responses.
Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
Requires the use of “Endpoint Detection and Response” technology throughout the Federal government to better detect suspicious system behavior, block malicious/suspicious activity, and facilitate incident response. The Order requires the development of formalized information-sharing procedures between DoD and DHS.
Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
Establishes and prioritizes the requirements for logging network and system events and for the retention of those logs by Federal agencies in order to facilitate, when needed, incident response investigations. Notably, the Order directs that such logs be encrypted and periodically verified to ensure their integrity.
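To make the “periodically verified to ensure their integrity” requirement concrete, the following is an added example (not code from the Order, from CISA, or from this post’s authors) of one common way to do it: each log entry carries an HMAC-SHA256 tag computed over the entry and the previous entry’s tag, so any edit, reordering or deletion in the middle of the log breaks the chain, and a saved checkpoint from the last verification run catches truncation of the tail. The key, the event records and the field names are all constructed for illustration; encryption of the stored log, which the Order also requires, is assumed to be handled separately by the storage layer and is not shown.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key is held in a KMS/HSM and the
# host that writes logs should not be the host that holds the verification key.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64  # tag that "precedes" the first record in an empty log

# Constructed sample events (field names are illustrative, not any agency schema).
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T12:00:00Z", "host": "web01", "event": "ssh_login", "user": "alice", "result": "success"},
    {"ts": "2021-06-01T12:00:05Z", "host": "web01", "event": "sudo", "user": "alice", "cmd": "systemctl restart nginx"},
    {"ts": "2021-06-01T12:01:10Z", "host": "web01", "event": "ssh_login", "user": "bob", "result": "failure"},
]


def _canonical(obj):
    """Stable byte encoding so the same record always produces the same tag."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, seq, prev_tag, record):
    """HMAC-SHA256 over (sequence number, previous tag, record), which chains each entry to its predecessor."""
    msg = _canonical({"seq": seq, "prev": prev_tag, "record": record})
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_record(chain, record, key=LOG_KEY):
    """Append one log record to the in-memory chain (a list of entries) and return the new entry."""
    seq = len(chain)
    prev = chain[-1]["tag"] if chain else GENESIS_TAG
    entry = {"seq": seq, "prev": prev, "record": record}
    entry["tag"] = _tag(key, seq, prev, record)
    chain.append(entry)
    return entry


def make_checkpoint(chain):
    """(count, last tag) to persist after a successful verification; detects later truncation."""
    return (len(chain), chain[-1]["tag"]) if chain else (0, GENESIS_TAG)


def verify_chain(chain, key=LOG_KEY, checkpoint=None):
    """Walk the chain and return (ok, first_bad_index).

    Detects modified, reordered or deleted entries anywhere in the chain. A
    checkpoint from a previous run additionally detects removal of the newest
    entries, which the chain alone cannot see.
    """
    prev = GENESIS_TAG
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        expected = _tag(key, i, prev, entry.get("record"))
        if not hmac.compare_digest(expected, str(entry.get("tag", ""))):
            return False, i
        prev = entry["tag"]
    if checkpoint is not None:
        count, tag = checkpoint
        if count > 0 and (len(chain) < count or not hmac.compare_digest(chain[count - 1]["tag"], tag)):
            return False, len(chain)
    return True, None


if __name__ == "__main__":
    log = []
    for event in SAMPLE_EVENTS:
        append_record(log, event)
    print("fresh log verifies:", verify_chain(log))
    cp = make_checkpoint(log)
    print("truncated log vs. checkpoint:", verify_chain(log[:2], checkpoint=cp))
```

The verification job should run on a schedule from a separate host, persist its checkpoint somewhere the log writer cannot modify, and alert on the first failing index rather than silently re-keying; the index tells the responder exactly where in the retained log the trustworthy evidence ends.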
Section 9 – National Security Systems
Requires that the defense and intelligence communities adopt any requirements in the Order that are not already in operation through their respective regulations.
Section 10 – Definitions
Notable definitions provided include those of “auditing trust relationship,” “Software Bill of Materials,” and “Zero Trust Architecture.”
Section 11 – General Provisions
Addresses the “administrivia” of implementing the Order.
As the text of the Order and its laundry list of deliverables indicate, 2021 will be a significant year in the area of cybersecurity, and significant regulatory changes are afoot. Faced with equal parts risk and opportunity, federal contractors must be prepared to comply, and those in the cloud, IT, and IT services sectors (including distributors, resellers, etc.) should begin taking immediate actions to better understand their respective supply chains for the products and services offered to federal customers. At bottom, while the Order is brimming with the concept of strength through public-private partnerships, it is equally full of weariness and disappointment brought on by years of cyberattacks, data breaches, intrusions, and thefts. It’s clear that, for this administration, enough’s enough.