Additionally, the EO mandates information sharing by requiring the Secretary of Homeland Security and the director of OMB to take steps to ensure, to the greatest extent possible, that service providers share data with agencies, CISA, and the FBI as may be necessary for the federal government to respond to cyber threats, incidents, and risks. Specifically, ICT service providers entering into federal contracts will now be required to promptly report to the contracting officer concerned when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies. These providers will also be required to report to CISA whenever they report this information to a contracting officer, and CISA is now charged with the central collection and management of this information.

To drive these requirements, the EO directs the Secretary of Homeland Security – in consultation with the Secretary of Defense acting through the director of the National Security Agency (NSA), the attorney general, and the director of OMB – to recommend to the FAR Council contract language that identifies (a) the nature of cyber incidents that require reporting; (b) the types of information regarding cyber incidents that require reporting to facilitate effective cyber incident response and remediation; (c) appropriate and effective protections for privacy and civil liberties; (d) the time periods within which contractors must report cyber incidents based on a graduated scale of severity, with reporting on the most severe cyber incidents not to exceed three days after initial detection; (e) National Security Systems reporting requirements; and (f) the type of contractors and associated service providers to be covered by the proposed contract language.

Finally, the EO directs the Secretary of Defense acting through the director of the NSA, the attorney general, the Secretary of Homeland Security, and the director of National Intelligence to jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies. Recognizing that current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cloud-service cybersecurity requirements, the EO mandates standardizing common cybersecurity contractual requirements across agencies. This standardization is to be accomplished by key stakeholders reviewing agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and making recommendations to the FAR Council regarding standardized contract language for appropriate cybersecurity requirements.

Adoption of cloud technology and zero trust architecture

The EO also seeks to implement a number of security best practices across the federal government, such as advancing toward zero trust architecture (ZTA);² accelerating movement to secure cloud services; centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and investing in both technology and personnel to match these modernization goals. To that end, the EO requires all heads of executive agencies to update existing agency plans to prioritize resources for the adoption and use of cloud technology and a plan to implement ZTA, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance. The EO also requires CISA to modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with ZTA and requires the Secretary of Homeland Security acting through the director of CISA, in consultation with the administrator of General Services acting through the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration, to develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts.

Establishment of baseline software security standards

The EO also establishes baseline security standards for the development of software sold to the government. In addition to these standards, the EO will require software developers that sell to the government to maintain greater visibility into their software and making security data publicly available. The Secretary of Commerce working through the NIST is charged with establishing these security standards and will lead this effort. The resulting standards and guidelines will be published by the NIST and eventually be incorporated into the FAR, which will make them binding upon businesses that sell software to the government.³

Creation of the Cybersecurity Safety Review Board

The EO also stablishes a Cybersecurity Safety Review Board (the Board), which will be co-chaired by government and private sector leads. On the federal government side, the Board will be composed of representatives of the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI. On the private sector side, the Board will be composed of representatives from private-sector cybersecurity or software suppliers as determined by the Secretary of Homeland Security. The Secretary of Homeland Security may invite the participation of others on a case-by-case basis depending on the nature of the incident under review. The purpose of this Board will be to convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.

Creation of a standard playbook for responding to cyber incidents

The EO creates a standardized playbook and a set of definitions for cyber incident response by federal departments and agencies. This playbook will incorporate all appropriate NIST standards, will be used by all federal civilian executive branch agencies, and will detail appropriate progress and completion through all phases of an agency’s response to a cyber incident. The playbook is expected to be drafted in a manner that will allow agencies flexibility so that it may be used by different federal agencies in support of various response activities. Once this playbook is issued, the director of OMB shall issue guidance on agency use of the playbook. The playbook will also provide the private sector with a template for its response efforts, thereby standardizing incident response best practices across the public and private sectors.

Improve detection of cybersecurity incidents on federal government networks

The EO requires the utilization of appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on federal government networks. The intent of the EO in this regard is to enhance the government’s visibility into and detection of cybersecurity vulnerabilities and threats to agency networks. The EO directs the federal civilian executive branch agencies to deploy an endpoint detection and response (EDR) initiative to support (1) proactive detection of cybersecurity incidents within the federal infrastructure, (2) active cyber hunting, containment, and remediation, and (3) incident response.

Inapplicability to national security systems

The EO is notably focused on civilian agencies, but it requires the Secretary of Defense acting through the National Manager, in coordination with the director of National Intelligence to adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. This must be done within 60 days of the issuance of the EO. These requirements will be documented in a National Security Memorandum (NSM). The EO specifically provides that until that NSM is issued, all programs, standards, or requirements established pursuant to the EO are inapplicable to National Security Systems.

Practical impact

Federal contractors and subcontractors that provide IT to the government will be impacted by the number of FAR changes that will fundamentally change the way federal agencies acquire IT supplies, solutions, and services. Contractors and service providers, including those who provide commercial off-the-shelf software products and services, are urged to monitor proposed regulations and other requirements carefully to remain informed as the EO is implemented through agency action and regulation promulgation. It will be critical to understand the way the government implements the EO’s mandates, particularly considering how broadly IT service providers and software are defined by the forthcoming regulations. The timeline for implementation appears to be ambitiously short, so contractors should provide comments to the proposed changes to the FAR as they are published and ensure that any concerns about complying with the new requirements are presented to those tasked with implementing this EO. The authors of this alert will continue to monitor developments related to this EO and will provide related updates that impact federal contractors.

1. The agencies specifically listed in the EO include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC). The Biden administration has stated repeatedly that these agencies must play a key role in the defense of U.S. IT and cyber assets and technology.
2. Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (that is, local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring-your-own-device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.) – not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
3. To accomplish this, “the Secretary of Commerce acting through the director of NIST shall solicit input from the federal government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria in [Sec. 4, subsection (e) of the EO].” The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.

In-depth 2021-143