Increasing threat information sharing between government and the private sector
The EO requires the modification of current contract terms that restrict non-federal entities from sharing threat or incident information with executive departments and agencies responsible for investigating or remediating cyber incidents.1 The modifications must ensure that IT service providers are free to share information with the government about security breaches when they occur, and that they are not limited from doing so by contractual obligations currently incorporated into their federal contracts.
Specifically, within 60 days of the EO’s publication date, the director of the Office of Management and Budget (OMB), in consultation with the Secretary of Defense, the attorney general, the Secretary of Homeland Security, and the director of National Intelligence, is required to review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for contracting with IT and OT service providers and to recommend updates to such requirements and language to the FAR Council and other appropriate agencies. The recommended contract language must ensure that service providers:
- Collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with those agencies’ requirements;
- Share such data, information, and reporting as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and with any other agency that the director of OMB – in consultation with the Secretary of Defense, the attorney general, the Secretary of Homeland Security, and the director of National Intelligence – deems appropriate, consistent with applicable privacy laws, regulations, and policies;
- Collaborate with federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed; and
- Share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.
The FAR Council has 90 days from receipt of the recommendations to review the proposed contract language and conditions and to publish its proposed updates to the FAR for public comment. This essentially means that the EO will drive proposed changes to the FAR in this area within the next five months. This aggressive timeline suggests that the changes could be implemented by early 2022.