Reed Smith In-depth

On May 12, 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity (EO), which created a new Cyber Safety Review Board to review major cyber incidents and which requires information and communications technology (ICT) service providers entering into contracts with the government to report data breaches. The EO is in direct response to a number of recent high-profile cyberattacks aimed at federal agencies, contractors that do business with the federal government, private sector entities, and, most recently, the massive assault on a major U.S. pipeline company that has had wide-reaching consequences throughout the country. The EO aims to focus the full resources of the federal government on protecting and securing computer systems – whether cloud-based, on-premises, or hybrid – that process data (information technology (IT)) and run vital machinery (operational technology (OT)). The EO will also make changes to a number of contract clauses to accomplish its intent. This alert summarizes the new EO and provides recommendations for entities that will be impacted by these sweeping new requirements.

Increasing threat information sharing between government and the private sector

The EO requires the modification of current contract terms that restrict non-federal entities from sharing threat or incident information with executive departments and agencies responsible for investigating or remediating cyber incidents.1 The modifications must ensure that IT service providers are free to share information with the government about security breaches when they occur, and that they are not limited from doing so by contractual obligations currently incorporated into their federal contracts.

Specifically, within 60 days of the EO’s publication date, the director of the Office of Management and Budget (OMB), in consultation with the Secretary of Defense, the attorney general, the Secretary of Homeland Security, and the director of National Intelligence, is required to review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for contracting with IT and OT service providers and to recommend updates to such requirements and language to the FAR Council and other appropriate agencies. The recommended contract language must ensure that service providers:

  • Collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with those agencies’ requirements;
  • Share such data, information, and reporting as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the director of OMB – in consultation with the Secretary of Defense, the attorney general, the Secretary of Homeland Security, and the director of National Intelligence – deem appropriate, consistent with applicable privacy laws, regulations, and policies;
  • Collaborate with federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed; and
  • Share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.

The FAR Council has 90 days from receipt of the recommendations to review the proposed contract language and conditions and to publish its proposed updates to the FAR for public comment. This essentially means that the EO will drive proposed changes to the FAR in this area within the next five months. This aggressive timeline suggests that the changes could be implemented by early 2022.