Increasing threat information sharing between government and the private sector
The EO requires the modification of current contract terms that restrict non-federal entities from sharing threat or incident information with executive departments and agencies responsible for investigating or remediating cyber incidents.1 The modifications must ensure that IT service providers are free to share information with the government about security breaches when they occur, and that they are not limited from doing so by contractual obligations currently incorporated into their federal contracts.
Specifically, within 60 days of the EO’s publication date, the director of the Office of Management and Budget (OMB), in consultation with the Secretary of Defense, the attorney general, the secretary of Homeland Security, and the director of National Intelligence, are required to review the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for contracting with IT and OT service providers and recommend updates to such requirements and language to the FAR Council and other appropriate agencies. The recommended contract language must ensure that service providers:
- Collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with those agencies’ requirements;
- Share such data, information, and reporting as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the director of OMB – in consultation with the Secretary of Defense, the attorney general, the Secretary of Homeland Security, and the director of National Intelligence – deem appropriate, consistent with applicable privacy laws, regulations, and policies;
- Collaborate with federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed; and
- Share cyber threat and incident information with agencies, doing so, where possible, in industry-recognized formats for incident response and remediation.
The FAR Council has 90 days from receipt of the recommendations to review the proposed contract language and conditions and publish for public comment its proposed updates to the FAR. This essentially means that the EO will drive proposed changes to the FAR in this area within the next five months. This aggressive time line suggests that the changes could be implemented by early 2022.
Additionally, the EO mandates information sharing by requiring the Secretary of Homeland Security and the director of OMB to take steps to ensure, to the greatest extent possible, that service providers share data with agencies, CISA, and the FBI as may be necessary for the federal government to respond to cyber threats, incidents, and risks. Specifically, ICT service providers entering into federal contracts will now be required to promptly report to the contracting officer concerned when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies. These providers will also be required to report to CISA whenever they report this information to a contracting officer, and CISA is now charged with the central collection and management of this information.
To drive these requirements, the EO directs the Secretary of Homeland Security – in consultation with the Secretary of Defense acting through the director of the National Security Agency (NSA), the attorney general, and the director of OMB – to recommend to the FAR Council contract language that identifies (a) the nature of cyber incidents that require reporting; (b) the types of information regarding cyber incidents that require reporting to facilitate effective cyber incident response and remediation; (c) appropriate and effective protections for privacy and civil liberties; (d) the time periods within which contractors must report cyber incidents based on a graduated scale of severity, with reporting on the most severe cyber incidents not to exceed three days after initial detection; (e) National Security Systems reporting requirements; and (f) the type of contractors and associated service providers to be covered by the proposed contract language.
Finally, the EO directs the Secretary of Defense acting through the director of the NSA, the attorney general, the Secretary of Homeland Security, and the director of National Intelligence to jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared among agencies. Recognizing that current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations, including cloud-service cybersecurity requirements, the EO mandates standardizing common cybersecurity contractual requirements across agencies. This standardization is to be accomplished by key stakeholders reviewing agency-specific cybersecurity requirements that currently exist as a matter of law, policy, or contract and making recommendations to the FAR Council regarding standardized contract language for appropriate cybersecurity requirements.
Adoption of cloud technology and zero trust architecture
The EO also seeks to implement a number of security best practices across the federal government, such as advancing toward zero trust architecture (ZTA);2 accelerating movement to secure cloud services; centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and investing in both technology and personnel to match these modernization goals. To that end, the EO requires all heads of executive agencies to update existing agency plans to prioritize resources for the adoption and use of cloud technology and a plan to implement ZTA, which shall incorporate, as appropriate, the migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance. The EO also requires CISA to modernize its current cybersecurity programs, services, and capabilities to be fully functional with cloud-computing environments with ZTA and requires the Secretary of Homeland Security acting through the director of CISA, in consultation with the administrator of General Services acting through the Federal Risk and Authorization Management Program (FedRAMP) within the General Services Administration, to develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts.
Establishment of baseline software security standards
The EO also establishes baseline security standards for the development of software sold to the government. In addition to these standards, the EO will require software developers that sell to the government to maintain greater visibility into their software and making security data publicly available. The Secretary of Commerce working through the NIST is charged with establishing these security standards and will lead this effort. The resulting standards and guidelines will be published by the NIST and eventually be incorporated into the FAR, which will make them binding upon businesses that sell software to the government.3
Creation of the Cybersecurity Safety Review Board
The EO also stablishes a Cybersecurity Safety Review Board (the Board), which will be co-chaired by government and private sector leads. On the federal government side, the Board will be composed of representatives of the Department of Defense, the Department of Justice, CISA, the NSA, and the FBI. On the private sector side, the Board will be composed of representatives from private-sector cybersecurity or software suppliers as determined by the Secretary of Homeland Security. The Secretary of Homeland Security may invite the participation of others on a case-by-case basis depending on the nature of the incident under review. The purpose of this Board will be to convene following a significant cyber incident to analyze what happened and make concrete recommendations for improving cybersecurity.
Creation of a standard playbook for responding to cyber incidents
The EO creates a standardized playbook and a set of definitions for cyber incident response by federal departments and agencies. This playbook will incorporate all appropriate NIST standards, will be used by all federal civilian executive branch agencies, and will detail appropriate progress and completion through all phases of an agency’s response to a cyber incident. The playbook is expected to be drafted in a manner that will allow agencies flexibility so that it may be used by different federal agencies in support of various response activities. Once this playbook is issued, the director of OMB shall issue guidance on agency use of the playbook. The playbook will also provide the private sector with a template for its response efforts, thereby standardizing incident response best practices across the public and private sectors.
Improve detection of cybersecurity incidents on federal government networks
The EO requires the utilization of appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on federal government networks. The intent of the EO in this regard is to enhance the government’s visibility into and detection of cybersecurity vulnerabilities and threats to agency networks. The EO directs the federal civilian executive branch agencies to deploy an endpoint detection and response (EDR) initiative to support (1) proactive detection of cybersecurity incidents within the federal infrastructure, (2) active cyber hunting, containment, and remediation, and (3) incident response.
Inapplicability to national security systems
The EO is notably focused on civilian agencies, but it requires the Secretary of Defense acting through the National Manager, in coordination with the director of National Intelligence to adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order that are otherwise not applicable to National Security Systems. This must be done within 60 days of the issuance of the EO. These requirements will be documented in a National Security Memorandum (NSM). The EO specifically provides that until that NSM is issued, all programs, standards, or requirements established pursuant to the EO are inapplicable to National Security Systems.
Federal contractors and subcontractors that provide IT to the government will be impacted by the number of FAR changes that will fundamentally change the way federal agencies acquire IT supplies, solutions, and services. Contractors and service providers, including those who provide commercial off-the-shelf software products and services, are urged to monitor proposed regulations and other requirements carefully to remain informed as the EO is implemented through agency action and regulation promulgation. It will be critical to understand the way the government implements the EO’s mandates, particularly considering how broadly IT service providers and software are defined by the forthcoming regulations. The timeline for implementation appears to be ambitiously short, so contractors should provide comments to the proposed changes to the FAR as they are published and ensure that any concerns about complying with the new requirements are presented to those tasked with implementing this EO. The authors of this alert will continue to monitor developments related to this EO and will provide related updates that impact federal contractors.
- The agencies specifically listed in the EO include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC). The Biden administration has stated repeatedly that these agencies must play a key role in the defense of U.S. IT and cyber assets and technology.
- Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. A zero trust architecture (ZTA) uses zero trust principles to plan industrial and enterprise infrastructure and workflows. Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (that is, local area networks versus the Internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. Zero trust is a response to enterprise network trends that include remote users, bring-your-own-device (BYOD), and cloud-based assets that are not located within an enterprise-owned network boundary. Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.) – not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.
- To accomplish this, “the Secretary of Commerce acting through the director of NIST shall solicit input from the federal government, private sector, academia, and other appropriate actors to identify existing or develop new standards, tools, and best practices for complying with the standards, procedures, or criteria in [Sec. 4, subsection (e) of the EO].” The guidelines shall include criteria that can be used to evaluate software security, include criteria to evaluate the security practices of the developers and suppliers themselves, and identify innovative tools or methods to demonstrate conformance with secure practices.