In the wake of several recent major cyberattacks, President Biden issued a sweeping Executive Order on Improving the Nation’s Cybersecurity (“Order”) on May 12, 2012. The Order reflects the Administration’s policy of “prevention, detection, assessment and remediation of cyber incidents as a top priority and essential to the national and economic security.” President Biden issued the Order following a series of recent cyberattacks on Federal Government and private company networks, including the Colonial Pipeline and the SolarWinds incidents.

​The Order aims to improve the nation’s cybersecurity and protect Federal Government networks against malicious attacks by partnering with the private sector so that the nation may better adapt to a continuously changing cybersecurity threat environment.

The Executive Order’s Eight Initiatives

The Order announces eight key initiatives to improve the nation’s cybersecurity and better protect Federal Government networks:

1. Remove Barriers to Threat Information Sharing Between Government and Private Sector

The Order seeks to remove barriers to threat information sharing between the Government and the private sector by updating Federal information technology and operational technology service contract terms. The Order calls for a review of procurement contract clauses in the Federal Acquisition Regulation (“FAR”) and agency supplements thereto to ensure that contractors collect, preserve and share information related to cyber threats and incidents. It also establishes a Federal Government policy requiring information and communications technology service providers to promptly report the discovery of cyber incidents. The Administration has stated that it expects that the revised contract terms will spur the private sector to share similar information more broadly.

2. Modernize and Implement Stronger Cybersecurity Standards in the Federal Government

Recognizing that the cyber threat environment is “dynamic and increasingly sophisticated,” the Order directs Federal agencies to take decisive steps to modernize their cybersecurity approach, including: (i) adopting security best practices; (ii) advancing toward Zero Trust Architecture; (iii) accelerating movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS); (iv) centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and (v) investing in both technology and personnel to match these modernization goals.

3. Enhance Software Supply Chain Security

The Order recognizes that security of supply chain software is vital to the Federal Government’s ability to perform its critical functions. The Order directs Federal Civilian Executive Branch Agencies to take action to rapidly improve the security and integrity of the software supply chain by developing and implementing standards to achieve this goal. It is likely that the standards ultimately will impact not only Government contractors but also commercial companies.

4. Establish a Cybersecurity Safety Review Board

The Order establishes a Cyber Safety Review Board comprised of Federal officials and representatives from private sector entities which will review and assess threat activity, vulnerabilities, mitigation activities and agency responses related to significant cyber. (This Board is modeled after the National Transportation Safety Board, which investigates airplane crashes and other transportation incidents.)

5.  Standardize the Federal Government Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

Federal agencies have different approaches to respond to cybersecurity and vulnerabilities and incidents. The Order directs Federal Civilian agencies to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity.” The playbook will (i) incorporate appropriate National Institute of Standards and Technology (NIST) standards; (ii) be used by all Federal agencies; and (iii) articulate progress and completion through all phases of an incident response, while allowing flexibility so it may be used in support of various response activities. The Administration intends that the playbook may also be used by the private sector in connection with its cybersecurity responses.

6.  Improve Detection of Cyber Incidents on Federal Government Networks

The Order aims at improving the detection of malicious cyber activity on Federal Civilian networks by enabling a Government-wide endpoint detection and response system and improved information sharing within the Federal Government.

7.  Improve Investigative and Remediation Capabilities

The Order directs “agencies to establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest level security operations center for each agency.” The Order further directs the Federal Acquisition Regulation (“FAR”) Council to consider these requirements when promulgating procurement regulations. It is likely that these recommendations will result in new contractor and supply chain requirements.

8.  Adopt National Security Systems

Finally, the Order directs the Secretary of Defense to adopt National Security Systems requirements equivalent to or that exceed the requirements in the Order. Briefly, a National Security System is any system used by or on behalf of an agency (such as by a contractor or other third party) that involves: intelligence activities; cryptologic activities related to national security; command and control of military forces; equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions.

Key Take-Aways for Federal Contractors and Other Private Companies

The Order establishes an aggressive timetable, with deadlines ranging from 45 to 120 days for agencies to begin implementation of many key requirements. While the full extent of the impact of the Order will become clearer in the coming months as the Government promulgates implementing regulations, nevertheless, it is already evident that:

• The Order’s requirements will impact companies that do business with the Government as prime contractors, subcontractors or suppliers;
• The impact of the Order will extend far beyond the Government contractor channel because the processes, procedures and standards created to comply with the Order will influence industry best practices and a company’s failure to employ these practices could impact whether it exercised “reasonable care” in safeguarding its network and data: and
• While many of the Order’s requirements may have been adopted by large companies, implementation by the Federal Government likely will result in the adoption of these same practices by smaller companies.

In light of this Order, Federal contractors and other private companies should assess their technical, administrative, and physical measures to protect the confidentiality, availability, and integrity of their systems and data. And as Federal agencies work to implement the Order, companies should monitor and respond to changes in regulations, standards, and guidance. As the Order states, “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” The private sector’s ability to be a good partner with the Federal Government is sure to be tested in the coming months.