In the wake of persistent and increasingly sophisticated malicious cyber attacks, President Biden issued an "Executive Order on Improving the Nation's Cybersecurity" (the "Executive Order") aimed at strengthening cybersecurity in the public and private sectors. As part of this effort, the Executive Order sets forth a framework and specific guidelines for updating and standardizing cybersecurity requirements and procedures relevant to Federal Government contractors. This summary focuses on those directives.
The Executive Order establishes three parallel tracks designed to strengthen and standardize cybersecurity requirements in connection with Federal Government contracts.
Sharing Cyber Threat Information and Collaborating with Response Agencies
The first track relates to contracts involving systems that process data (information technology or "IT") and systems that run the "vital machinery that ensures our safety" (operational technology or "OT"). The Executive Order requires designated government agencies to recommend updates to the Federal Acquisition Regulation ("FAR") and Defense Federal Acquisition Regulation Supplement ("DFARS") regarding IT and OT contracts. These updates should be designed to ensure that IT and OT contractors collect and preserve data relevant to cybersecurity event prevention, detection, response, and investigation; share this data with their government customers and other agencies involved in cybersecurity; and collaborate with Federal cybersecurity or investigative agencies. The timeline established in the Executive Order requires the Federal Acquisition Regulatory Council ("FAR Council") to publish proposed FAR updates related to these areas by October 2021. It further requires the government, by September 2021, to establish procedures that require IT and OT contractors to share data with cybersecurity investigation and response agencies, such as the Cybersecurity and Infrastructure Security Agency ("CISA") and the Federal Bureau of Investigation ("FBI").
Mandatory Cyber Incident Reporting for Information Communications Technology Contractors
The second track requires the establishment of a new mandatory reporting obligation for information communications technology ("ICT") contractors. Pursuant to this new requirement, ICT contractors must "promptly report" to their customer agencies "when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies." Depending on the relevant customer agency, the ICT contractor will also need to file a report with CISA (for civilian agencies) or with a yet-to-be-determined recipient for "National Security Systems" (mostly relevant to classified work and to work for Defense or Intelligence Community agencies). While the details of this new reporting requirement are yet to be established, the Executive Order notes that the time period for reporting "the most severe cyber incidents" cannot "exceed 3 days after initial detection." Under the timeline established by the Executive Order, the FAR Council must propose updates by October 2021.
Standardization of Cybersecurity Contract Language
The third track relates to Federal Government contracts concerning "unclassified system contracts." The Executive Order calls for designated agencies to develop recommendations on cybersecurity requirements for these contracts, designed to standardize common requirements in order to "streamline and improve compliance for vendors and the Federal Government." The Executive Order calls for the FAR Council to propose updates to the FAR on this topic by September 2021.
Additional Cybersecurity Initiatives
The Executive Order describes additional cybersecurity reforms, including:
- Setting out a plan to enhance the security and integrity of the software supply chain;
- Directing government agencies to adopt security best practices, advance toward Zero Trust Architecture, accelerate movement to secure cloud services, and invest in both technology and personnel to match these modernization goals;
- Instructing the Department of Homeland Security to establish a Cyber Safety Review Board; and
- Calling for improving the detection of cybersecurity vulnerabilities and incidents on federal government networks, and standardizing and improving the federal government's response to them.
Jones Day will continue to monitor the changing landscape and provide updates.