On May 12, 2021, President Biden issued Executive Order No. 14028, entitled “Improving the Nation’s Cybersecurity”, setting out new and enhanced cybersecurity standards for federal government agencies and the commercial software products utilized by them. The Biden administration’s order comes in the wake of increasingly damaging and sophisticated cyber-attacks on American companies and infrastructure, most notably the recent Colonial Pipeline ransomware attack, which temporarily shuttered the nation’s largest fuel pipeline, creating gasoline shortages and inducing panic-buying at gas stations throughout the southeastern United States. Recognizing the gravity of the cybersecurity threat, President Biden’s order calls for “bold changes and significant investments in [cybersecurity in] order to defend the vital institutions that underpin the American way of life[,]” and identifies “the prevention, detection, assessment, and remediation of cyber incidents [a]s a top priority and essential to national and economic security[.]” The executive order has two main areas of focus: bolstering and harmonizing cybersecurity standards across the federal government, and calling for the creation of new, stricter cybersecurity requirements for commercial software products utilized by federal government agencies.
Commercial software vendors providing services to the federal government may find their contracts under a larger magnifying glass following the new executive order, particularly with respect to their obligations in the event of security incidents and threats, as well as with regard to the granular details of the vendor’s cybersecurity protections. Under the new executive order, such government software vendors will be obligated to implement standard procedures for notifying and cooperating with the federal government in the event of actual or potential security incidents, as well as promptly reporting “cyber threats” (a term that the order does not define) to the contracting agency. Moreover, the executive order directs the Director of the National Institute of Standards and Technology (“NIST”) to issue new guidance, including new standards, procedures, or criteria, designed to enhance the overall security of the federal government’s commercial software supply chain, with such guidance specifically addressing granular areas of cybersecurity concern, including the use of encryption, testing and employing automation to maintain trusted source code, and participation in a vulnerability disclosure program. The NIST Director is further tasked with creating even more stringent guidance for “critical software” utilized by the federal government (as well as creating a uniform definition of what constitutes such “critical software”).
While the executive order will only require software vendors to “attest to” compliance with these new requirements, federal agencies are directed to “remove” products failing to meet these requirements from federal supply schedules and contracts. Such removal could significantly hamper a commercial software vendor’s ability to sell their product in the wider private marketplace, as many companies may be unwilling to utilize software that is insufficiently secure to satisfy federal government standards. Needless to say, software vendors of all stripes, whether current federal government contractors or otherwise, will want to pay very close attention to these forthcoming new NIST standards.
With regard to the federal government itself, while cybersecurity requirements have historically varied on an agency-by-agency basis, under the new executive order, all federal government agencies will be required to implement new, consistent cybersecurity standards, and specifically required to adopt Zero Trust Architecture as well as multifactor authentication (“MFA”) and encryption of data at rest and in transit. While the use of MFA and encryption of data in transit and at rest are well known and widely adopted cybersecurity best practices, Zero Trust Architecture has only recently begun to move into the mainstream. The executive order defines Zero Trust Architecture (“ZTA”) as “a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.” Based on the existence and recognition of such threats, ZTA “eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.”
On a related note, the executive order directs agencies to apply the principle of “least privilege” access, whereby a user is only given the minimum level of access credentials that is necessary for the user to perform his or her job duties. ZTA goes a step further than simply “least privilege”, however, and assumes that “a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.” As more fully described in a 2018 publication by NIST in collaboration with the National Cybersecurity Center of Excellence (NCCoE), ZTA is predicated upon (i) continually authenticating and authorizing the identity and security posture of each access request, and (ii) continuously monitoring and validating that users and devices have the correct privileges, and are exhibiting their expected behaviors and attributes. However, the real-world application of ZTA often varies on an organization-by-organization basis, and depends on a multitude of factors, including the complexity of the organization’s network, the volume of users, and the frequency of external network access. Accordingly, it remains to be seen exactly how federal government agencies will operationalize the executive order’s mandate to employ ZTA.
Overall, the Biden administration observes that the “trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.” Although it remains to be seen whether the requirements of this executive order will be sufficient to bolster the country’s digital infrastructure and avoid harmful consequences such as the recent effects of the Colonial Pipeline attack, it is clear that the Biden administration has recognized the significance of the cybersecurity events threatening the United States, both from a national security and an economic perspective. We will continue to monitor and report on developments across the federal government with respect to implementation of the new rules and requirements resulting from this new executive order.