President Biden Announces Sweeping New Cybersecurity Reforms

Pillsbury Winthrop Shaw Pittman LLP

The President’s new Executive Order on Improving the Nation’s Cybersecurity includes wide-ranging measures intended to strengthen security standards for the federal government and federal government contractors in response to the recent and increasingly prevalent cyber and ransomware incidents.

TAKEAWAYS

  • On May 12, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity, proposing broad changes aimed at modernizing the federal government’s cybersecurity.
  • The Order includes a push for more widespread adoption of Zero Trust Architecture, Endpoint Detection and Response, and data encryption and multi-factor authentication measures.
  • The Order also directs the development of new cybersecurity requirements for critical software, mandating the removal of legacy software if not updated to comply.

On May 12, 2021, in the wake of the SolarWinds cyberattack and the Colonial Pipeline ransomware incident, President Joe Biden issued the long-awaited “Executive Order on Improving the Nation’s Cybersecurity,” outlining significant changes in cybersecurity requirements for federal government contractors. The Order proposes improving software supply chain security, establishing a Cybersecurity Safety Review Board, creating a consumer labeling program, implementing Zero Trust Architecture and multi-factor authentication, and requiring providers to share breach information that could impact government networks, among other items. Included below is more in-depth information on those components of the Order most relevant to our clients:

Removal of Barriers to Sharing Threat Information

To remove current barriers to information sharing, the Director of the Office of Management and Budget (OMB) will work with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence to review and make recommendations on revising the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). To learn how President Biden’s Executive Order directs sweeping changes to cybersecurity requirements in federal government contracts and calls for the government to “bear the full scope of its authorities and resources,” please view our Government Contracts cybersecurity alert here.

Zero-Trust Architecture

One of the most prominent measures included in the Order is the directive to implement a “Zero Trust Architecture” (ZTA) throughout the federal government. The Order defines a ZTA as a system for “eliminat[ing] implicit trust in any one element, node, or service and instead requir[ing] continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses.” It limits access and lateral movement, looks for anomalous or malicious activity, and “embeds comprehensive security monitoring; granular risk-based access controls; and system security automation in a coordinated manner throughout all aspects of the infrastructure in order to focus on protecting data in real-time within a dynamic threat environment.” While the Order endorses ZTA, it does not specify what a baseline ZTA looks like.

The Order requires the head of each agency to develop a plan to implement ZTA. Each plan must incorporate migration steps already outlined by the National Institute of Standards and Technology (NIST) and should include any steps already completed and activities that will have the most immediate security impact, along with a schedule to implement them.

The Order also includes a requirement that agencies migrating to cloud technology adopt ZTA specific to that technology. To facilitate this transition, the Cybersecurity and Infrastructure Security Agency (CISA) will modernize its current cybersecurity programs, services, and capabilities so that they are compatible with cloud-computing environments built on ZTA, and CISA will work with the Secretary of Homeland Security and the Administrator of General Services, through the FedRAMP program, to develop guidance on security principles governing Cloud Service Providers.

Data Encryption and Multi-Factor Authentication

Another measure intended to improve cloud-service cybersecurity is a requirement that agencies adopt multi-factor authentication and encryption for data at rest and in transit. Heads of Federal Civilian Executive Branch (FCEB) agencies will begin reporting progress in adopting these security measures 60 days after the order and will continue with those reports until the encryption and authentication measures have been fully adopted. CISA has been charged with taking “all appropriate steps” to facilitate adoption of technologies and processes to be used in implementing these measures.

Protections for Critical Software in the Supply Chain

The Order emphasizes the importance of protecting “critical software.” Critical software is generally defined as “software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources),” but it is currently unclear exactly what the term will cover. A more specific definition will be developed by NIST in consultation with the National Security Agency (NSA), CISA, the Office of Management and Budget (OMB), and the Office of the Director of National Intelligence. CISA and NIST will then use that definition to compile a list of software for use by agencies. The two agencies will publish guidelines for critical software that apply least privilege, network segmentation, and proper configuration practices.

Within a year after the order, the Secretary of Homeland Security, in consultation with other department heads, will recommend contract language to the FAR council that would require companies supplying software to the government to comply with these new cybersecurity requirements. The FAR Council will then review those recommendations and amend the FAR. Any software products in the supply chain that do not meet the requirements will be removed—legacy software will not be exempt from the more stringent requirements.

NIST will solicit input from the federal government, private sector, and academia in developing new standards, tools and best practices for complying with new software supply chain security requirements and standards.

Improvements to Detection of Cybersecurity Vulnerabilities and Incidents

The Order includes a section devoted to improving detection of cybersecurity vulnerabilities and incidents on federal government networks, stating that the government will “employ all appropriate resources and authorities” to meet that goal. The Order states that FCEB agencies will deploy an Endpoint Detection and Response (EDR) initiative, which will comply with requirements developed by CISA. Resources will be provided to agencies to enable EDR implementation. This section also requires that agencies establish or update Memoranda of Agreement with CISA for the Continuous Diagnostics and Mitigation (CDM) program to ensure that object-level data are accessible to CISA.

Within 45 days of the order, the Director of the NSA will recommend actions for improving detection of cyber incidents affecting National Security Systems, including recommendations concerning EDR approaches and whether these measures should be operated by agencies or through a centralized service.

Cybersecurity Safety Review Board

The Order establishes a Cybersecurity Safety Review Board (CSRB), to be made up of federal officials as well as representatives from private-sector cybersecurity or software suppliers. The CSRB will review and assess “significant cyber incidents” affecting FCEB Information Systems or non-federal systems, threat activity, vulnerabilities, mitigation activities and agency responses.

The Board’s initial review will relate to the cyber incidents that occurred at the end of 2020, after which the Board will make recommendations on improving cybersecurity and incident response practices as well as on decisions relevant to the makeup and operation of the Board.

Modernization of FedRAMP

One of the steps toward modernizing FedRAMP included in the order is the incorporation of automation throughout the FedRAMP lifecycle, which includes assessment, authorization, continuous monitoring, and compliance. The modernization process will also involve identifying relevant compliance frameworks and allowing them to be used as a substitute for applicable sections of the FedRAMP process, when appropriate.

DEADLINES

Removing Barriers to Sharing Threat Information

  • Within 60 days of the order, OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence, shall review the FAR and DFARS and make recommended changes to contract language regarding cybersecurity.
  • Other recommendations related to contract language, regarding reporting requirements, shall be made by the Secretary of Homeland Security in consultation with the Director of the NSA, the Attorney General, and the Director of OMB within 45 days of the order.
  • Within 60 days of the order, the Director of CISA, in consultation with the Director of the NSA, the Director of OMB, and the Administrator of General Services, shall review current agency-specific cybersecurity requirements and recommend standardized contract language to the FAR Council.
  • Within 60 or 90 days of the receipt of the recommendations, depending on the type of recommendation, the FAR Council will review and publish proposed updates.
  • Within 120 days of the order, the Secretary of Homeland Security and the Director of OMB shall take appropriate steps to ensure that service providers share data with relevant agencies, the Central Intelligence Agency and the Federal Bureau of Investigation when appropriate.
  • Within 90 days of the order, the Director of the NSA, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence shall jointly develop procedures for ensuring that cyber incident reports are promptly and appropriately shared.

Modernizing Federal Government Cybersecurity

  • Within 60 days of the order, the head of each agency shall 1) update existing agency plans to prioritize resources for the adoption and use of cloud technology; 2) develop a plan to implement ZTA; and 3) provide reports on those plans to OMB and the Assistant to the President and National Security Advisor.
  • Within 90 days of the order, OMB, CISA, and FedRAMP shall develop and provide guidance on a Federal cloud-security strategy.
  • Within 90 days of the order, OMB, CISA, and FedRAMP shall issue cloud-security technical reference architecture documentation for the FCEB.
  • Within 60 days of the order, CISA shall develop and issue a cloud-services governance framework for FCEB agencies.
  • Within 90 days of the order, the heads of FCEB agencies will work with CISA to evaluate their unclassified data and provide a report on it to CISA and OMB.
  • Within 180 days of the order, agencies shall adopt multi-factor authentication and encryption for data at rest and in transit. Heads of FCEB agencies must provide progress reports every 60 days until they meet this goal.
  • Within 90 days of the order, the Director of CISA, in consultation with the Attorney General, the Director of FBI, and FedRAMP shall establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology.
  • Within 60 days of the order, the Administrator of General Services must begin FedRAMP modernization.

Enhancing Software Supply Chain Security

  • Within 30 days of the date of the order, NIST will solicit input to identify or develop new standards, tools and best practices. NIST will publish preliminary guidelines within 180 days of the order and will publish additional guidelines within 360 days of the order.
  • Within 90 days of the publication of preliminary guidelines, NIST will issue guidance on enhancing the security of the software supply chain.
  • Within 60 days of the order, the Secretary of Commerce, in coordination with the Assistant Secretary for Communications and the Administrator of the National Telecommunications and Information Administration, shall publish minimum elements for a Software Bill of Materials.
  • Within 45 days of the order, NIST will work with the Director of NSA, the Director of CISA, the Director of OMB, and the Director of National Intelligence to publish a definition of “critical software.”
  • Within 30 days of the publication of that definition, CISA and NIST will identify and provide to agencies a list of categories of software and software products that meet the definition.
  • Within 60 days of the order, NIST and CISA will publish guidance outlining security measures for critical software.
  • Within 30 days of the issuance of that guidance, OMB shall take appropriate steps to require that agencies comply.
  • Within one year of the order, the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Attorney General and OMB will recommend contract language to the FAR Council requiring that suppliers of software comply with the requirements, and the Council will then review and amend the FAR.
  • Within 60 days of the order, NIST and the NSA will publish guidelines recommending minimum standards for vendors’ testing of their software source code.
  • Within 270 days of the order, NIST and the FTC shall identify criteria for a consumer labeling program.
  • Within one year of the order, NIST will conduct a review of consumer labeling program pilots.
  • Within one year of this order, the Secretary of Commerce shall provide the President a report that reviews progress made under this section and outlines additional steps needed to secure the software supply chain.

Establishing a Cyber Safety Review Board

  • Within 90 days of its establishment, the newly established Board shall provide recommendations to the Secretary of Homeland Security for improving cybersecurity and incident response practices.
  • Within 30 days of the Board’s initial review, the Secretary of Homeland Security shall provide to the Assistant to the President and National Security Advisor recommendations of the Board based on that initial review.

Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents

  • Within 120 days of the order, CISA will work with other agencies and departments to develop a standard set of operational procedures to be used in planning and conducting a cybersecurity vulnerability and incident response activity for FCEB Information Systems.

Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks

  • Within 30 days of the order, the Director of CISA will provide OMB with recommendations on options for implementing EDR.
  • Within 90 days of receiving those recommendations, the Director of OMB, in consultation with the Secretary of Homeland Security, will issue requirements for FCEB agencies to adopt EDR approaches.
  • Within 75 days of the order, agencies shall establish or update their MOAs with CISA for the CDM Program.
  • Within 45 days of the order, the NSA shall recommend appropriate actions for improving detection of cyber incidents affecting National Security Systems.
  • Within 90 days of the order, the Secretary of Defense, the Director of National Intelligence, and the Committee on National Security Systems (CNSS) shall review the recommendations and establish policies.
  • Within 90 days of the order, CISA will provide a report on how authorities granted to conduct threat-hunting activities on FCEB networks without prior authorization are being implemented. CISA will also provide quarterly reports on this subject.
  • Within 60 days of the order, the Secretaries of Defense and Homeland Security shall establish procedures for sharing Incident Response Orders or Emergency Directives and Binding Operational Directives.

Improving the Federal Government’s Investigative and Remediation Capabilities

  • Within 14 days of the order, the Secretary of Homeland Security will provide recommendations on requirements for logging events and retaining relevant data.
  • Within 90 days of receiving those recommendations, the Director of OMB, in consultation with the Secretaries of Commerce and Homeland Security, shall formulate policies.

National Security Systems

  • Within 60 days of the order, the Secretary of Defense, in coordination with the Director of National Intelligence and the CNSS, shall adopt National Security Systems requirements that are equivalent to or exceed the other cybersecurity requirements of the order.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising