On May 12, 2021, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity following a series of highly publicized cybersecurity incidents during the first four months of his presidency, including the Colonial Pipeline attack, which revealed vulnerabilities within the nation’s infrastructure and information systems. While this is not the first executive order issued to enhance the nation’s cyber defenses, it is the executive order most likely to have an impact and result in a change in light of the White House’s statement that “[r]ecent cybersecurity incidents . . . are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals . . . [as well as] insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents.”
This should serve as a wake-up call to everyone to review their security protocols and test their systems to ensure they are appropriately secured. This Executive Order establishes standards and requirements for information systems used or operated by federal agencies, their contractors, and other organizations working on behalf of a federal agency, including upgrading cyber defenses; enhancements to logging critical information related to an incident; establishing a straightforward, consistent, and universal methodology for responding to incidents; and establishing and requiring affected entities to share information safely and securely following an incident. The Executive Order aims to strengthen the United States’ cybersecurity defenses by:
- Removing Barriers to Threat Information Sharing Between the Federal Government and the Private Sector: The Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language will be updated to remove contractual impediments to information sharing about cybersecurity incidents. These updated contractual provisions will establish time periods within which contractors must report cyber incidents to the appropriate federal agencies, with a three-day deadline for the most severe incidents.
- Modernizing and Implementing Stronger Cybersecurity Standards in the Federal Government: Federal agencies must update their existing agency plans to prioritize a move to secure cloud services and a zero-trust architecture. Zero-trust is a security concept wherein organizations do not automatically trust anything, whether inside or outside the organization. Instead, they must verify every device trying to connect to their environment before granting access. The Executive Order also mandates the implementation and deployment of multifactor authentication and encryption at rest and in transit within 180 days of the Executive Order’s issuance.
- Improving Software Supply Chain Security: The National Institute of Standards and Technology (NIST) will develop and issue guidance establishing strict baseline security standards for software sold to the government, including a requirement to make software security data publicly available. Failure to comply with these standards could result in the supplier being blacklisted. The Executive Order also creates a pilot program and seeks to develop an “energy star” type of label that will allow buyers to quickly and easily determine whether the software was developed in compliance with the requirements.
- Establishing a Cybersecurity Safety Review Board: The Executive Order establishes a Cybersecurity Safety Review Board, composed of representatives from the Department of Defense, Department of Justice, Cybersecurity & Infrastructure Security Agency, National Security Agency, and Federal Bureau of Investigation, as well as selected private-sector cybersecurity or software suppliers. Modeled after the National Transportation Safety Board, the Cybersecurity Safety Review Board will convene after a “significant cyber incident” and provide the Secretary of Homeland Security with recommendations for improving cybersecurity and incident response practices. The Board will also be charged with the development of a standardized approach or “playbook” for incident response by governmental agencies. This Board will be first deployed to investigate the SolarWinds attack.
- Creating a Standard Playbook for Responding to Cyber Incidents: The Executive Order recognizes the need to standardize cybersecurity incident and vulnerability response efforts across federal departments and agencies. By creating a playbook that establishes a set of definitions and uniform steps for identifying and mitigating a threat, the Executive Order ensures all federal agencies meet a certain preparedness threshold. The playbook will also serve as a guide for the private sector when responding to cyber incidents.
- Improving Detection of Cybersecurity Incidents on Federal Government Networks: A government-wide endpoint detection and response (EDR) system will be deployed across federal networks. This will be coupled with improved intra-governmental information sharing capabilities to vastly improve the ability to detect malicious cyber activity on federal networks.
- Improving Investigative and Remediation Capabilities: Federal agencies will be required to generate and retain robust and consistent cybersecurity event logs according to detailed requirements, to be published within 90 days of this Executive Order. The requirements will also establish policies for log management to ensure centralized access and to permit sharing of log information with other federal agencies when needed and appropriate. This will help with intrusion attempt detection, mitigation of in-progress intrusions, post-event forensic analysis, and minimization of potential cyber risks.
While this Executive Order does not introduce anything new that has not been discussed or known for years, implementing the steps outlined in the Executive Order will be critical in light of the recent increase in cybersecurity attacks. While additional regulations will still need to be drafted, the Executive Order establishes a baseline of cybersecurity best practices that all companies should consider.