President Biden’s Cybersecurity Executive Order

Morgan Lewis - Tech & Sourcing

As many of our readers are aware, President Joseph Biden issued an executive order on May 12, 2021, to improve the nation’s cybersecurity. While much of the executive order focuses on strengthening the federal government’s networks against cybersecurity threats, it also states that “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” The Biden-Harris administration hopes that the private sector will follow the federal government’s example. Among the improvements listed in the executive order are:

Enhancing Software Supply Chain Security

The executive order requires the federal government to issue guidance identifying practices that enhance the security of the software supply chain. The guidance must address secure software development environments, including the following actions:

  1. Using administratively separate build environments
  2. Auditing trust relationships (as further defined in the executive order)
  3. Establishing multifactor, risk-based authentication and conditional access across the enterprise
  4. Documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build, and edit software
  5. Employing encryption for data
  6. Monitoring operations and alerts and responding to attempted and actual cyber incidents

The guidance must also address:

  1. Creating and providing artifacts that demonstrate use of a secure development environment
  2. Using automated tools to maintain trusted source code supply chains and to check for known and potential vulnerabilities, and remediating such vulnerabilities prior to product release
  3. Publishing a summary of the risks that were discovered and remediated
  4. Maintaining accurate and up-to-date data, provenance of software code and components, and controls on internal and third-party software code or components, and regularly auditing these controls
  5. Providing purchasers with a Software Bill of Materials (which is defined in the executive order) for each product, either directly or on a website
  6. Participating in a vulnerability disclosure program
  7. Attesting to secure software development practices
  8. Attesting to the integrity and provenance of open source software used within any product

Further, the executive order calls for the creation of pilot programs for consumer software labels addressing IoT (Internet of Things) cybersecurity criteria and secure software development practices. The criteria must reflect increasingly comprehensive levels of testing and assessment. The federal government should also consider ways to incentivize manufacturers and developers to participate in the programs.

Establishing a Cyber Safety Review Board

The executive order also calls for the creation of a Cyber Safety Review Board to review and assess significant cyber incidents (as defined under Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination) (PPD-41)). The board will be modeled on the National Transportation Safety Board, which investigates transportation accidents. The board’s membership will consist of both federal officials and representatives from the private sector. The board’s purpose will be to analyze significant cyber incidents and provide recommendations for improving cybersecurity.

We encourage our readers to read the executive order for details on the initiatives summarized in this post, as well as the other initiatives proposed by the Biden-Harris administration. The Biden-Harris administration also published a fact sheet summarizing the executive order.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis - Tech & Sourcing | Attorney Advertising
