On May 12, 2021, President Joe Biden issued a comprehensive Executive Order (EO) on Improving the Nation's Cybersecurity that promises sweeping changes in federal contracts for information technology (IT), cloud services and operational technology. The EO was issued in response to the growing cybersecurity threat and in the wake of the late 2020 SolarWinds Orion security breach that impacted numerous U.S. government agencies, business customers and consulting firms.
The EO will likely result in major reform over the next year of cybersecurity-related requirements in federal contracts. Eschewing incremental improvements, the EO seeks to make "bold changes and significant investments" to protect and secure government computer systems, whether they are cloud-based, on-premises or hybrid. Contractors can expect new contract clauses during the next six to 12 months regarding their obligations to prevent, detect and report information regarding cyber incidents.
In addition, the EO directs the establishment of new standards for "critical software" and mandates the removal of legacy software from federal contracts. Because the EO has not yet been committed to regulation, it is unknown how broad its scope will be, but contractors and service providers (including commercial off-the-shelf (COTS) software providers) should monitor proposed regulations and other requirements carefully. Central to that will be how the government defines IT service providers and software covered by this EO and subsequent regulations.
Parts of the EO that impact federal contracts include Section 2, "Removing Barriers to Sharing Threat Information," and Section 4, "Enhancing Software Supply Chain Security." However, these changes must be viewed in the context of policy changes in IT requirements and centralization of investigations of cyber incidents. The EO directs agencies to adopt security best practices (such as multifactor authentication and encryption of data at rest and in transit), adopt "Zero Trust Architecture," and accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). It also seeks to centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks, and to invest in both technology and personnel to match these modernization goals.
The EO establishes a Cyber Safety Review Board (in Section 5) to review and assess significant cyber incidents befalling civilian agencies and seeks to standardize the cybersecurity vulnerability and response procedures across all agencies to ensure a centralized cataloging of incidents and tracking of agencies' responses. Once established, the EO requires the Cyber Safety Review Board to make recommendations within 90 days aimed at improving cybersecurity and incident response practices.
For civilian agencies, Section 7 of the EO requires deployment of an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response.
The EO recognizes that contractors are central to implementing many of these broader policies and that this will require changes in requirements, terms and conditions to federal contracts. The EO notes that the government "contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems" and that these contractors "have unique access to and insight into cyber threat and incident information on Federal Information Systems." The EO highlights that "current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies (agencies) that are responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC)." The EO directs the Federal Acquisition Regulatory (FAR) Council to issue new rulemaking to "remov[e] these contractual barriers and increas[e] the sharing of information about such threats, incidents, and risks." The policy is that these contractual changes will accelerate "incident deterrence, prevention, and response efforts" and enable "more effective defense of agencies' systems and of information collected, processed, and maintained by or for the Federal Government."
The EO also directs the U.S. Department of Homeland Security (DHS) to recommend within 14 days the types of information that system logs on Federal Information Systems should capture. This analysis also will be forwarded to the FAR Council for possible rulemaking. Following such additional rulemaking, contractors that help maintain Federal Information Systems may have to capture log information they are not currently tracking.
The EO directs the Office of Management and Budget (OMB) to review current FAR and Defense Federal Acquisition Regulation Supplement (DFARS) provisions and provide recommended updates to the FAR Council, including which contracts and contractors should be covered by the proposed language. The EO provides parameters for the OMB's recommended contract language and requirements. Specifically, the proposed revisions must ensure that:
Furthermore, the EO establishes as federal policy that "information and communications technology (ICT) service providers entering into contracts with agencies must 'promptly report' to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies." To implement this policy, the EO directs the Secretary of Homeland Security to recommend to the FAR Council contract language that identifies:
This can potentially require contractors that use software in performance of a government contract to monitor security incidents related to that software (even if it is unrelated to the contract) and make an applicable report to CISA.
The EO also notes that current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations and initiates a process to establish common cybersecurity contractual requirements across agencies. To this end, the Secretary of Homeland Security, in consultation with other agencies, will review agency-specific cybersecurity requirements that currently exist and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. Following the adoption of a standardized FAR clause, agencies will then be required to amend their specific agency regulations to remove duplicative language.
In an apparent response to the SolarWinds incident, the EO includes measures to enhance software supply chain security. Citing the vulnerability that was exploited by foreign operatives in software provided by SolarWinds, the EO observes that "the development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." The EO states that "the security and integrity of 'critical software' – software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) – is a particular concern." The EO directs the Director of NIST, in consultation with other agency heads, to issue guidelines to enhance the security of the software supply chain, which will include standards, procedures or criteria for "critical software," including:
The forthcoming definition of the term "critical software" will "reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised." The NIST Director will subsequently issue a list of categories of software and software products in use or in the acquisition process meeting the definition of "critical software." These two definitions will be critical in defining the scope of the EO because it is imaginable that most commercially available software can fit within the initial definitions provided in the EO.
Ultimately, the issuance of this new guidance for critical software by NIST will impact federal contracts. By May 2022, the DHS Secretary, in consultation with other agencies, will recommend to the FAR Council contract language "requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements" issued by the NIST Director. The FAR Council will then amend the FAR accordingly.
At that point, perhaps as early as mid-to-late 2022, federal agencies will begin purging noncompliant software from existing contracts. The EO directs agencies, upon issuance of FAR rulemaking, to "remove software products that do not meet the requirements of the amended FAR from all indefinite delivery indefinite quantity contracts; Federal Supply Schedules; Federal Government-wide Acquisition Contracts; Blanket Purchase Agreements; and Multiple Award Contracts."
Significantly, agencies employing legacy software developed and procured prior to May 12, 2021 (the date the EO was issued), must either comply with the new NIST requirements or provide a plan outlining actions to remediate or meet those requirements. Moreover, agencies seeking renewals of software contracts, including legacy software, must comply with such NIST requirements unless an extension or waiver is granted by OMB's Office of Electronic Government.
In addition to the forthcoming new requirements for critical software, by mid-July 2021, the NIST Director is required to publish guidelines recommending minimum standards for vendors' testing of their software source code. These testing standards will identify recommended types of manual or automated testing, such as code review tools, static and dynamic analysis, software composition tools, and penetration testing.
This EO will enact sweeping change and impose new barriers to participation in the federal marketplace for IT, cloud services and operational technology. Market participants at every tier of the supply chain (including COTS technology and software providers) should monitor these developments as recommendations, guidance and proposed rulemaking are issued by the responsible federal agencies and the FAR Council over the next year.