On May 12, 2021, President Biden signed an Executive Order aimed at improving the Nation’s Cybersecurity by curtailing data breaches and malicious cyber campaigns. The Order comes in response to a number of recent cybersecurity incidents, including a ransomware attack on the Colonial Pipeline Co. that caused a temporary shutdown, resulting in gas shortages along the Eastern Seaboard and a nationwide spike in fuel prices.
The Order seeks to establish a partnership between the Federal Government and the private sector to ensure a more secure cyber environment, creating a Cyber Safety Review Board composed of Federal officials and private sector representatives, and streamlining the processes for reporting cyber-attacks to the Government. In particular, the Order requires Information Technology (IT) and Operational Technology (OT) sector government contractors to report data breaches that could pose a danger to federal networks.
Biden’s Order lays out a plan for federal agencies to review and update the Federal Acquisition Regulation’s (FAR) and the Defense Federal Acquisition Regulation Supplement’s (DFARS) contract requirements for contracting with IT and OT service providers to ensure they:
The Order also instructs information and communications technology (ICT) service providers entering into contracts with agencies to promptly report when they discover a cyber incident. The Order arranges for the Secretary of Homeland Security and the Director of OMB to be responsible for ensuring that service providers share data with agencies.
The White House reports that this Executive Order is the first of many steps the Administration intends to take aimed at improving the Nation’s cybersecurity.
We will continue to monitor developments and provide updates as the Administration progresses on this front. In the interim, don’t let a good opportunity for security visibility go to waste. Use the potential for more granular cyber regulation of federal government contractors to help justify to senior management any additional security resources needed to meet your present control set. Any further cyber regulation will only build upon your existing control set.