On May 12, 2021, President Biden issued Executive Order (EO) 14028 on “Improving the Nation’s Cybersecurity.” As noted in the administration’s accompanying Fact Sheet, the EO is a direct response to recent high-profile cybersecurity incidents (e.g., the SolarWinds compromise). It should, however, also be viewed in context as a response to years of increasing concern about, and efforts to enhance, cyber and supply chain security within the federal government, its contracting base and the U.S. information and communications technology and services (ICTS) industry more broadly. Building on initiatives such as Section 889 of the FY2019 National Defense Authorization Act, the Commerce Department’s ICTS supply chain regulations, the cybersecurity and incident reporting standards in the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), and the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC), among other efforts, the EO seeks to harmonize, enhance and extend existing cyber and supply chain security requirements across the government while standing up several new programs and frameworks to address existing and emerging threats. As a result, the EO and its related rulemakings will have important implications for government contractors, software companies and other ICTS providers, most notably in the form of added or enhanced incident reporting requirements and attestations related to software development and acquisition practices.
The EO consists of 10 sections, eight of which address specific areas or issues in federal cyber and supply chain security:
While the EO is directed toward U.S. federal agencies and their cyber and supply chain policies, several sections will quickly reach beyond the government into the federal contracting community, as well as the wider ICTS, cloud, software and cybersecurity services ecosystem. In the near term, government contractors and other stakeholders will need to pay close attention to developments flowing from EO Sections 2 and 4, while monitoring the longer-term implications of other efforts under the EO for business and compliance considerations.
Section 2 of the EO, “Removing Barriers to Sharing Threat Information,” lays the groundwork for a federal government-wide incident reporting framework for certain (as-yet undefined) information technology (IT) and operational technology (OT) “service providers” and “cloud service providers.” As a first step towards establishing this framework, the EO directs the Office of Management and Budget (OMB) to review and recommend updates to the FAR and DFARS contract requirements and language for “contracting with IT and OT service providers.” Notably, the recommendations are specifically to include descriptions of contractors (i.e., the “service providers”) to be covered by the proposed updates.
The EO also states the administration’s expectation that the proposed language will require these providers to collect and preserve cybersecurity incident information, share it with the agencies they support, and collaborate with federal agencies in incident response and investigation, including by “monitoring networks for threats in collaboration with agencies they support, as needed” (emphasis added). In addition, the EO previews several minimum standards that will likely manifest in forthcoming rulemakings, including that:
The EO does not define the terms “promptly,” “support system” or other key terms. It similarly leaves open the specific scope of, and the criteria that would trigger, this new incident reporting regime, instead directing the Department of Homeland Security (DHS), in consultation with the National Security Agency, the Attorney General and OMB, to recommend contract language to the Federal Acquisition Regulatory Council (“FAR Council”), the body generally charged with overseeing federal acquisition rules, within 45 days that identifies:
Once received, the EO calls upon the FAR Council to review the recommendations and publish proposed updates to the FAR for public comment within 90 days.
Alongside these reviews and proposals related to incident reporting, the EO directs the Cybersecurity and Infrastructure Security Agency (CISA) to review, within 60 days, the agency-specific cybersecurity requirements currently in existence and recommend “standardized contract language” for “appropriate requirements,” taking into consideration the “scope of contractors and associated service providers” that will be covered by the proposed language.
As these efforts unfold over the next several months, they will raise important practical questions about how the new requirements will interact with existing incident reporting and cybersecurity regimes, including the FAR “basic safeguarding” standards (FAR 52.204-21) and, more significantly, the DFARS provisions addressing the protection of controlled unclassified information (CUI) and 72-hour cyber incident reporting (DFARS 252.204-7012), the associated cybersecurity self-assessment requirements and the CMMC framework. Contractors already subject to those clauses should expect overlapping, and potentially differing, reporting triggers and timelines until the rules are harmonized.
Broadly, Section 4 of the EO, “Enhancing Software Supply Chain Security,” seeks to establish foundational standards for the security and integrity of software products purchased by U.S. federal agencies. Of particular concern is the security and integrity of so-called “critical software,” which the EO broadly and preliminarily defines to include software that “performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources).” The EO leaves the operative definition to a forthcoming NIST publication, so the scope of the “critical software” category should be treated as provisional for now.
The administration’s efforts on this front will advance primarily on two interrelated tracks:
In addition to the security enhancement efforts, the EO directs the National Institute of Standards and Technology (NIST) to issue, within 60 days, guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition analysis tools and penetration testing). In practice, this is the set of activities many vendors already run in a secure development pipeline, and the likely effect is that agencies will begin asking for evidence that they were performed. Contractors should be prepared for the possibility that agencies, and potentially other commercial customers, begin factoring these standards into their buying decisions even before promulgation of formal rules and contract language.
The EO also calls for the creation of a pilot program modeled after other consumer product labeling programs to “educate the public” on the security capabilities of Internet-of-Things (IoT) devices and software development practices, which could form the basis for a “tiered security rating system” for such products.
In sum, Section 4 of the EO promises potentially sweeping changes in the software acquisition process and, in the longer term, software development and security practices both in and outside the federal ecosystem.
In addition to the reviews and rulemakings called for under Sections 2 and 4, described above, the EO calls for significant enhancements and initiatives in various other aspects of federal cybersecurity policy, virtually all of which will in some way affect—if indirectly—companies that operate in or with the ICTS and cybersecurity industries. For example:
Although these other developments and initiatives are less direct in their potential effect on the federal contracting community and private sector, they represent important developments in United States cybersecurity and supply chain security policy, and as a result they have the potential to alter the ICTS and cybersecurity industries broadly. In particular, and notably in the view of the Biden-Harris administration, they should be understood as long-term, permanent increases to the minimum standards that the government, and potentially the private sector, will come to treat as the new floor for what counts as “reasonable” cyber and supply chain security, including in related data and technology protection domains such as data privacy and export controls.
With so much of the EO’s scope and implications left to unfold and on such rapid timelines, it will be critical for potentially affected contractors and other stakeholders to closely monitor the various timelines and releases laid out in the order. Each juncture will provide critical opportunities to engage and educate policy-makers as well as gain insights to anticipate the eventual scope of the forthcoming policies and regulations.
To kick off the engagement period, NIST announced that it will host a virtual workshop on June 2–3, 2021, pursuant to the EO’s directive in Section 4 that it consult with federal agencies, the private sector, academia and other stakeholders to identify the standards, tools, best practices and other guidelines that will feed into the policies and rules flowing from the EO. In advance of the workshop, participants are encouraged to submit two-page position papers addressing one or more of five areas:
Position papers should be submitted no later than May 26, 2021.