On May 12, 2021, the Biden administration released a far-reaching executive order intended to improve the U.S. government’s cybersecurity posture, both internally and in any private information technology (IT) systems that “touch” federal IT systems. The executive order is available here, and a related fact sheet is available here. This executive order will work in tandem with existing initiatives, such as the Cybersecurity Maturity Model Certification (CMMC), the Federal Risk and Authorization Management Program, and National Institute of Standards and Technology (NIST) publications. Notably, and unlike CMMC, the executive order is concerned more with improving the entire government’s IT systems to protect all information residing on those systems, and less with scaling protections based on types of information residing on contractor systems. If your contracts require you to access any government systems using your own internal IT systems or if you develop software for or on behalf of the government, this executive order will likely impact you.
The executive order requires the government to take eight general actions:
- Remove barriers to sharing threat information, so information regarding cybersecurity breaches and other incidents can be shared freely across the government, enhancing the government’s ability to respond to such incidents.
- Modernize government cybersecurity, specifically by moving toward a cloud environment and adopting cybersecurity best practices, including Zero Trust Architecture, and by centralizing government access to cybersecurity information.
- Enhance software supply chain security by requiring greater transparency from commercial software developers via new NIST standards and guidelines and by utilizing a public-private partnership to ensure software is secure throughout the entire development process.
- Establish the Cyber Safety Review Board, which will be a sub-component of the Department of Homeland Security and will convene whenever a “significant cyber incident” occurs to determine the government’s response to the incident. This Board will convene for the first time to review the events leading up to the SolarWinds breach that occurred in December 2020 and will be comprised of both industry and government personnel.
- Standardize the government’s strategy for responding to cybersecurity vulnerabilities and incidents by requiring the Cybersecurity and Infrastructure Security Agency (CISA) to draft standard operating procedures in coordination with other agencies such as the Department of Defense.
- Improve detection of cybersecurity vulnerabilities and incidents on government networks by, among other things, deploying Endpoint Detection and Response initiatives.
- Improve the government’s investigative and remediation capabilities by requiring both agencies and their IT services providers to collect and maintain relevant data, and to provide that data to CISA and the Federal Bureau of Investigation as needed.
- Adopt standardized requirements for National Security Systems, which are used to process classified data.
Contractors who do not need to access government systems are unlikely to see much impact from this executive order, but those whose work does require such access should be prepared for changes in their contracts, such as requirements for increased transparency and more stringent cybersecurity incident reporting requirements.
Commercial software developers who provide products to the government will particularly feel the impact because the government will now likely require these developers to also provide information never previously requested.
Further, all contractors who “touch” government systems should be prepared to implement strong data collection and maintenance initiatives.
PilieroMazza will continue to monitor guidance and provide updates in the coming months as agencies work to implement the directives set forth in the executive order.
If you have questions about how the executive order may impact your business, please contact David Shafer and Anna Wright, the authors of this client alert, or a member of PilieroMazza’s Cybersecurity & Data Privacy Team.