Cybersecurity for All: President Biden Issues Sweeping Cybersecurity Executive Order
On May 12, 2021, President Joe Biden issued a comprehensive Executive Order (EO) on Improving the Nation's Cybersecurity that promises sweeping changes in federal contracts for information technology (IT), cloud services and operational technology. The EO was issued in response to the growing cybersecurity threat and in the wake of the late 2020 SolarWinds Orion security breach that impacted numerous U.S. government agencies, business customers and consulting firms.
The EO will likely result in major reform over the next year of cybersecurity-related requirements in federal contracts. Eschewing incremental improvements, the EO seeks to make "bold changes and significant investments" to protect and secure government computer systems, whether they are cloud-based, on-premises or hybrid. Contractors can expect new contract clauses during the next six to 12 months regarding their obligations to prevent, detect and report information regarding cyber incidents.
In addition, the EO directs the establishment of new standards for "critical software" and mandates the removal of legacy software from federal contracts. Because the EO has not yet been committed to regulation, it is unknown how broad its scope will be, but contractors and service providers (including commercial off-the-shelf (COTS) software providers) should monitor proposed regulations and other requirements carefully. Central to that will be how the government defines IT service providers and software covered by this EO and subsequent regulations.
Parts of the EO that impact federal contracts include Section 2, "Removing Barriers to Sharing Threat Information," and Section 4, "Enhancing Software Supply Chain Security." However, these changes must be viewed in the context of policy changes in IT requirements and centralization of investigations of cyber incidents. The EO directs agencies to adopt security best practices (such as multifactor authentication and encryption of data at rest and in transit), adopt "Zero Trust Architecture," and accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). It also seeks to centralize and streamline access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks, and invest in both technology and personnel to match these modernization goals.
The EO establishes a Cyber Safety Review Board (in Section 5) to review and assess significant cyber incidents befalling civilian agencies and seeks to standardize the cybersecurity vulnerability and response procedures across all agencies to ensure a centralized cataloging of incidents and tracking of agencies' responses. Once established, the EO requires the Cyber Safety Review Board to make recommendations within 90 days aimed at improving cybersecurity and incident response practices.
For civilian agencies, Section 7 of the EO requires deployment of an Endpoint Detection and Response (EDR) initiative to support proactive detection of cybersecurity incidents within federal government infrastructure, active cyber hunting, containment and remediation, and incident response.
The EO recognizes that contractors are central to implementing many of these broader policies and that this will require changes in requirements, terms and conditions to federal contracts. The EO notes that the government "contracts with IT and OT service providers to conduct an array of day-to-day functions on Federal Information Systems" and that these contractors "have unique access to and insight into cyber threat and incident information on Federal Information Systems." The EO highlights that "current contract terms or restrictions may limit the sharing of such threat or incident information with executive departments and agencies (agencies) that are responsible for investigating or remediating cyber incidents, such as the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other elements of the Intelligence Community (IC)." The EO directs the Federal Acquisition Regulatory (FAR) Council to issue new rulemaking to "remov[e] these contractual barriers and increas[e] the sharing of information about such threats, incidents, and risks." The policy is that these contractual changes will accelerate "incident deterrence, prevention, and response efforts" and enable "more effective defense of agencies' systems and of information collected, processed, and maintained by or for the Federal Government."
The EO also directs the U.S. Department of Homeland Security (DHS) to recommend within 14 days the types of information that system logs on Federal Information Systems should capture. This analysis also will be forwarded to the FAR Council for possible rulemaking. Contractors that help maintain Federal Information Systems may have to capture information they are not currently tracking following additional rulemaking.
The EO directs the Office of Management and Budget (OMB) to review current FAR and Defense Federal Acquisition Regulation Supplement (DFARS) provisions and provide recommended updates to the FAR Council, including which contracts and contractors should be covered by the proposed language. The EO provides parameters for the OMB's recommended contract language and requirements. Specifically, the proposed revisions must ensure that:
- service providers collect and preserve data, information and reporting relevant to cybersecurity event prevention, detection, response and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies' requirements
- service providers share such data, information and reporting as they relate to cyber incidents or potential incidents relevant to any agency with which they have contracted, directly with such agency and any other agency that the Director of OMB, in consultation with the Secretary of Defense, the Attorney General, the Secretary of Homeland Security and the Director of National Intelligence, deems appropriate, consistent with applicable privacy laws, regulations and policies
- service providers collaborate with federal cybersecurity or investigative agencies in their investigations of and responses to incidents or potential incidents on Federal Information Systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with agencies they support, as needed
- service providers share cyber threat and incident information with agencies, doing so when possible in industry-recognized formats for incident response and remediation
Furthermore, the EO establishes as federal policy that "information and communications technology (ICT) service providers entering into contracts with agencies must 'promptly report' to such agencies when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies." To implement this policy, the EO directs the Secretary of Homeland Security to recommend to the FAR Council contract language that identifies:
- the nature of cyber incidents that require reporting
- the types of information regarding cyber incidents that require reporting to facilitate effective cyber incident response and remediation
- appropriate and effective protections for privacy and civil liberties
- the time periods within which contractors must report cyber incidents based on a graduated scale of severity, with reporting on the most severe cyber incidents not to exceed 3 days after initial detection
- National Security Systems reporting requirements
- the type of contractors and associated service providers to be covered by the proposed contract language
This can potentially require contractors that use software in performance of a government contract to monitor security incidents related to that software (even if it is unrelated to the contract) and make an applicable report to CISA.
The EO also notes that current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations and initiates a process to establish common cybersecurity contractual requirements across agencies. To this end, the Secretary of Homeland Security, in consultation with other agencies, will review agency-specific cybersecurity requirements that currently exist and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. Following the adoption of a standardized FAR clause, agencies will then be required to amend their specific agency regulations to remove duplicative language.
In an apparent response to the SolarWinds incident, the EO includes measures to enhance software supply chain security. Noting the vulnerability that was exploited by foreign operatives in software provided by SolarWinds, the EO notes that "the development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors." The EO states that "the security and integrity of 'critical software' – software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources) – is a particular concern." The EO directs the Director of NIST, in consultation with other agency heads, to issue guidelines to enhance the security of the software supply chain, which will include standards, procedures or criteria for "critical software," including:
- establishing secure software development environments, including such actions as (A) using administratively separate build environments; (B) auditing trust relationships; (C) establishing multi-factor, risk-based authentication and conditional access across the enterprise; (D) documenting and minimizing dependencies on enterprise products that are part of the environments used to develop, build and edit software; (E) employing encryption for data; and (F) monitoring operations and alerts and responding to attempted and actual cyber incidents
- generating and, when requested by a purchaser, providing artifacts that demonstrate conformance to the foregoing processes
- employing automated tools, or comparable processes, to maintain trusted source code supply chains and to check for known and potential vulnerabilities and remediate them, which shall operate regularly, or at a minimum prior to product, version or update release
- providing, when requested by a purchaser, artifacts of the execution of such tools and processes and making publicly available summary information on completion of these actions, to include a summary description of the risks assessed and mitigated
- maintaining accurate and up-to-date data, provenance (i.e., origin) of software code or components, and controls on internal and third-party software components, tools and services present in software development processes, and performing audits and enforcement of these controls on a recurring basis
- providing a purchaser a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website
- participating in a vulnerability disclosure program that includes a reporting and disclosure process
- attesting to conformity with secure software development practices
- ensuring and attesting, to the extent practicable, to the integrity and provenance of open source software used within any portion of a product
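As an added example (not code from the Holland & Knight post, the EO, or NIST guidance), the following Python script shows what two of the artifacts listed above look like in practice: it builds a CycloneDX-shaped SBOM from a build's output, checks the listed components against an advisory feed (the "automated tools ... to check for known ... vulnerabilities" item), and verifies delivered artifacts against the SBOM's recorded hashes (the provenance and tamper-control items). The component names, versions, advisory IDs and artifact bytes are all constructed placeholders, not real packages or CVEs, and the version comparison is deliberately simplified.

```python
"""Added example, not from the post or the EO: SBOM generation, advisory
matching and hash-based provenance verification over constructed data."""
import hashlib
import json

# Constructed build output: component name -> (version, artifact bytes).
# Invented placeholders, not real packages.
BUILD_ARTIFACTS = {
    "example-http":   ("2.3.1", b"example-http 2.3.1 release bytes"),
    "example-json":   ("1.0.4", b"example-json 1.0.4 release bytes"),
    "example-crypto": ("5.2.0", b"example-crypto 5.2.0 release bytes"),
}

# Constructed advisory feed: versions below 'fixed_in' are affected.
# Advisory IDs are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-http", "fixed_in": "2.4.0"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-crypto", "fixed_in": "5.1.0"},
]

# Constructed 'delivered' artifacts: example-json was altered after the build,
# which is exactly the tampering a recorded provenance hash should expose.
DELIVERED = {
    "example-http":   BUILD_ARTIFACTS["example-http"][1],
    "example-json":   b"example-json 1.0.4 release bytes + injected change",
    "example-crypto": BUILD_ARTIFACTS["example-crypto"][1],
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(version: str) -> tuple:
    """Simplified dotted-integer comparison (real tooling uses semver/PEP 440)."""
    return tuple(int(part) for part in version.split("."))


def build_sbom(artifacts: dict) -> dict:
    """Emit a CycloneDX-shaped SBOM (field names follow CycloneDX 1.4; the
    contents are constructed) recording each component's version and the
    SHA-256 of the bytes the build actually produced."""
    components = []
    for name, (version, data) in artifacts.items():
        components.append({
            "type": "library",
            "name": name,
            "version": version,
            "hashes": [{"alg": "SHA-256", "content": sha256_hex(data)}],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": components}


def find_vulnerable_components(sbom: dict, advisories: list) -> list:
    """Return (name, version, advisory_id) for every SBOM component whose
    version is below an advisory's fixed_in, i.e. still affected."""
    findings = []
    for comp in sbom["components"]:
        for adv in advisories:
            if comp["name"] == adv["name"] and \
               parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((comp["name"], comp["version"], adv["id"]))
    return findings


def verify_component_hashes(sbom: dict, delivered: dict) -> dict:
    """Recompute SHA-256 over the delivered bytes and compare with the hash
    recorded in the SBOM. A component missing from the delivery fails."""
    results = {}
    for comp in sbom["components"]:
        recorded = next(h["content"] for h in comp["hashes"]
                        if h["alg"] == "SHA-256")
        data = delivered.get(comp["name"])
        results[comp["name"]] = data is not None and sha256_hex(data) == recorded
    return results


if __name__ == "__main__":
    sbom = build_sbom(BUILD_ARTIFACTS)
    print(json.dumps(sbom, indent=2))
    print("vulnerable:", find_vulnerable_components(sbom, ADVISORIES))
    print("hash check:", verify_component_hashes(sbom, DELIVERED))
```

Run as a script it prints the SBOM, flags example-http 2.3.1 against the placeholder advisory, and reports example-json as failing the hash check. The design point is that the SBOM is generated from the build output itself, so the recorded hashes are a statement about what the build produced, and any later modification of a delivered component shows up as a mismatch without the purchaser needing access to the build environment.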
The forthcoming definition of the term "critical software" will "reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised." The NIST Director will subsequently issue a list of categories of software and software products in use or in the acquisition process meeting the definition of "critical software." This definition and the accompanying list of categories will be critical in defining the scope of the EO, because most commercially available software could plausibly fit within the initial definition provided in the EO.
Ultimately, the issuance of this new guidance for critical software by NIST will impact federal contracts. By May 2022, the DHS Secretary, in consultation with other agencies, will recommend to the FAR Council contract language "requiring suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements" issued by the NIST Director. The FAR Council will then amend the FAR accordingly.
At that point, perhaps as early as mid-to-late 2022, federal agencies will begin purging noncompliant software from existing contracts. The EO directs agencies, upon issuance of FAR rulemaking, to "remove software products that do not meet the requirements of the amended FAR from all indefinite delivery indefinite quantity contracts; Federal Supply Schedules; Federal Government-wide Acquisition Contracts; Blanket Purchase Agreements; and Multiple Award Contracts."
Significantly, agencies employing legacy software developed and procured prior to May 12, 2021 (the date the EO was issued), must either comply with the new NIST requirements or provide a plan outlining actions to remediate or meet those requirements. Moreover, agencies seeking renewals of software contracts, including legacy software, must comply with such NIST requirements unless an extension or waiver is granted by OMB's Office of Electronic Government.
In addition to the forthcoming new requirements for critical software, by mid-July 2021, the NIST Director is required to publish guidelines recommending minimum standards for vendors' testing of their software source code. These testing standards will identify recommended types of manual or automated testing, such as code review tools, static and dynamic analysis, software composition tools, and penetration testing.
This EO will enact sweeping change and impose new barriers to participation in the federal marketplace for IT, cloud services and operational technology. Market participants at every tier of the supply chain (including COTS technology and software providers) should monitor these developments as recommendations, guidance and proposed rulemaking are issued by responsible federal agencies and the FAR Council over the next year.
Holland & Knight will continue to monitor this EO and the forthcoming regulations, and update this blog as developments warrant.