On Wednesday, the White House released a widely anticipated Executive Order on Improving the Nation’s Cybersecurity (EO). The EO addresses four major areas of cybersecurity maturity for the federal government and its private sector contractors and suppliers: information sharing and incident reporting, enhancing software supply chain security, modernizing the cybersecurity of federal systems, and standardizing and improving how the federal government detects, responds to, and remediates cyber threats and incidents.
The EO calls for federal agencies to develop various rules and guidance that will have significant effects on government contractors and suppliers, especially (but not only) cloud service providers and software developers. These include:
- Changes to federal contracts requiring prompt notification of cyber incidents (in some cases within three days of detection, or sooner) and the sharing of detailed information about cyber threats and incidents with the Cybersecurity and Infrastructure Security Agency (CISA), law enforcement, and elements of the intelligence community.
- Detailed security and transparency standards for software sold to the government. For example, the EO calls for agencies to require their software vendors to provide a “software bill of materials” (SBOM), which is “a formal record containing the details and supply chain relationships of various components used in building software.” Presumably, these provisions are in part a response to the high-profile SolarWinds supply chain attack reported in December 2020, and the release of the EO may have been accelerated by the Colonial Pipeline ransomware attack.
- Requirements that federal agencies accelerate their movement to cloud computing systems and adopt security practices and controls such as zero-trust architecture (ZTA),[1] multifactor authentication, and encryption of data at rest and in transit. While these requirements formally apply to government agencies, federal contractors and suppliers will need to support, implement, and service them for their contracting agencies.
The EO sets a blistering implementation schedule for many of its provisions. The EO directs agencies to develop guidance and publish draft rules within the next several months. For example, the EO requires the National Institute of Standards and Technology (NIST) to publish preliminary guidelines for software supply chain security within 180 days. Then, 90 days later, the Department of Commerce must publish more detailed guidelines, including provisions for secure software development, the use of code integrity tools and vulnerability scanning, and the SBOM, among other things. Just 30 days later, federal agencies must comply with those guidelines when procuring software.
Final implementation of the EO’s updates to the Federal Acquisition Regulation (FAR) will take longer, because those rules cannot take effect until the end of a public comment period. Those rules, including a requirement that some contractors notify the federal government of an incident within three days or fewer, could be in effect as early as next year.
Separately, the EO directs NIST and the Federal Trade Commission (FTC) to develop cybersecurity criteria for consumer labeling programs (similar to the Energy Star program for labeling products, homes, and buildings with energy efficiency symbols) for Internet of Things (IoT) and consumer software.
The EO will generate massive amounts of administrative activity as the agencies tasked with implementing its directives begin their work. Continue to follow DWT’s blog series on the EO and its implications as we take a deeper look at individual sections of the EO and track the resulting administrative developments.
Jean Hyun, a Law Clerk in DWT’s Privacy and Security practice, contributed to this alert.
[1] Zero-trust architecture (ZTA) is a security model that breaks down the traditional notion of security based on a network “perimeter.” “Its focus on protecting resources rather than network segments is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary.” Computing assets are trusted only if they meet rigorous authentication and authorization requirements. NIST describes ZTA in detail in its Special Publication 800-207.