The Colonial Pipeline cyberattack prompted the issuance of a long-awaited executive order (EO) on improving U.S. cybersecurity. The EO mandates that, within six months, all federal agencies implement multi-factor authentication (MFA) and both at-rest and in-transit encryption. It also calls for agencies to comprehensively log, share, and analyze information about cyber incidents and creates a Cyber Safety Review Board to that end. The EO sets deadlines for agencies to write guidelines for securing software and detecting threats.
Bradley has authored prior articles and alerts regarding the U.S. governments’ increasing attention to cybersecurity — including at the Department of Defense, federal government as a whole, and even at the state level. With its focus on timelines and deadlines, this EO emphasizes the urgency of improving cybersecurity across industries.
Three goals, with a focus on timing
In a press call, the White House highlighted three goals of the EO:
- Protect federal networks with specific tools, such as encryption, MFA, endpoint detection and response (EDR), logging, and Zero Trust Architecture.
- Improve the security of commercial software by establishing security requirements; by using the power of the purse to prime the market for secure software; and by labelling consumer products with a cybersecurity grade.
- Pool agencies’ information about incidents and enhance incident responses, including through a Cyber Incident Review Board (modelled on the national board that investigates plane crashes).
Reflecting the urgency of better cybersecurity, the EO sets clear, tight deadlines — more than 40 of them. The earliest deadline is set only 14 days after the EO’s release. More than 15 agencies — including the Office of Management and Budget, the Attorney General, the DoD, CISA, and NIST — are tasked with specific responsibilities to write, implement, or enforce the new measures.
Outline of the executive order
The Biden administration’s stated policy is that cybersecurity is a “top priority and essential to national and economic security.” To that end the provisions of the EO apply to “all Federal Information Systems.”
The EO specifically addresses the following issues:
- Removing barriers to sharing threat information. The White House’s fact sheet uses the phrase “sharing between government and the private sector.” This section aims to expand the requirements on the private sector to provide incident information to the government. To that end, the EO calls for revision of both the FAR and DFARS reporting requirements. Defense contractors are already familiar with the DFARS requirement to “rapidly report” cyber incidents within 72 hours. New requirements may require less rapid reporting for less sensitive incidents.
- Modernizing federal government cybersecurity. This section mandates specific security requirements. Before November 8, 2021, all federal agencies must implement MFA and encryption. Additionally, the EO sets a timeline for adoption of more secure cloud services and for government-wide Zero Trust Architecture. Importantly, this section repeats that the administration’s policy of “protecting privacy and civil liberties” is in tension with modern cybersecurity.
- Enhancing software supply chain security. As chartered, NIST will shoulder the burden for establishing baseline security standards for software, including defining “critical software” and secure procedures for software development. One important component will be providing a Software Bill of Materials (SBOM), which is a record of the details and supply-chain relationships of components used to build software. The SBOM is similar to a list of ingredients on food packaging. It will allow tracking of open-source and other third-party components through a supply chain so that risks can be more easily evaluated — and patched. A second important component is a “consumer labeling program” similar to Singapore’s, for grading the cybersecurity of IoT devices.
- Establishing a Cyber Safety Review Board. When a plane crashes, the National Transportation Safety Board investigates and makes recommendations to improve the safety of air transportation. There is no similar body for reviewing cyber incidents. The EO mandates that the Department of Homeland Security (DHS) establish just such a board, with both government and private-sector representatives having seats at the table. A senior administration official explained that the board’s first task will be to review the SolarWinds incident.
- Standardizing the federal government’s playbook. The EO calls for creation of a “playbook” for agencies to use in responding to cybersecurity vulnerabilities and incidents. Recognizing that some such guidance has been in place for many years, the EO expressly requires that the guidance “incorporate all appropriate NIST standards.”
- Improving detection of vulnerabilities and incidents. Agencies are called to actively hunt for threats and vulnerabilities. Each agency must submit its plan to CISA for a Continuous Diagnostics and Mitigation Program. This program has been around since 2012. The EO seeks to enhance threat-hunting activities and deployment of other Endpoint Detection and Response (EDR) initiatives.
- Improving investigative and remediation capabilities. The very earliest deadline set by the EO is May 26 for DHS to recommend requirements for logging events and retaining other relevant incident data. The EO invites the FAR Council to consider the recommendations in its revision of the FAR and the DFARS reporting requirements.
What this means for industry
Much of the EO mandates actions by government agencies. But it does create action items for private entities. Above all, government contractors should watch for impactful changes to FAR and DFARS cybersecurity clauses. These have been revised multiple times recently, and we expect the Biden administration to revise them again — especially amid ongoing delays of the CMMC rollout. Software developers should begin inventorying their products and preparing SBOMs, especially for those in use by government agencies. Manufacturers of IoT devices should also expect that their devices must soon bear a label that marks their security level. Market forces may encourage production of higher-security devices.