Following months of cyber-attacks from nation states, President Biden issued an executive order that may usher in a new era of the federal government’s approach to cybersecurity. The Executive Order, which the White House has indicated was forthcoming for several weeks now, represents the Biden administration’s first step in taking decisive action to remedy systemic vulnerabilities that were discovered in the wake of recent cybersecurity attacks from nation-states like Russia and China and to prevent similar attacks that could affect federal agencies and critical supply-chain infrastructure in the future. The extensive order leverages the federal government’s significant role as a purchaser of cybersecurity goods and services in order to make its effects felt on the private sector. It focuses on five key objectives:
- increasing information sharing;
- bolstering cybersecurity requirements for agencies and vendors;
- establishing a cyber safety review board;
- setting standard incident response protocol for federal agencies; and
- prioritizing early detection and remediation of cybersecurity risks.
Read on for our analysis and takeaway on each of these objectives.
Increasing Information Sharing
As with every major cybersecurity effort, the Order’s first priority is the need for increased sharing of information about cyber threats between technology vendors who contract with the Federal Government and the executive departments and agencies that investigate cyber incidents, such as CISA and the FBI. Confronting Congress’ failure to require cybersecurity incident reporting, the Order seeks to alter the chain of contractual reporting obligations. It posits that vendor contract terms can limit such sharing. To address this vendor contract term issue, the Order requires that the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) be updated so that service providers are required to report cybersecurity incidents that could affect a federal agency within a timeline that could be as short as 3 days after detection of the incident in the most severe cases.
Robust cooperation and communication between the private and public sectors will be crucial to cybersecurity defense. Contractual requirements are a key first step in that process because they require information sharing from vendors to the federal government. The requirements, however, do nothing to require the more comprehensive, two-way sharing that would involve the federal government sharing certain information with its critical contractors.
Bolstering Cybersecurity Requirements
In addition to sharing information about cybersecurity incidents, the Order directly increases cybersecurity requirements for federal agencies and the vendors that contract with them. These measures include requiring agencies to move toward a Zero Trust Architecture. This increasingly popular concept combines three key ideas:
- requiring authentication and authorization before connecting to systems instead of relying on implicit rights that a hacker who is already in the system might be able to manufacture;
- secure, coordinated use of cloud services by agencies; and
- use of multi-factor authentication procedures and encryption to secure systems and data against unauthorized access.
In addition, while President Biden has publicly acknowledged that he cannot dictate cybersecurity measures for private companies, the Order does require stricter software security standards for vendors and publication of enhanced NIST guidelines that address supply chain security. These provisions would require vendors who provide technology—and possibly other—services to meet these standards before they could contract with federal agencies.
One aspect that the Order does not specifically address, but rather leaves for regulators to concretize, is which types of vendors will have to comply with the stricter standards. We will be watching to see whether this is applied narrowly to large technology contracts only, or more broadly to vendors across the federal government. Small and medium-sized vendors, including many minority-owned businesses, have fewer IT or cybersecurity experts in-house, and may have trouble implementing all of the requirements if they are not carefully tailored. Regardless of the application, as some companies begin to adopt these guidelines in order to contract with federal agencies, the stricter standards could begin to set norms across the private sector as well.
Establishing a Cyber Safety Review Board
President Biden also ordered the establishment of a Cyber Safety Review Board comprising private-sector representatives as well as public officials from the DOD, the DOJ, CISA, the NSA, and the FBI. The Board—modeled after the National Transportation Safety Board (NTSB)—will be convened by the DHS Secretary in the wake of cybersecurity incidents. Just as the NTSB issues formal safety recommendations to agencies and institutions with the power to implement those recommendations, the Board will be tasked with providing executable recommendations to DHS for improving cybersecurity and incident response procedures.
Setting Standard Incident Response Protocol for Federal Agencies
The Order also instructed agencies to create a standardized response playbook to coordinate incident response. Currently, agencies use a variety of practices and procedures to respond to and document incidents, which hinders the Federal Government’s ability to analyze cybersecurity comprehensively across agencies. The new playbook, which would be developed by the DHS Secretary, in consultation with the Director of CISA, the Director of OMB and other federal officials, in coordination with the Secretary of Defense, the Attorney General, and the Director of National Intelligence, would incorporate NIST standards and would be implemented across agencies. The Order balances the need to have a standard language for articulating progress and completion of incident response while also allowing the flexibility for response measures to be tailored to the severity of the incident.
Prioritizing Early Detection and Remediation of Cybersecurity Risks
The Order also addressed the need to maximize early detection of incidents by increasing the Federal Government’s capability to identify and act on cybersecurity threats and risks. It ordered agencies to adopt consistent requirements for detection of—and response to—cybersecurity threats. This section also ordered the Director of OMB to ensure that there were sufficient resources within the agencies to support these capabilities. As with all of the Order’s provisions, availability of resources, including adequate budget allocations, will be the key to successful execution.
Private Sector Significance
As with all Executive Orders, this cybersecurity order will be most significant for the executive branch itself, the defense industrial base, and large government contractors. Enhancing information sharing has been a mantra for a decade, and this Order adds another verse to that hymn. Perhaps the most immediately important innovation for the private sector will be its championing of Zero Trust Architecture as the leading approach to advanced persistent threat response. Eventually, however, the development of the Cyber Safety Review Board may prove to be even more useful if significant attacks are explained in detail that is adequate for other companies to learn from victims, without of course providing other attackers with a road map for success. Whatever its limitations, the Executive Order is certainly intended to underscore President Biden’s commitment to a robust cybersecurity strategy that appreciates the federal government’s complex reliance on extensive private sector technology infrastructure.