A pair of government contract-related initiatives may mark a new path for federal cybersecurity efforts. Past federal initiatives have attempted to use the enormous leverage of federal contract spending to incentivize contractors to protect governmental data, but 2021 saw the Biden Administration launch a significant two-pronged attack on the issue through a new Executive Order and a new civil fraud initiative at the Department of Justice.
Significantly, the Biden Administration’s approach of using an Executive Order to mandate cybersecurity requirements for government contractors and their vendors will affect a large portion of the U.S. economy without the need for congressional action. An Executive Order cannot dictate cybersecurity measures for private companies directly, but it can set the terms on which the government buys. The Order therefore requires stricter software security standards for vendors and directs the National Institute of Standards and Technology (NIST) to publish enhanced guidelines addressing software supply chain security. Taken together, these provisions would require software vendors to meet those standards before federal agencies could purchase their products.
Improving the Nation’s Cybersecurity
Although one may have thought that the White House was looking at little other than the pandemic and congressional budget battles in 2021, President Biden issued a significant Executive Order on Improving the Nation’s Cybersecurity (EO 14028). The Order, issued on May 12, 2021, directed agencies to strengthen their own cybersecurity posture and focused on five key objectives:
- increasing information sharing;
- bolstering cybersecurity requirements for agencies and vendors;
- establishing a cyber safety review board;
- setting a standardized incident response playbook for federal agencies; and
- prioritizing early detection and remediation of cybersecurity risks.
The Order focuses on systems operated by Federal Civilian Executive Branch agencies and directs updates to the Federal Acquisition Regulation (FAR) and the Federal Risk and Authorization Management Program (FedRAMP). In general, the Order aims to “use the purchasing power of the Federal Government to drive the market to build security into all software from the ground up.”
Dropping the SBOM
To achieve this goal, the Order also directs NIST to develop practices that enhance software supply chain security, such as providing a Software Bill of Materials (“SBOM”) for each product. An SBOM is a formal, machine-readable inventory of the components and dependencies that went into building a piece of software, which allows a purchaser to check quickly whether a newly disclosed vulnerability in a third-party component affects the products it runs. The Order further establishes a Cyber Safety Review Board to review “threat activity, vulnerabilities, mitigation activities, and agency responses” after “significant cyber incidents.”
Zeroing in
In addition to sharing information about cybersecurity incidents, the Order directly increases cybersecurity requirements for federal agencies and the vendors that contract with them. These measures include requiring agencies to move toward a Zero Trust Architecture. This increasingly popular concept combines three key ideas:
- requiring authentication and authorization for every connection and request, rather than granting implicit trust based on a user’s or device’s location on the network, which an attacker who has already gained a foothold inside that network could otherwise exploit to move laterally;
- secure, coordinated use of cloud services by agencies; and
- use of multi-factor authentication procedures and encryption to secure systems and data against unauthorized access.
The False Claims Act Stick
This approach pairs nicely with the U.S. Department of Justice’s (DOJ) announcement in October 2021 of a new Civil Cyber-Fraud Initiative, which will use the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients. The False Claims Act is a fearsome enforcement tool: it provides statutory civil penalties of $5,000 to $10,000 for each false claim, inflation-adjusted to more than double those amounts by 2021, plus treble actual damages. Significantly, it includes a qui tam whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct, to share in any recovery, and to be protected from retaliation for reporting these violations and failures. Under this initiative, the DOJ plans to bring enforcement actions for conduct that could include non-compliance with contractual cybersecurity standards, deceptive or misleading statements regarding cybersecurity policies and practices, and failure to report breaches in a timely manner. Given the threat of qui tam claims, some companies may feel compelled to disclose issues proactively, even where they are not in full compliance.
For more detailed coverage of DOJ’s new Civil Cyber-Fraud Initiative, check out the great article on Law360, What DOJ’s Cyberfraud Initiative Means For Health Cos. (Dec. 22, 2021), by Ropes & Gray attorneys Deborah Gersh, Christine Moundas, and Andrew O’Connor.