Biden’s Cybersecurity Order and You
by Ariel Grant
- If you provide IT services or equipment to the government…
- If you develop software…
- If you consult with the government…
- Ultimately, the EO will impact everyone
What do you need to do in the wake of the President’s groundbreaking action?
On May 12, 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity (EO). Driven in part by recent cyberattacks on network tools, enterprise software, and critical infrastructure, the EO implements (or attempts to implement; more on that later) a veritable wish-list of cybersecurity provisions. What the EO means to you will vary based on industry.
If you provide IT services or equipment to the government…
Your logging and reporting requirements are going to increase.
IT service and equipment providers will have several new FAR and DFARS clauses in the coming months, generally related to information sharing and incident response. First, various government agencies will review existing FAR clauses and suggest updates to require service providers to:
- preserve significant data related to cybersecurity event prevention and detection;
- share that data as it relates to potential cybersecurity incidents;
- collaborate with federal investigative agencies in response to potential incidents; and
- share cyberthreat information in industry-recognized formats.
Next, government agencies will review existing FAR clauses and suggest updates that address:
- the types of security incidents that require reporting;
- what information must be included in reports;
- appropriate privacy protections for these reports;
- time periods for reporting, graduated by severity (no more than 72 hours after detection for the most severe incidents);
- additional reporting requirements; and
- which contractors need to report breaches.
The aim is to get more information to the government sooner, so that it can respond faster to incidents and, ideally, to potential incidents before they become breaches. The administration recognizes that much of the necessary information resides in the hands of government contractors, and that gap in visibility will only widen as the government pushes more of its IT infrastructure into the cloud, as discussed below.
It is too early to say definitively what these new clauses will look like, as it will likely take more than a month before proposed language is circulated. However, if past is prologue, look for STIX and TAXII requirements for threat-information sharing, and a web-based breach reporting portal with certificate requirements.
There will be lots of opportunity for work.
There are significant IT modernization goals in the EO. The EO pushes the government to fully adopt cloud services and move towards Zero Trust Architecture. IT modernization has been a government “priority” for years, but the EO provides more direction. What it does not provide is funding.
Parts of the government have been moving to the cloud for years, but the challenge is perfectly illustrated by DoD's JEDI contract. IT modernization has been notoriously underfunded for years, and a complete change of architecture is an enormous lift.
Service providers who can assist with the migration, and cloud providers themselves, should see significant opportunities as federal agencies grapple with it.
If you develop software…
Your development life cycle may fundamentally change.
The EO has a section focused on securing the software supply chain. Recognizing the government's lack of expertise in this area, the EO directs NIST to solicit input from both the public and private sectors to develop guidelines for enhancing software supply chain security. The preliminary guidelines are supposed to be published within six months, so the solicitation will happen quickly.
The guidelines will address:
- separate build environments;
- auditing trust relationships;
- multi-factor, risk based authentication and conditional access;
- documented dependencies;
- minimized dependencies on build environments;
- data encryption.
Further, the government will likely require that software developers keep artifacts showing compliance with these guidelines, as well as automation to meet the requirements. In fact, it sounds like DevSecOps, but instead of referencing that concept, the EO spells it out at length.
The EO also calls for a Software Bill of Materials (SBOM) for each product. Various organizations have been calling for SBOM requirements for years. If SBOMs are required, software vendors will have to be far more diligent in documenting which components go into their software and providing that list to the government. The requirement will need to flow down through the supply chain, because an SBOM is only accurate if each supplier's components (and their components in turn) are captured, so that the final list actually reflects everything in the shipped product. The EO further calls for attestations to the integrity and provenance of open source software used in a product, information that naturally belongs alongside an SBOM.
Ultimately, organizations developing software that will be sold to the government, either directly or through the supply chain, will need a mature software development life cycle backed by hardened infrastructure, extensive automation, disciplined compliance and documentation, and ongoing vulnerability monitoring.
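As an added illustration (not code from the article, the EO, or any vendor), the script below assembles a CycloneDX-style SBOM by walking a product's dependency graph and flowing each supplier's component records into one flat list, records a SHA-256 digest per component so a consumer can later verify the artifact it received, and flags any dependency that is referenced but never listed, which is exactly the gap a broken flow-down leaves. The package names, versions, artifact bytes and Package URLs are constructed; the `pkg:generic` purl type and the CycloneDX 1.4 field names are assumed as the target format.

```python
"""Build a minimal CycloneDX-style SBOM with transitive ("flow-down")
components, and check that every referenced component is actually listed.

Added example. The packages, versions and artifact bytes below are
constructed for illustration; they are not real releases."""
import hashlib
import json

# Constructed catalog of component records, keyed by Package URL (bom-ref).
# Each value: (artifact bytes standing in for the release archive,
#              list of direct dependency refs as declared by that supplier).
CATALOG = {
    "pkg:generic/acme-portal@2.3.0": (b"acme-portal-2.3.0",
                                      ["pkg:generic/webfw@1.8.1",
                                       "pkg:generic/jsonlib@4.0.2"]),
    "pkg:generic/webfw@1.8.1":       (b"webfw-1.8.1",
                                      ["pkg:generic/jsonlib@4.0.2",
                                       "pkg:generic/tlswrap@0.9.7"]),
    "pkg:generic/jsonlib@4.0.2":     (b"jsonlib-4.0.2", []),
    "pkg:generic/tlswrap@0.9.7":     (b"tlswrap-0.9.7",
                                      ["pkg:generic/cryptocore@3.1.0"]),
    "pkg:generic/cryptocore@3.1.0":  (b"cryptocore-3.1.0", []),
}


def build_sbom(root_ref, catalog):
    """Walk the dependency graph from root_ref, flowing every supplier's
    component record into a single components list plus a dependency graph."""
    components, dependencies, seen = [], [], set()
    stack = [root_ref]
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        if ref not in catalog:
            # No record flowed down for this component: it will appear in
            # some dependsOn list but cannot be listed as a component.
            continue
        artifact, deps = catalog[ref]
        name, version = ref.rsplit("/", 1)[1].split("@")
        components.append({
            "type": "application" if ref == root_ref else "library",
            "name": name,
            "version": version,
            "bom-ref": ref,
            # Digest a downstream consumer can re-verify against the
            # artifact it actually received.
            "hashes": [{"alg": "SHA-256",
                        "content": hashlib.sha256(artifact).hexdigest()}],
        })
        dependencies.append({"ref": ref, "dependsOn": list(deps)})
        stack.extend(deps)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "components": components,
        "dependencies": dependencies,
    }


def missing_components(sbom):
    """Refs that some component depends on but that are not listed in the
    SBOM, i.e. places where the flow-down of supplier data broke."""
    listed = {c["bom-ref"] for c in sbom["components"]}
    referenced = {d for entry in sbom["dependencies"] for d in entry["dependsOn"]}
    return sorted(referenced - listed)


def verify_component(sbom, ref, artifact):
    """True if artifact matches the SHA-256 recorded for ref in the SBOM."""
    for c in sbom["components"]:
        if c["bom-ref"] == ref:
            return hashlib.sha256(artifact).hexdigest() == c["hashes"][0]["content"]
    return False


if __name__ == "__main__":
    sbom = build_sbom("pkg:generic/acme-portal@2.3.0", CATALOG)
    print(json.dumps(sbom, indent=2))
    print("missing:", missing_components(sbom))
```

Dropping a single supplier record from the catalog (say the `cryptocore` entry that `tlswrap` depends on) leaves the product's own direct dependencies fully listed yet makes `missing_components` report the gap, which is the check a purchaser would run before accepting a vendor's SBOM.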
If you consult with the government…
There are a lot of opportunities.
The EO calls for the development of new FAR clauses, organizations, programs, and documents.
First, if the EO is followed closely, a number of new FAR and DFARS clauses related to cybersecurity will be proposed and developed in the coming months. These clauses will address data collection, breach notification, and software development requirements, among other things.
Second, the EO orders the establishment of a Cyber Safety Review Board, which will, among other things, review and assess significant cyber incidents. The Board will include representatives from various agencies, private sector suppliers, and others.
Third, the EO calls for the standardization of the government's incident response playbook. This playbook will be a set of standard operational procedures for planning and conducting cybersecurity vulnerability and incident response activities.
Fourth, separately from the FAR clauses and playbook discussed above, the EO requires the government to improve the detection of cybersecurity vulnerabilities and incidents on federal networks. This includes the deployment of endpoint detection and response (EDR) software throughout the government's IT infrastructure, development of the Continuous Diagnostics and Mitigation (CDM) program, a report on how threat hunting could be conducted on certain federal networks without prior authorization from the affected agencies, and other tasks.
Ultimately, the EO will impact everyone
The EO has a lot of moving parts. Some will be scaled back, while others won't be sufficiently funded. But even a scaled back version of the EO will result in increased breach and vulnerability reporting requirements, more mature compliance programs, and disruption to the federal IT infrastructure. The EO will impact some industries more than others, but no one will completely escape its reach.
Prudent organizations will watch the proposed FAR clauses and take the opportunity to guide the discussion, either by submitting comments or through less formal mechanisms. The federal government has a long way to go to adequately secure its IT infrastructure, but this EO should be a good first step.