Executive Order on Cybersecurity Expands Mandatory Breach Notification and Supply Chain Security Requirements for Government Contractors
On May 12, 2021, the Biden administration issued an ambitious Executive Order on Improving the Nation’s Cybersecurity (EO) declaring the prevention, detection, assessment, and remediation of cyber incidents to be a “top priority and essential to national and economic security.” Over 8,000 words long, the EO establishes a series of initiatives designed to better equip the U.S. federal government to respond to cybersecurity threats. The most notable provisions of the EO are as follows:
The EO reflects the government’s heightened concerns about cyber threats, particularly following the SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents. It also reflects the Administration’s efforts to leverage the buying power of the federal government to incentivize the software market to build security into the software development lifecycle, and to expand and enhance the information sharing between the private sector and the government.
Currently, federal contractors’ cyber incident reporting requirements are primarily based on a patchwork of agency-specific policies, regulations, and contract clauses. For example, the Defense Federal Acquisition Regulation Supplement (DFARS) requires reporting of incidents that affect “covered defense information,” while other agencies require reporting in the form of contract clauses or agency information security policies and only if agency-specific information or certain categories of information held by the agency (such as personally identifiable information or protected health information) have been compromised.
The Federal Acquisition Regulation (FAR) has a basic safeguarding clause, FAR 52.204-21, that applies to nearly all federal contractor information systems. This clause currently stops short of requiring breach notification. Instead, it merely imposes basic safeguarding requirements and procedures amounting to good cybersecurity hygiene. By contrast, DFARS 252.204-7012 requires defense contractors to “rapidly report” – i.e., within 72 hours – any “cyber incident” following a review for evidence of compromise.
In sum, many government contractors are already subject to security incident notification requirements, but they vary depending upon the agencies with which those companies contract, and the nature of the information traversing their information technology (IT) systems.
The new EO seeks to expand existing cyber breach notification requirements by modifying contract terms to require all providers of IT and operational technology (OT) services to the federal government, including, but not limited to, cloud service providers, to share threat and security incident information with select executive departments and agencies responsible for investigation and remediation of cyber incidents. These include the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the other elements of the Intelligence Community (IC).
To implement this process, the EO requires a review and update of the current FAR and DFARS contract requirements for IT and OT service providers. As revised, these clauses will be designed to ensure that covered contractors collect and preserve cyber incident and cyber threat-related information, and share such information with the designated government agencies. Moreover, the EO requires federal agencies to propose contract language to the FAR Council that would require information and communications technology service providers to report certain types of cyber incidents to federal agencies, and CISA in particular, within a prescribed period of time. Among the specifics requested by the White House is a requirement that “the most severe cyber incidents” be reported within a maximum of three days from detection. The EO sets a rather aggressive timeline for the FAR Council to review and publish for public comment the proposed new regulations, which could mean that we will see proposed updates to the FAR before the end of the year.
The EO also requires the removal of barriers that inhibit the sharing of threat information, such as contractors’ incident response data, within the federal government. The EO directs the Office of Management and Budget (OMB), in consultation with other agencies, to propose updates to contract language to ensure contracts do not contain obstacles to the sharing of threat and cyber incident information within government. Such sharing will improve prevention, detection, and response and also foster collaboration among agencies, the FBI and CISA in their investigations of cyber incidents.
Finally, new standardized cybersecurity requirements for all government contractors may be considered and adopted by the FAR Council.
Much work remains to be done before new clauses are implemented in federal contracts, but contractors are now on notice of a potential sea change on the horizon.
The EO calls for the modernization of the federal government’s approach to cybersecurity, including adoption of best practices like the use of multifactor authentication and encryption, movement towards zero-trust architecture, and acceleration of adoption of cloud service solutions. The EO requires agencies to take steps toward implementation of these goals. In addition, the EO establishes a framework for the modernization of FedRAMP, suggesting a potential revamping of the currently cumbersome FedRAMP authorization process used for vendors seeking permission to provide cloud service offerings to government customers. This modernization effort offers significant opportunities for software vendors and IT service providers to expand their reach within the government.
The EO also seeks to enhance supply chain security, particularly for “critical software” that has or enables privileged or direct access to networking and computing resources. The EO directs the National Institute of Standards and Technology (NIST) to develop guidelines for software vendors and promulgate a list of secure software development lifecycle standards with which all commercial suppliers to the government must comply.
Among the criteria to be examined and regulated will be: (1) the development environment, including examination of access controls and use of automated tools to maintain integrity; (2) the developers’ transparency regarding security data; and (3) the provenance of the software, including review of a software bill of materials (SBOM) for each product. There may also be procedures for agencies to request artifacts demonstrating product integrity and for software providers to participate in a vulnerability disclosure program.
Only software that is compliant with these newly established rules will be eligible for federal procurement. Non-compliant software will be removed from all indefinite delivery, indefinite quantity contracts; federal supply schedules; federal government-wide acquisition contracts; blanket purchase agreements; and multiple award contracts. Legacy software must either meet the new requirements or be redesigned to do so.
It is worth keeping in mind the broader context of these supply chain reforms as part of a coordinated response to recent high-profile attacks. U.S. intelligence agencies have already begun reviewing supply chain risks, especially those associated with Russian companies. Of particular concern are any back-end software designs and coding done in Russia or other untrustworthy countries with the capacity for sophisticated cyber intrusions. The EO thus requires the FAR Council to propose supply chain security requirements, to be applicable to all government contractors. Those products and services that do not meet the government’s requirements will not be able to be sold to federal agencies.
In addition to its requirements for enhanced information sharing and supply chain security, the EO advances several other measures aimed at bolstering federal cybersecurity coordination and standardizing responses to cyber incidents. These include:
Although the EO previews desired and forthcoming new requirements, full implementation of the new rules will take time. The EO simply puts contractors on notice of the government’s plan to adopt new heightened cybersecurity standards and reporting obligations that will be implemented in the near future. Because the responsible agencies, in conjunction with the FAR Council, must still work to implement the EO, contractors will have time to prepare to meet the new standards and the opportunity to comment on the proposed FAR regulations (a process that we will be monitoring closely).
That being said, unlike the existing DFARS 252.204-7012 cyber incident notification requirements, the new requirements have the potential to directly affect nearly all government contractors. While the new requirements may simplify notification requirements for contractors by creating a federal government-wide standardized approach, companies that have not previously implemented rigorous cybersecurity measures and incident response protocols may find themselves unprepared for this new era of cybersecurity. The new rules will also force scrutiny of the development cycle and supply chain for software and service providers in a manner not previously seen. The stakes are high for IT companies with significant government sales, and the opportunities are potentially ripe for new contractors seeking to replace them.
Markus Speidel, a Law Clerk in the Morrison & Foerster LLP Government Contracts + Public Procurement practice, contributed to this alert.