The Executive Order released by the Biden administration last
month (the Cybersecurity EO) seeks to bolster the federal
government’s cybersecurity defenses and resilience by imposing
a variety of requirements on federal agencies and government
contractors that are likely to have spillover effects in the
private sector.1 While many federal agencies and
contractors already abide by existing agency-specific cybersecurity
measures, the Cybersecurity EO establishes additional criteria to
ensure that all information systems used or operated by federal
agencies “meet or exceed” the cybersecurity requirements
set forth in the Cybersecurity EO.2 In particular,
the Cybersecurity EO will directly affect companies that provide
information technology (IT) and operational technology (OT)
services, cloud computing software, and other technology to the
federal government. In turn, the private sector, even when not
servicing the federal government, is expected to see a renewed
emphasis on security requirements and assessment standards.
President Biden signed the highly anticipated Cybersecurity EO
just a few months after the discovery of major cybersecurity
incidents that targeted the United States, including SolarWinds
(the reported Russian cyber espionage operation that affected nine
federal agencies and about 100 American companies), a reported
Chinese cyber hacking campaign that compromised tens of thousands
of small and midsize firms that used Exchange email servers, and,
most recently, the largest known cyberattack on the US energy
sector, which led to the shutdown of the Colonial
Pipeline.3 Referencing these events, the
Cybersecurity EO and corresponding White House
fact sheet (1) make clear that the directives are aimed at
improving the government’s “insufficient cybersecurity
defenses,” (2) cast remediation of these incidents as a
“top priority and essential to national and economic
security,” and (3) order several dozen actions be taken
beginning as soon as this summer.4
We highlight here the key initiatives and imminent deadlines
that the EO sets out:
- Remove barriers to threat information-sharing
between the government and private
sector.5 Contractual barriers that prevent
IT and OT service providers from sharing threat information will be
removed, and such providers will be required to share certain
breach information with the government.6 This
structure is intended to facilitate a more robust
information-sharing regime. Traditionally, only defense contractors
have been subject to federal requirements regarding breach
reporting,7 and while the Federal Acquisition
Regulation (FAR) imposes basic safeguarding requirements, it stops
short of requiring breach notification.8 The
Cybersecurity EO now extends the reporting requirement to all
providers of IT and OT services to the federal government.
Contractors will also be required to collect and share information
related to cyber threats, incidents, and risks with the
Cybersecurity and Infrastructure Security Agency (CISA), the Federal
Bureau of Investigation, and other agencies.9 While
changes to government contracts will take time to implement,
deadlines have been imposed on federal agencies to hasten these
initiatives, beginning as soon as this month:
- June 2021: The Secretary of Homeland Security,
in consultation with other agency heads, is directed to recommend
to the FAR Council the nature and type of information pertaining to
cyber incidents that require reporting.10
- July 2021: The Director of the Office of
Management and Budget (OMB), in consultation with other agency
heads, is directed to review and recommend updates to contractual
requirements and language for IT and OT service providers to report
- September 2021: The Secretary of Homeland
Security and the Director of OMB are directed to take
“appropriate steps” to ensure service providers are
sharing data with certain agencies.12 This
requirement is broad; it implicates information that
“may be necessary for the Federal government to
respond to cyber threats, incidents, and risks,” and that
information must be shared “to
the greatest extent
possible.”13 It remains to be seen whether
these open-ended directives are ultimately cabined by their
- Modernize and implement stronger cybersecurity
standards in the federal government.14 Over the
next several months, the government must develop “security
best practices,” such as the use of zero-trust architecture,
cloud service solutions, and multi-factor authentication and
encryption.15 The government must also modernize
the FedRAMP program—the federal government’s main
security authorization program for cloud security—to include
training for agencies and improved communication with cloud service
- Improve software supply chain
security.17 Over the next year, the
Department of Commerce’s National Institute of Standards and
Technology (NIST) is directed to develop guidance to
“enhanc[e] software supply chain security criteria,”
with an emphasis on “critical software,” that will
include standards, procedures, or criteria regarding data
encryption, multi-factor authentication, and other
measures.18 Eventually, and critically, only
software that abides by these new rules will be eligible for
federal procurement; non-compliant software will be removed from
federal contracts and purchase agreements, and legacy software will
need to be redesigned as necessary to comply with these new
requirements.19 Further, the Secretary of Commerce,
acting through the Director of NIST, is also directed to develop
criteria for product labels to explain for consumers the
cybersecurity capacities of commercial (including
Internet-of-Things) devices and software, including the
“levels of testing and assessment” that a product may
have undergone.20 From the perspective of companies
concerned about potential Federal Trade Commission enforcement, the
labelling regime will be especially important to bear in mind so as
to ensure that device or software development processes meet or
exceed the stated criteria, and accurately reflect existing
- Establish a cyber safety review
board.21 An incident review board will
convene when there are “significant” cybersecurity
incidents.22 The board reflects a public-private
partnership centered on digital defense and identifying lessons
learned. It will be co-led by the Secretary of Homeland Security
and others, including representatives from private sector entities,
who will be selected based on the particular incident being
- Create a standard playbook for responding to cyber
incidents.24 By September 2021, the
Department of Homeland Security (DHS), OMB, and other federal
agencies will be required to develop a
“playbook”—i.e., a standard set of operating
procedures—to be used in planning and conducting
cybersecurity vulnerability and incident response activity with
respect to Federal Civilian Executive Branch (FCEB) Information
Systems.25 The playbook must (1) incorporate all
appropriate NIST standards, (2) be used by FCEB agencies, and (3)
articulate progress and completion through all phases of incident
- Improve detection of cybersecurity incidents on
federal government networks.27 In order to
detect incidents early, agencies must deploy Endpoint Detection and
Response initiatives to support proactive detection of
cybersecurity incidents within federal government infrastructure,
active cyber hunting, containment and remediation, and incident
response.28 These requirements will be based on
requirements issued by OMB in consultation with
- Improve investigative and remediation
capabilities.30 Over the next three months,
the Secretary of Homeland Security, in consultation with other
federal agencies, is directed to develop standardized requirements
for maintaining information event logs for federal
agencies.31 The requirements will include the types
of logs to be maintained, the time periods to retain the logs, and
guidance for protecting those logs.32
As written, the Cybersecurity EO is designed to have a
meaningful impact not only on the federal government but also on
its contractors and, ultimately, the private sector. Yet for all of
the Cybersecurity EO’s ambitious directives and timelines,
execution of these directives will take time, and the Cybersecurity
EO’s ultimate effect will be heavily informed by implementing
regulations that have not yet been announced. It remains to be seen
how soon the new initiatives envisioned by the Cybersecurity EO
will actually take effect, but IT and OT providers most likely to
be directly impacted are on notice that change is on the horizon,
and that the security community as a whole is contemplating new
benchmarks for what cybersecurity looks like.
Of course, the Cybersecurity EO only offers one vector of the
federal government’s cybersecurity response, and therefore is
equally notable for what it does not, and cannot, address. For
example, in the wake of the hack of SolarWinds and the ransomware
attack on Colonial Pipeline, it is natural to ask what the Biden
Administration’s response will be to continued Russian and
Chinese state-sponsored cyber intrusions and, relatedly, foreign
safe-harbors provided to criminal groups.33 The
Cybersecurity EO does not say. Separately, will Congress go beyond
the Cybersecurity EO to impose broad-sweeping and mandatory breach
disclosure requirements, as some have alluded
to?34 From that perspective, the Cybersecurity EO
may signal just the beginning of a broader effort within the
federal government that is likely to continue in the coming
1 White House, Executive Order on Improving the
Nation’s Cybersecurity (May 12, 2021),
2 Cybersecurity EO § 1.
3 Ellen Nakashima, Biden Signs Executive Order
Designed to Strengthen Federal Digital Defenses, Washington
Post (May 12, 2021),
4 Cybersecurity EO § 1; White House, Fact
Sheet: President Signs Executive Order Charting New Course to
Improve the Nation’s Cybersecurity and Protect Federal
Government Networks (May 12, 2021),
5 Cybersecurity EO § 2.
6 Cybersecurity EO § 2.
7 DFARS 252.204-7012.
8 FAR 52.204-21.
9 Cybersecurity EO §§ 2(a), 2(e).
10 Cybersecurity EO § 2(g)(i).
11 Cybersecurity EO § 2(b).
12 Cybersecurity EO § 2(e).
13 Cybersecurity EO § 2(e) (emphasis added).
14 Cybersecurity EO § 3.
15 Cybersecurity EO § 3(d).
16 Cybersecurity EO § 3(f).
17 Cybersecurity EO § 4.
18 Cybersecurity EO §§ 4(c)-(e). Under the EO,
“critical software” is “software that performs
functions critical to trust (such as affording or requiring
elevated system privileges or direct access to networking and
computing resources),” and which will be subject to additional
security guidance. Id. §§ 4(a),
19 Cybersecurity EO §§ 4(p)-(q).
20 Cybersecurity EO §§ 4(s)-(t).
21 Cybersecurity EO § 5.
22 Cybersecurity EO § 5(c).
23 Cybersecurity EO § 5(e).
24 Cybersecurity EO § 6.
25 Cybersecurity EO § 6(b).
26 Cybersecurity EO § 6(b).
27 Cybersecurity EO § 7.
28 Cybersecurity EO § 7(b).
29 Cybersecurity EO §§ 7(c)-(d).
30 Cybersecurity EO § 8.
31 Cybersecurity EO §§ 8(b)-(c).
32 Cybersecurity EO § 8(b).
33 See Mae Anderson & Frank
Bajak, Cyberattack on U.S. Pipeline is Linked to Criminal
Gang, Associated Press (May 9, 2021),
34 See Eric Geller & Martin
Matishak, A Federal Government Left ‘Completely
Blind’ on Cyberattacks Looks to Force Reporting, Politico
(May 15, 2021),