United States:
Strengthening U.S. Cyber Security – New Executive Order
18 May 2021
Taft Stettinius & Hollister
In response to recommendations contained in the Cyberspace Solarium
Commission report and the SolarWinds cybersecurity incident,
President Biden issued an Executive Order on May 12, 2021 (EO),
outlining new requirements for information technology (IT)
providers that do business with the federal government. The purpose
of the requirements is to protect federal networks from malicious
cyber-attacks and to improve information-sharing between the U.S.
government and the private sector on cyber issues, thereby
strengthening the United States’ ability to respond to
incidents when they occur. The EO is available here.
This much-anticipated and lengthy EO is intended to make bold
changes to the way the federal government approaches cybersecurity,
identifying a new policy of prevention, detection, assessment, and
remediation of cyber incidents as a top priority which is essential
to national and economic security. The EO is intended to quickly
identify and respond to threats from both foreign and domestic
adversaries.
The Solarium Commission and government cybersecurity experts
recognized that there are certain vulnerabilities inherent in the
current supply chain. Accordingly, there is a need to further
enhance partnerships with private sector companies that control
critical infrastructure, such as internet service providers and
software developers. The EO places particular emphasis on partnering
with those private sector companies that are current federal
government contractors.
The EO further builds upon direction contained in prior
Presidential Policy Directives to use the federal government’s
purchasing power to shape economic policy around cybersecurity.
Executive branch agencies and departments are instructed to review
internal policies and standard contractual language with an eye
toward removing contractual barriers and increasing the sharing of
information about threats, incidents, and risks, so as to allow for
accelerated incident deterrence, prevention, and response. Agencies
are also required to provide recommendations and revised
contractual language to the Federal Acquisition Regulation (FAR)
Council by mid-July. This revised language must address the nature
and type of cyber incidents that will need to be reported and the
timelines for reporting them, as well as protections for privacy
and civil liberties. The EO gives agencies short timeframes for
submitting these deliverables.
The EO also tasks the heads of several national security-related
and defense-related agencies with joint development of cyber
incident report sharing procedures, so federal agencies will be
made aware of incidents sooner and can quickly take steps to
mitigate the impact of the incident. A Cyber Safety Review Board
will be established with the Secretary of Homeland Security at the
helm.
The EO sets goals for modernizing the federal government’s
approach to cybersecurity, which include adopting security best
practices; moving toward a Zero Trust Architecture and more secure
cloud services; centralizing and streamlining access to cybersecurity
data to drive analytics for identifying and managing cybersecurity
risks; and investing in both technology and personnel to match
these modernization goals. The EO identifies certain measures that
will soon be required across executive agencies, such as
multi-factor authentication and encryption of data at rest and in
transit.
In terms of the commercial supply chain, the EO directs broad
regulatory changes. One notable change is establishing baseline
security standards for the development of software sold to the
government, including requiring developers to maintain greater
visibility into their software and making security data publicly
available. Another is the creation of a pilot program –
similar to the Energy Star program used in consumer product
labeling – so the government and private consumers can
quickly determine whether certain software was developed
securely.
Federal agencies will be busy in the coming weeks and months
developing the new policies to address these heightened
cybersecurity needs. Then comes the rulemaking process to create
new regulations or amend existing regulations to address the new
policies. Government contractors, specifically those that are IT
providers, need to be prepared to implement any new
requirements.