On May 12, 2021, the Biden Administration issued Executive Order 14028 on improving the nation’s cybersecurity. The Executive Order comes in response to cybersecurity incidents such as the SolarWinds hack in December 2020, the recent Colonial Pipeline attack and the JBS attack in Brazil last week. The overall goal of the Executive Order is to standardize cybersecurity protection protocols across the federal government, replacing the current agency-by-agency protocols, and to use government purchasing power to drive cybersecurity improvements in the private sector. With these changes, the Executive Order is expected to affect government contractors and their cybersecurity requirements.
The Executive Order
The Executive Order covers a number of cybersecurity issues, including preparedness for, protection against and response to computer breaches; mandatory notification of and cooperation by government contractors following cyber breaches; moving the federal government toward secure cloud services and implementing Zero Trust architecture and multifactor authentication; improving software supply chain security; and establishing a Cyber Security Review Board.
While the main goal of the Executive Order is to implement changes within the federal government itself, government contractors can also expect some changes. Specifically, in support of initiatives to remove barriers to sharing information about threats and improve software supply chain security, President Biden has instructed the Office of Management and Budget (OMB) to review and recommend updates to FAR and DFARS. As the Executive Order gives OMB 60 days to make recommendations, the full impact on government contractors is not yet known. However, any proposed changes to FAR and DFARS will follow standard procedures and will be open to public comment, thus providing potentially affected contractors with the opportunity to provide information on the proposed changes.
While the details of the FAR and DFARS changes are not yet known, it is clear that contractors will need to extend data collection and retention requirements for preventing and responding to cyber breaches across the contractor’s entire IT infrastructure, not only the systems used in federal procurement. Consequently, all contractors doing business with the federal government may need a potentially significant overhaul of their IT systems to comply with up-to-date cybersecurity standards.
Cybersecurity Maturity Model Certification
Interestingly, the Executive Order does not mention or refer to the Cybersecurity Maturity Model Certification (CMMC), the current cybersecurity certification process that government contractors must complete before bidding on Department of Defense contracts. CMMC had previously experienced delays in its rollout, which were exacerbated by the replacement of top Pentagon officials after the election. The omission of any reference to CMMC in the Executive Order may indicate an intention to replace CMMC with a single set of rules across the federal government, but so far there has been no official word on the fate of CMMC.
While the exact future of cybersecurity practices and standards is unclear, government contractors should be prepared to meet stricter requirements and should consider reviewing their cybersecurity programs now to identify weaknesses and areas for improvement. When the FAR and DFARS revisions are published, contractors will need to implement them immediately. Improved cybersecurity should give the federal government and its contractors additional operational security to combat the growing threat of cyberattacks.