After several recent major cyberattacks, President Biden issued a sweeping Executive Order on Improving the Nation’s Cybersecurity (“Order”) on May 12, 2012. The Order reflects the Administration’s policy that the “prevention, detection, assessment and remediation of cyber incidents” is a top priority and essential for economic and national security. President Biden issued the Order following a series of recent cyberattacks against federal government and private company networks, including the Colonial Pipeline and SolarWinds incidents.
The Order aims to improve the country’s cybersecurity and protect federal government networks from malicious attacks by partnering with the private sector, so that the nation can better adapt to a constantly changing cybersecurity threat environment.
The eight initiatives of the executive order
The Order announces eight key initiatives to improve the country’s cybersecurity and better protect federal government networks:
1. Remove barriers to information sharing between government and the private sector
The Order seeks to remove barriers to the exchange of information between government and the private sector by updating the contract terms for federal information technology and operational technology services. The Order directs a review of the Federal Acquisition Regulation (“FAR”) contract terms and agency supplements to ensure that contractors collect, retain, and share information related to cyber threats and incidents. It also establishes a federal government policy that requires information and communications technology service providers to promptly report the discovery of cyber incidents. The Administration has stated that it expects the revised contract terms to encourage the private sector to share similar information more widely.
2. Modernize and implement stronger cybersecurity standards in the federal government
Recognizing that the cyber-threat environment is “dynamic and increasingly sophisticated,” the Order urges federal agencies to take decisive steps to modernize their approach to cybersecurity, including: (i) adopting cybersecurity best practices; (ii) moving towards a Zero Trust Architecture; (iii) accelerating the move to secure cloud services, including software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS); (iv) centralizing and streamlining access to cybersecurity data to drive analytics for identifying and managing cybersecurity risks; and (v) investing in both technology and personnel to meet these modernization goals.
3. Improve security of the software supply chain
The Order recognizes that the security of software in the supply chain is vital to the federal government’s ability to perform its critical functions. The Order instructs federal civilian executive agencies to take steps to rapidly improve the security and integrity of the software supply chain by developing and implementing standards to achieve this goal. The resulting rules are likely to ultimately affect not only government contractors but also commercial enterprises.
4. Establish a cybersecurity security review board
The Order establishes a Cyber Safety Review Board composed of federal officials and representatives of private sector entities that will review and assess threat activity, vulnerabilities, mitigation activities, and agency responses related to significant cyber incidents. (This Board is modeled on the National Transportation Safety Board, which investigates plane crashes and other transportation incidents.)
5. Standardize the federal government’s playbook for responding to vulnerabilities and cybersecurity incidents
Federal agencies currently have different approaches to responding to cybersecurity vulnerabilities and incidents. The Order instructs federal civilian agencies to “develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity.” The playbook (i) will incorporate the appropriate standards of the National Institute of Standards and Technology (NIST); (ii) will be used by all federal agencies; and (iii) will articulate progress and completion through all phases of an incident response, while allowing enough flexibility that it can be used in support of various response activities. The Administration intends that the playbook can also be used by the private sector in its own cybersecurity responses.
6. Improve the detection of cyber incidents in federal government networks
The Order aims to improve the detection of malicious cyber activity on federal civilian networks by enabling a Government-wide endpoint detection and response system and by improving information sharing within the federal government.
7. Improve investigative and remediation capabilities
The Order directs agencies to “establish requirements for logging, log retention, and log management, which shall ensure centralized access and visibility for the highest level security operations center of each agency.” The Order also directs the Federal Acquisition Regulation (“FAR”) Council to consider these requirements when enacting procurement regulations. These requirements are likely to generate new obligations for contractors and the supply chain.
8. Adopt equivalent requirements for national security systems
Finally, the Order directs the Secretary of Defense to adopt national security system requirements that are equivalent to or greater than the requirements of the Order. Briefly, a national security system is any system used by or on behalf of an agency (including by a contractor or other third party) that involves: intelligence activities; cryptologic activities related to national security; command and control of military forces; equipment that is an integral part of a weapon or weapon system; or that is critical to the direct fulfillment of military or intelligence missions.
Key behaviors for federal contractors and other private companies
The Order sets an aggressive timetable, with deadlines ranging from 45 to 120 days for agencies to begin implementing many of its key requirements. Although the scope of the Order’s impact will become clearer in the coming months as the Government enacts implementing rules, it is already clear that:
- The requirements of the Order will affect companies doing business with the Government as prime contractors, subcontractors, or suppliers;
- The impact of the Order will extend far beyond the government contracting channel, because the processes, procedures, and standards created to comply with the Order will shape industry best practices, and a company’s failure to apply those practices could bear on whether it exercised “reasonable prudence” in protecting its network and data; and
- While many of the Order’s requirements may already have been adopted by large companies, implementation by the federal government is likely to drive adoption of these same practices by smaller companies.
In light of this Order, federal contractors and other private companies should evaluate their technical, administrative, and physical measures for protecting the confidentiality, availability, and integrity of their systems and data. As federal agencies work to implement the Order, companies should monitor and respond to changes in regulations, standards, and guidelines. As the Order states, “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” The private sector’s ability to be a good partner to the federal government is sure to be tested in the coming months.