President Biden Issues Executive Order on Cybersecurity
On May 12, 2021, President Biden issued an executive order to strengthen U.S. cybersecurity defenses. The order comes in the wake of the ransomware attack on Colonial Pipeline and numerous other cybersecurity attacks against the U.S. government and private companies over the past few years. The order proposes a wide array of changes to bolster the federal government’s ability to respond to and prevent cybersecurity attacks. The major sections of the order are highlighted below:
- Removing Barriers to Sharing Threat Information – IT and OT service providers contracting with the federal government will be required to share data and information related to cybersecurity breaches that could impact U.S networks. The order requires review and updates to the Federal Acquisition Regulation (FAR) and agency-specific cybersecurity requirements to meet this goal
- Modernizing Federal Government Cybersecurity – Agencies will be required to modernize their approach to cybersecurity. The order imposes requirements to reach this modernization goal, including: (a) requiring all agencies to develop a plan for implementing Zero Trust Architecture (an approach to network security that focuses on user authentication and limiting access on a need-to-know basis), (b) requiring agencies and the Director of OMB to develop a federal cloud security strategy, and (c) requiring agencies to adopt multi-factor authentication and encryption for data at rest and in transit (to the maximum extent possible under applicable laws).
- Enhancing Software Supply Chain Security – After receiving input from the federal government, private sector, academia and others, the Director of the National Institute of Standards and Technology (NIST) will develop guidelines to enhance the security of commercial software. Once such guidelines are put in place, agencies will only be allowed to purchase software that meets the guidelines. Software suppliers will have to “self-certify” that the guidelines have been met and suppliers who do not comply will be removed from federal procurement lists.
- Establishing a Cyber Safety Review Board – A “Cyber Safety Review Board” will be established by the Secretary of Homeland Security to assess significant cyber incidents affecting federal civilian agency systems and non-federal systems. The board will be composed of private and public sector officials and will convene after “significant cyber incidents” to analyze and make recommendations on responding to such cyberattacks.
- Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents – The Secretary of Homeland Security will develop a standard set of operational procedures (or “playbook”) to be used in planning and conducting cyber incident response.
- Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks – All federal civilian agencies will be required to deploy an Endpoint Detection and Response (EDR) initiative. EDR is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. The goal of EDR is to proactively and quickly identify cybersecurity threats and respond to them.
- Improving the Federal Government’s Investigative and Remediation Capabilities – The Secretary of Homeland Security will provide the Director of OMB recommendations on requirements for logging events and retaining other relevant data within an agency’s systems and networks.
- National Security Systems – The Department of Defense will be required to adopt at least equivalent requirements for “National Security Systems” to the extent the order is not otherwise applicable to such systems.