President Biden’s Recent Cybersecurity Executive Order Will Increase Compliance Obligations on the Private Sector
Companies providing information technology products and services to U.S. government agencies are now required to notify such agencies of cyber incidents and meet specific cybersecurity standards. The executive order attempts to modernize the federal government’s cybersecurity defenses by “protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the [United States]’ ability to respond to incidents when they occur.” The executive order is just one example of the Biden administration’s push to improve the nation’s data privacy and cybersecurity practices in response to the recent series of ransomware attacks.
On May 12, 2021, President Biden signed an executive order to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices (“the Order”). The Order comes on the heels of a ransomware attack on Colonial Pipeline that occurred on May 6, 2021, which shut down the largest oil pipeline in the United States and disrupted supplies of gasoline, diesel, and jet fuel to the East Coast. This initiative to improve the security of the software supply chain also stems from the SolarWinds cyberattack that occurred last year. In the attack, Russian hackers used a routine software update that Texas-based SolarWinds Corp. provided to its customers to install malicious code, allowing the hackers to infiltrate nine federal agencies and about 100 companies.
Proposed amendments to the Federal Acquisition Regulation (“FAR”) and the Defense Federal Acquisition Regulation Supplement (“DFARS”) are expected soon and will increase compliance obligations for government contractors and their vendors, building on a string of supply chain and cybersecurity regulations in recent years (including Section 889’s prohibition on the use of certain Chinese telecommunications equipment, new registration requirements in the Supplier Performance Risk System, and the Department of Defense’s Cybersecurity Maturity Model Certification program). We see the biggest impacts on government contractors, such as developers and users of software.
The Order:
Removes Barriers to Threat Information Sharing between the Government and the Private Sector. The Order removes certain contractual barriers that prevent information technology (“IT”) service providers from sharing information about cyber incidents with government agencies with which they contract and requires the IT service providers to promptly notify such agencies of a cyber incident involving the software and support-related products or services they provide. The Order requires the FAR Council to update the FAR and the DFARS to remove the contractual impediments to sharing information about cyber incidents and to detail the information that must be included in a cyber incident notification to government agencies, including the time periods for reporting cyber incidents (a three-day deadline for the most severe incidents). The Order also requires IT service providers to cooperate with federal agencies to investigate and respond to incidents on federal information systems, including by implementing technical capabilities, such as monitoring networks for threats in collaboration with government agencies. Department of Defense contractors are already subject to similar cyber reporting and cooperation requirements. This means that the Order will have the greatest impact on civilian agency contractors, which, to date, have generally not been required to report cyber incidents to the U.S. government.