“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.”
The Biden Administration recently issued Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” to strengthen federal agency and contractor cybersecurity. The EO was drafted in response to the SolarWinds compromise and other recent cyber incidents affecting private sector supply chains and government agencies.
Because this is an EO and not legislation, the EO can only apply to federal agencies and federal contractors, not the private sector more generally. Many of the requirements in the Biden EO are directed at federal agencies (both civilian and military, per section 9), such as standardizing agency incident reporting, moving to secure cloud, etc. But some of the most critical sections of the EO relate to the security of entities that contract with the federal government. We’ll take a closer look at two of those items here:
Software supply chain security. Federal contracts for software procurement will incorporate requirements for secure development processes. Key dates:
- 11/08/21 - Preliminary supply chain security guidelines
- 02/06/22 - Supply chain security guidance
- 07/11/21 - Security measures for “critical software”
- 08/10/21 - Agency compliance with critical software security measures
- 03/08/22 - Agency compliance with supply chain security guidance
- Post-05/12/22 - New federal contract language incorporating the guidance and measures will be proposed
Incident reporting. Federal contractors must preserve information relevant to cybersecurity event prevention and response, and notify the government of any incidents. Key dates:
- 09/09/21 - Expanding incident reporting as much as possible under existing requirements
- 09/24/21 - Proposed updates to standardize cyber incident reporting requirements
- 10/09/21 - Proposed updates to cyber information sharing requirements
Software supply chain security
One of the most complex and impactful sections of the EO is aimed at secure software development for federal contractors. The EO does this by tasking the National Institute of Standards and Technology (NIST) with defining and detailing security requirements, which will ultimately be incorporated into federal contracts for software procurement after a yearlong process. Below are the major steps and milestones within that process.
Preliminary supply chain security guidelines - By 11/08/21, NIST will issue preliminary supply chain security guidelines. The guidelines must include criteria that can be used to evaluate software security and the security practices of developers and suppliers. [Sec. 4(b)-(c)] NIST has already begun [soliciting input](https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/workshop-and-call-position-papers) for these guidelines.
Supply chain security guidance - By 02/06/22, NIST will issue more detailed guidance identifying practices that enhance software supply chain security. The guidance will include
- Secure development environments (including use of MFA and encryption, auditing trust relationships, monitoring for cyber incidents, etc.);
- Generating artifacts from those environments to demonstrate conformance;
- Using automated tools to validate source code supply chains;
- Checking for known and potential vulnerabilities in secure environments;
- Ensuring up-to-date provenance (origin) of source code or components;
- Providing a software bill of materials (SBOM) for each product. By 07/11/21, the Dept. of Commerce will publish the minimum elements of an SBOM. [Sec. 4(f)] Commerce has begun soliciting input on what the elements should be.
- Participating in vulnerability disclosure programs;
- Attestation to secure software practices;
- Maintaining and attesting to source code integrity. [Sec. 4(e)]
Agency compliance with supply chain security guidance - By 03/08/22, agencies must comply with the supply chain security guidance for software purchases from 05/12/21. [Sec. 4(k)]
Security requirements in federal contracts - After 05/12/22, the Federal Acquisition Regulatory (FAR) Council will propose contract language with the new security requirements for software vendors. The contract terms will be based on the NIST supply chain and critical software guidance. [Sec. 4(n)-(o)] Once the language is finalized, federal agencies must comply with these requirements [Sec. 4(q)] and remove non-compliant software. [Sec. 4(p)]
The EO also highlights “critical software” within the broader supply chain, with more stringent security requirements expected for critical software. [Sec. 4(a)]
Defining “critical software” - By 06/26/21, NIST will publish guidance on what the term “critical software” means, taking into account the level of privilege or access required to function, integration and dependencies with other software, potential for harm if compromised, and other factors. [Sec. 4(g)-(i)]
Critical software security requirements - By 07/11/21, NIST will issue guidance on security measures for critical software. This guidance must include applying practices of least privilege, network segmentation, and proper configuration. [Sec. 4(i)]
Agency compliance with security requirements - By 08/10/21, agencies must comply with the security measures for critical software. [Sec. 4(j)]
Incident reporting for federal contractors
One theme of the government’s response to the SolarWinds and Colonial compromises has been greater scrutiny over reporting on cyber incidents. Part of the theory is that the government wants to ensure it is able to act quickly on reports of a significant breach, and potentially stem the expansion of the breach. At the same time that Congress is considering legislation that would require incident reporting for critical infrastructure and other key companies, the Biden Administration’s EO applies new cyber incident reporting structures to federal contractors.
Expanding incident reporting as much as presently possible - By 09/09/21, the Office of Management and Budget (OMB) and the Dept. of Homeland Security (DHS) must take steps to ensure, to the “greatest extent” presently possible, that service providers are sharing data with agencies, CISA, and the FBI to ensure the government is able to respond to cyber incidents, threats, and risks. [Sec. 2(e)]
Standardizing cyber incident reporting requirements - By 09/24/21, the FAR Council will propose standardized procedures for ICT service providers to report cyber incidents to customer agencies and CISA. [Sec. 2(g)(ii)] These requirements shall include incident reporting timelines based on severity, with the most severe to be reported within 72 hours. [Sec. 2(g)(i)(D)]
Updating cyber information sharing requirements - By 10/09/21, the FAR Council may propose new federal contract requirements for IT and OT service providers to enable better cyber threat and incident information sharing. [Sec. 2(d)] The contract modifications will ensure federal contractors
- Collect and preserve information, over “all” information systems they control (or operate on behalf of federal agencies) “relevant to cybersecurity event prevention, detection, response, and investigation.” [Sec. 2(c)(i)]
- Share this information with any agency with which they have contracted and other agencies recommended by the OMB, consistent with applicable privacy laws. [Sec. 2(c)(iii)]
- Share cyber threat and incident information in industry-recognized formats for incident response and remediation. [Sec. 2(c)(iv)]
And there is more
As you can see, there’s a lot in this Order! The action items are just around the corner, and keep coming for at least a year. And yet there is more. Setting aside the substantial new federal agency cybersecurity modernization requirements [Sec. 3, 7], the EO contains several other noteworthy items that may affect federal contractors:
Event logging - By 08/24/21, federal agencies will be required to log cybersecurity events. The event-logging requirements may also be considered for federal contracts. [Sec. 8(b)-(d)]
Streamlining FedRAMP - By 07/11/21, the General Services Administration (GSA) must begin modernizing FedRAMP by, among other things, identifying other compliance frameworks that could receive reciprocity for portions of the authorization process. [Sec. 3(f)]
Source code testing standards - By 07/11/21, NIST shall publish guidelines recommending minimum standards for vendors testing their source code, including penetration testing, code review tools, etc. [Sec. 4(r)]
Labeling and transparency pilot programs - By 02/06/22, NIST shall identify criteria for a consumer IoT cybersecurity labeling program, and initiate a pilot program. [Sec. 4(s)-(t)] NIST will also identify secure development practices for a consumer software labeling program, and initiate a pilot program. [Sec. 4(s), (u)]
Move fast and break stuff?
Many of the actions in the EO are on aggressive deadlines. Though the actions themselves are helpful, it will be challenging for all involved to meaningfully participate, develop the best policy outcome, and ensure compliance on the timelines proposed in the EO. Nonetheless, this is a consequence of under-prioritizing security for many years, and undue delay would only worsen existing problems.
In general, we believe the EO is positive and demonstrates that the Biden Administration prioritizes cybersecurity. The modernization of federal agency cybersecurity is overdue and needed to address the risks government agencies face. Strengthening cybersecurity requirements for federal software procurement will raise the bar for contractors, and hopefully have ripple effects that boost cyber resiliency across the private sector.