White House Cybersecurity Executive Order – Key Provisions Impacting Contractors

Recently the White House released a much-anticipated Executive Order on Improving the Nation’s Cybersecurity. In the EO the Biden Administration seeks to “make bold changes and significant investments” to protect and secure federal information technology (IT), systems and data.

Here are the key elements of the EO that will drive the cybersecurity standards and requirements for federal agencies as well as their contract partners that provide cloud services, software products and other technology solutions. Most of the activities apply predominantly to Federal Civilian Executive Branch (FCEB) agencies under the prevue of the Cybersecurity and Infrastructure Security Agency (CISA), although elements that apply to the Department of Defense (DoD) or members of the Intelligence Community (IC) are noted.  

Requirements to Share Cyber Threat Information

Updated Contract Requirements – The Office of Management and Budget (OMB), in consultation with other federal cybersecurity leaders, shall review and recommend updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for contracting with IT and operational technology (OT)) service providers. The updated contract requirements are to ensure that service providers – including cloud service providers – collect and store cybersecurity data on all information systems over which they have control, including systems operated on behalf of agencies.

Info Sharing – Service providers will be required to share data on cyber incidents or potential incidents relevant to any agency with which they have contracted and collaborate with federal cybersecurity or investigative agencies in their incident investigations and responses. The Department of Homeland Security (DHS) will identify the nature of cyber incidents that require reporting;  the types of information that require reporting; protections for privacy and civil liberties; and the time periods within which contractors must report.

Standardizing Agency Cyber Requirement Contract Language

To streamline and improve compliance for vendors and agencies CISA will review existing agency-specific cybersecurity requirements and recommend to the FAR Council standardized contract language for appropriate cybersecurity requirements. Once approved by the FAR Council, agencies will update their agency-specific cybersecurity requirements to remove any duplicative requirements.

Modernizing Federal Cybersecurity

Agency heads must update plans and prioritize the use of secure cloud services, develop plans to move to Zero Trust Architecture (ZTA) and report to the White House on both plans. Cloud migrations are to adopt ZTA to enable the capability to prevent, detect, assess, and remediate cyber incidents. CISA will modernize its current cybersecurity programs to be fully functional with cloud-computing environments with ZTA.

Cloud Security

CISA and the General Services Administration’s (GSA) Federal Risk and Authorization Management Program (FedRAMP) shall develop security principles governing Cloud Service Providers (CSPs) for incorporation into agency modernization efforts. In support of this OMB, CISA, and FedRAMP will develop a federal cloud-security strategy and guidance for agencies. CISA will also develop and issue a cloud-security technical reference architecture and a cloud-service governance framework.  CISA will establish a framework to collaborate on cybersecurity and incident response activities related to FCEB cloud technology to ensure effective information sharing among agencies and between agencies and CSPs.

FedRAMP Modernization

GSA will embark on a number of efforts to modernize their Cloud program, including establishing an agency training program to equip them to effectively manage FedRAMP requests; improving communication with CSPs through automation and standardization; incorporating automation throughout the lifecycle of FedRAMP; digitizing and streamlining documentation that vendors are required to complete; and mapping relevant compliance frameworks onto FedRAMP authorization requirements so that they may be used as a substitute for the relevant FedRAMP portion of the authorization process.

Data Security

Agency shall evaluate and report to CISA and OMB on the types and sensitivity of their unclassified data – prioritizing unclassified data considered to be the most sensitive and under the greatest threat – and appropriate processing and storage solutions for those data. Agencies shall adopt multi-factor authentication (MFA) and encryption for data at rest and in transit and report to CISA, OMB and the White House on their progress every 60 days until fully adopted. CISA may assist lagging agencies implement MFA and encryption.

Software Supply Chain Security

Software Supply Chain Guidance – The National Institute of Standards and Technology (NIST) will develop, refine and issue guidance identifying practices that enhance the security of the software supply chain (SSC).  The guidance will include standards, procedures, or criteria regarding secure software development environments; conformance artifacts; automated tools or processes to maintain trusted source code supply chains and that check for and remediate known and potential vulnerabilities; data and software code provenance; and audit and enforcement. The NIST guidance will also address minimum elements for a Software Bill of Materials (SBOM) for each product a vendor produces. The guidance is due in six months and OMB will begin enforcement in agency software procurements one month after that. Agencies may request an extension or a waiver.

Critical Software – Within the guidance above, NIST shall publish a definition of “critical software” that “reflects the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.” CISA will then identify a list of categories of software and software products in use or in the acquisition process meeting the definition of critical software. NIST shall publish guidance outlining security measures for critical software, including applying practices of least privilege, network segmentation, and proper configuration to which agencies must comply in their software procurements.

Contract Compliance – Within 1 year of the date of this EO, the Homeland Security Secretary and the FAR Council will update the FAR with contract language requiring suppliers of software to comply with and attest to these NIST compliance requirements. Afterwards, software products that do not meet the requirements of the amended FAR will be removed from all federal contract vehicles.

Legacy Software Remediation – Agencies employing software developed and procured prior to the date of the EO (i.e. legacy software) will need to comply with these NIST SSC security requirements or provide a plan outlining actions to remediate or meet those requirements. Renewals of software contracts, including legacy software, will need to comply with NIST requirements.

Software Testing Standards – NIST shall publish guidelines recommending minimum standards for vendors’ testing of their software source code, including identifying recommended types of manual or automated testing (such as code review tools, static and dynamic analysis, software composition tools, and penetration testing).

Internet-of-Things (IoT) Security – NIST shall initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices. Manufacturers and developers may be incentivized to participate in these programs.

Consumer Product Labeling Programs – NIST will work with the Federal Trade Commission (FTC) and other agencies to identify IoT cybersecurity criteria for a consumer labeling program, which may be operated in conjunction with or modeled after any similar existing government programs. In a similar fashion, NIST and the FTC shall also identify secure software development practices or criteria for a consumer software labeling program and/or a tiered software security rating system. 

Cyber Safety Review Board

The Department of Homeland Security shall establish the Cyber Safety Review Board, consisting of federal officials and representatives from private-sector entities, which will review and assess significant cyber incidents affecting FCEB Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities, and agency responses. The Board will make recommendations for improving federal cybersecurity and incident response practices following a significant cyber incident, starting with a review of the recent SolarWinds and Microsoft Exchange incidents.

Standardizing federal cybersecurity vulnerability and incident response procedures

CISA will work with other federal cybersecurity leaders to develop a standard set of operational procedures (playbook) to be used in planning and conducting a cybersecurity vulnerability and incident response activity through all phases of an incident response. The playbook will define key terms to provide a shared lexicon among agencies and OMB shall issue guidance on agency use of the playbook. Agencies with procedures that deviate from the playbook may use such procedures only after demonstrating to OMB and the Assistant to the President and National Security Advisor (APNSA) that these procedures meet or exceed the standards proposed in the playbook.

Cyber Vulnerability and Incident Detection

Endpoint Detection and Response – CISA and OMB will develop an Endpoint Detection and Response (EDR) initiative aimed at increasing the visibility into and early detection of cybersecurity vulnerabilities and threats to agency networks. The EDR initiative will be centrally located to support host-level visibility, attribution, and response and will support proactive detection of cybersecurity incidents within federal infrastructure, active cyber hunting, containment and remediation, and incident response. Agencies will be required to adopt the defined federal government-wide EDR approaches, including a capability for CISA to engage in cyber hunt, detection, and response activities. 

Continuous Diagnostics and Mitigation – Agencies shall establish or update Memoranda of Agreement (MOA) with CISA for the Continuous Diagnostics and Mitigation Program (CDM) to ensure object level data are available and accessible to CISA.

National Security Systems – The Director of the NSA as the National Manager for National Security Systems (National Manager), along with Defense and Intelligence leadership, shall establish policies for improving detection of cyber incidents affecting National Security Systems, including EDR approaches and whether such measures should be operated by agencies or through a centralized service of common concern provided by the NSA. 

Threat-Hunting – CISA shall report quarterly to OMB and the APNSA how threat-hunting authorities granted under section 1705 of the FY 2021 NDAA are being implemented.  

Cross-Sector Cyber Directive Alignment – The Departments of Defense and Homeland Security shall establish procedures to immediately share with each other DoD Incident Response Orders or DHS Emergency Directives and Binding Operational Directives applying to their respective information networks. DoD and DHS will then evaluate whether to adopt the guidance issued by the other department.

Investigative and Remediation Capabilities

DHS and OMB shall formulate policies for agencies to establish requirements for network and system logging on federal information systems (for both on-premises systems and connections hosted by third parties, such as CSPs), as well as log retention, management and protection. These requirements will be designed to permit agencies to share log information with other federal agencies for cyber risks or incidents.

National Security Systems

Equivalent Requirements – The Director of the NSA (the National Manager) shall adopt National Security Systems (NSS) requirements that are equivalent to or exceed the cybersecurity requirements set forth in the EO that are not already applicable to National Security Systems. Such requirements must be codified in a National Security Memorandum (NSM) to be applicable.

Status Quo Authorities – The EO reemphasizes the authority split that National Security Systems fall under the authority of the NSA Director/National Manager and that FCEB networks continue to be within the authority of CISA.

Flexibility and Funding

National Cyber Director (NCD) – The White House noted that once the nominated National Cyber Director (NCD) is confirmed and the related office within the White House is established this order may be modified to enable the NCD to execute its duties and responsibilities.

Funding Support – The order notes in its final provisions that its implementation is “subject to the availability of appropriations,” so the Biden Administration is looking for Congress to support these and other cybersecurity initiatives with sufficient funding.