In response to increasing cybersecurity threats, including the SolarWinds and Colonial Pipeline attacks, President Biden issued an Executive Order on May 12, 2021, that enhances cybersecurity requirements for federal contractors. The Executive Order applies to contractors that provide government-procured software and those that operate the “vital machinery that ensures our safety.” Sections 2 and 4 of the Executive Order will have the greatest impact on contractors due to the new requirements discussed below.
Section 2 aims to remove barriers to sharing information about cyber threats between the public and private sectors. The Executive Order calls for revisions within 60 days to the contract requirements for government service providers. These new contract provisions must ensure that:
All new federal contracts involving software products will require service providers to promptly report any cyber incidents directly to the Cybersecurity and Infrastructure Security Agency (CISA). These new requirements are expected to be published within the next five months.
Section 4 of the Executive Order enhances the security of the software supply chain and requires the Secretary of Commerce to issue related guidance within one year. The Office of Management and Budget (OMB) will then require agencies to comply with the guidelines for all software procured after the date of the Executive Order.
Supply chain security will include standards regarding:
Federal agencies will remove software products from federal deployment that do not contain the new contract language or meet the supply chain guidance issued under Section 4. The OMB will also require federal agencies that employ software developed prior to the Executive Order to either comply with Section 4 or provide a plan for how to comply. All renewed software contracts will need to comply with Section 4 going forward.
Section 4 also creates a new category of “critical software,” or software that performs functions critical to trust (such as affording or requiring elevated system privileges or direct access to networking and computing resources). The Secretary of Commerce will publish special security requirements for handling all critical software, including applying practices of least privilege, network segmentation, and proper systems configuration. Within the next 90 days, the OMB will require agencies to comply with the new guidance for critical software.
Finally, Section 4 calls for guidelines within 60 days that recommend minimum standards for vendors to test their government-procured software, including identifying recommended types of manual or automated testing (e.g., code review tools). The Secretary of Commerce will also initiate pilot programs to educate the public on the security capabilities of Internet of Things (IoT) devices and related IoT software development practices, and will consider means to incentivize IoT developers to participate in these programs. These pilot programs will lead to IoT cybersecurity criteria, to be issued within nine months of the Executive Order, that will incorporate a consumer-labeling program reflecting the testing and assessment criteria that an IoT device has undergone.
The Executive Order requires government service providers to strengthen their cybersecurity procedures and affirm compliance through new contract language. These requirements for government contracts may well be followed and expanded upon in the private sector. Companies that provide software to federal agencies, or operate critical infrastructure, should monitor the resulting regulations in the coming months.