On May 12, 2021, the Biden administration released Executive Order 14028, “Improving the Nation's Cybersecurity”, which implements new directives intended to strengthen the nation’s cybersecurity posture. Some industry observers describe the executive order (EO) as the foundation for a fundamental shift in how the nation prioritizes cybersecurity concerns. Notably, the EO is expected to send ripples across the private sector (particularly federal contractors) with an emphasis on spurring greater collaboration and transparency.
“The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector and ultimately the American people’s security and privacy,” the order states. It goes on to note, “In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
President Biden touted the EO as “the first of many ambitious steps” to modernize the federal government’s cyber defense system. SolarWinds, Microsoft Exchange and the Colonial Pipeline incidents are three recent examples of exploited cyber weaknesses that resulted in significant consequences. The EO stresses that the federal government “must lead by example” while also highlighting ways that the private sector needs to tighten cybersecurity defenses.
At a high level, the executive order includes these steps:
Section 4: Enhancing Software Supply Chain Security is an important segment within the EO that should be understood in more depth. Given the recent string of significant cybersecurity attacks and the associated national security risks, federal contractors need to be aware of this section, in particular.
“The federal government must take action to rapidly improve the security and integrity of the software supply chain, with a priority on addressing critical software,” the EO states. While the order emphasizes the security of “critical software,” the exact definition has yet to be announced.
Instead, the order directs the National Institute of Standards of Technology (NIST) to publish a definition of the term “critical software” which the EO states “shall reflect the level of privilege or access required to function, integration and dependencies with other software, direct access to networking and computing resources, performance of a function critical to trust, and potential for harm if compromised.”
Along with this definition, NIST is tasked with publishing further guidance that will identify practices enhancing the security of the software supply chain, such as establishing secure software development environments, employing automated tools for maintaining trusted source code supply chains and for detecting potential vulnerabilities, among other practices. Notably, in its guidance NIST will also include a provision requiring a Software Bill of Materials (SBOM).
Additionally, Section 4 of the EO sets the path for an ambitious timeline of a year filled with guidance to come from various agencies. Organizations should keep a close eye on guidance that is published in the next six months, while keeping May 12, 2022, in their sights. This date marks one year after the EO was published, when the Department of Homeland Security stated it will recommend contract language changes to the Federal Acquisition Regulatory (FAR) Council in order to implement the new software security standards and procedures.
The EO goes on to note that the purchasing power of the federal government can be a powerful tool to create a culture where contractors create software with tighter security and enhance the current security standards in place surrounding their software.
In addition to the changes already discussed, the EO requires the FAR Council to take up the topics of “cyber incident reporting” and “current cybersecurity requirements for unclassified system contracts.” DFARS 252.204-7012 addresses cyber incident reporting and is a likely model that could be modified and proposed for inclusion in the FAR. While notably not called out by name, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) is referenced in Section 2 (h). The section states, “Current cybersecurity requirements for unclassified system contracts are largely implemented through agency-specific policies and regulations.” The FAR Council will take up standardized contract language for appropriate cybersecurity requirements. These two topics represent significant changes that contractors need to prepare for now.
Will CMMC be the cybersecurity requirements that the EO discusses? It is difficult to forecast; however, a single standard across all agencies is a desirable outcome. Much of the EO calls on NIST to establish standards. This section does not call on the establishment of unclassified cybersecurity requirements like other portions of the EO. This is likely because the existing NIST 800-171 framework will be invoked. CMMC at Level 3 is heavily based on the NIST 800-171 framework. If CMMC is the selected cybersecurity requirement or an alternative set of requirements is chosen, it is highly likely that adopting NIST 800-171 is a useful effort.
Contractors who access government systems and possess sensitive unclassified information and software should be prepared to make changes to their own cyber practices and expect adjustments to their government contracts to adhere to the resulting new regulations. Baker Tilly is here to help walk you through the impending changes and the resulting impact on your business, your systems and your government contracts.