President Biden’s Cybersecurity Executive Order Will Increase Compliance Obligations on the Private Sector

On May 12, 2021, President Biden signed an executive order to bolster the federal government’s cybersecurity practices and contractually obligate the private sector to align with such enhanced security practices (“the Order”). The Order comes on the heels of a ransomware attack on Colonial Pipeline that occurred on May 6, 2021, which shut down the largest oil pipeline in the United States and disrupted supplies of gasoline, diesel, and jet fuel to the East Coast. This initiative to improve the security of the software supply chain also stems from the SolarWinds cyberattack that occurred last year. In the attack, Russian hackers used a routine software update that Texas-based SolarWinds Corp. provided to its customers to install malicious code, allowing the hackers to infiltrate nine federal agencies and about 100 companies.

The Order:

  • Removes barriers to threat information sharing between the government and the private sector. The Order removes certain contractual barriers that prevent information technology (“IT”) service providers from sharing information about cyber incidents with government agencies with which they contract and requires the IT service providers to promptly notify such agencies of a cyber incident involving the software and support-related products or services they provide.
  • Modernizes and implements stronger cybersecurity standards in the federal government. The Order mandates government agencies to move to secure cloud services and a zero-trust architecture. The Order further mandates deployment of multifactor authentication and encryption for data at rest and in transit within 180 days of the date of the Order.
  • Improves software supply chain security. The Order requires all software purchased by the federal government to meet, within six months of the Order, a series of new baseline security standards, which includes requiring developers to maintain greater visibility into their software and making security data publicly available.
  • Establishes a cybersecurity safety review board. The Order establishes a Cybersecurity Safety Review Board, composed of government and private-sector officials, to review and assess major cyber incidents and make concrete recommendations for improving cybersecurity.
  • Creates a standard playbook for responding to cyber incidents. The Order creates a standardized playbook and set of definitions for cyber incident response by federal departments and agencies that incorporate NIST standards.
  • Improves detection of cybersecurity incidents on federal government networks. The Order improves the ability to detect malicious cyber activity on federal networks by requiring initiatives to identify deployment options for a government-wide endpoint detection and response system, and enabling improved information sharing within the federal government.
  • Improves investigative and remediation capabilities. The Order creates cybersecurity event log requirements for federal departments and agencies.

To address weaknesses in national cyber defense that have been recently exposed with the SolarWinds hack and the recent series of ransomware attacks, including on Colonial Pipeline, the Order seeks to “improve the nation’s cybersecurity and protect federal government networks” and address the “insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to [cyber] incidents.” The rise of ransomware attacks in the United States has also caused the Department of Justice (“DOJ”) to create a new task force to unify efforts across the federal government to pursue and disrupt ransomware attackers. Moreover, the United States government has signaled that cybersecurity will be a critical factor when evaluating contractors for new contracts. Contractors who can demonstrate compliance with the Order and other new cybersecurity initiatives will be more competitive than their non-compliant counterparts. For a road map on the updates to regulations to come under the Order, please see “A Gov’t Contractor’s Road Map to Biden Cybersecurity Order.”

The full article in its original form can be found here.

Sharon R. Klein (LAW ’78) is a partner in the corporate practice group and Chair of the Privacy, Security, and Data Protection Practice at Blank Rome. She specializes in assessing and mitigating risks related to the privacy and security of personal data, the ownership and commercialization of data, and artificial intelligence.

Karen H. Shin is an associate in the corporate practice group at Blank Rome, where she focuses her practice on a diverse range of data privacy and information security matters.

Alex C. Nisenbaum is a partner in the corporate practice group at Blank Rome, where he advises clients on data privacy and information security laws and regulations.

Justin Chiarodo is a partner in the government contracts practice group at Blank Rome’s Washington, D.C. office, where he focuses his practice on all aspects of federal, state, and local procurement law.

Michael Joseph Montalbano is an associate in the government contracts practice group at Blank Rome.