United States: Biden signs executive order to improve federal government’s cybersecurity
On May 12, President Biden signed an Executive Order (EO) that aims to improve the cybersecurity of the federal government. This follows a series of major cyber incidents, such as the SolarWinds incident. The EO calls on the federal government and the private sector to work together to identify, deter, detect and respond to cyber incidents, declaring that “bold changes and significant investments” are needed to defend the country’s computer systems against attack.
Notably, the EO:
- Creates new IT security rules for some contractors. The EO requires revisions to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). Information technology (IT) and operational technology (OT) contractors may be required to maintain and share data with federal agencies on cyber threats, incidents and risks, and may be required to work with federal agencies to investigate and respond to such incidents. These additional obligations, which will likely be implemented through the yet-to-be-drafted FAR and DFARS provisions, are in addition to those already established in FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems, DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, and the soon-to-be-implemented requirements for obtaining Cybersecurity Maturity Model Certification (CMMC), DFARS Case 2019-D041 (interim rule in effect as of November 30, 2020 and subject to review by Congress).
- Requires federal agencies to update and modernize their cybersecurity standards. The EO calls on federal agencies to adopt best security practices, including moving to secure cloud services, adopting a “zero trust architecture”, developing secure data storage solutions, evaluating and classifying data by type and sensitivity, adopting multi-factor authentication and data encryption to the extent possible, and establishing training programs.
- Establishes baseline standards for the security of the federal government’s software supply chain. The EO requires software developers to provide greater visibility into their products, including providing federal agencies with a “software bill of materials” for each software product.
- Establishes a national review board. The EO establishes a Cyber Safety Review Board that reports to the Secretary of Homeland Security and is responsible for reviewing and assessing cyber incidents affecting federal civilian executive branch information systems or non-federal systems.
- Instructs federal agencies to develop an incident response playbook. The EO directs the Department of Homeland Security to collaborate and coordinate with the DOD, OMB, DOJ and NSA, among others, to create a standardized incident response plan (or playbook) for the government. The playbook will set out how agencies incorporate all relevant NIST standards and respond to incidents.
As this EO demonstrates, we can expect the Biden administration to continue to focus on cybersecurity and related laws and regulations. Whether or not you are a government contractor, this EO should remind all businesses to evaluate their information security programs and practices to ensure they update, modernize and adopt, at a minimum, the best security practices now mandatory for all federal agencies.
The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.