In response to a series of cyberattacks against the United States and its critical infrastructure, including the SolarWinds breach, President Biden recently issued an executive order on Improving the Nation’s Cybersecurity (Cyber EO). The Cyber EO creates several new cyber and data protection requirements that will impact organizations providing, directly or indirectly, cloud services, software solutions, and other information technology to the federal government. Compliance with the Cyber EO, and the resulting changes to the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), will significantly influence whether an organization is determined to be a “responsible contractor” as required by FAR Part 9. Some of the Cyber EO’s key issues are set forth below.
Information Sharing Requirements
A cornerstone of the U.S. government’s cybersecurity policy is to encourage and, in some instances, mandate cyber threat information sharing between private sector entities and the government. The Cyber EO recognizes that technology-related government contractors “have unique access to and insight into cyber threat and incident information” pertaining to the federal government’s networks and systems, but that government contracts limit the sharing of such data to federal agencies. In turn, the Cyber EO mandates updates to the FAR and DFARS to ensure that government contracts include clauses requiring contractors to collect and preserve data relevant to cybersecurity events, share such data with the agency with which they have contracted and other federal agencies (as may be determined in the future), collaborate with federal agencies as they investigate and respond to cyber incidents, and share cyber threat and incident information with federal agencies.
Breach Notification Obligations
The Cyber EO mandates that all information and communications technology contractors report to their contracting agency and certain other federal departments “when they discover a cyber incident involving a software product or service provided to such agencies or involving a support system for a software product or service provided to such agencies.” The Cyber EO requires the FAR and DFARS to be updated to clarify the scope and nature of this reporting. The FAR and DFARS must also address the time periods within which contractors must report cyber incidents based on a graduated scale of severity, with reporting on the most severe cyber incidents to be within three days after initial detection.
Cloud Service Providers
A significant portion of the Cyber EO is dedicated to cloud service providers (CSP), the Federal Risk and Authorization Management Program (FedRAMP), and requiring the adoption of a zero trust architecture within the federal government. In particular, the Cyber EO requires certain federal agencies to issue a federal cloud security strategy, cloud security technical reference architecture documentation, and a cloud service governance framework. It also requires federal agencies to “establish a framework to collaborate on cybersecurity and incident response activities” related to certain federal cloud technology to “ensure effective information sharing among agencies and between agencies and CSPs.” The Cyber EO also includes requirements addressing automating and standardizing communications between CSPs and federal agencies; automation throughout the FedRAMP lifecycle; digitizing and streamlining compliance documentation; and identifying relevant compliance frameworks, mapping those frameworks into the FedRAMP authorization process, and allowing them to be used as a substitute for the relevant portion of the authorization process.
Software Supply Chain Security
The Cyber EO includes several technically detailed provisions addressing risks, threats, and new requirements pertaining to the government’s procurement of software. In particular, it notes that the “development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors” and “[t]here is a pressing need to implement more rigorous and predictable mechanisms for ensuring that products function securely, and as intended.” To address these concerns, the Cyber EO mandates that certain federal agencies, in conjunction with the private sector and academia, identify existing or develop new standards, tools, and best practices for developing and procuring secure software solutions and issue related guidance that addresses, among other issues:
- securing software development environments;
- generating artifacts that demonstrate compliance with the guidance;
- employing automated tools that maintain trusted source code supply chains and check for known and potential vulnerabilities;
- publishing data on the software security life cycle;
- maintaining accurate and up-to-date data on the provenance (i.e., origin) of all software components;
- providing a Software Bill of Materials (SBOM) for each product directly or by publishing it on a public website;
- participating in a vulnerability disclosure program that includes a reporting and disclosure process;
- identifying minimum standards for vendors’ testing of their software source code; and
- attesting to conformity with secure software development practices.
The Cyber EO also requires that certain agencies more thoroughly examine and define the term “critical software” to which these requirements will apply. In addition, federal agencies must furnish recommendations on amendments to the FAR requiring “suppliers of software available for purchase by agencies to comply with, and attest to complying with, any requirements” that are issued pursuant to the Cyber EO. After such FAR amendments become final, federal agencies must remove software products that do not meet the requirements of the amended FAR from all federal supply schedules, federal government-wide acquisition contracts, blanket purchase agreements, and multiple award contracts. However, the Cyber EO creates separate rules for agencies employing software developed and procured prior to the date of the Cyber EO (i.e., legacy software).
Software Product Labeling
The Cyber EO mandates that certain federal agencies initiate pilot programs (informed by existing consumer product labeling programs) to educate the public on the security capabilities of IoT devices and software development practices; identify IoT cybersecurity criteria for a consumer labeling program; and identify secure software development practices for a consumer software labeling program. The criteria for IoT devices must reflect the levels of testing and assessment that the product may have undergone and be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products. The practices for software must consider whether a labeling program may align with any similar existing government programs and reflect a baseline level of secure practices and increasingly comprehensive levels of testing and assessment that the software may have undergone.
It will be important for government contractors to assess the upcoming changes to the FAR and DFARS to ensure they are compliant with these new requirements. Government contractors should also consider participating in the government’s rulemaking process to ensure any new cybersecurity requirements are practical and reasonable in light of the government’s compelling need for greater information protection.
- Steven G. Stransky | Steve.Stransky@ThompsonHine.com
- Mona Adabi | Mona.Adabi@ThompsonHine.com
- Tom Mason | Tom.Mason@ThompsonHine.com
- Thomas F. Zych | Tom.Zych@ThompsonHine.com
Compliments of Thompson Hine LLP – a member of the EACCNY.